Route lan interface subnet via another router.

  • I have a bit of an odd setup I'm trying to achieve.

    LAN has clients routing via a L3 switch, we'll call this gw2. GW2 has a default route that points to pfsense (gw1).

    The problem here is that internet/vpn traffic coming via pfsense ends up with an asymmetric route. Internet traffic to clients within the same subnet as the pfSense machine go gw1 -> Client, but in reverse order it goes client -> gw2 -> gw1 etc.

    Now this seems to be fine for internet traffic, presumably as a result of NAT, maybe? But for OpenVPN traffic, it seems to cause problems, presumably down to the stateful nature of pfsense.

  • From your description, pfSense (gw1) is the gateway to the "real public internet" and gw2 goes to some other networks (presumably networks with private IP ranges behind gw2).
    If so, then the LAN clients should use pfsense (gw1) as their default gateway. That will resolve the asymmetric routing problem for normal internet traffic.
    Then you get asymmetric routing when LAN clients send to addresses behind gw2 - the clients send to their default gateway (gw1) which redirects the traffic to gw2. The replies from behind gw2 are delivered direct to clients on LAN. So pfSense (gw1) cannot keep track of the states. You can:
    a) switch on sloppy states to allow this, or
    b) on pfSense you could NAT traffic coming from LAN that is directed to networks behind gw2 (then the networks behind gw2 see all the traffic as coming from the pfsense LAN IP, so replies get delivered back to pfSense LAN IP, and get unNATed there and delivered to clients. That forces symmetric routing, but means the networks behind gw2 do not get to know the real source IPs of the clients. or
    c) Put gw2 on a serate [NIC|VLAN] and subnet on pfSense. Then traffic to behind gw2 has to transit through pfSense in both directions - no asymmetric routes.

Log in to reply