Routing from WAN to DMZ (routing loop ?)



  • Hello,

    Here is our configuration :

    A DMZ network (192.168.201.0/24), which has its own internet access (not pfsense) and is connected to a firewall (not pfsense) which has an interface in the main LAN (192.168.1.253).
    The main LAN is 192.168.1.0/24 and its main gateway is pfsense (192.168.1.254/24)
    The WAN interface of pfsense is connected to our ISP's router (192.168.100.250/24) which serves as the primary internet access and VPN-MPLS gateway with other sites defined as 192.168.x.x/24.

    Everything works fine : the DMZ is accessible from internet (secondary access) and can be reached from LAN. LAN and VPN sites can communicate without problem, internet works fine etc…

    BUT I'm unable to make VPN sites (192.168.x.x/24) to contact the DMZ's servers (192.168.201.0/24).
    When I try to ping the DMZ from pfsense WAN (LAN interface works fine) it shows :

    PING 192.168.201.10 (192.168.201.10) from 192.168.100.200: 56 data bytes
    36 bytes from 192.168.100.250: Redirect Host(New addr: 192.168.100.240)
    Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
    4  5  28 0054 4909  0 0000  40  01 8254 192.168.100.200  192.168.201.10

    It looks like pfsense and my ISP router are playing ping pong instead of forwarding it to the DMZ firewall (192.168.1.253)
    192.168.100.200 and 192.168.100.240 are the same (virtual ip cluster)

    And it gets weirder : if I try to ping a random IP in the LAN from the WAN interface, I get the same output…

    At this point I'm completely lost, if somebody could help...

    Thanks !


  • Rebel Alliance Global Moderator

    "which has an interface in the main LAN (192.168.1.253)."

    huh??  So your dmz is also connected to your lan??  Or this other router on your dmz??

    So you have this??  So the vpn are from the mpls router to remote sites?  Or from pfsense to remote sites via the mpls?

    Is this correct as drawn?  And we can go from there..




  • Thanks for your quick reply !

    The DMZ is connected to the LAN and internet via an IPFire distro.
    For the rest of your diagram, it's correct, pfsense only relays outgoing data to the ISP router which handle the VPN connection.



  • I would get rid of the LAN facing interface on the IPFire box and create a transit network between pfSense and the IPFire box intead, ideally a /30 network. Once you setup the appropriate static routes everything will work just the way you want it.


  • Rebel Alliance Global Moderator

    "The DMZ is connected to the LAN and internet via an IPFire distro."

    So you have a downstream router/firewall this ipfire box that hangs off your LAN?  Yeah that is not good.. All kinds of asymmetrical routing could be happening.

    MaxPF has it right if your going to have a downstream router it should be on a transit network..



  • Here is the network attached.

    I get your point but the pfsense server only has 2 network interfaces. But still, I don't understand why I can't ping a LAN ip from the WAN interface, since pfsense is directly attached to the destination network, the routing process should be transparent…



  • Rebel Alliance Global Moderator

    Nice drawing thanks!!  Make its much easier to visualize your setup.

    "I can't ping a LAN ip from the WAN interface,"

    What exactly are you trying to ping and from where?

    If you do not have another interface in pfsense - just use a vlan on your lan interface..  I would hope your switch in your lan is vlan capable??

    if not you could aways get a cheap vlan switch with a few ports and use it to split the vlans before you connect to your ipfire and your other dumb switch.  Does your pfsense have room for another interface if so - nics can be had for cheap..

    That setup is a asymmetrical nightmare ;)



  • On the pfsense web interface, I go to Diagnostics -> Ping, I select the WAN interface as source address and I get the same output :

    PING 192.168.1.2 (192.168.1.2) from 192.168.100.240: 56 data bytes
    36 bytes from 192.168.100.250: Redirect Host(New addr: 192.168.100.240)
    Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
    4  5  28 0054 2c45  0 0000  40  01 66f9 192.168.100.240  192.168.1.2

    Which makes me think that's not just a routing problem.

    By asymmetrical, you mean that the DMZ will answer to the VPN sites by taking another path ? That is not possible because the DNS they are using makes the DMZ unreachable via internet.


  • Rebel Alliance Global Moderator

    What I mean by asymmetrical is your lan devices, unless they have host routing to point to the ipfire to get to the dmz are going to be hairpin and then asymmetrical return.. 1st pic.

    Now on your vpn devices getting to your dmz.. What is the routes on the ipfire for 192.168.x that is in your vpn/mpls cloud??  2nd pic.






  • Hello,

    Thanks, I have totally forgotten to add a route on ipfire, I can be dumb sometimes…


  • Rebel Alliance Global Moderator

    So your hosts have routes into the dmz on them?  If not its an asymmetrical condition.



  • Yes, you're right it's asymetrical.
    It's working now but we'll upgrade the pfsense with some NICs later…

    Thanks again.