Netgate Discussion Forum

Static route alternative? Multiple LANs

Category: Routing and Multi WAN
stevemitchell (last edited Dec 12, 2009, 1:10 AM)

Hello,

I am using pfsense within a corporate environment between one lab environment, and the rest of the corporate network. Currently, I have a pretty gross config to maintain:

WAN - the "outside" network outside of the lab itself, where the rest of the corporate stuff lives. Currently my default gateway.
LAN - the lab itself, with its own huge router in it.
SYNC - sync for CARP
ADMIN - admin network specifically for managing the firewall

My problem right now is that there are routers on both sides of the WAN and LAN interfaces. This works great for the WAN interface since I simply have a default route pointing at it, and anything pfsense doesn't know about goes out to that router.

For the LAN interface, there's a router it's supposed to hand packets off to for everything inside the lab. pfsense is on its own small little network where the firewall lives. The problem here is that I have to go in and add static routes for over a hundred networks all pointing to the same gateway (the lab router).

I've tried using larger subnet definitions, and those don't seem to work well either.

Could I simply do this?

WAN - leave it
LAN - use this for administration only
OPT1 - call it something unique, and give it a default gateway of the lab network router. Packets coming from the WAN destined for a network might go to OPT1 if the routing table doesn't have an entry - this is the part I doubt will work. Routing is pretty simple - it would do a lookup for the address, not see a route for it, and likely do an ICMP unreachable on the WAN side. Or would it send it out OPT1?

What about policy based routing? Would this work? Adding a policy route in the inbound rule on the WAN interface that points to the lab router?

For now, I have the many subnets configured, but it sure isn't maintainable as we grow…

cmb (last edited Dec 13, 2009, 8:01 PM)

Policy routing doesn't alleviate the need for static routes in such an environment. You should always make sure your subnets are CIDR summarizable so you don't have to enter 100 routes to the same router, only one or a few at most. Details on CIDR summarization in the book. http://pfsense.org/book

stevemitchell (last edited Dec 13, 2009, 11:19 PM)
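An added example, not code from this thread or from pfSense, showing what cmb's advice looks like in practice for the situation in the first post. It collapses a constructed list of lab subnets to their exact CIDR summary with Python's standard ipaddress module, runs a longest-prefix-match lookup over the resulting table to show why a destination that no static route covers falls through to the WAN default route rather than to some other interface, and measures how much non-lab address space a hand-picked "larger subnet definition" would divert to the lab router. LAB_SUBNETS, LAB_ROUTER and WAN_GATEWAY are hypothetical values, not addresses from the thread.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample data, not taken from the thread: lab subnets as they might
# have been entered one static route at a time. All addresses are hypothetical.
LAB_SUBNETS = [
    "10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24",
    "10.10.4.0/24", "10.10.5.0/24", "10.10.6.0/24", "10.10.7.0/24",
    "10.10.8.0/22", "10.10.12.0/22",
    "10.20.0.0/24", "10.20.1.0/24",
    "192.168.50.0/24",
]
LAB_ROUTER = ipaddress.ip_address("10.200.0.2")   # assumed next hop on the LAN side
WAN_GATEWAY = ipaddress.ip_address("172.16.0.1")  # assumed default gateway on WAN

Network = ipaddress.IPv4Network
Route = Tuple[Network, ipaddress.IPv4Address, str]


def summarize(subnets: Iterable[str]) -> List[Network]:
    """Exact CIDR summarization. collapse_addresses merges only adjacent and
    overlapping blocks, so the result covers precisely the addresses given
    and nothing else (unlike a hand-picked larger mask)."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    return list(ipaddress.collapse_addresses(nets))


def build_table(lab_routes: Iterable[Network]) -> List[Route]:
    """Static routes for the lab, all via the lab router, plus the default route."""
    table: List[Route] = [(net, LAB_ROUTER, "LAN") for net in lab_routes]
    table.append((ipaddress.ip_network("0.0.0.0/0"), WAN_GATEWAY, "WAN"))
    return table


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific route containing dst wins.
    A destination no static route covers matches only 0.0.0.0/0 and goes to
    the default gateway; it is never sent out an interface that merely has
    a gateway configured on it."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)


def overreach(candidate: str, exact: Iterable[Network]) -> List[Network]:
    """Address space a hand-picked larger route would pull toward the lab
    router beyond the real lab subnets. A non-empty result means traffic
    for those ranges would no longer reach the WAN default gateway."""
    cand = ipaddress.ip_network(candidate, strict=True)
    leftover = [cand]
    for net in exact:
        if not net.subnet_of(cand):
            continue  # this lab block lies outside the candidate entirely
        pieces: List[Network] = []
        for piece in leftover:
            if net.subnet_of(piece):
                pieces.extend(piece.address_exclude(net))
            else:
                pieces.append(piece)
        leftover = pieces
    return sorted(leftover)


if __name__ == "__main__":
    summary = summarize(LAB_SUBNETS)
    print(f"{len(LAB_SUBNETS)} routes collapse to {len(summary)}:")
    for net in summary:
        print(f"  {net} via {LAB_ROUTER}")
    table = build_table(summary)
    for dst in ("10.10.9.77", "10.20.1.5", "10.30.0.1"):
        net, gw, iface = lookup(table, dst)
        print(f"  {dst} -> {net} via {gw} ({iface})")
    extra = overreach("10.0.0.0/8", summary)
    print(f"10.0.0.0/8 as one route would also capture {len(extra)} non-lab blocks")
```

With the sample data the thirteen routes collapse to three (10.10.0.0/20, 10.20.0.0/23 and 192.168.50.0/24), which is the "one or a few at most" cmb describes; the same function run over a real export of the lab's subnets gives the minimal route list for that address plan. The overreach check is the reason a loose supernet such as 10.0.0.0/8 "doesn't work well": it silently steals 22 blocks of corporate address space from the default route.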

That's what I figured. Thanks.

Yes, I inherited this mess from another person who is no longer with the company. We have gotten it down to a list of 10 or so routes of larger subnet masks, which should be better than 100 :)

stevemitchell (last edited Dec 13, 2009, 11:20 PM)

@cmb:

Details on CIDR summarization in the book. http://pfsense.org/book

Also, I bought the book last week and read the entire thing this weekend. Well done - and I did see the CIDR details in it as well.

Thanks!

cmb (last edited Dec 14, 2009, 12:02 AM)

@stevemitchell:

Yes, I inherited this mess from another person who is no longer with the company. We have gotten it down to a list of 10 or so routes of larger subnet masks, which should be better than 100 :)

Oh those are always fun. Well, at least you got it down to 10.

@stevemitchell:

Also, I bought the book last week and read the entire thing this weekend. Well done - and I did see the CIDR details in it as well.

Great, thanks!
