[SOLVED] Same subnet, two firewalls



  • Hi All.

    I've got a configuration with 2 ADSL lines, with 2 different firewalls, one of them is pfSense (let's call it FW1) while the other is an untouchable appliance (let's call it FW2). On the LAN, many servers (both Linux and Windows) are configured with pfSense as Gateway, while a bunch of them with the appliance as gateway.

    On pfSense I've configured an OpenVpn access, so I'm able to connect (via RDP, for instance) to a computer whose gateway is the pfSense itself.

    The problem is that, through OpenVpn or directly through a simple NAT rule, I cannot reach a server whose gateway is the appliance (the other firewall). It even doesn't reply to an ICMP request.

    Since the LAN configuration cannot be modified, I'm wondering if there's a way to respond to a request through the originating firewall, rather than the configured gateway.

    To help You better understand, here's a simple representation of the lan :

    Internet –-> FW1 (PfSense) ----
                                                |                    |---> SRV1 (GW FW1)
                                                |----- Lan -----|
                                                |                    |---> SRV2 (GW FW2)
    Internet ---> FW2 (?) ----------

    When I try to ping (example) SRV2 from FW1, looks like it reply through FW2.



  • Forgive the obvious, but why not change SRV2 to use FW1 instead of FW2?  Why are you running two firewalls with 2 WANs?  Some special custom doohickey with FW2?



  • It is not possible because there are dedicated services that run through FW2



  • What do you mean by 'dedicated services'?  You have some port forwards on FW2 that point to SRV2?  Or is FW2 itself providing some critical services?



  • I apologize for my English, it is very bad.

    FW2 providing a critical services to SRV2 and it is untouchable and unusable for other connectivity.



  • Your English is just fine, but I wanted to confirm what I thought you were saying.  I don't think this will ever work like this, or at least I do not know how if it is possible.  You are starting a session through one stateful firewall and getting replies from another completely different firewall, which your end is dropping.  Maybe one of the smarter network guys here has a trick up his sleeve, but I don't.



  • For best clarity




  • In addition to, with others firewalls (eg. Kerio Winroute :o) it was working



  • I see two possible solutions:

    • You could create an outbound NAT rule on FW1, that translates the source address on traffic destined for SRV2 to the LAN IP address of FW1. But this way, the logs on SRV2 will always display the IP address of FW1 as the client, when traffic from clients comes through FW1. Could be a security issue.

    • Add static routes on SRV2 that tells it when to use FW1 as the gateway. For instance, add a static route on SRV2 that covers the subnet you use for OpenVPN clients.



  • The solution 1 looks good to me but, before try it, I would like to understand how the traffic through FW2 is routed with this solution



  • The traffic will not be routed through FW2, not when it originates from FW1. That's what the outbound NAT rule does. SRV2 will see the FW1 as the client, and since they are in the same subnet, it will not need to route the returning traffic to the default gateway. This won't affect the existing traffic that normally passes through FW2 towards SRV2.



  • Perfect, I'll try as soon as possible

    Thanks!



  • Remember to use your LAN-interface on the oubound NAT rule, and set the destination to SRV2 (or create an alias containing the server(s) and use that). If you know what source addresses that will be accessing SRV2 through FW1, you should also enter source address.



  • Greate!!!!!  It's working perfectly with solution 1

    Thank you very much!