Netgate Discussion Forum

Static Routing same dest. diff. interface

Routing and Multi WAN
10 Posts 3 Posters 3.1k Views
gaxy (last edited Oct 30, 2008, 1:06 PM)

    Hi all

    I have the following situation:

                            WAN
                        /         \
                 pfsense1         pfsense2 ------------------+
            (193.x.x.1 WAN)     (193.x.x.2 WAN)              |
            (192.168.1.1 LAN)   (192.168.1.2 LAN)            |
            (172.16.0.1 DMZ)    (172.16.0.2 DMZ)             |
                   |   |           |   |                     |
                   |   +----LAN----+   |                     |
                   |                   |                     |
                   +--------DMZ--------+                     |
                                                      (172.16.3.0 DMZ2)
                                                            DMZ2

    On pfsense1 I try to make 2 static routes:
    one:
    IF: LAN DestNet: 172.16.3.0 GW 192.168.1.2
    and
    IF: DMZ DestNet: 172.16.3.0 GW 172.16.0.2

    But it is not possible to make the second static route... I see a message that I have the same dest net already defined.
    I know that, but it's on a different interface.
    Is this a bug, or how can I handle this situation?

    I have to access the DMZ2 from the DMZ and from the LAN.

    Thanks GaXy

GruensFroeschli (last edited Oct 31, 2008, 5:58 AM)

    This is how routing works.
    As long as you are using static routes you cannot have the same destination over two routes with the same metric.

    What are you trying to accomplish?
    Failover in case one of the networks goes down?

    You can do this with a failover-pool and the proper firewall rule.

    We do what we must, because we can.

    Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

gaxy (last edited Oct 31, 2008, 7:34 AM)

    Thanks for the answer.

    No, I don't try a failover... I know about the load balancer thing.
    As you can see I have 2 pfSense. For all workstations in the LAN and also for all
    servers in the DMZ, pfsense1 is the default gateway.

    It has to be possible to access the DMZ2 network from LAN and also from DMZ.
    This is why I would like to make 2 entries for the static routing.
    I mean I can do this by entering the static route on every workstation by hand and the route for the DMZ via the firewall,
    but it is nicer when I can do this over the firewall.

    If this is not working like I think, what sense does the switch for the network interface in the static routing page make?

    Maybe you can give me a hint to handle this another way?

    thx GaXy

jahonix (last edited Oct 31, 2008, 9:05 AM)

    @gaxy:

        No, I don't try a failover... I know about the load balancer thing.
        As you can see I have 2 pfSense. For all workstations in the LAN and also for all
        servers in the DMZ, pfsense1 is the default gateway.

    And what exactly are you using the pfSense #2 for - except for the DMZ2?

    Wouldn't a setup with only one machine be less complicated and error prone?

gaxy (last edited Oct 31, 2008, 9:20 AM)

    Yes, I also think so, but this is still not possible :-)

    There are more things on pfsense2 (not only DMZ2), but this is not important for this problem.
    pfsense2 is for a housing network which has a lot of VLANs, VPNs... etc...

    Greetings GaXy

jahonix (last edited Oct 31, 2008, 1:09 PM)

    Sorry, but if those 2 pfSenses are neither load balancing nor backing each other up then the layout is ... sub-optimal.

    What happens if you switch off #1 and let #2 handle all the networks on its own?

gaxy (last edited Oct 31, 2008, 1:19 PM)

    As I say, it's still not possible.

    pfsense1 has a lot of servers in the DMZ; it's the main firewall for the LAN and for the hosting (DMZ) network.

    pfsense2 is the main firewall of the HOUSING network; normally they are 2 different networks.
    But now the developers would like to have access from the LAN to the HOUSING network (no problem via static routes).
    Also there are some servers (statistics...) in the DMZ which need access to the Housing via scp... (problem because I cannot make the same dest network on diff. interfaces)

    Saludos GaXy

jahonix (last edited Oct 31, 2008, 6:16 PM)

    The design is shady.

    Why don't you stop bridging LAN and DMZ interfaces and create an IPsec or OpenVPN tunnel between the two WANs (depending on features needed; I tend to think you will use IPsec since you can already filter on that interface). Define rules as needed. Should work pretty straightforward. Remember: KISS - keep it stupid simple!

    One thing might be that you have to change subnets on one of the boxes to allow routing between them.
    GruensFroeschli, are you listening? Do you comply?

GruensFroeschli (last edited Nov 2, 2008, 8:04 PM)

    I don't see where the problem is:

    The original question was: how do I add two static routes for the same destination.

    If you don't need failover, a single static route for DMZ2 on pfSense1 is enough.
    As far as I can tell you don't care how traffic gets to the DMZ2, as long as it gets there.
    -> You can route it to the pfSense2 IP in the DMZ or in the LAN subnet.

    If you don't understand why a single route is enough you should read up on how routing and static routes work.

    We do what we must, because we can.

    Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

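As an added illustration of the point GruensFroeschli makes above (a router picks the next hop from the destination address alone, so the LAN host and the DMZ host both use the one static route, and a second route for the same destination with the same metric is refused), the following Python models pfSense1's routing table. This is example code written for this page, not pfSense's or any poster's code, and it models only the decision logic, not pf or the FreeBSD kernel. The addresses are the ones quoted in the thread; the /24 masks, the 193.0.2.0/24 stand-in for the masked public range and the upstream gateway 193.0.2.254 are assumptions.

```python
"""Toy destination-based routing table modelled on pfSense1 in this thread.

Constructed example: only the decision logic is modelled, not pf or the
FreeBSD kernel.  Addresses are those quoted in the thread; the /24 masks,
the 193.0.2.0/24 stand-in for the masked public range and the upstream
gateway 193.0.2.254 are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None = directly connected
    iface: str
    metric: int = 1


class RoutingTable:
    def __init__(self) -> None:
        self.routes: list[Route] = []

    def add(self, route: Route) -> None:
        # Mirrors the error gaxy hit: a destination that is already defined
        # with the same metric is refused, whichever interface it was entered
        # on, because the lookup key is the destination prefix alone.
        for r in self.routes:
            if r.dest == route.dest and r.metric == route.metric:
                raise ValueError(
                    f"destination {route.dest} already defined via "
                    f"{r.gateway or 'connected'} on {r.iface}"
                )
        self.routes.append(route)

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.IPv4Address(dst)
        matches = [r for r in self.routes if addr in r.dest]
        if not matches:
            return None
        # Longest prefix first, then lowest metric.
        return max(matches, key=lambda r: (r.dest.prefixlen, -r.metric))

    def forward(self, src: str, dst: str) -> Optional[tuple[str, str]]:
        """Return (egress interface, next hop) for a packet.

        `src` is accepted only to make the point explicit: the source
        address / ingress interface plays no part in the decision, so a
        LAN host and a DMZ host reach DMZ2 through the same single route.
        """
        r = self.lookup(dst)
        if r is None:
            return None
        next_hop = r.gateway if r.gateway is not None else ipaddress.IPv4Address(dst)
        return r.iface, str(next_hop)


def add_static(table: RoutingTable, dest: str, gateway: str, iface: str, metric: int = 1) -> None:
    """Convenience wrapper taking the strings one would type into the GUI."""
    table.add(Route(ipaddress.ip_network(dest), ipaddress.ip_address(gateway), iface, metric))


def build_pfsense1() -> RoutingTable:
    t = RoutingTable()
    for net, iface in (("193.0.2.0/24", "WAN"), ("192.168.1.0/24", "LAN"), ("172.16.0.0/24", "DMZ")):
        t.add(Route(ipaddress.ip_network(net), None, iface))  # connected networks
    # The one static route GruensFroeschli says is enough: DMZ2 via pfSense2's DMZ address.
    add_static(t, "172.16.3.0/24", "172.16.0.2", "DMZ")
    add_static(t, "0.0.0.0/0", "193.0.2.254", "WAN")  # assumed default route
    return t


def second_route_rejected(table: RoutingTable) -> bool:
    """True if the duplicate route gaxy tried to add (same dest via LAN) is refused."""
    try:
        add_static(table, "172.16.3.0/24", "192.168.1.2", "LAN")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    t = build_pfsense1()
    print("LAN host -> DMZ2:", t.forward("192.168.1.50", "172.16.3.10"))
    print("DMZ host -> DMZ2:", t.forward("172.16.0.50", "172.16.3.10"))
    print("duplicate via LAN rejected:", second_route_rejected(t))
```

Both `forward()` calls return the same `("DMZ", "172.16.0.2")`, which is why one entry is enough; the interface a packet arrived on never enters the lookup. The duplicate check only rejects an equal metric, following GruensFroeschli's wording, so a second entry with a worse metric is accepted but stays unused while the first one exists.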
gaxy (last edited Nov 6, 2008, 8:20 AM)

    Ok, I will have a look at this; maybe I can change everything to one firewall...

    Can someone tell me what the interface switch in the routing settings is for?

        If you don't understand why a single route is enough you should read up on how routing and static routes work.

    Until now I would say I know how routing works... but maybe I have to improve my knowledge. thx.
