Netgate Discussion Forum

Do I need static routing in this scenario?

Routing and Multi WAN
7 Posts 3 Posters 3.1k Views
bushtor
last edited by Dec 27, 2007, 9:07 AM

Hi,

I have a pfsense box with 4 nics, WAN, LAN1 (192.168.1.1), LAN2 (192.168.2.1) and CommonLan (192.168.3.1).

Internet works fine on all interfaces and this is not the issue here ;-)

CommonNet hosts our intranet and ftp server and this subnet should be reachable from both LAN1 and LAN2 on port 20/21 and 80. However I don't want LAN1 and LAN2 to be able to talk to each other, they should only be able to reach the CommonNet subnet.

On the 'Static routes' page, this note is written: "Do not enter static routes on any interface assigned of this firewall…"

Does this mean that I don't need static routes in my case? -- and in order to achieve the above goal I just need to write firewall rules for LAN1 and LAN2 with destination CommonNet for the above port numbers?

Please advise ;-)

Tor
Perry
last edited by Dec 27, 2007, 10:09 AM

Yes, you don't need static routing, just add a block rule on top of the default LAN rule:

Block rule Source=Lan1 net destination=Lan2 net

/Perry
doc.pfsense.org
bushtor
last edited by Jan 3, 2008, 7:13 AM

@Perry:

Block rule Source=Lan1 net destination=Lan2 net

OK, but isn't everything blocked by default?

I thought I just had to write access rules, say, to allow only http and ftp requests from LAN1 and LAN2 clients to CommonNet:

Interface LAN1: Source=LAN1 Dest=CommonNet SourcePort=20,21,80
Interface LAN2: Source=LAN2 Dest=CommonNet SourcePort=20,21,80

Comments, please ;-)

rgds

Tor
Perry
last edited by Jan 3, 2008, 1:58 PM

Let me try to explain how you should see the "flow of traffic".
What you control with rules is what to do with the traffic coming from the cable to the nic.

Pc-->--cable--->---nic--->---pfsense rule---->--nic2--->--cable2-->--pc2

So if you place the default LAN rule on nic, every bit and byte will hit pc2, so to speak. Doing it that way makes sense in the case of the Internet, where we seldom know where to go.

OK, but isn't everything blocked by default?

Yes it is… If you have no rules on nic, the traffic from pc can't go anywhere....

hope it helps :)

/Perry
doc.pfsense.org
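The policy from the posts above, written out as a pf.conf ruleset of the kind pfSense builds from per-interface rules. This is an added example, not code from the thread or from pfSense: the device names em1, em2 and em3 are assumed, and the /24 subnets are inferred from the interface addresses in the first post. It shows two things the GUI discussion leaves implicit: the block rule must sit above the "default LAN rule" (pass to any) because the first matching rule wins, and it has to be repeated on the LAN2 interface, otherwise LAN2 hosts can still open connections to LAN1 (only replies to LAN1-initiated traffic are covered by state). The port numbers are destination ports, as the question intends.

```conf
# Assumed interface names; subnets follow from 192.168.1.1, 192.168.2.1, 192.168.3.1
lan1   = "em1"
lan2   = "em2"
common = "em3"
lan1_net   = "192.168.1.0/24"
lan2_net   = "192.168.2.0/24"
common_net = "192.168.3.0/24"

# Rules are evaluated on the interface where the packet ENTERS pfSense,
# in order, first match wins ("quick"). Order is what enforces the policy.

# LAN1: allow the three destination ports on CommonNet first ...
pass in quick on $lan1 proto tcp from $lan1_net to $common_net port { 20, 21, 80 } keep state
# ... then block everything else aimed at the two internal networks ...
block in quick on $lan1 from $lan1_net to { $lan2_net, $common_net }
# ... and only then the "default LAN rule": anything left (Internet) passes.
pass in quick on $lan1 from $lan1_net to any keep state

# LAN2: mirror image, so LAN2 cannot initiate connections to LAN1 either.
pass in quick on $lan2 proto tcp from $lan2_net to $common_net port { 20, 21, 80 } keep state
block in quick on $lan2 from $lan2_net to { $lan1_net, $common_net }
pass in quick on $lan2 from $lan2_net to any keep state

# CommonNet: no rule is needed for the replies, the states created by the pass
# rules above let them back. What CommonNet hosts may initiate is a separate
# decision and is blocked here until a rule is written for it.
```

One caveat on "port 20/21": that only matches the FTP control channel. In passive mode the client connects to a high port on the server, and in active mode the server connects back to the client, so neither data connection matches the rules above; FTP through this ruleset needs pfSense's FTP helper or an additional rule for the server's passive port range.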
bushtor
last edited by Jan 9, 2008, 7:29 AM

Thanks for the useful info

Now say that I have three lan nics (in addition to wan). Nic1 at 192.168.10.1, Nic2 at 192.168.15.1 and Nic3 at 192.168.20.1, both Nic1 and Nic3 with default rules as of wan access (Internet works ok)..

In addition, any traffic from either Nic1 or Nic3 to subnet 192.168.30.0/24 should be routed via Nic2. Nic2 is connected to another router with ip 192.168.15.254. (Another port on that other router is connected to the 192.168.30.0/24 subnet which Nic1 and Nic3 need to communicate with).

Do I use static routes or nat in this case? Traffic to the 192.168.30.0/24 subnet from workstations connected to Nic1 and Nic3 should be routed via 192.168.20.254 to find the 192.168.30.0/24 net.

Thanks a lot if someone can comment on this

Tor
bushtor
last edited by Jan 8, 2008, 10:21 PM

Hi folks,

I would be very grateful if someone could help me out with the above question, I understand that it might be off-topic, but this is the only issue left before our pfsense works just as needed…

regards Tor
GruensFroeschli
last edited by Jan 9, 2008, 5:17 PM

Why don't you just try it?
If it's not working I'm sure someone might help you.

Yes. If you want to reach another subnet behind a router on NIC2 then yes you need to add a static route.

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
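The static route from the second question, shown in FreeBSD rc.conf syntax so that each part of the entry is visible. This is an added example, not the thread's or pfSense's own configuration (pfSense installs the route itself from the entry made on the Static routes page); the device names em1, em2 and em3 are assumed. The next hop has to be an address on Nic2's own subnet, which is why it is 192.168.15.254 as in the post's description of the other router (192.168.20.254 belongs to Nic3's subnet and is not reachable through Nic2). NAT is not needed for this: pfSense simply forwards, and the states created by the existing "allow to any" rules on Nic1 and Nic3 let the replies back in on Nic2.

```conf
# Assumed NIC names with the addresses from the post
ifconfig_em1="inet 192.168.10.1 netmask 255.255.255.0"   # Nic1
ifconfig_em2="inet 192.168.15.1 netmask 255.255.255.0"   # Nic2, other router is 192.168.15.254
ifconfig_em3="inet 192.168.20.1 netmask 255.255.255.0"   # Nic3

# The static route: 192.168.30.0/24 via the other router, which is on-link on em2.
# The gateway must be directly reachable on that interface, hence 192.168.15.254.
static_routes="net30"
route_net30="-net 192.168.30.0/24 192.168.15.254"

# Not part of this box, but required: the other router (192.168.15.254) needs
# return routes, otherwise replies from 192.168.30.0/24 never reach pfSense:
#   192.168.10.0/24 via 192.168.15.1
#   192.168.20.0/24 via 192.168.15.1
```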
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.