Static Routing same dest. diff. interface



  • Hi all

    I have the following situation:

                     WAN
                   /     \
            pfsense1       pfsense2 -------------+
        (193.x.x.1 WAN)    (193.x.x.2 WAN)       |
        (192.168.1.1 LAN)  (192.168.1.2 LAN)     |
        (172.16.0.1 DMZ)   (172.16.0.2 DMZ)      |
             |   |           |   |               |
             |   +----LAN----+   |               |
             +--------DMZ--------+               |
                                        (172.16.3.0 DMZ2)
                                               DMZ2

    On pfsense1 I tried to make 2 static routes:
    one:
    IF: LAN DestNet: 172.16.3.0 GW 192.168.1.2
    and
    IF: DMZ DestNet: 172.16.3.0 GW 172.16.0.2

    But it is not possible to make the second static route... I see a message that I have the same dest net already defined.
    I know that, but it's on a different interface.
    Is this a bug, or how can I handle this situation?

    I have to access the DMZ2 from the DMZ and from the LAN.

    Thanks GaXy



  • This is how routing works.
    As long as you are using static routes you cannot have the same destination over two routes with the same metric.

    What are you trying to accomplish?
    Failover in case one of the networks goes down?

    You can do this with a failover-pool and the proper firewall rule.



    Thanks for the answer.

    No, I'm not trying to do failover... I know about the load balancer thing.
    As you can see I have 2 pfSense boxes. For all workstations in the LAN and also for all
    servers in the DMZ, pfsense1 is the default gateway.

    It has to be possible to access the DMZ2 network from the LAN and also from the DMZ.
    This is why I would like to make 2 entries in the static routing.
    I mean, I can do this by entering the static route on every workstation by hand and the route for the DMZ via the firewall,
    but it is nicer when I can do this on the firewall.

    If this does not work like I think, what sense does the switch for the network interface on the static routing page make?

    Maybe you can give me a hint on how to handle this in another way?

    thx GaXy



  • @gaxy:

    No, I'm not trying to do failover... I know about the load balancer thing.
    As you can see I have 2 pfSense boxes. For all workstations in the LAN and also for all
    servers in the DMZ, pfsense1 is the default gateway.

    And what exactly are you using pfSense #2 for - except for the DMZ2?

    Wouldn't a setup with only one machine be less complicated and error prone?



  • Yes, I also think so, but this is still not possible :-)

    There are more things on pfsense2 (not only DMZ2), but this is not important for this problem.
    pfsense2 is for a housing network which has a lot of VLANs, VPNs… etc...

    Greetings GaXy



  • Sorry, but if those 2 pfSenses are neither load balancing nor backing each other up, then the layout is … sub-optimal.

    What happens if you switch off #1 and let #2 handle all the networks on its own?



  • As I said, it's still not possible.

    pfsense1 has a lot of servers in the DMZ; it's the main firewall for the LAN and for the hosting (DMZ) network.

    pfsense2 is the main firewall of the HOUSING network; normally these are 2 different networks.
    But now the developers would like to have access from the LAN to the HOUSING network (no problem via static routes).
    Also there are some servers (statistics….) in the DMZ which need access to the housing network via scp... (problem, because I cannot make the same dest network on different interfaces)

    Saludos GaXy



  • The design is shady.

    Why don't you stop bridging LAN and DMZ interfaces and create an IPsec or OpenVPN tunnel between the two WANs (depending on features needed; I tend to think you will use IPsec, since you can already filter on that interface). Define rules as needed. Should work pretty straightforwardly. Remember: KISS - keep it stupid simple!

    One thing might be that you have to change subnets on one of the boxes to allow routing between them.
    GruensFroeschli, are you listening? Do you comply?



  • I don't see where the problem is:

    The original question was: how do I add two static routes for the same destination?

    If you don't need failover, a single static route for DMZ2 on pfSense1 is enough.
    As far as I can tell you don't care how traffic to the DMZ2 gets there, as long as it gets there.
    -> You can route it to the pfSense2 IP in the DMZ or in the LAN subnet.

    If you don't understand why a single route is enough, you should read up on how routing and static routes work.
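
    A small model of the destination-keyed lookup this reply describes, added here as an illustration (not the poster's code and not pfSense's own): it refuses a second entry for an already defined prefix, as the first post reported, and shows that one route to 172.16.3.0/24 via either pfSense2 address serves packets from LAN and DMZ hosts alike, because the lookup never considers the ingress interface. The addresses are the thread's; the /24 prefix lengths are assumed.

```python
import ipaddress

# Constructed addressing following the thread: pfSense1 is the default gateway
# for LAN (192.168.1.0/24) and DMZ (172.16.0.0/24); pfSense2 sits in both
# (192.168.1.2 / 172.16.0.2) and fronts DMZ2 (172.16.3.0/24). /24 is assumed.

class Router:
    """Minimal destination-based forwarding table, as pfSense's static route
    page models it: the key is the destination prefix, nothing else."""

    def __init__(self, name, interfaces):
        self.name = name
        # interface name -> the connected network the router has an address in
        self.ifaces = {n: ipaddress.ip_interface(a).network for n, a in interfaces.items()}
        self.static = {}  # IPv4Network -> next-hop IPv4Address

    def egress_for(self, addr):
        """Interface whose connected network contains addr, else None."""
        addr = ipaddress.ip_address(addr)
        return next((n for n, net in self.ifaces.items() if addr in net), None)

    def add_static(self, dest, gateway):
        dest, gateway = ipaddress.ip_network(dest), ipaddress.ip_address(gateway)
        # The check the original poster hit: a second entry for an already
        # defined destination is refused. The ingress interface is not part of
        # the key, so "same destination, different interface" cannot exist.
        if dest in self.static:
            raise ValueError(f"{self.name}: {dest} already defined via {self.static[dest]}")
        if self.egress_for(gateway) is None:
            raise ValueError(f"{self.name}: gateway {gateway} is not on a connected network")
        self.static[dest] = gateway

    def lookup(self, dst):
        """Longest-prefix match; returns (egress interface, next hop) or None.
        The answer depends only on dst, never on where the packet came in."""
        dst = ipaddress.ip_address(dst)
        ifn = self.egress_for(dst)
        if ifn is not None:
            return ifn, dst  # directly connected: deliver to the host itself
        matches = [net for net in self.static if dst in net]
        if not matches:
            return None
        best = max(matches, key=lambda net: net.prefixlen)
        return self.egress_for(self.static[best]), self.static[best]

def build_pfsense1(gateway="192.168.1.2"):
    """pfSense1 with the one DMZ2 route; next hop = pfSense2's LAN or DMZ address."""
    pf1 = Router("pfsense1", {"LAN": "192.168.1.1/24", "DMZ": "172.16.0.1/24"})
    pf1.add_static("172.16.3.0/24", gateway)
    return pf1
```

    Calling build_pfsense1() and then lookup("172.16.3.10") gives ("LAN", 192.168.1.2) whether the packet arrived from a LAN workstation or a DMZ server; build_pfsense1("172.16.0.2") gives ("DMZ", 172.16.0.2) instead, which is the choice the reply leaves open.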



  • OK, I will have a look at this; maybe I can change everything to one firewall….

    Can someone tell me what the interface switch in the routing settings is for?

    If you don't understand why a single route is enough, you should read up on how routing and static routes work.

    Until now I would have said I know how routing works... but maybe I have to improve my knowledge. thx.

