Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Question about bridge and static routes

    Scheduled Pinned Locked Moved Routing and Multi WAN
    1 Posts 1 Posters 1.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • I
      init0
      last edited by

      Hi all,

      First of all: I am new to this forum (so I hope I picked the right category), relatively new to pfSense but not new to firewalling and networking.
      I discovered pfSense a couple of months ago and I think it's a really great firewall. I already deployed 23 installations (more to come) and am also planning to migrate all of my current firewalls (about 150 installations) to pfSense as well.
      Of course I bought The Definitive Guide and already used it a lot, but here's a problem I couldn't solve so far. So I hope one of you might take a look and is able to help me to get on the right track.

      I'm not a good maker of network diagrams, so it's really ugly. But I made a diagram which helps to explain and visualize what I am trying to do. The diagram is attached to this post.

      I have a server environment with several shared and dedicated (virtual) servers and naturally I need to be able to give access to these servers for several customers. In fact there are two types of customers: type A will connect through VPN and type B has a direct link.
      The VPN customers make their VPN connection to a firewall (B) at my site using (mostly) IPSec. On the LAN side (OPT interfaces) of that firewall there's a tagged VLAN trunk, trunking all customer's subnets into a single link. All VLANs naturally use a different range.
      This trunk goes to a switch where also the direct links from customer type B arrive. This switch trunks all arriving VLANs into a single link to a second firewall's (C) OPT interfaces.
      These OPT interfaces are bridged to the LAN link (actually it's also a trunk into a single VLAN, but that shouldn't matter). This is because each VM can handle up to a maximum of 6 (VLAN) interfaces and a few are already used for SAN and Management.

      So summarizing, firewall B is needed for the VPN tunnels and firewall C is needed to a) concentrate all links into a single VLAN and b) separate what traffic may go into which direction.

      This works like a charm with a little - but important - but. I need to give an IP address in the customer's VLAN on the corresponding OPT interface of firewall C. Only then I can add a static route to the customer's LAN using the OPT interface of firewall B as gateway. The servers use BTW IP addresses in the corresponding customer's VLANs.
      So I configure an IP, save, then I configure the OPT interface as bridge to LAN, save again and everything works like a charm. Everything means I can connect from the server(s) to the customers and vice versa.
      As soon as the firewall reboots this IP is however lost; I guess because the interface is in bridging mode. But then of course the static route doesn't get added because the gateway is not in a known subnet.
      I tried adding virtual IP's to either the OPT and the LAN interface, but none will work (the IP's simply don't get configured).

      What I want to configure should be possible, otherwise it wouldn't work before the reboot. So is there a way to make the setting permanent? I sleep a lot better knowing that everything comes up again after a power loss that lasts longer than half an hour…
      Or am I doing something stupid and is there a way better way to solve this? Maybe this even has to to with bug #272?

      Thanks in advance for taking the time to look at my problem.
      If I wrote too confusing or you need any more information, please let me know!

      Greetings,
      Jens
      ![pfSense Config.png](/public/imported_attachments/1/pfSense Config.png)
      ![pfSense Config.png_thumb](/public/imported_attachments/1/pfSense Config.png_thumb)

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.