Question about bridge and static routes



  • Hi all,

    First of all: I am new to this forum (so I hope I picked the right category), relatively new to pfSense but not new to firewalling and networking.
    I discovered pfSense a couple of months ago and I think it's a really great firewall. I already deployed 23 installations (more to come) and am also planning to migrate all of my current firewalls (about 150 installations) to pfSense as well.
    Of course I bought The Definitive Guide and already used it a lot, but here's a problem I couldn't solve so far. So I hope one of you might take a look and is able to help me to get on the right track.

    I'm not a good maker of network diagrams, so it's really ugly. But I made a diagram which helps to explain and visualize what I am trying to do. The diagram is attached to this post.

    I have a server environment with several shared and dedicated (virtual) servers and naturally I need to be able to give access to these servers for several customers. In fact there are two types of customers: type A will connect through VPN and type B has a direct link.
    The VPN customers make their VPN connection to a firewall (B) at my site using (mostly) IPSec. On the LAN side (OPT interfaces) of that firewall there's a tagged VLAN trunk, trunking all customers' subnets into a single link. All VLANs naturally use a different range.
    This trunk goes to a switch where also the direct links from customer type B arrive. This switch trunks all arriving VLANs into a single link to a second firewall's (C) OPT interfaces.
    These OPT interfaces are bridged to the LAN link (actually it's also a trunk into a single VLAN, but that shouldn't matter). This is because each VM can handle up to a maximum of 6 (VLAN) interfaces and a few are already used for SAN and Management.

    So summarizing, firewall B is needed for the VPN tunnels and firewall C is needed to a) concentrate all links into a single VLAN and b) separate what traffic may go into which direction.

    This works like a charm with a little - but important - but. I need to give an IP address in the customer's VLAN on the corresponding OPT interface of firewall C. Only then can I add a static route to the customer's LAN using the OPT interface of firewall B as gateway. The servers, BTW, use IP addresses in the corresponding customer's VLANs.
    So I configure an IP, save, then I configure the OPT interface as bridge to LAN, save again and everything works like a charm. Everything means I can connect from the server(s) to the customers and vice versa.
    As soon as the firewall reboots this IP is however lost; I guess because the interface is in bridging mode. But then of course the static route doesn't get added because the gateway is not in a known subnet.
    I tried adding virtual IPs to either the OPT or the LAN interface, but neither will work (the IPs simply don't get configured).

    What I want to configure should be possible, otherwise it wouldn't work before the reboot. So is there a way to make the setting permanent? I sleep a lot better knowing that everything comes up again after a power loss that lasts longer than half an hour…
    Or am I doing something stupid and is there a way better way to solve this? Maybe this even has to do with bug #272?

    Thanks in advance for taking the time to look at my problem.
    If I wrote too confusingly or you need any more information, please let me know!

    Greetings,
    Jens
    ![pfSense Config.png](/public/imported_attachments/1/pfSense Config.png)
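The core of the problem above is that a static route is only installable when its gateway lies on a directly connected subnet, and the manually set IP on the bridged OPT interface disappears after a reboot. The following Python script is an added example (not code from the post, from pfSense, or from the Definitive Guide) that reproduces that check offline: it takes a snapshot of interface addresses, tells you which static routes would fail because no configured subnet contains their gateway, and compares a pre-reboot and post-reboot snapshot to list the addresses that were lost. All interface names, subnets, and gateways are constructed sample values; on a real box you would fill the dictionaries from `ifconfig` and the configured routes.

```python
import ipaddress

# Constructed sample: interface addresses as they look after a reboot.
# OPT1 is a bridge member, so the address set by hand before the reboot
# is gone; everything else came back. All values are examples.
INTERFACES_AFTER_REBOOT = {
    "lan":  ["10.0.0.1/24"],
    "opt1": [],                  # bridged to LAN; manual IP lost on reboot
    "opt2": ["10.20.0.1/24"],    # direct-link customer VLAN, address restored
}

# Constructed static routes: customer LAN -> next-hop gateway.
# The first one points at firewall B's OPT address, reached via OPT1.
STATIC_ROUTES = [
    {"network": "192.168.10.0/24", "gateway": "10.10.0.2"},
    {"network": "192.168.20.0/24", "gateway": "10.20.0.2"},
]


def connected_interface(gateway, interfaces):
    """Return the interface whose configured subnet contains `gateway`, or None.

    A static route can only be installed when its gateway is directly
    reachable, i.e. inside a subnet configured on some interface. This is
    the 'gateway is not in a known subnet' condition from the post.
    """
    gw = ipaddress.ip_address(gateway)
    for name, addrs in interfaces.items():
        for cidr in addrs:
            if gw in ipaddress.ip_interface(cidr).network:
                return name
    return None


def check_static_routes(routes, interfaces):
    """Return (network, gateway, reason) for every route that would fail."""
    problems = []
    for route in routes:
        if connected_interface(route["gateway"], interfaces) is None:
            problems.append((route["network"], route["gateway"],
                             "gateway not on any configured subnet"))
    return problems


def addresses_lost(before, after):
    """Diff two interface snapshots; return {iface: [addresses missing now]}."""
    lost = {}
    for name, addrs in before.items():
        missing = [a for a in addrs if a not in after.get(name, [])]
        if missing:
            lost[name] = missing
    return lost


if __name__ == "__main__":
    # Constructed pre-reboot snapshot: OPT1 still carried its manual address.
    before_reboot = dict(INTERFACES_AFTER_REBOOT, opt1=["10.10.0.1/24"])

    for iface, addrs in addresses_lost(before_reboot, INTERFACES_AFTER_REBOOT).items():
        print(f"{iface}: address(es) lost after reboot: {', '.join(addrs)}")
    for net, gw, why in check_static_routes(STATIC_ROUTES, INTERFACES_AFTER_REBOOT):
        print(f"route {net} via {gw} will not install: {why}")
```

Run against the pre-reboot snapshot both routes pass; against the post-reboot snapshot the script reports OPT1's lost address and flags the route to 192.168.10.0/24, which is exactly the failure chain the post describes. Running such a check from a post-boot hook (or simply by hand after a test reboot) confirms whether a persistence fix actually survives a power loss before relying on it.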

