Routing from WAN to DMZ (routing loop ?)

packetfilter · Mar 23, 2017, 10:50 AM

Hello,

Here is our configuration :

A DMZ network (192.168.201.0/24), which has its own internet access (not pfsense) and is connected to a firewall (not pfsense) which has an interface in the main LAN (192.168.1.253).
The main LAN is 192.168.1.0/24 and its main gateway is pfsense (192.168.1.254/24)
The WAN interface of pfsense is connected to our ISP's router (192.168.100.250/24) which serves as the primary internet access and VPN-MPLS gateway with other sites defined as 192.168.x.x/24.

Everything works fine : the DMZ is accessible from internet (secondary access) and can be reached from LAN. LAN and VPN sites can communicate without problem, internet works fine etc…

BUT I'm unable to make VPN sites (192.168.x.x/24) to contact the DMZ's servers (192.168.201.0/24).
When I try to ping the DMZ from pfsense WAN (LAN interface works fine) it shows :

PING 192.168.201.10 (192.168.201.10) from 192.168.100.200: 56 data bytes
36 bytes from 192.168.100.250: Redirect Host(New addr: 192.168.100.240)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 28 0054 4909 0 0000 40 01 8254 192.168.100.200 192.168.201.10

It looks like pfsense and my ISP router are playing ping pong instead of forwarding it to the DMZ firewall (192.168.1.253)
192.168.100.200 and 192.168.100.240 are the same (virtual ip cluster)

And it gets weirder : if I try to ping a random IP in the LAN from the WAN interface, I get the same output…

At this point I'm completely lost, if somebody could help...

Thanks !

johnpoz · Mar 23, 2017, 12:40 PM

"which has an interface in the main LAN (192.168.1.253)."

huh?? So your dmz is also connected to your lan?? Or this other router on your dmz??

So you have this?? So the vpn are from the mpls router to remote sites? Or from pfsense to remote sites via the mpls?

Is this correct as drawn? And we can go from there..

packetfilter · Mar 23, 2017, 1:17 PM

Thanks for your quick reply !

The DMZ is connected to the LAN and internet via an IPFire distro.
For the rest of your diagram, it's correct, pfsense only relays outgoing data to the ISP router which handle the VPN connection.

MaxPF · Mar 23, 2017, 4:49 PM

I would get rid of the LAN facing interface on the IPFire box and create a transit network between pfSense and the IPFire box intead, ideally a /30 network. Once you setup the appropriate static routes everything will work just the way you want it.

johnpoz · Mar 23, 2017, 7:23 PM

"The DMZ is connected to the LAN and internet via an IPFire distro."

So you have a downstream router/firewall this ipfire box that hangs off your LAN? Yeah that is not good.. All kinds of asymmetrical routing could be happening.

MaxPF has it right if your going to have a downstream router it should be on a transit network..

packetfilter · Mar 24, 2017, 9:14 AM

Here is the network attached.

I get your point but the pfsense server only has 2 network interfaces. But still, I don't understand why I can't ping a LAN ip from the WAN interface, since pfsense is directly attached to the destination network, the routing process should be transparent…

johnpoz · Mar 24, 2017, 12:44 PM

Nice drawing thanks!! Make its much easier to visualize your setup.

"I can't ping a LAN ip from the WAN interface,"

What exactly are you trying to ping and from where?

If you do not have another interface in pfsense - just use a vlan on your lan interface.. I would hope your switch in your lan is vlan capable??

if not you could aways get a cheap vlan switch with a few ports and use it to split the vlans before you connect to your ipfire and your other dumb switch. Does your pfsense have room for another interface if so - nics can be had for cheap..

That setup is a asymmetrical nightmare ;)

packetfilter · Mar 24, 2017, 1:07 PM

On the pfsense web interface, I go to Diagnostics -> Ping, I select the WAN interface as source address and I get the same output :

PING 192.168.1.2 (192.168.1.2) from 192.168.100.240: 56 data bytes
36 bytes from 192.168.100.250: Redirect Host(New addr: 192.168.100.240)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 28 0054 2c45 0 0000 40 01 66f9 192.168.100.240 192.168.1.2

Which makes me think that's not just a routing problem.

By asymmetrical, you mean that the DMZ will answer to the VPN sites by taking another path ? That is not possible because the DNS they are using makes the DMZ unreachable via internet.

johnpoz · Mar 25, 2017, 3:24 PM

What I mean by asymmetrical is your lan devices, unless they have host routing to point to the ipfire to get to the dmz are going to be hairpin and then asymmetrical return.. 1st pic.

Now on your vpn devices getting to your dmz.. What is the routes on the ipfire for 192.168.x that is in your vpn/mpls cloud?? 2nd pic.

packetfilter · Mar 27, 2017, 12:06 PM

Hello,

Thanks, I have totally forgotten to add a route on ipfire, I can be dumb sometimes…

johnpoz · Mar 27, 2017, 12:34 PM

So your hosts have routes into the dmz on them? If not its an asymmetrical condition.

packetfilter · Mar 29, 2017, 8:36 AM

Yes, you're right it's asymetrical.
It's working now but we'll upgrade the pfsense with some NICs later…

Thanks again.