Static Route - Gateway - Firewall Rules - Question

PowerStrip · Jan 13, 2024, 1:35 PM

So I'm trying to set up a gateway and static route for a different network and not sure what firewall rules I need to setup or does pfsense set those automatically?

Current network is 192.168.50.X

2nd Gateway is the IP address of another switch which is 192.168.50.250

Static route I have setup is 172.30.0.0/16 and setup the gateway for it as 192.168.50.250

Is my Static Route setup correctly?

Do I need to create any firewall rules once I've applied the above configurations?

Below are screenshots of my settings and diagram

Thanks for your time and help!!

johnpoz · Jan 13, 2024, 1:51 PM

@PowerStrip that is going to end up with asymmetric traffic flow, seems you have devices on your transit/connector network.

If devices on your 192.168.50 network and your 172.30/16 network talk to each other you could run into problems.

Proper way to set that up is with a transit/connector network.

See in the diagram how there is a small network just used as transit.. the 172.26.1/29 network in the diagram

The other way to work around the problem is host routing on your devices in your 192.168.50 network pointing to 192.168.50.250 when they want to talk to 172.30/16

So they know to send traffic to 192.168.50.250 vs bouncing it off their gateway (pfsense)

edit: also notice note on drawing about firewall rules needed on your transit network interface. As long as your using automatic or hybrid outbound nat, when you create the route on pfsense to your downstream networks this network will be added to your outbound nat rules.

PowerStrip · Jan 13, 2024, 2:04 PM

@johnpoz Hi! i appreciate your quick response.

I'm noobish with network so please be easy on me =)

Transit/Connector Network

You mention in the diagram of the transit route of 172.26.1.1/29 which is 6 usable IPs
Why use a /29?
If my other network is 172.30.0.0/16 (similar to your diagram's 172.28.1.1/24) what would my transit network be and setup as? I guess i could use 172.26.1.1/29 but then how would that be setup in the environment? Would the 172.26.1.1/29 be setup in pfsense somewhere or that should be added to the destination switch where my 172.30.0.0/16 network lives on the otherside of the gateway i have as 192.168.50.250

edit: also notice note on drawing about firewall rules needed on your transit network interface. As long as your using automatic or hybrid outbound nat, when you create the route on pfsense to your downstream networks this network will be added to your outbound nat rules.

I thought so but appreciate the confirmation!

The other way to work around the problem is host routing on your devices in your 192.168.50 network pointing to 192.168.50.250 when they want to talk to 172.30/16

Are you talking about, for example, windows machine and updated the host file to add the static route? c:\Windows\System32\Drivers\etc\hosts

johnpoz · Jan 13, 2024, 2:26 PM

@PowerStrip said in Static Route - Gateway - Firewall Rules - Question:

Why use a /29?

you don't have to use a /29 you could use any size you want.. But since you only have 2 IPs on it, don't really need a /24.. But still allows for adding another router or 2 on the network.

A host file on windows is not a "route" you would add route via the route add command.

Use whatever network makes sense for you for your transit network.. It is an example drawing. Yes the whole point to a transit network is not overlapping with your current networks, no hosts on it.. You would add a network on your downstream router/switch - it would no longer have an interface in your 192.168.50 network.

PowerStrip · Jan 13, 2024, 4:24 PM

@johnpoz

I found the static route command you were mentioning and following this article:
https://www.howtogeek.com/22/adding-a-tcpip-route-to-the-windows-routing-table/

Transit Network

I plan to use 172.26.1.1/29 to keep things simple
I'm also confused as to where in pfsense i would put this transit route

For the destination switch that contains the 172.30.0.0/16 network:

The Corp Network is 192.168.50.0/24
Should the switch IP NOT be 192.168.50.250 as i have or should it be 172.26.1.X/29 and then add the Gateway of 172.26.1.1 in the pfsense Gateway Settings?

This is the vendor info i'm trying to follow for static route and gateway and not use the local route option as if the computer is powered down, the equipment will not work:
https://support.justaddpower.com/kb/article/246-static-route-configure-a-network-to-access-a-just-add-power-system/

johnpoz · Jan 13, 2024, 5:27 PM

@PowerStrip said in Static Route - Gateway - Firewall Rules - Question:

I plan to use 172.26.1.1/29 to keep things simple

that is not a network, that is a host address.. 172.26.1.0/29 would be a network .1 is an address on the network. If you meant to say that is the IP you going to use on pfsense.. Then ok. Then on your router/switch 172.26.1.2/29 would be its address

If you use a transit network, then you have no need to create a route on your machines on the 192.168.50 network.

PowerStrip · Jan 13, 2024, 9:10 PM

@johnpoz
I guess i'm confused about where to put the transit network 172.26.1.0/29 in pfsense with my LAN as it is and the Network 172.30.0.0/16 that exists.

What should the Gateway IP Address i would need to add in pfsense?

Would it be the 172.26.1.2?

What is the static route i need to add in pfsense?

Would I still put the static route of 172.30.0.0/16 with the Gateway of the previous entry above of 172.26.1.2?

johnpoz · Jan 13, 2024, 9:18 PM

@PowerStrip you need 2 IPs on the transit, pfsense IP and the switch (doing the routing) would need an IP.

This can be any actual physical network connection to a switch port, or a vlan.

Yes you would still need to create the route on pfsense.

How is it someone with what seems like zero understanding of routing wants to do routing on their switch for a HUGE freaking /16, which would seem to indicate a lot of downstream networks if using a /16 as the route..

PowerStrip · Jan 13, 2024, 10:19 PM

@johnpoz said in Static Route - Gateway - Firewall Rules - Question:

How is it someone with what seems like zero understanding of routing wants to do routing on their switch for a HUGE freaking /16, which would seem to indicate a lot of downstream networks if using a /16 as the route..

This is the configuration on the 172.30.0.0/16 that is required for the AV equipment (which i agree that the /16 is a ridiculous amount of IPs to have available)
https://support.justaddpower.com/kb/article/349-vlan-switching-protocol/

If devices on your 192.168.50 network and your 172.30/16 network talk to each other you could run into problems.

There is a controller on the 192.168.50.X network that does talk to a software that communicates to AV devices that are within the 172.30.0.0/16
There is communication but experiencing some packet loss when monitoring the Gateways which only the WAN and this 192.168.50.250 Gateway Exist