PfSense - 1 Internet gateway + 1 MPLS - Static routes?

  • LAN---pfSense ( ---gateway---internet
    pfsense #2 ( (172.x.x.x.)---customer

    This is my current configuration.  All of my internet traffic flows over and uses our internal DNS servers.  However, I recently added an MPLS circuit direct to one of our customers.  They have a bunch of networks (192.168.3.x, 192.168.4, 10.0.1.x, etc., etc.) that I'd like to be able to talk to.  Currently, I have a small group of users using the pfSense #2, and they simply issue a bunch of "route add customerIP mask customerMask" so that they can hit machines at the various customer networks.  This works for a small group, but has some problems... 1) they have to run a script to do the route adds, 2) DNS doesn't work on the customer side, and 3) it doesn't scale at all... too many users to make this work ongoing.  Instead of users issuing the route adds, I'd like to just add an interface to the main pfSense box (e.g. opt1), and connect the gateway-MPLS directly to that.  And then issue static routes on the pfSense box to get users to the remote networks (like below) automatically.  It would be great if I could get DNS working (perhaps add a forwarder to my internal DNS server?).  The problem is, I don't know if this is a good solution, or if there is something better/different/more appropriate.  If you have any suggestions, I'd love to hear them.

    LAN---pfsense ( ---gateway --- internet
                |---------------------gateway MPLS (172.x.x.x.) --- customer

  • I see nothing wrong with it, it seems a very good solution, just remember to set the gateway on the IP configuration for your OPTx interface, and set rules, routes and such appropriately to allow (or dis-allow) access.

    The DNS issue, however, may be because the DNS doesn't have a route back to your network to reply to the DNS queries.

    If that's the case, even your forwarder would have a problem.  You'll also have to be prepared with static routes or routing on the pfSense #1 to handle any DNS resolved destination IP you get in reply to your query…
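The reply's last point, that every address the customer's DNS hands back must also be covered by a static route on pfSense #1 or it falls through to the default internet gateway, is easy to check before the routes go into the GUI. The following is an added example, not code from the thread or from pfSense: it models the route table as a list of (prefix, gateway) pairs, does the same longest-prefix match pfSense would, and reports which resolved addresses and which customer DNS server would leave via the wrong gateway. All addresses (172.16.0.1 for the MPLS gateway, 203.0.113.1 for the internet gateway, the customer subnets and the DNS answers) are constructed placeholders standing in for the "172.x.x.x" and "192.168.3.x / 10.0.1.x" values in the question. It only checks the pfSense side; the customer's return route back to your LAN, which the reply raises, has to be confirmed with them.

```python
import ipaddress

# Constructed placeholders for the gateways described in the thread.
MPLS_GW = "172.16.0.1"        # stands in for the "172.x.x.x" MPLS gateway
INTERNET_GW = "203.0.113.1"   # stands in for the default internet gateway

# Constructed static routes pfSense #1 would carry: one per customer network,
# plus the default route toward the internet.
STATIC_ROUTES = [
    ("192.168.3.0/24", MPLS_GW),
    ("192.168.4.0/24", MPLS_GW),
    ("10.0.1.0/24", MPLS_GW),
    ("0.0.0.0/0", INTERNET_GW),
]


def next_hop(dest, routes=STATIC_ROUTES):
    """Longest-prefix match: return the gateway pfSense would pick for dest."""
    addr = ipaddress.ip_address(dest)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def mpls_gaps(resolved_ips, routes=STATIC_ROUTES, mpls_gw=MPLS_GW):
    """Resolved customer addresses that would NOT leave via the MPLS gateway.

    Anything listed here needs a static route added on pfSense #1, otherwise
    traffic to it goes out the internet gateway and is dropped or answered
    by the wrong host.
    """
    return [ip for ip in resolved_ips if next_hop(ip, routes) != mpls_gw]


def reply_path_ok(dns_server_ip, routes=STATIC_ROUTES, mpls_gw=MPLS_GW):
    """A forwarder on the internal DNS only works if its queries to the
    customer's DNS server are routed over MPLS in the first place."""
    return next_hop(dns_server_ip, routes) == mpls_gw


if __name__ == "__main__":
    # Constructed DNS answers: two covered by static routes, one that is not.
    answers = ["192.168.3.10", "10.0.1.25", "10.0.2.7"]
    print("would leak to internet gateway:", mpls_gaps(answers))
    print("customer DNS reachable over MPLS:", reply_path_ok("10.0.1.53"))
```

Run it after editing STATIC_ROUTES to match the customer's network list; any address printed under "would leak" is a subnet still missing from System > Routing on pfSense #1, and a False for the DNS server means the forwarder itself would be sending queries out the internet gateway.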
