Routing two public IP subnets

  • We're running pfSense 1.2.3

    Our ISP is changing our public IP block from a /28 to a new /24, and they gave us until June to switch - during this time we'll have both classes in place.

    On the /28 class we have two old Cisco PIX 515E, and on the /24 we bought two new pfSense appliances which we're using via CARP.
    Here's a diagram

    [         Uplink Switch to ISP          ]
      | (WAN)                     | (WAN)
    [Cisco PIX]        [        PfSense 1      ] - (CARP) - [ PfSense 2 ]
      |                  | (OPT1)          | (LAN)
    [         DMZ Switch        ]       [ LAN Switch ]
    [Various servers]

    So, it works kind of like this:

    Cisco WAN: 100.x.y.56/29
    PfSense WAN: 110.x.y.56/29

    Cisco PIX Inside: 210.x.y.1/28
    pfSense OPT 1: 220.x.y.2/24 (other machine has .3 and they both share CARP IP .1)

    To ease migration to the new block, what I'd like to do is be able to configure the clients with two IPs, like this, for example:

    IP1: 220.x.y.50/24 (a new ip)
    IP2: 210.x.y.10/28 (the old ip)

    Gateway: 220.x.y.1 (the pfSense)

    I can get the routing to work fine on the 220. IP, but can't get pfSense to route the 210. subnet over to the Cisco.

    I tried adding a static route for 210.x.y.0/28 to 210.x.y.1 (the cisco) but this didn't seem to do anything. I don't think this is the right approach anyway, because the outgoing traffic wouldn't be destined for 210.x.y.0 anyway, but the entire internet.

    It seems like something that would need policy based routing - so traffic coming from 210.x.y.0/28 on the OPT1 interface would be routed via 210.x.y.1 (the cisco router) - but I don't have a spare interface on which to assign an IP from that class on the pfSense, and hence can't get the cisco router to show up in the dropdown for policy based routing.

    Could it be done with Virtual IPs somehow instead? Though, I'm not sure how to get the virtual IPs to route over to a different router.

    On paper, it seems like a Multi WAN situation, but as you can see from the diagram, I don't have an extra physical WAN interface available.

    Should I use the config.xml hack to add an extra interface and somehow set up policy based routing using it or is there a better way?

  • I got an idea, I'll try adding a VLAN interface and use that as a secondary WAN.

    Will report back with findings.

  • Note: I believe this should be moved to Routing/MultiWan

    I wasn't able to make this work. I made a better diagram:

    Note the "Desired Configuration" on the image.

    I can see connections coming in from the internet on the IP just fine. The Cisco still routes this connection because the IP is on its subnet and it is directly accessible.

    But replies will go out through the pfSense because that's the default gateway of the client.

    How can I make the pfSense route connections from 30.10.0.x/26 back to the Cisco?

    I tried using policy routing with a rule of Source 30.10.0.x/26 -> gateway IP: (dedicated VLAN interface to Cisco) - but, initially, pfSense just dropped the packet and didn't even let it exit the firewall even with a 'pass all' rule. I had my head scratching for a few hours until I tried changing 'keep state' to 'none' on the rule, and I could now see it leave the DMZ interface, but it now gets stuck trying to exit the VLAN interface. The 'none' trick didn't work here, no matter what I tried (pass all, etc), the firewall didn't let the packet go out.

    Here's the packet getting stuck on its way out:

    My understanding is that the following needs to happen:

    I looked through the pfSense book several times but couldn't find a similar scenario.

    Any ideas? Is this even possible or is there a better way?

    (I'm still not sure whether the Cisco will allow these packets to go out, they probably wouldn't have any state associated and they would come in on a different interface - the VLAN.)

Log in to reply