VLANs and asymmetric routing: suggestions?

    Hi all,
    my network has a quite strange setup that I'll fix one day (hopefully soon, but not today). My pfsense box has an interface running three VLANs, which are working, but the pfsense machine is not the only router on the network: there is also a Zyxel Zywall 5 that is working as a VPN gateway to my factory partners. The zywall can be seen on each VLAN (i.e., it is multi-homed) and must be used as the gateway for certain subnets. The problem is that I cannot set up static routing from each VLAN to the destination network, since pfsense allows me to specify only one entry in the routing table. Please note that the zywall will do asymmetric routing, since clients will go out using the pfsense machine as gateway and the traffic will come back through the zywall.
    The network is the following:

       pfsense --> (WAN) internet
                    --> (rl0) ---->  | network1 | <---> zywall
                                     | network2 | <---> zywall
                                     | network3 | <---> zywall
                    --> (nfe0) not used now

    I hope to exclude one day the zywall so that the pfsense will be the only gateway for both internet and vpn traffic, but until that day I need to keep the zywall working.
    So possible solutions I thought about are:

    1. define the zywall as gateway for each VLAN interface and add rules into the firewall to forward traffic to the internet via the WAN interface;
    2. attach the zywall to the third pfsense interface (nfe0) and define a network class for them in order to use that network as a routing network to reach the zywall (but I don't know if the zywall will work fine with NATed traffic through the VPN);
    3. enable RIP on both the zywall and the pfsense machine to see if clients can get the routing table for all networks.

    What is the best solution? I prefer option 2, but I'd like to get some opinions about this situation and, if someone has already done it, whether I can eliminate the zywall now by using the pfsense machine to connect to the other zywall VPN concentrators, so as to remove the problem.