1. Home
  2. pfSense® Software
  3. Routing and Multi WAN
  4. Routing between DMZ and GW both using a subnetted range

Routing between DMZ and GW both using a subnetted range

  • A

    Hi all, We have a new installation of a pair of pfSense boxes running CARP to replace a single Cisco ASA.
    We have LAN/DMZ/GW interfaces, the LAN is 192.168.x.x/24 with NAT translation working ok to GW interface and out to internet all ok, however we have one /27 Network assigned 213.122.xxx.xxx by ISP and we have sub-netted this down to two /28's one half of this network is used on the GW interface and on the upstream providers managed router and for other LAN endpoints that can use NAT. We have on the DMZ the second /28 and some hosts (PBX) off a separate switch with public IP within that same /28 however we cant seem to get the DMZ /28 to route traffic out of the GW /28? We have checked all the masks are correct and no overlapping. There is only one default route on the pfsense pointing out of GW.

    i hope i have explained this well enough!

    0
  • JeGr
    LAYER 8 Moderator

    @andrew-frowen said in Routing between DMZ and GW both using a subnetted range:

    There is only one default route on the pfsense pointing out of GW.

    Did you tell your Upstream/ISP, that you are segmenting the /27 into two /28 subnets? Does he route the second half to your pfSense IP in the first half? If not you'll encounter a routing error. If you have that /27 routed to you via a transfer network, that is another case, but as that wasn't mentioned I suppose you have your GW in the same /27 network that your pfSense is (the first /28 now)?

    1
  • A

    Hi Thanks for the help. We have one 213.122.167.xxx/27 assigned by BT and this is all routed to our GW interface. We have then split this into 2x /28's

    0
  • JeGr
    LAYER 8 Moderator

    @andrew-frowen said in Routing between DMZ and GW both using a subnetted range:

    this is all routed to our GW interface

    So it is routed via a transfer network, something different that the IPs in the /27?

    If that's the case:

    • How have you configured WAN & DMZ interfaces of pfSense
    • What's the GW setting on the DMZ Host
    • What's your GW on the WAN side
    • Are there rules in Outbound NAT?
    1 A 1 Reply
  • A

    @JeGr said in Routing between DMZ and GW both using a subnetted range:

    What's the GW setting on the DMZ Host

    Hi, I will try and answer your questions bwlow-

    • How have you configured WAN & DMZ interfaces of pfSense
      The WAN interface has xxx.xxx.34 and the ISP router has xxx.xxx.xxx.33 all in 255.255.255.224 (/27) bit boundary is .32 Network, however I am unsure if the mask on the ISP side is 255.255.255.255 but the mask on our GW interface is 255.255.255.240 (/27)
      We are also unsure how the ISP is routing the /27 network to us and could either be next hop or out of ETH0 as its cisco

    • What's the GW setting on the DMZ Host
      The GW setting on the DMZ host xxx.xxx.xxx.52 /28 is the DMZ CARP address xxx.xxx.xxx.49 /28

    • What's your GW on the WAN side
      WAN GW is the ISP Interface xxx.xxx.xxx.33 (not sure is this is host 255 or /27 224)

    • Are there rules in Outbound NAT?
      Yes, to block IP originating from DMZ to WAN

    0
  • JeGr
    LAYER 8 Moderator

    @andrew-frowen said in Routing between DMZ and GW both using a subnetted range:

    The WAN interface has xxx.xxx.34 and the ISP router has xxx.xxx.xxx.33 all in 255.255.255.224 (/27) bit boundary is .32 Network, however I am unsure if the mask on the ISP side is 255.255.255.255 but the mask on our GW interface is 255.255.255.240 (/27)

    That's what I asked above! If your ISP has your Gateway in the same network (/27) as your IP range, then it's not routed to you (via transfer net). They have to change their netmask in the gateway device from /27 to /28 and route the other half of that /28 to your .34 WAN IP. Without them changing their netmask - and no I don't think they have anything configured with /32 (why should they?) - your configuration won't work, as the traffic won't hit your pfSense WAN interface on the way in.

    0 A 1 Reply
  • A

    @JeGr

    Understood, would as an alternative to sub-netting the /27 down, we use bridging on the DMZ interface using the same /27 subnet?

    0 JeGr 1 Reply
  • JeGr
    LAYER 8 Moderator

    @andrew-frowen said in Routing between DMZ and GW both using a subnetted range:

    , we use bridging on the DMZ interface using the same /27 subnet?

    Nope, if it can be avoided, don't bridge. Just tell them to split the /27 in 2x/28 and route the second half to the IP you communicate (.34)

    0
  • johnpoz
    LAYER 8 Global Moderator

    Yeah you need them to route the network to you via just directly attaching you via the bigger network.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy