Static routing to same LAN
-
Hi Johnpoz,
Thanks for your answer. Here you have the network diagram. Feel free to ask any more information you need.
-
Yeah, it shouldn't be like that.. For starters, why would you put voice on the same segment? And how is your gateway to the internet the same as your LAN? If you have to double NAT then it needs to be different than the pfsense WAN or any other networks it will NAT to, etc. Anyway, it really should be more like this.
As to your voice.. Are those like phones? Or are you doing software VoIP that needs to go to, say, your computers? And you just need to route that over a different network? If so then it too should be on a transit network connected to pfsense.. one that does not overlap with any of your other networks.
-
I will try to answer 1 by 1.
Voice: the voice uses another subnet, 192.168.41.X, but it has a router that routes internal calls (by internal I mean from site to site) to another router with a configured VPN to the destination site. I don't know too much about how it works, but I know that it receives voice data on 192.168.1.4 from other sites.
Internet: we aren't directly connected to the Internet, we use an MPLS, and the router that provides access is configured by the ISP, and it will be a pain in the ass to make changes to the IP address.
Also, IP address changes will affect configurations on other sites; that's the main reason why I want to avoid doing them and keep the same IP address configuration for the involved devices. Can't that be done with pfsense, you mean?
Thanks for your time.
-
Well, you don't have to change the IP of your ISP router's LAN side, but you cannot use that on your other networks, since they would overlap. So your LAN needs to just use a different network.
How was this setup before pfsense?
Sounds like you need to make this 192.168.1 your transit network and then put your LAN behind pfsense.. so like this.
You would then create your routes on pfsense to use those gateways to get to whatever networks are reached via those gateways, and your default would be towards your internet gateway.
-
Hi Johnpoz,
I think we are not understanding each other; my bad, I'm not an English native and maybe I'm not expressing in words quite well what I mean.
Let's start from the beginning.
I have a Cisco router with the following configuration:
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable password 7
!
clock timezone GMT 2
ip subnet-zero
!
!
ip name-server 194.179.1.100
ip name-server 194.179.1.101
!
!
!
!
!
interface FastEthernet0
ip address 192.168.1.1 255.255.255.0
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.21
ip route 80.58.181.0 255.255.255.0 192.168.1.3
ip route 192.168.0.0 255.255.255.0 192.168.1.2
ip route 192.168.2.0 255.255.255.0 192.168.1.2
ip route 192.168.3.0 255.255.255.0 192.168.1.3
ip route 192.168.10.0 255.255.255.0 192.168.1.2
ip route 192.168.11.0 255.255.255.0 192.168.1.200
ip route 192.168.20.0 255.255.255.0 192.168.1.2
ip route 192.168.21.0 255.255.255.0 192.168.1.4
ip route 192.168.30.0 255.255.255.0 192.168.1.2
ip route 192.168.31.0 255.255.255.0 192.168.1.9
ip route 192.168.40.0 255.255.255.0 192.168.1.2
ip route 192.168.41.0 255.255.255.0 192.168.1.4
ip route 192.168.50.0 255.255.255.0 192.168.1.2
ip route 192.168.61.0 255.255.255.0 192.168.1.9
ip route 192.168.100.0 255.255.255.0 192.168.1.3
ip route 192.168.101.0 255.255.255.0 192.168.1.3
ip route 213.229.149.199 255.255.255.255 192.168.1.3
no ip http server
ip pim bidir-enable
!
!
logging trap debugging
logging 192.168.1.67
!
snmp-server community public RO
snmp-server host 192.168.1.16 version 2c SNMPv2c
!
line con 0
line aux 0
line vty 0 4
password 7
login
!
no scheduler allocate
sntp server 192.168.1.7
end

It's a bit more complex than the hypothetical scenario I explained to you, but I thought it would be enough to understand the problem. As you can see, this router distributes the traffic depending on the destination. The problem is that this router is a very old one (more than 10 years) and I want to change it. To change it I thought of pfsense because it is a software solution that can be installed in a virtual environment, so I can have copies of it for redundancy. It just needs to route traffic; it doesn't need firewall rules, NAT or anything else, just make the data reach the proper gateway for its destination. I don't have a transit network.
Right now I'm testing pfsense with IP address 192.168.1.10, but I told you 192.168.1.1 because that would be the final IP address. I just want to configure pfsense so it can substitute this old firewall without doing any change (if possible) on other devices. Cisco routers permit configuring just one LAN interface without a WAN one for using them as "internal" routers.
Ok, now that you have the whole information, let's see if we can understand each other.
Thanks for your support!
-
So you want to replace the cisco router with pfsense.. Yeah, that is a better solution completely!!
Yes, pfsense can do that without any issues.
It looks to me like you're doing a router on a stick, and have what amounts to a bunch of asymmetrical routing.. I would not do it that way!!!
If you have a router at 192.168.1.1, and also devices on 192.168.1.0/24 that use this as their gateway to be sent to other 192.168.1.x addresses to get to other networks, you have an asymmetrical setup.. While it can work, it's not a good idea at all..
So simplified you have this.. So for example your default route is that .21 address, so some other router.. So in my drawing, if a device on your 192.168.1 network wants to go to the internet, it hits your router at 192.168.1.1 (red arrow) just to be sent back out the same interface (hairpin) to go to the 192.168.1.21 router to go to the internet. The return traffic will just go back to your client (green arrow) vs going back to your router on a stick.
It would do this no matter what other network you want to go to.. You should get rid of your router on a stick and put your network behind what amounts to a transit network (192.168.1.0/24). This network has other routers to get to other networks, so this becomes your transit network. Your devices would then be on some other network.. See second drawing. I didn't see 192.168.4/24 in your setup, so your devices would be put on 192.168.4/24 behind pfsense - pfsense does not have to firewall or NAT. It can just route if that is what you want. But why not leverage the firewall part as well?
Anyway, now you're symmetrical in your flow.. So if going to the internet, your devices go to the pfsense gateway of 192.168.4.1 for example. pfsense sends to its gateway for the internet, the 192.168.1.21 router.. The flow coming back goes back to the pfsense 192.168.1.x address, which it then sends on to your clients on 192.168.4.
If they are going to some other network, pfsense routes to that specific gateway to get to that network; the return path flows symmetrically back through pfsense and then on to your 192.168.4 device. You do not have to NAT this nor firewall it if you do not want to..
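As an added illustration (not code from the thread or from pfSense), a small script that parses the `ip route` syntax of the config posted earlier, resolves a destination by longest-prefix match, and lists which routes would hairpin for hosts on a given network; the config excerpt inside is constructed from a few of the posted lines, and `host_lan` is an assumed parameter.

```python
import ipaddress

# Constructed excerpt of the IOS config posted earlier in this thread (same route syntax,
# only a few of the static routes kept so the example stays short).
CISCO_CONFIG = """\
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.21
ip route 192.168.0.0 255.255.255.0 192.168.1.2
ip route 192.168.41.0 255.255.255.0 192.168.1.4
ip route 213.229.149.199 255.255.255.255 192.168.1.3
"""

def parse_routes(text):
    """Return [(destination network, next hop)] from 'ip route PREFIX MASK GATEWAY' lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["ip", "route"] and len(parts) == 5:
            routes.append((ipaddress.ip_network(f"{parts[2]}/{parts[3]}"),
                           ipaddress.ip_address(parts[4])))
    return routes

def next_hop(text, dst):
    """Longest-prefix match: the most specific route containing dst decides the gateway.
    Returns the gateway as a string, or None when no route (not even a default) matches."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in parse_routes(text) if dst in net]
    if not matches:
        return None
    return str(max(matches, key=lambda r: r[0].prefixlen)[1])

def hairpin_routes(text, host_lan):
    """Routes whose next hop lives on the same network as the hosts using this router.
    A host on host_lan sends the packet to the router, which forwards it straight back out
    the same segment to that gateway; the reply goes from the gateway to the host directly
    and never passes the router. That is the asymmetric router-on-a-stick flow in the thread."""
    lan = ipaddress.ip_network(host_lan)
    return [f"{net} via {gw}" for net, gw in parse_routes(text) if gw in lan]

if __name__ == "__main__":
    print("192.168.41.7 ->", next_hop(CISCO_CONFIG, "192.168.41.7"))
    # Hosts on 192.168.1.0/24 (the current layout): every route hairpins.
    print(hairpin_routes(CISCO_CONFIG, "192.168.1.0/24"))
    # Hosts moved to 192.168.4.0/24 behind pfSense with 192.168.1.0/24 as transit: none do.
    print(hairpin_routes(CISCO_CONFIG, "192.168.4.0/24"))
```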
-
Hi Johnpoz,
I see your point, and you are right that would be a better solution. The problem is that there are servers in the 192.168.1.x with fixed IPs that would need some testing before their IP addresses can be changed. I will have to check if it's better changing the computers to the 192.168.4.x or keeping the 192.168.1.x for them and changing the gateway addresses to 192.168.4.x. The problem is that no matter which option I choose, I need to speak with other people who are in charge of doing these jobs, and they will need to do changes and testing, so it will take some time.
Is there a solution to configure pfsense like my cisco router is right now and keep the other changes in mind for the future?
I assume that in your suggested configuration the only thing I will have to do is configure pfsense with LAN (192.168.1.1) and WAN (192.168.4.1) and do the routing to the new IP addresses on the gateways (192.168.4.x), or, if I change the servers' IP addresses, the pfsense LAN IP address will be (192.168.4.1) and WAN will be (192.168.1.1). Is that correct?
I really thank you for spending your time helping me.
-
So you want to change out your cisco and do the same router on a stick nonsense with asymmetrical routing?
While you "could" do that - sorry, I don't help set up borked nonsense ;) hehehe That would be a horrific idea - whoever set it up like it is in the first place shouldn't be touching networking gear…
-
Hi, Johnpoz,
Hahaha, maybe you are right. The problem is that in your scenario (which I will try to get to asap) I need to coordinate with some other people, some of them in a different time zone than mine, so it will take some time to do it. It would be easier to change the IP addresses of the LAN servers, but I don't like the idea of changing IP addresses on DCs or Exchange servers.
So my idea is to change the cisco router right now and use the same configuration on the pfsense. And in the future (I hope a near future) do the changes to get to your proposed scenario.
Right now I have disabled the WAN interface and I have configured an upstream gateway on the LAN interface pointing to the gateway for internet browsing, and that seems to work. But I have some problems with RDS: when I try to connect to a server on another site it works, but while you are connected it seems to freeze sometimes, and the same with a local program that connects to a DB on another site. Voice (even with other sites) and Internet browsing are fine. If I ping the servers with the freeze problems the response times are more or less the same, so I don't have any clues why this can be happening.
Can you help me with that? Thanks.
-
Help you with why asymmetrical routing causes issues in applications? Yeah, it's going to be hit and miss - it's a borked config, there is little use trying to make it work.