Netgate Discussion Forum

    VLANs and asymmetric routing: suggestions?

    Routing and Multi WAN
    1 Posts 1 Posters 2.9k Views

      fluca1978
      last edited by

      Hi all,
      my network has a quite strange setup that I'll fix one day (hopefully soon, but not today). My pfSense box has an interface running three VLANs, which are working, but the pfSense machine is not the only router on the network: there is also a Zyxel ZyWALL 5 that is working as the VPN gateway to my factory partners. The ZyWALL can be seen on each VLAN (i.e., it is multi-homed) and must be used as a gateway for certain subnets. The problem is that I cannot set up static routing from each VLAN to the destination network, since pfSense allows me to specify only one entry in the routing table. Please note that the ZyWALL will do asymmetric routing, since clients will go out using the pfSense machine as gateway and the traffic will come back through the ZyWALL.
      The network is the following:

         pfsense --> (WAN) internet
                 --> (rl0) ----> | network1 | <---> zywall
                                 | network2 | <---> zywall
                                 | network3 | <---> zywall
                 --> (nfe0) not used now


      I hope to remove the ZyWALL one day, so that pfSense will be the only gateway for both internet and VPN traffic, but until that day I need to keep the ZyWALL working.
      So possible solutions I thought about are:

      1. define the ZyWALL as the gateway for each VLAN interface and add rules to the firewall to forward traffic to the internet via the WAN interface;
      2. attach the ZyWALL to the third pfSense interface (nfe0) and define a network class for them, in order to use that network as a routing network to reach the ZyWALL (but I don't know if the ZyWALL will work fine with NATed traffic through the VPN);
      3. enable RIP on both the ZyWALL and the pfSense machine to see if clients can get the routing table for all networks.

      What is the best solution? I prefer option 2, but I'd like to get some opinions about this situation and, if someone has already done it, whether I can eliminate the ZyWALL now by using the pfSense machine to connect to the other ZyWALL VPN concentrators, so as to remove the problem.

      Thanks

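The asymmetric path the post describes (client SYN leaves through pfSense as the default gateway, the reply comes back through the ZyWALL, which never saw the SYN) is exactly what a stateful filter cannot track. The following is an added example, not code from the post, from pfSense or from Zyxel: a deliberately simplified model in which each filter sees only the packets that the routing sends through it, with constructed addresses and ports, contrasting a strict state table (state only created by a SYN) with a "sloppy" one that accepts mid-stream packets.

```python
# Added example (not from the original post, pfSense or the ZyWALL): a toy
# stateful TCP filter used to show why an asymmetric forward/return path
# breaks connection tracking. Hosts, addresses and ports are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags as a short string: "S" (SYN), "SA" (SYN-ACK), "A"


class StatefulFirewall:
    """Minimal model of a stateful TCP filter.

    strict (default): a state is created only by a SYN; any other packet
    without a matching state is dropped, as a default 'keep state' rule does.
    sloppy: a mid-stream packet may also create a state, roughly what pf's
    'sloppy' state option allows, at the cost of weaker TCP tracking.
    """

    def __init__(self, name, sloppy=False):
        self.name = name
        self.sloppy = sloppy
        self.states = set()

    @staticmethod
    def _key(pkt):
        # Direction-agnostic key so a reply matches the state its SYN created.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def filter(self, pkt):
        key = self._key(pkt)
        if key in self.states:
            return "pass"
        if pkt.flags == "S" or self.sloppy:
            self.states.add(key)
            return "pass"
        return "drop"


# Constructed hosts: a client on one VLAN and a partner host reached over the VPN.
CLIENT, PARTNER = "192.0.2.10", "198.51.100.20"
SYN = Packet(CLIENT, PARTNER, 40000, 443, "S")
SYN_ACK = Packet(PARTNER, CLIENT, 443, 40000, "SA")


def symmetric_path():
    """Both directions cross the same filter: the reply matches the state."""
    fw = StatefulFirewall("pfsense")
    return [fw.filter(SYN), fw.filter(SYN_ACK)]


def asymmetric_path(zywall_sloppy=False):
    """The SYN leaves via pfSense (default gateway); the SYN-ACK returns via
    the ZyWALL, which never saw the SYN and so has no state for it."""
    pfsense = StatefulFirewall("pfsense")
    zywall = StatefulFirewall("zywall", sloppy=zywall_sloppy)
    return {
        "pfsense/SYN": pfsense.filter(SYN),
        "zywall/SYN-ACK": zywall.filter(SYN_ACK),
    }


if __name__ == "__main__":
    print("symmetric:", symmetric_path())
    print("asymmetric, strict return filter:", asymmetric_path())
    print("asymmetric, sloppy return filter:", asymmetric_path(zywall_sloppy=True))
```

The same drop happens in reverse whenever the partner side initiates and the client's reply is routed to pfSense rather than back to the ZyWALL, so whichever box ends up on the return path needs to tolerate mid-stream packets. pfSense exposes two knobs for this: the "Bypass firewall rules for traffic on the same interface" option under System > Advanced > Firewall & NAT, and the "Sloppy" state type in a rule's advanced options; the sloppy variant relaxes TCP sequence tracking, so confine it to the rules that match the partner subnets rather than applying it globally.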
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.