Server with multiple gateways
-
I have the following configurations:
WAN1 --- pfsense --- LAN1 --- Server1 (Nic1)
WAN2 --- pix --- Lan1 --- Server1 (Nic2)
The default gateway of Server1 is set to pix Lan1 ip address.
How can I route the traffic that was initiated from WAN1, through the pfSense firewall, to Server1 back through the pfSense instead of having it go out of the Pix? I did some packet captures and the problem seems to be that the source IP is what is being seen by the server and not the pfSense LAN1 IP address, so it wants to use the default gateway to send the traffic out rather than routing it back to pfSense.
Thanks in advance
-
That's handled by the operating system on Server1. How you do that will depend on the operating system.
-
The server is a Windows 2003. However, I am not quite sure how this is operating system dependent. The server sees the traffic source address as the public IP address of the requesting machine (somewhere on the Internet). It then determines that the IP is outside of its network and so it sends it to the default gateway, which is the LAN1 of the Pix rather than LAN1 of the pfSense. If there were a way to masquerade the external IP on the pfSense to make the source appear as if it is coming from the IP of pfSense LAN1, then the issue could be resolved.
-
Well, the OS is the only thing that knows what interface it came in on, so whether it came in through pfSense or the Pix. Even solving it that way will be non-trivial - it would be easier if you didn't have 2 default gateways on the same LAN managed by different devices - any reason why you can't do something like:
WAN2 --- PIX --- pfSense --- LAN1
WAN1 ------------
Then you can at least let pfSense handle the routing issues.
-
The reason I cannot do that is because I have two Internet lines that I am trying to do some load balancing on. So I would like to have certain people use that for access and the rest come through the regular Pix Internet connection. However, I think the solution should be in the form of having the firewall overwrite the source IP address to be the LAN IP of the pfSense. Then the server will respond to it and pfSense can then just send it to whomever had initiated the request. In a proxy mode that is usually what happens; I am not sure how pfSense can do that. Also, I should note that I am not using HTTP traffic.
-
Then, without any doubt, your solution is to do as I suggested and let pfSense handle the routing.
-
Yes, put both WANs on the pfSense box and pfSense will handle the return traffic properly (thanks to reply-to) and send it back out the WAN it came in on.
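As an added illustration of the two approaches discussed in this thread (not taken from pfSense's generated ruleset or from any poster), here are pf rules of the kind pfSense writes for a multi-WAN box: the interface names, gateway addresses, Server1 address and service port are assumed placeholders.

```pf
# Added example, not from the thread. Assumed layout once both WANs sit on pfSense:
#   em0 = WAN1 (next hop 203.0.113.1), em1 = WAN2 (next hop 198.51.100.1), em2 = LAN1
wan1_if  = "em0"
wan1_gw  = "203.0.113.1"     # assumed WAN1 upstream gateway
wan2_if  = "em1"
wan2_gw  = "198.51.100.1"    # assumed WAN2 upstream gateway
lan_if   = "em2"
server1  = "192.168.1.10"    # assumed Server1 LAN address (one NIC, default gw = pfSense)
svc_port = "3389"            # assumed non-HTTP service port

# --- Approach B (what the original poster asked about): source-NAT on the LAN side.
# Server1 then sees pfSense's LAN address as the client, so its default gateway
# no longer matters for the reply. Caveat: Server1's logs lose the real client IP.
# (Translation rules must precede filter rules in pf.conf.)
# nat on $lan_if inet from any to $server1 -> ($lan_if)

# --- Approach A (what the thread settled on): reply-to. Replies for a state created
# by an inbound WAN1 packet are sent back out em0 to the WAN1 gateway, and those
# for WAN2 back out em1, independent of pfSense's own default route.
pass in quick on $wan1_if reply-to ( $wan1_if $wan1_gw ) inet proto tcp \
    from any to $server1 port $svc_port keep state

pass in quick on $wan2_if reply-to ( $wan2_if $wan2_gw ) inet proto tcp \
    from any to $server1 port $svc_port keep state
```

With approach A the server keeps a single default gateway (pfSense) and the per-WAN return path is decided by pf's state table, which is why the "two gateways on one LAN" problem disappears.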
-
Thank you, I was hoping I did not have to do that, but I will implement it as you all suggested.