Static route to internal router
-
Hi all,
I apologise if this is covered elsewhere, but I think I'm too stupid at this point to even figure out what to search for.
We have set up a pfSense firewall on an existing network and in the most part it's been a breeze and is working beautifully. One final niggle was regarding email notification of phone messages.
Our LAN consists of two VLANs, one for computers and one for Cisco IP telephones. There is a router (I believe actually a layer 3 switch) in place that can route traffic between the subnets/VLANs when required - accessing the phone system for configuration and in the opposite direction, for the phone system to access the email server. A static route on pfSense sorts out the former, but the latter is proving a little more complicated.
I believe what is happening, is this:
The phone switch makes a connection to our mail server on the internal network via the router.
The router sends the packets directly to the mail server.
The mail server responds to the initiation of the TCP connection back via it's only possible route - the default gateway (pfsense).
Because pfsense hasn't seen the initiation of the connection, it rejects the response which never gets back to the phone switch.
The TCP connection never gets properly initiated so the mail doesn't get sent.Temporarily, I have resolved the matter by adding a static route to the mail server giving it the router's IP address as the gateway for access to the VLAN. However, this doesn't seem to be the correct solution. How should it be done? Should the router be configured to route all traffic destined for the LAN subnet via pfSense, even though it's on the LAN subnet itself?
Many thanks for any suggestions that may be forthcoming, even hints of the right search terms required.
Darran
-
You're right about the problem's cause.
Well… Do you need any restriction between your VLAN's? If you don't, my advice is to use the router (or the L3 switch) as default gateway for both of your VLAN's (quicker packet treatment, less CPU overhead on pfSense,...). The best practice is to create another VLAN (let's call it FW or firewall) and to configure it between your router and your pfSense. So, you'll have:
-
3 VLANs: DATA (e.g. 192.168.1.0/24), VOICE (e.g. 192.168.2.0/24) and FW (e.g. 192.168.3.0/24)
-
Default gateway of DATA and VOICE VLANs will be the L3 device (e.g. 192.168.1.254 & 192.168.2.254)
-
The address of your pfSense LAN interface will be - for example - 192.168.3.1 and for the L3 device in the FW VLAN will be - always for example - 192.168.3.254
-
The default gateway of your L3 device will be the pfSense (e.g. 192.168.3.1)
-
You'll have to add static route on your pfSense for your 2 internal VLAN (192.168.1.0 & 192.168.2.0) with 192.168.3.254 as destination
But if you need restrictions between your VLANs, configure those VLANs on your pfSense (or use 2 interfaces) and change your default gateway from L3 device to pfSense.
Hope this helps.
-
-
That's great, thanks for the information.
Glad to know I wasn't going completely mad in my understanding.