Assistance with Firewall Application



  • Hi everyone, I am new to the forums, fairly new to pfSense, and limited networking skill set.  So, that out of the way, I am hoping that someone here is possibly able to assist me on an issue we have just recently run into.

    I have attached a PDF of my current network setup and some other details, here is a brief description:

    We have two locations, Site A and Site B.

    Each location has a pfsense firewall serving as default gateway for internet access.

    There is a server in Site A hosting an application for Site B to use over port 12345.

    Previously, we have used an IPSEC tunnel to connect the sites and the application works wonderfully.

    We have recently implemented fiber at each location to connect the sites.  If I take down the IPSEC tunnel, and route the traffic for each site to the other over the new private LAN fiber link, this application does not work.  Ping works both ways, telnet on port 12345 works.

    Again, more details can be found in the attached PDF file.

    Anyone possibly have any pointers or tips on what I should look at with my configuration to figure out why this isn't working as it should be?

    Please let me know any other information I can supply.

    I am currently running the IPSEC tunnel still over our internet circuits so that the user at Site B can connect her application to the server at Site A.  I would like to get rid of this if possible though and utilize our private LAN connection (unless that is a bad idea or something that I won't see any benefit of doing?)

    I am quite green on pfSense and my networking is only basic.  I am the sole IT for my company, and have inherited this device.

    Thank you!!




  • The default gateway should sit in the communication line, not beside.
    This way you will get an asymmetric routing issue, because requests from the client are directed to pfSense, and there redirected to the router while responses come from the router directly.

    So to solve, you can set the routes to the other site on client and server.
    Other way is to connect the Vendor routers to a separate pfSense interface and give them another subnet, or to set them into a VLAN.



  • Thank you for your response.

    I had a feeling that I was dealing with an asymmetric routing issue based on what I was reading online.  I was looking at this page: https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules

    I had also figured that putting the traffic on a separate pfSense interface would resolve the issue also…in my previous job we had a Fortinet and handled this type of connection that way and it worked.

    When you indicated to "set the routes to the other site on client and server" - are you indicating to manually set routes on the client and the server devices?  or change the static routes that I have set on the pfsense at each location?



  • I had also been toying with the idea of setting my switches as my default GW - they are L3.  We have a data and voice vlan at each site.  I assume that would also resolve this as well because the client and server would be getting their routes from the switches, which is "in the communication line".


  • Rebel Alliance Global Moderator

    "I had also been toying with the idea of setting my switches as my default GW"

    Then what would pfsense do??

    Your problem is that you have these vendor routers on your lan network vs a transit network.. The connection to the vendor routers should be a transit network to pfsense..
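The two answers above describe the same root cause from different angles: with the vendor routers on the LAN, the client's traffic enters pfSense but the reply comes back past it, and either host routes or a transit network restores a symmetric path. The following path-tracing script is an added example (it is not from the thread, and not pfSense code) that builds a constructed two-site topology with hypothetical addresses (10.1.0.0/24 and 10.2.0.0/24 for the LANs, 172.16.0.0/30 for the fibre link, 10.x.255.0/30 for the transit interfaces) and compares the three layouts: as described in the thread, with static routes on client and server, and with the vendor routers behind a dedicated pfSense interface. It reports which stateful firewalls see only one direction of the flow.

```python
"""Trace forward and reverse paths through a constructed two-site network.

All addresses, node names and routes are hypothetical and chosen to mirror the
thread: a pfSense box is the default gateway at each site, and a vendor router
on the same LAN carries the private fibre link between the sites.
"""
import ipaddress
from dataclasses import dataclass, field

STATEFUL_FIREWALLS = {"pfA", "pfB"}


@dataclass
class Node:
    name: str
    addresses: set                      # IP strings owned by this node
    routes: list = field(default_factory=list)  # (network, next hop or None = on-link)


def lookup(node, dst):
    """Longest-prefix match; returns the next hop, or None for a directly connected route."""
    best = None
    for net, nh in node.routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        raise LookupError(f"{node.name}: no route to {dst}")
    return best[1]


def trace(nodes, src, dst, max_hops=16):
    """Return the node names a packet from src to dst traverses, including both ends."""
    by_addr = {ipaddress.ip_address(a): n for n in nodes.values() for a in n.addresses}
    dst = ipaddress.ip_address(dst)
    node = by_addr[ipaddress.ip_address(src)]
    path = [node.name]
    for _ in range(max_hops):
        if dst in {ipaddress.ip_address(a) for a in node.addresses}:
            return path
        nh = lookup(node, dst)
        node = by_addr[dst] if nh is None else by_addr[ipaddress.ip_address(nh)]
        path.append(node.name)
    raise RuntimeError("routing loop")


def topology(host_routes=False, transit=False):
    """Constructed network. host_routes: client/server get a static route for the far
    LAN via the local vendor router. transit: vendor routers sit on a dedicated
    pfSense interface (/30) instead of on the LAN."""
    a_rtr = "10.1.255.2" if transit else "10.1.0.2"   # vendor router A, inside address
    b_rtr = "10.2.255.2" if transit else "10.2.0.2"   # vendor router B, inside address
    a_net = "10.1.255.0/30" if transit else "10.1.0.0/24"
    b_net = "10.2.255.0/30" if transit else "10.2.0.0/24"
    via_pf = lambda lan, pf: [(lan, pf)] if transit else []  # routers reach the LAN through pfSense
    nodes = [
        Node("serverA", {"10.1.0.10"}, [("10.1.0.0/24", None), ("0.0.0.0/0", "10.1.0.1")]),
        Node("pfA", {"10.1.0.1", "10.1.255.1"},
             [("10.1.0.0/24", None), ("10.1.255.0/30", None), ("10.2.0.0/24", a_rtr)]),
        Node("rtrA", {a_rtr, "172.16.0.1"},
             [(a_net, None), ("172.16.0.0/30", None), ("10.2.0.0/24", "172.16.0.2")]
             + via_pf("10.1.0.0/24", "10.1.255.1")),
        Node("rtrB", {b_rtr, "172.16.0.2"},
             [(b_net, None), ("172.16.0.0/30", None), ("10.1.0.0/24", "172.16.0.1")]
             + via_pf("10.2.0.0/24", "10.2.255.1")),
        Node("pfB", {"10.2.0.1", "10.2.255.1"},
             [("10.2.0.0/24", None), ("10.2.255.0/30", None), ("10.1.0.0/24", b_rtr)]),
        Node("clientB", {"10.2.0.10"}, [("10.2.0.0/24", None), ("0.0.0.0/0", "10.2.0.1")]),
    ]
    if host_routes:
        nodes[0].routes.append(("10.2.0.0/24", a_rtr))   # on the server at Site A
        nodes[-1].routes.append(("10.1.0.0/24", b_rtr))  # on the client at Site B
    return {n.name: n for n in nodes}


def one_way_firewalls(fwd, rev):
    """Stateful firewalls that sit on exactly one of the two directions."""
    return {n for n in STATEFUL_FIREWALLS if (n in fwd) != (n in rev)}


def analyse(nodes, src="10.2.0.10", dst="10.1.0.10"):
    fwd = trace(nodes, src, dst)
    rev = trace(nodes, dst, src)
    return {"forward": fwd, "reverse": rev,
            "symmetric": rev == fwd[::-1], "half_seen": one_way_firewalls(fwd, rev)}


if __name__ == "__main__":
    for label, kw in [("as described", {}), ("host routes", {"host_routes": True}),
                      ("transit interface", {"transit": True})]:
        r = analyse(topology(**kw))
        print(f"{label:18} symmetric={r['symmetric']} "
              f"firewalls seeing one side only={sorted(r['half_seen']) or '-'}")
        print("    ", " -> ".join(r["forward"]), "|", " -> ".join(r["reverse"]))
```

In the "as described" layout the client's packets pass pfB and the server's replies pass pfA, so each firewall holds half a conversation, which is the asymmetric routing condition the pfSense documentation linked above warns about. Host routes keep the site-to-site traffic off both firewalls entirely; the transit interface makes both firewalls see both directions, which is the layout the moderator recommends.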



  • They would continue to act as edge firewalls sitting between the internal LAN and the internet.  We have a DIA circuit at each location.  They also function as OpenVPN servers for incoming SSL client connections.

    I am debating either adding NIC to my existing pfsense to accommodate another interface, or trying some of the route changes previously mentioned by viragomann, pending clarification.

    Ideally I do want to have them on transit network eventually once my hardware allows it.



  • What would be the negatives in having my L3 switches act as the default gateways for my devices?  I know for my Private LAN connection, this would mean the firewall is being entirely bypassed for traffic between the sites, and obviously there is risk that goes with that.

    Are there any other faults that would arise from changing my default gateways to the switches?

    Or is it just that while there are no major disadvantages, there are also no clear advantages?

    Thank you,