Netgate Discussion Forum

    Routing to another subnet off WAN interface

    Category: Routing and Multi WAN
    6 Posts, 4 Posters, 599 Views
    Gul

      Below is (hopefully) a simplified diagram of the network layout I’m working with:

      [network diagram image attached in the original post]

      Servers A & B are in their own subnets, each with a pfSense instance providing NAT, with a default upstream gateway (WANGW) providing onward access to the Internet. This is working fine, and each server has in/outbound access to the Internet.

      What I’m trying to do is allow Server A to access Server B using its internal address 192.168.20.19. To do this, I’ve done the following:

      1. On PF1, added a gateway (GW_PF2) pointing to PF2’s WAN interface (8.8.8.3)
      2. On PF1, added a floating rule:
        a. Action: pass
        b. Quick
        c. Interface: WAN
        d. Dir: Out
        e. Protocol: Any
        f. Source: Any
        g. Dest: 192.168.20.0/24
        h. Gateway: GW_PF2
      3. Changed Outbound NAT on PF1 to Hybrid Outbound NAT, and added a manual rule:
        a. Do not NAT: ticked
        b. Interface: WAN
        c. Source: 192.168.10.0/24
        d. Dest: 192.168.20.0/24
      4. Repeated steps 1, 2 & 3 on PF2

      This is almost working: if Server A pings Server B, I can see the packets arrive. However, it seems that when PF2 receives Server B’s reply, it’s trying to forward the packet to PF2’s default gateway (8.8.8.1) rather than PF1.

      Am I missing a step? (I wondered if the reply-to state might be causing an issue?) Or is there a simpler way to achieve what I’m trying to do?

      Many thanks,

    chpalmer

        Unless you are Google it is a very bad idea to use their IP space for your own use as a private LAN. You should not be using any public space IPs as a LAN.

        Things like VOIP can break easily.

        Set up a VPN instance between the two firewalls

        or connect the two firewalls via a third interface on each of them on a subnet such as 172.16.20.0/30. Then you can run something like RIP on them.

    Derelict (Netgate)

          See this thread:
          https://forum.netgate.com/post/864715

    dragoangel

             Why not configure IKEv2 site-to-site IPsec? It's an easy 5 minute job, Karl!

    Gul (replying to Derelict)

              @Derelict said in Routing to another subnet off WAN interface:

              See this thread:
              https://forum.netgate.com/post/864715

               Thanks; in particular, this post https://forum.netgate.com/post/864578 made it all make sense.

              I sorted this out by removing the upstream gateway on the WAN interface itself, and relying on the default gateway in System->Routing. I then added a static route and gateway for the other subnet.

              I was then able to remove the floating rule so it all feels much cleaner now.

               I did go down a similar path during my testing, but I don't think I realised that, by removing the gateway on the WAN interface, I needed to re-add the outbound NAT entries that would usually be created by the automatic rule generation for accessing the wider Internet.

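A check for the return-path problem Gul diagnosed and fixed above, added here as an example; it is not from the thread or from pfSense. It parses constructed text in the shape of `pfctl -sr` and `netstat -rn` output, modelled on PF1 with the thread's addresses (the interface name em0 and the exact rule text are assumptions), and flags an inbound WAN rule whose reply-to gateway would send replies for 192.168.20.0/24 somewhere other than the static route for that subnet.

```shell
# Added example, not from the thread or pfSense. Flags an inbound WAN rule whose
# reply-to gateway differs from the static route for the remote subnet, i.e. the
# asymmetric return path in the thread. Interface name em0 is an assumption.

# Constructed `pfctl -sr` lines before the fix: a gateway set on the WAN
# interface makes pfSense tag its rules with reply-to (em0 8.8.8.1).
RULES_BEFORE='pass in quick on em0 reply-to (em0 8.8.8.1) inet from 192.168.20.0/24 to 192.168.10.0/24 keep state label "USER_RULE"
pass out quick on em0 route-to (em0 8.8.8.3) inet from any to 192.168.20.0/24 keep state label "USER_RULE"'

# After removing the gateway from the WAN interface: no reply-to, so replies
# follow the routing table.
RULES_AFTER='pass in quick on em0 inet from 192.168.20.0/24 to 192.168.10.0/24 keep state label "USER_RULE"'

# Constructed `netstat -rn` output with the static route to PF2's subnet.
ROUTES='Destination        Gateway            Flags     Netif Expire
default            8.8.8.1            UGS         em0
192.168.20.0/24    8.8.8.3            UGS         em0'

# Gateway the routing table uses for a prefix (exact prefix match only).
route_gateway() { # $1 routes text, $2 prefix
  printf '%s\n' "$1" | awk -v p="$2" '$1 == p { print $2; exit }'
}

# Distinct reply-to gateways on inbound rules for an interface that match
# traffic from a given source prefix.
reply_to_gateways() { # $1 rules text, $2 iface, $3 source prefix
  printf '%s\n' "$1" | awk -v i="$2" -v s="$3" '
    $1 == "pass" && $2 == "in" && $0 ~ ("on " i " ") && $0 ~ ("from " s " ") {
      if (match($0, /reply-to \([a-z0-9]+ [0-9.]+\)/)) {
        split(substr($0, RSTART, RLENGTH), f, " "); sub(/\)/, "", f[3]); print f[3]
      }
    }' | sort -u
}

# 0 when replies to the remote prefix will follow the routing table,
# 1 when a reply-to on the WAN rule overrides it.
check_return_path() { # $1 rules, $2 routes, $3 remote prefix, $4 wan iface
  want=$(route_gateway "$2" "$3")
  for gw in $(reply_to_gateways "$1" "$4" "$3"); do
    if [ "$gw" != "$want" ]; then
      echo "rule on $4 sends replies to $3 via $gw, but the route says $want"
      return 1
    fi
  done
  return 0
}

check_return_path "$RULES_BEFORE" "$ROUTES" 192.168.20.0/24 em0 || echo "before fix: asymmetric"
check_return_path "$RULES_AFTER" "$ROUTES" 192.168.20.0/24 em0 && echo "after fix: symmetric"
```

On a live box the same functions can be fed `"$(pfctl -sr)"` and `"$(netstat -rn)"` instead of the constructed samples.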
    Gul (replying to dragoangel)

                @dragoangel said in Routing to another subnet off WAN interface:

                 Why not configure IKEv2 site-to-site IPsec? It's an easy 5 minute job, Karl!

                As the traffic is still on our network we didn't need the encryption/overhead of the VPN (traffic could be ~500 Mb/s). I did consider just a tunnel if I couldn't get the routing to work but have now got it sorted as above.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.