Using two gateways on the same time (dmz, internet)



  • Hey guys,

    my network looks like this: ISP DSL Router + DHCP Server –> Home Net (192.168.2.x) --> PFSENSE (192.168.2.3, 192.168.3.1) --> DMZ (192.168.3.x)

    When I want to access my webserver in the dmz from the home net, I need to change the default gateway on my computer to 192.168.2.3(pfsense ip). If I do this, I cannot access the internet anymore, as the default gateway in the home net is my isp router 192.168.2.1

    Is there a way to have access to both, the dmz and the internet? It is really a pain to change the gateway every time I want to update the files on my webserver...

    Thanks in advance,

    Johnny


  • Rebel Alliance Global Moderator

    Your network is asymmetrical with your homenet being on the transit network.

    Fix your problem by putting homenet behind pfsense on its own vlan/network..

    So your saying pfsense is not natting?  If it was natting then you would access something on 192.168.3 by hitting pfsense 192.168.2.x address and port forwarding on pfsense to what you want to get to behind pfsense.

    If pfsense is not natting and your natting to public (internet) is happening at your isp dsl router, then for devices on a transit network to get to downstream network and not be asymmetrical you would have to put a route on your host(s) in the transit telling them to get to 192.168.3 talk to 192.168.2.3 (pfsense)..



  • I'm rather confused by the point of this setup but ignoring that I'd say the problem is that you need a firewall rule allowing traffic between 192.168.3.x network and 192.168.2.x network.



  • Thank you for your reply!

    @johnpoz:

    Fix your problem by putting homenet behind pfsense on its own vlan/network..

    This would work but for a couple of reasons I do not want to do that.

    @johnpoz:

    So your saying pfsense is not natting?  If it was natting then you would access something on 192.168.3 by hitting pfsense 192.168.2.x address and port forwarding on pfsense to what you want to get to behind pfsense.

    This sounds like a possible solution! I want to access the webserver via scp on port 22 via WinSCP. So I redirected this port with TCP protocol to my webserver. Unfortunately when I try to connect to the destination ip it times out…
    @johnpoz:

    If pfsense is not natting and your natting to public (internet) is happening at your isp dsl router, then for devices on a transit network to get to downstream network and not be asymmetrical you would have to put a route on your host(s) in the transit telling them to get to 192.168.3 talk to 192.168.2.3 (pfsense)..

    I will also try this solution as I am accessing the webserver only by a specific host
    @nycfly:

    I'm rather confused by the point of this setup but ignoring that I'd say the problem is that you need a firewall rule allowing traffic between 192.168.3.x network and 192.168.2.x network.

    My Home Network is allowed to access any other network already..Im using pfsense right now only to have a dmz and a different guest networks (did not mention them before as they are not relevant here)



  • In Windows

    route ADD 192.168.3.0 MASK 255.255.255.0 192.168.2.3
    

    did the job, thanks for you help! :D


  • Rebel Alliance Global Moderator

    "This would work but for a couple of reasons I do not want to do that."

    Like what??

    Adding a host route is still borked setup.. What your calling a DMZ is not really a dmz as you have it.. And DMZ is just a firewalled segment anyway..  Putting all your networks "behind" pfsense make for much easier to manage cleaner setup..



  • @johnpoz:

    "This would work but for a couple of reasons I do not want to do that."

    Like what??

    The ISP Router allows traffic prioritization für specific IPs. So my computer has to be in this network, otherwise the ISP Router would just see the PfSense IP which would then consume all the bandwidth all the time…This is the main reason.

    @johnpoz:

    Adding a host route is still borked setup.. What your calling a DMZ is not really a dmz as you have it.. And DMZ is just a firewalled segment anyway..  Putting all your networks "behind" pfsense make for much easier to manage cleaner setup..

    Basically the firewalled segment is even more secure than a real dmz as only certain ports are opened on my router and redirected via double nat to my webserver. Or am I missing something here?


  • Rebel Alliance Global Moderator

    "otherwise the ISP Router would just see the PfSense IP which would then consume all the bandwidth all the time…This is the main reason. "

    Doesn't have to be that way... You could create multiple VIPs on the transit network and use the different ones for different things.  So your "dmz" as your calling it could still be behind pfsense.  And so could your PC, and it would have different IP on the transit network then the IPs on your dmz..

    You have a asymmetrical setup - plain and simple no matter how you look at it is BORKED!

    also your double nat doesn't make it any more secure!!  If that was the case why don't you quadruple nat it be 4x as secure ;)

    If you want your IP to have higher priority why not just do it in pfsense and not even double nat.. Can you not just put your isp router in bridge mode?  So pfsense has a public IP on its wan?