Routing Direction

  • I have a question on how pfSense does its routing. The situation that I have and that I’m debating with my colleague (IT Admin) is what route is being taken. I have an idea of how it’s being routed but he disagrees.

    Current Working Scenario

    I have some dated WatchGuard’s Firewalls that we’re currently using and the setup is as follows (see attached “Current WatchGuard setup”). As can be seen, our Ohio office tunnels through the Ontario office in order to reach our Hosting provider. This was setup temporarily as it’s not the most ideal setup.

    We also have some Mobile VPN users that connect to the Ontario WG box and allow access to all three sites accordingly.

    We have a hosting provider that houses a bunch of Virtual servers for us. I have no control over the Juniper FW that is being used there. They have all subnets allowed through the IPsec tunnel
    No problems with routing in this scenario

    Testing Scenario

    I’m wishing to move to using some new pfSense boxes. I currently have them configured and working. We’re currently testing routes & rules to be similar to the current setup, except for the tunnel of our Ohio office. The new scenario (see attached, “Testing Setup”); will have our Ohio office with a direct link to our Hosting provider. As can be seen, the pfSense boxes have a GW of .2 for testing purposes. I’ve setup tunnels to our Hosting provider as well. So essentially I have 2 tunnels connected from Ontario to the Hosting Provider (WG & pfSense); and the same from Ohio to Hosting Provider; and last 2 tunnels from Ohio to Ontario (WG & pfSense).

    Now when testing connections from either VPN user group or using a PC configured to us .2 as the gateway, I know I will not get a response from Ontario, or Ohio as the end point is still configured to use .1 as the GW. I know I can use routes to get around this, but as soon as I activate the pfSense boxes from .2 to a .1 gateway to take over WG, this will become null and void.

    Now the question I have about routing is this; in the testing setup what Route is used if I do the following:

    Ping from VPN user -> Hosting provider server
    Ping from PC (using .2 GW) -> Hosting provider server

    My though is that using an active state, the connection will come back the same GW (.2) from the hosting provider. My colleague disagrees and says that the hosting provider will use WatchGuard as that’s its default GW. But there is only ONE GW on the hosting provider, so it would/should use the route that it received the request shouldn’t it?

    My thought about the route directed back the same path would have to be correct using the VPN. The new VPN users (172.16.x5.0/25) are not even configured to be allowed across the WatchGuard IPsec tunnels and therefore would be blocked.

    So the little unknown that I have and the reason for posting this question is that I can’t view the logs from the Juniper FW. All info I can see from WG & pfSense boxes show an active state being connected from the pfSense route and nothing coming back the WG. Would this be correct?

    Sorry for the long post.

    ![Current WatchGuard Setup.png](/public/imported_attachments/1/Current WatchGuard Setup.png)
    ![Current WatchGuard Setup.png_thumb](/public/imported_attachments/1/Current WatchGuard Setup.png_thumb)
    ![Testing Setup.png_thumb](/public/imported_attachments/1/Testing Setup.png_thumb)
    ![Testing Setup.png](/public/imported_attachments/1/Testing Setup.png)

Log in to reply