Netgate Discussion Forum
    Question about bridge and static routes

    Routing and Multi WAN
init0

Hi all,

First of all: I am new to this forum (so I hope I picked the right category), relatively new to pfSense but not new to firewalling and networking.
I discovered pfSense a couple of months ago and I think it's a really great firewall. I already deployed 23 installations (more to come) and am also planning to migrate all of my current firewalls (about 150 installations) to pfSense as well.
Of course I bought The Definitive Guide and already used it a lot, but here's a problem I couldn't solve so far. So I hope one of you might take a look and is able to help me get on the right track.

I'm not a good maker of network diagrams, so it's really ugly. But I made a diagram which helps to explain and visualize what I am trying to do. The diagram is attached to this post.

I have a server environment with several shared and dedicated (virtual) servers and naturally I need to be able to give access to these servers to several customers. In fact there are two types of customers: type A will connect through VPN and type B has a direct link.
The VPN customers make their VPN connection to a firewall (B) at my site using (mostly) IPsec. On the LAN side (OPT interfaces) of that firewall there's a tagged VLAN trunk, trunking all customers' subnets into a single link. All VLANs naturally use a different range.
This trunk goes to a switch where the direct links from customer type B also arrive. This switch trunks all arriving VLANs into a single link to a second firewall's (C) OPT interfaces.
These OPT interfaces are bridged to the LAN link (actually it's also a trunk into a single VLAN, but that shouldn't matter). This is because each VM can handle a maximum of 6 (VLAN) interfaces and a few are already used for SAN and Management.

So summarizing, firewall B is needed for the VPN tunnels and firewall C is needed to a) concentrate all links into a single VLAN and b) separate what traffic may go in which direction.

This works like a charm with a little - but important - but. I need to give the corresponding OPT interface of firewall C an IP address in the customer's VLAN. Only then can I add a static route to the customer's LAN using the OPT interface of firewall B as gateway. The servers, BTW, use IP addresses in the corresponding customer's VLANs.
So I configure an IP, save, then I configure the OPT interface as a bridge to LAN, save again and everything works like a charm. Everything means I can connect from the server(s) to the customers and vice versa.
As soon as the firewall reboots, however, this IP is lost; I guess because the interface is in bridging mode. But then of course the static route doesn't get added because the gateway is not in a known subnet.
I tried adding virtual IPs to either the OPT or the LAN interface, but neither will work (the IPs simply don't get configured).

What I want to configure should be possible, otherwise it wouldn't work before the reboot. So is there a way to make the setting permanent? I sleep a lot better knowing that everything comes up again after a power loss that lasts longer than half an hour…
Or am I doing something stupid and is there a way better way to solve this? Maybe this even has to do with bug #272?

Thanks in advance for taking the time to look at my problem.
If I wrote too confusingly or you need any more information, please let me know!

Greetings,
Jens
![pfSense Config.png](/public/imported_attachments/1/pfSense Config.png)

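The failure mode the post describes boils down to one rule: a static route is only installable when its gateway lies inside the subnet of some address that is actually configured on an interface. The following is an added example, not code from the poster or from pfSense; it models the post's topology with constructed addresses (firewall C's OPT1 and LAN, firewall B's OPT1 as gateway, a customer LAN behind it), checks each static route's gateway for an on-link interface, and then simulates the poster's reboot behaviour (addresses on bridge-member interfaces disappearing) to show which routes would no longer be installable. The "bridge members lose their address on reboot" behaviour is taken from the poster's description, not verified against pfSense itself.

```python
"""
Constructed example: on-link gateway check for static routes.

Models the situation in the forum post: firewall C has an OPT interface
bridged to LAN, with an address in the customer VLAN; the static route to
the customer LAN uses firewall B's OPT address as gateway. All addresses
below are made up for the example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    addresses: list = field(default_factory=list)  # "a.b.c.d/prefix" strings
    bridge_member: bool = False


@dataclass
class StaticRoute:
    destination: str  # CIDR of the remote network
    gateway: str      # next-hop IP address


def on_link_interface(gateway, interfaces):
    """Return the name of the first interface whose subnet contains the
    gateway, or None when no configured address makes the gateway on-link."""
    gw = ipaddress.ip_address(gateway)
    for iface in interfaces:
        for addr in iface.addresses:
            if gw in ipaddress.ip_interface(addr).network:
                return iface.name
    return None


def check_routes(interfaces, routes):
    """Map each route destination to the interface that makes its gateway
    reachable, or None if the route could not be installed."""
    return {r.destination: on_link_interface(r.gateway, interfaces) for r in routes}


def uninstallable_routes(interfaces, routes):
    """List the destinations whose static route has no on-link gateway."""
    return [dest for dest, via in check_routes(interfaces, routes).items() if via is None]


def simulate_reboot(interfaces):
    """Model the behaviour the poster reports: after a reboot, addresses on
    bridge-member interfaces are gone, other interfaces keep theirs."""
    return [
        Interface(i.name, [] if i.bridge_member else list(i.addresses), i.bridge_member)
        for i in interfaces
    ]


# Constructed state of firewall C before the reboot (hypothetical addresses).
FIREWALL_C_BEFORE = [
    Interface("lan", ["10.0.0.1/24"]),
    # OPT1 carries the customer VLAN and is bridged to LAN; 10.10.1.2 is the
    # address the poster has to add by hand so the route can be installed.
    Interface("opt1", ["10.10.1.2/24"], bridge_member=True),
]

# Static route to the customer LAN via firewall B's OPT address (constructed).
ROUTES = [StaticRoute("192.168.50.0/24", "10.10.1.1")]

FIREWALL_C_AFTER = simulate_reboot(FIREWALL_C_BEFORE)

BEFORE = check_routes(FIREWALL_C_BEFORE, ROUTES)   # {"192.168.50.0/24": "opt1"}
AFTER = check_routes(FIREWALL_C_AFTER, ROUTES)     # {"192.168.50.0/24": None}

if __name__ == "__main__":
    print("before reboot:", BEFORE)
    print("after reboot: ", AFTER)
    print("routes that would be missing after reboot:",
          uninstallable_routes(FIREWALL_C_AFTER, ROUTES))
```

Run the script as-is to see the route resolve via `opt1` before the simulated reboot and fail afterwards; the same `check_routes` call can be fed the real interface addresses and static routes of a box (for example after a reboot) to confirm whether every configured route still has an on-link gateway.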

      © 2021 Rubicon Communications, LLC | Privacy Policy