Need help with static routing please

authenticx · Mar 4, 2024, 11:52 PM

I have a DR environment that I replicate production to. The subnet in DR is the same as production thus I have it isolated in a VLAN. I need the isolated servers to be able to communicate with one domain controller outside hte VLAN and teh static route I am trying to use is not directing hte traffic. I tried a flaoting fw rule as well but I know there must be something I am missing.

Basically all teh DR servers communicate through a PFSense Virtual appliance that has an interface for the isolated newtork and an interface on the network for the virtual environment in that site. There are mapped physical connections from the ESXI hosts to ports on a switch that are teh VLAN for this network. On hte other side is an AS400 with an IP of the DR subnet. Traffic from the servers to teh AS400 through the VLAN is fine but I need the servers to be able to hit a domain controller in the vm environment.

So the WAN interface of the PFSense virtual appliance is on the "production netowrk" in this site. The DR interface is for the DR subnet in the VLAN. All untagged. The trafficis isolated and the servers brought up for DR can communicate with eachother and accross to the AS400 while not being able to get out to any other network i the company. This is good except I am trying to specify traffic from the DR network destined for one doain controller IP 10.100.70.46 to use the WAN gateway but that is not working. I tried also to check the Bypass firewall rules for traffic on the same interface as well as use a floating fw rule like I mentioned before but I can't seem to find the right piece of the puzzle.

The catch is, in order to keep the DR network traffic isolated, I have to have an upstream gateway assigned to the DR NET interface of 10.100.50.1 otherwise the default routing allows the DR traffic to escape.

I wish I could paste a screenshot of how this looks for betetr illustration but it is not allowing me to do so. If anyone that reads this has an idea of what I may be missing, any advice is appreciated.

Or to simplify, if I can block all traffic from the DR Net to anything except teh domain controller IP using firewall rules that would suffice too but I have layed with that and even rules that I think should work or if I use an inverted pass rule it either doesn't work or cuts off my access to teh web interface and I have to use pfctl -d from command line to get back in.

SteveITS · Mar 5, 2024, 12:29 AM

@authenticx You may need upvotes to post…here’s one.

If the subnets are different and pfSense controls all of them then it should be easy, and dependent only on firewall rules.

An IP in “my” subnet isn’t going to go to my gateway without a static route on that client device. And even then the router would probably think the IP should stay on that interface.

I would just use rules, something like this on DR interface:
Allow from DR Net to This Firewall port 53 tcp/udp
[reject from DR net to 22/80/443]*
Allow from (Server2) to (DC IP)
Reject from (server2) to any
adjust as desired

*redundant in you case because no allow all

heper · Mar 5, 2024, 8:31 AM

@authenticx said in Need help with static routing please:

The subnet in DR is the same as production thus I have it isolated in a VLAN.

if both subnet's are the same, then you can not route between them.