4. Routing to another subnet off WAN interface

Routing to another subnet off WAN interface

  • G

    Below is (hopefully) a simplified diagram of the network layout I’m working with:

    7e9b74c3-db31-4c04-8207-9d15dd5f4777-image.png

    Servers A & B are in their own subnets, each with a pfSense instance providing NAT, with a default upstream gateway (WANGW) providing onward access to the Internet. This is working fine, and each server has in/outbound access to the Internet.

    What I’m trying to do, is allow Server A to access Server B using its internal address 192.168.20.19. To do this, I’ve done the following:

    1. On PF1, added a gateway (GW_PF2) pointing to PF2’s WAN interface (8.8.8.3)
    2. On PF1, added a floating rule:
      a. Action: pass
      b. Quick
      c. Interface: WAN
      d. Dir: Out
      e. Protocol: Any
      f. Source: Any
      g. Dest: 192.168.20.0/24
      h. Gateway: GW_PF2
    3. Changed Outbound NAT on PF1 to Hybrid Outbound NAT, and added a manual rule:
      a. Do not NAT: ticked
      b. Interface: WAN
      c. Source: 192.168.10.0/24
      d. Dest: 192.168.20.0/24
    4. Repeated steps 1, 2 & 3 on PF2

    This is almost working, if server A pings server B I can see the packets arrive. However, it seems that when PF2 receives Server B’s reply, it’s trying to forward the packet to PF2’s default gateway (8.8.8.1) rather than PF1.

    Am I missing a step? (I wondered if the reply-to state might be causing an issue?) Or is there a simpler way to achieve what I’m trying to do?

    Many thanks,

    0

  • Unless you are Google it is a very bad idea to use their IP space for your own use as a private LAN. You should not be using any public space IPs as a LAN.

    Things like VOIP can break easily.

    Set up a VPN instance between the two firewalls

    or connect the two firewalls via a third interface on each of them on a subnet such as 172.16.20.0/30. Then you can run something like RIP on them.

    0
  • LAYER 8 Netgate

    See this thread:
    https://forum.netgate.com/post/864715

    1
    G
     1 Reply

  • Why not configure IKEv2 site-to-site IPsec? It easy 5 minute job Karl!

    0
    G
     1 Reply
  • G

    @Derelict said in Routing to another subnet off WAN interface:

    See this thread:
    https://forum.netgate.com/post/864715

    Thanks - in particular this post https://forum.netgate.com/post/864578 made it all make sense.

    I sorted this out by removing the upstream gateway on the WAN interface itself, and relying on the default gateway in System->Routing. I then added a static route and gateway for the other subnet.

    I was then able to remove the floating rule so it all feels much cleaner now.

    I did go down a similar path during my testing, but don't think I realised that by removing the gateway on the WAN interface I needed to re-add the outbound NAT entries that would usually be created by the automatic rule generation for accessing the wider Internet.

    0
  • G

    @dragoangel said in Routing to another subnet off WAN interface:

    Why not configure IKEv2 site-to-site IPsec? It easy 5 minute job Karl!

    As the traffic is still on our network we didn't need the encryption/overhead of the VPN (traffic could be ~500 Mb/s). I did consider just a tunnel if I couldn't get the routing to work but have now got it sorted as above.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy