Can I pass 2+ gateways/routes through pfS for filtering while keeping them independent?
Say I want to use pfSense for filtering (or IDS, or DNSBL…) two default gateways for a downstream router. Devices should be addressable directly from anywhere within the network with their real address, or if translation is absolutely necessary, symmetric NAT is not allowed, therefore pfSense is allowed to NAT but all other devices aren't.
Some form of route selection should be available at the deepest router down the network — the one fed by pfSense — but additional to no NAT, there aren't any routing protocols in use. VRF is available on the intranet router but the end network is still the same and can't be masked so there's no conflict.
I made a little diagram to explain myself:
I ran into this problem while trying to do something silly, I think it was trying to be my own public DNS service, something really not practical in the days of Cloudflare and what not. Regardless, it's not the first time I've run into it. An easy fix would be just cloning pfSense so it's actually two appliances.
For a little moment I thought I had it: traffic going down if coming from a routable address and via one of its gateways should sort itself out. Now I only needed to be able to have all the gateways available at the lowest router — virtual IPs in a single subnet connecting pfSense and downstream, policy route based on incoming address straight to the WAN, except from the downstream router it sees this as Equal-Cost MultiPath, I believe VRF deals with this but I'm not sure what needs to be the NAT situation there. pfSense (and every upstream it) still need to reach downstream via any of the links.

Can this be solved with the available tools in pfSense? (except for routing protocols)
It seems unlikely but every time I run into it I think I've found the solution only to realize I had tried that before. And that, and that. At least with a firm negative I can leave it for good. :) Oh well...thanks in adv for any advice.
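The policy-routing half of the setup described in the post, written out in pf rule syntax as an added illustration (not the poster's configuration, and not a pfSense-generated ruleset): source-based `route-to` on the inside interface picks the WAN, `reply-to` on each WAN sends return traffic back out the interface it arrived on, and no `nat` rules exist so addresses stay end-to-end. Interface names, gateway addresses and the two public prefixes are assumed values chosen for the example.

```pf
# Assumed interface names and next-hop addresses (example values only)
wan1 = "igb0"
wan2 = "igb1"
lan  = "igb2"
wan1_gw = "203.0.113.1"
wan2_gw = "198.51.100.1"

# Public prefixes reachable through each upstream (constructed, documentation ranges)
isp1_net = "203.0.113.0/24"
isp2_net = "198.51.100.0/24"

# Deliberately no 'nat' or 'binat' rules: devices keep their real addresses.

# Upstream-bound traffic from the inside: the gateway is chosen from the source
# address, not from the routing table. In the pfSense GUI this is a LAN rule with
# the Gateway field set to the matching WAN gateway.
pass in quick on $lan route-to ($wan1 $wan1_gw) inet from $isp1_net to any keep state
pass in quick on $lan route-to ($wan2 $wan2_gw) inet from $isp2_net to any keep state

# Downstream-bound traffic arriving on a WAN: state is tagged with reply-to so the
# answer leaves by the same WAN it came in on. pfSense adds reply-to to WAN rules
# by default; it is only shown explicitly here.
pass in quick on $wan1 reply-to ($wan1 $wan1_gw) inet from any to $isp1_net keep state
pass in quick on $wan2 reply-to ($wan2 $wan2_gw) inet from any to $isp2_net keep state
```

These rules only cover gateway selection and symmetric return paths on the pfSense box itself; how the downstream router picks between the two next hops on the shared subnet (the ECMP concern raised in the post) is a separate question that nothing here settles.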