Netgate Discussion Forum

[SOLVED] Same subnet, two firewalls

  • S
    Skywlker
    last edited by Jul 31, 2014, 1:52 PM Jul 30, 2014, 1:16 PM

    Hi All.

    I've got a configuration with 2 ADSL lines, with 2 different firewalls, one of them is pfSense (let's call it FW1) while the other is an untouchable appliance (let's call it FW2). On the LAN, many servers (both Linux and Windows) are configured with pfSense as Gateway, while a bunch of them with the appliance as gateway.

    On pfSense I've configured an OpenVpn access, so I'm able to connect (via RDP, for instance) to a computer whose gateway is the pfSense itself.

    The problem is that, through OpenVpn or directly through a simple NAT rule, I cannot reach a server whose gateway is the appliance (the other firewall). It doesn't even reply to an ICMP request.

    Since the LAN configuration cannot be modified, I'm wondering if there's a way to respond to a request through the originating firewall, rather than the configured gateway.

    To help you better understand, here's a simple representation of the LAN:

    Internet ---> FW1 (pfSense) ----+                 +---> SRV1 (GW FW1)
                                    |------ LAN ------|
    Internet ---> FW2 (?) ----------+                 +---> SRV2 (GW FW2)

    When I try to ping SRV2 from FW1 (for example), it looks like it replies through FW2.

    • K
      KOM
      last edited by Jul 30, 2014, 1:35 PM

      Forgive the obvious, but why not change SRV2 to use FW1 instead of FW2?  Why are you running two firewalls with 2 WANs?  Some special custom doohickey with FW2?

      • S
        Skywlker
        last edited by Jul 30, 2014, 1:44 PM

        It is not possible because there are dedicated services that run through FW2.

        • K
          KOM
          last edited by Jul 30, 2014, 1:55 PM

          What do you mean by 'dedicated services'?  You have some port forwards on FW2 that point to SRV2?  Or is FW2 itself providing some critical services?

          • S
            Skywlker
            last edited by Jul 30, 2014, 2:02 PM

            I apologize for my English, it is very bad.

            FW2 provides critical services to SRV2, and it is untouchable and unusable for other connectivity.

            • K
              KOM
              last edited by Jul 30, 2014, 2:11 PM

              Your English is just fine, but I wanted to confirm what I thought you were saying.  I don't think this will ever work like this, or at least I do not know how, if it is possible.  You are starting a session through one stateful firewall and getting replies from another completely different firewall, which your end is dropping.  Maybe one of the smarter network guys here has a trick up his sleeve, but I don't.

              • S
                Skywlker
                last edited by Jul 30, 2014, 2:39 PM

                For best clarity

                Schema.jpg

                • S
                  Skywlker
                  last edited by Jul 30, 2014, 2:54 PM

                  In addition, with other firewalls (e.g. Kerio Winroute :o) it was working.

                  • V
                    vindenesen
                    last edited by Jul 30, 2014, 5:10 PM

                    I see two possible solutions:

                    • You could create an outbound NAT rule on FW1, that translates the source address on traffic destined for SRV2 to the LAN IP address of FW1. But this way, the logs on SRV2 will always display the IP address of FW1 as the client, when traffic from clients comes through FW1. Could be a security issue.

                    • Add static routes on SRV2 that tell it when to use FW1 as the gateway. For instance, add a static route on SRV2 that covers the subnet you use for OpenVPN clients.

                    Support the project by buying a Gold Subscription at https://portal.pfsense.org
                    Running pfSense on SuperMicro A1SRI-2758F with ESXi 5.5

                    • S
                      Skywlker
                      last edited by Jul 31, 2014, 7:24 AM

                      Solution 1 looks good to me but, before trying it, I would like to understand how the traffic through FW2 is routed with this solution.

                      • V
                        vindenesen
                        last edited by Jul 31, 2014, 9:44 AM

                        The traffic will not be routed through FW2, not when it originates from FW1. That's what the outbound NAT rule does. SRV2 will see the FW1 as the client, and since they are in the same subnet, it will not need to route the returning traffic to the default gateway. This won't affect the existing traffic that normally passes through FW2 towards SRV2.


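The routing behaviour described in the two posts above (the outbound NAT option and the static-route option), as an added simulation that is not part of the thread and not pfSense code. It models SRV2's reply-path decision with constructed addresses (LAN 192.168.1.0/24, FW1 at .1, FW2 at .2, SRV2 at .20, OpenVPN subnet 10.8.0.0/24) and reports, for each option, which hop the reply takes, which client IP SRV2 would log, and whether the reply gets back to the stateful FW1.

```python
# Added example, not from the thread or pfSense: why SRV2's replies bypass FW1,
# and how each of the two fixes changes that. All addresses are constructed.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # shared LAN segment
FW1_LAN = "192.168.1.1"              # pfSense LAN address
FW2_LAN = "192.168.1.2"              # appliance LAN address, SRV2's default gateway
SRV2 = "192.168.1.20"
VPN_CLIENT = "10.8.0.5"              # OpenVPN client terminating on FW1
VPN_NET = ip_network("10.8.0.0/24")  # OpenVPN tunnel subnet


def next_hop(dst, static_routes, default_gw):
    """SRV2's routing decision for a reply: an on-link destination is delivered
    directly; otherwise the most specific static route wins, else the default gateway."""
    if ip_address(dst) in LAN:
        return "direct"
    for net, gw in sorted(static_routes, key=lambda r: r[0].prefixlen, reverse=True):
        if ip_address(dst) in net:
            return gw
    return default_gw


def simulate(solution):
    """solution is 'none', 'snat' (outbound NAT on FW1's LAN interface) or
    'static_route' (route for the VPN subnet via FW1 on SRV2).
    Returns (hop SRV2 uses for the reply, client IP SRV2 logs, reply reaches FW1)."""
    static_routes = [(VPN_NET, FW1_LAN)] if solution == "static_route" else []
    # Outbound NAT rewrites the VPN client's address to FW1's LAN IP before
    # the packet is handed to SRV2, so that is the source SRV2 replies to (and logs).
    src_seen_by_srv2 = FW1_LAN if solution == "snat" else VPN_CLIENT
    hop = next_hop(src_seen_by_srv2, static_routes, FW2_LAN)
    # FW1 created the state for this session; only a reply that comes back to
    # FW1 (directly or routed via FW1) can match it. A reply sent via FW2 is lost.
    delivered = hop in ("direct", FW1_LAN)
    return hop, src_seen_by_srv2, delivered


if __name__ == "__main__":
    for s in ("none", "snat", "static_route"):
        hop, logged, ok = simulate(s)
        print(f"{s:13s} reply via {hop:12s} SRV2 logs client {logged:13s} delivered={ok}")
```

The 'snat' row shows the logging caveat from the first post: SRV2 records FW1's LAN address as the client, while the static-route option preserves the real client address.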
                        • S
                          Skywlker
                          last edited by Jul 31, 2014, 9:57 AM

                          Perfect, I'll try as soon as possible

                          Thanks!

                          • V
                            vindenesen
                            last edited by Jul 31, 2014, 10:04 AM

                            Remember to use your LAN interface on the outbound NAT rule, and set the destination to SRV2 (or create an alias containing the server(s) and use that). If you know which source addresses will be accessing SRV2 through FW1, you should also enter the source address.


                            • S
                              Skywlker
                              last edited by Jul 31, 2014, 1:51 PM

                              Great!!!!!  It's working perfectly with solution 1.

                              Thank you very much!

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.