2 FW/Gateways, 2 VPNs, 1 network - not all systems accessible depending on gateway



  • Hello all,

    I think I have a... unique situation here, unique for someone clueless in some things apparently.

    To lay it out, we are migrating from our old network to a new network, mainly a new firewall and ISP, same LAN and internal ranges.

    Old network
    FreeBSD firewall as the main FW/Gateway  LANIP 10.0.2.1
    LAN IP Range 10.0.0.1/24

    New PFSense Firewall  LANIP 10.0.2.254
    LAN IP Range  10.0.0.1/24  - same range

    We have static IPs set on all servers; basically all I am doing is changing the gateway from 10.0.2.1 to 10.0.2.254 on systems I am moving over to our new network. The new network is also on a new ISP.

    The issue I am having is this: we have a VPN connection which goes through the old firewall network; however, via that VPN connection (FreeBSD), you cannot RDC into systems with the gateway set to the new pfSense server, 10.0.2.254.

    And vice versa: systems with the gateway 10.0.2.1 cannot be accessed via the pfSense VPN.

    I know this is a routing issue I didn't configure right, but I'm not sure where.

    I have VLANs within my pfSense all bound to igb3, the LAN physical interface; since the VLANs have their own ranges and we assign static IPs, my igb3 has no IP set on it.

    Not sure if this could be the issue or not, but I wanted to get some input first.



  • This is normal behavior. It is supposed to be that way; it's how routing works ;)

    1) VPNUSER01 sends a packet through BSD to LANPC01.
    2) LANPC01 wants to send a packet back to VPNUSER01. VPNUSER01 is located in a different subnet; LANPC01 has no static route for that subnet; LANPC01 sends the packet to its default gateway (pfSense).

    Every possible "routing" fix for this will be an ugly hack involving static routes on your LAN devices to particular VPN subnets, or static routes on both BSD & pfSense.

    Can't you just RDP to a device within the subnet with the correct GW, then RDP from there to the next device?



  • Every possible "routing" fix for this will be an ugly hack involving static routes on your LAN devices to particular VPN subnets, or static routes on both BSD & pfSense

    Yes, what heper said.
    Your other possibilities:

    1. Migrate everything this weekend and switch off the old router. This is always my preferred solution: be the "network/system manager from hell", cut it all over quickly and just wait for what goes wrong and fix it on the fly :)
    2. On each migrated server (which now has the pfSense LAN IP as its gateway), add static route(s) pointing to the various subnet(s) that are reached through the VPN links on the FreeBSD router, with 10.0.2.1 as the gateway for those routes.
    3. Move the VPNs over from the FreeBSD router to the pfSense router; then you will reach the migrated servers and not the old ones :D
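    To make the asymmetric-return-path explanation above concrete, here is a small added simulation (not from the thread or from pfSense) that does a longest-prefix-match lookup over LANPC01's routing table for each of the three cases discussed: old gateway, new gateway without a static route, and new gateway with option 2's static route via 10.0.2.1. The VPN client subnet (192.0.2.0/24) is a constructed placeholder since the thread never states it, and the LAN is assumed to be 10.0.2.0/24.

```python
import ipaddress

# Constructed addresses: the VPN client subnet is a placeholder (the thread
# never gives it); the LAN subnet is assumed to be 10.0.2.0/24, where both
# gateways 10.0.2.1 (FreeBSD) and 10.0.2.254 (pfSense) live.
LAN = ipaddress.ip_network("10.0.2.0/24")
VPN_SUBNET = ipaddress.ip_network("192.0.2.0/24")  # placeholder
BSD_GW, PFSENSE_GW = "10.0.2.1", "10.0.2.254"


def next_hop(routes, dst):
    """Longest-prefix-match lookup, as a host's IP stack does it.

    routes: list of (prefix, gateway); gateway None = directly connected.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1] if best[1] is not None else "direct"


def lanpc_routes(default_gw, static_vpn_route=False):
    """LANPC01's table: connected LAN, default route, optional static route."""
    routes = [(str(LAN), None), ("0.0.0.0/0", default_gw)]
    if static_vpn_route:
        routes.append((str(VPN_SUBNET), BSD_GW))  # option 2 from the thread
    return routes


def path_is_symmetric(default_gw, static_vpn_route=False):
    """Forward: VPNUSER01 -> BSD -> LANPC01. Return: LANPC01's first hop."""
    vpn_user = str(VPN_SUBNET[10])  # constructed client address 192.0.2.10
    forward_hop = BSD_GW            # the tunnel terminates on the FreeBSD box
    return_hop = next_hop(lanpc_routes(default_gw, static_vpn_route), vpn_user)
    return forward_hop == return_hop, forward_hop, return_hop


if __name__ == "__main__":
    for gw, static in [(BSD_GW, False), (PFSENSE_GW, False), (PFSENSE_GW, True)]:
        ok, fwd, ret = path_is_symmetric(gw, static)
        print(f"default gw {gw:11} static route={str(static):5} "
              f"in via {fwd}, reply via {ret} -> {'OK' if ok else 'ASYMMETRIC'}")
```

    The middle case is the thread's symptom: the reply leaves via pfSense, which never saw the inbound VPN packet, so the RDP session never completes.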


  • Appreciate the response; good to know the cause!

    I will likely then just stick with the "move everything over" route over the next 2 weeks; the people who need access to all the servers can RDP into one box and then go over. That will work for now; I was just hoping there was a quick fix I could do for now.


  • LAYER 8 Global Moderator

    I think you made a typo in your /24.

    New PFSense Firewall  LANIP 10.0.2.254
    LAN IP Range  10.0.0.1/24  - same range

    10.0.2 is not the same network as 10.0.0 with a /24. Do you have, say, a /8 or a /22, which would put 10.0.0 on the same network as 10.0.2?

