Dual Internet, PBR, Virtual pfSense



  • Hi,

    I'm trying to put together a rather interestingly designed network where I can route different vlans out of different internet connections using policy based routing. On top of this, I want to use pfSense as a transparent firewall for specific vlans which PBR directs to the firewall. From there I want to continue to have the packets tagged with the vlan tags so I can do more vlan routing on the external side of pfSense. pfSense doesn't have the internet links attached directly to it; they reside in their own transit vlans on my switch. pfSense resides as a VM on my ESXi host, which also adds more complexity into the mix.

    So far I have all of the routing and everything working without pfSense. I can route specific vlans to specific routers to egress out the internet connections they need to. I need to figure out a way to add pfSense to the mix and I can't come up with a working solution. I think the biggest issue I am going to have is somehow forwarding the return traffic back through the pfSense rather than going to the directly connected vlan interface. I have a network diagram which I've attached to give a visual perspective. But ultimately what I want to achieve are the following scenarios.

    VLAN20-23 traverse the pfSense firewall, then at a more granular level have vlan21 egress out the VDSL, vlan 22 egress out of the 100mbit fibre and vlan23 egress out the 10mbps fibre.
    Any vlan that doesn't have a PBR rule to force it via the pfSense will just traverse the default route to whichever internet egress that turns out to be.

    To be honest I'm still trying to establish if this is even feasible; I can't work out how the reverse routing is going to get the packets from the vlan the router interface resides in into the pfSense external interface. Any advice/things to consider would be fantastic. I haven't even been able to get the pfSense to pass any traffic yet, even with fully open rules, so until I can work out the correct way to route this I'm a bit dead in the water.

    Thanks,
    Alex



  • This is very similar to my setup, I have multiple VLANs for my LANs and I run pfSense as a virtual machine on ESX. I also have dual upstream routers and route certain VLANs certain ways, some transparently and some with more strict rules and policies.

    VLAN20-23 traverse the pfSense firewall, then at a more granular level have vlan21 egress out the VDSL, vlan 22 egress out of the 100mbit fibre and vlan23 egress out the 10mbps fibre.
    Any vlan that doesn't have a PBR rule to force it via the pfSense will just traverse the default route to whichever internet egress that turns out to be.

    You can certainly have traffic for a specific VLAN routed to a specific gateway, that's no problem (VLAN21,22,23 as described).
    The rest of the VLANs could either rely on pfSense's default routing and gateways, or have a specific gateway group that load balances or fails over between the upstreams as you need.

    I'd recommend you start building and come back with specific questions as you can't figure stuff out 8)



  • Hi PacketLoss

    I guess so far my biggest issue seems to be the return route.

    The router is effectively hosting the core of the network, an SVI for each vlan etc. I can either set the default route to be the IP of the LAN interface of the pfSense or I can use PBR to point vlans to the LAN interface of the pfSense box. That works fine and traffic goes out. However, my issue arises when it comes back in: the router, because it's directly connected to every VLAN, can just pass the packet back to the host, completely bypassing the pfSense WAN port, thus creating an asymmetric route, after which pfSense goes on to block further traffic. How do you get around the return route issue for packets coming back in? Currently in my design I'm only using 1 internet connection which is sitting in the mgmt vlan.

    The current configuration is:

    pfSense WAN is in vlan 102
    pfSense LAN is in vlan 101

    I am using a 3650 as my router, the internet connection is in vlan 100.

    I am using ip route 0.0.0.0 0.0.0.0 10.59.219.10 (pfSense LAN) and then the pfSense WAN has a router IP (10.59.219.2 vlan 100).

    Going from LAN -> Internet or LAN <-> LAN is fine; it's when the packet comes back in from the router interface in vlan 100 that it bypasses the pfSense box and sends it directly to the client vlan (21, 22, 23 etc.), and that's where the asymmetric routing shows up. How do I force the packets to go back via the WAN interface of the pfSense?

    Thanks
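One way to pin the return path so pfSense sees both directions of every flow, as an added example and not a configuration from the thread: policy-based routing on the 3650's VLAN 100 SVI (the one facing the internet router) that catches replies addressed to the firewalled VLANs and hands them to the pfSense WAN address instead of the directly connected client SVI. It assumes pfSense forwards the client addresses unchanged (no outbound NAT, as the transparent design implies); the client subnets (10.59.21.0/24 etc.) and the pfSense WAN address (10.59.219.20 in VLAN 102) are placeholders, and only 10.59.219.10 and 10.59.219.2 come from the post.

```cisco
! Assumed addressing (not from the thread): client VLANs 21-23 use
! 10.59.21.0/24, 10.59.22.0/24 and 10.59.23.0/24; the pfSense WAN
! interface in VLAN 102 is 10.59.219.20. Adjust to the real plan.
!
! 1. Match only return traffic addressed to the firewalled VLANs.
!    Everything else keeps its normal (default) routing.
ip access-list extended RETURN-TO-FIREWALLED-VLANS
 permit ip any 10.59.21.0 0.0.0.255
 permit ip any 10.59.22.0 0.0.0.255
 permit ip any 10.59.23.0 0.0.0.255
!
! 2. For matching packets, override the connected route and send
!    them to the pfSense WAN address. Non-matching packets fall
!    through the route-map and are routed by the routing table.
route-map RETURN-VIA-PFSENSE permit 10
 match ip address RETURN-TO-FIREWALLED-VLANS
 set ip next-hop 10.59.219.20
!
! 3. Apply the policy where internet replies enter the switch:
!    inbound on the SVI that faces the upstream router in VLAN 100.
interface Vlan100
 ip policy route-map RETURN-VIA-PFSENSE
!
! 4. Verify: the route-map counters should increase as replies
!    arrive, and a traceroute from a VLAN 21 host to the internet
!    should show the pfSense hop instead of a direct SVI hop.
! show route-map RETURN-VIA-PFSENSE
! show ip policy
```

pfSense itself must also know that the client subnets live behind the router's VLAN 101 address (static routes on its LAN side), otherwise it will hand the reply back to its WAN gateway and the loop simply moves.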