Source routing to 2 gateways on same subnets
-
Hi all,
I am a noob in Pfsense, and i have a question about the basic architecture of my first lab.I have 1 subnet and 2 getway on it.
i want to route all paquets and protocols to the first gateway and only selected host to the second gateway ( all protocols and ports )What does i need 1,2,3 interfaces ?
I canno't use NAT because the gateway need to see the source host request.What can you think about this, Is it possible with Pfsense ?
-
Easy. Two interfaces, one to LAN and one to WAN. Configure the WAN with one of the gateways as the default. Create another gateway in System->Routing.
On the LAN, create a firewall rule ABOVE the pass any any rule that matches the traffic from the particular host and set the desired gateway.
Change the pass any any rule to send traffic to the other gateway (or if it's the default, just leave it alone).
I'd be more specific but your drawing is too small to read. Sorry.
NAT is usually on by default. It can be completely disabled by going to Firewall->NAT, changing to manual outbound, and deleting all the rules there.
-
Hi,
Thanks for your quickly answer,Your right, it's very small :)
172.16.1.1/24: Pfsense
I have try another distrib such as Zeroshell, its very simple but after 56K opens connections it's hang, Overload ! …
We have about 4000 users on 1Gb central internet access
I try to found a good distrib for PBR with 2 WAN ( 2 Firewalls on separate provider, because new and old provider )Do you have any trick for many users ?
I have installed it on VM with 4 vCPU and 4Gb RAM
Pfsense is used only for local routing from my Backbone to 2 firewalls.
I will try your solution tomorowBye
-
Hi,
Thank Derelic,
i have all configured as your write, but
i have a problem with incoming access from WAN to LANOn the LAN, same subnet 172.16.1.x, i have a server with services open from Internet.
I have checked the NAT on my firewall: Ok it have his public reserved IP ( Inside to Outside )
But access Outside to Inside are not good.Config:
GW:
GW_Provider1 (default) WAN 172.16.1.254
GW_Provider2 WAN 172.16.1.253Route: Nothing
Groupe: NothingInt:
em0 LAN 172.16.1.1
em1: WAN 172.16.1.2Rules:
Floating: NothingLAN:
Proto Source Port Destination Port Gateway Description-
-
- LAN Address 80/22 * Anti-Lockout
IPv4* 172.16.1.197 * * * GW_Provider2 Test User to GW2
IPv4* * * * * * All users
IPv4* LAN net * * * * Default
IPv6* LAN net * * * * Default IPv6
- LAN Address 80/22 * Anti-Lockout
-
WAN:
Proto Source Port Destination Port Gateway Description
IPv4* * * * * * Test for External accessNAT:
WAN:
Checked Manual Outbound NAT and deleted all linePerhaps is an asymetrical routing problem because the incoming connection from my firewall are routed directly to the host and the host answer it by passing through the Pfsense ?
I very need your help
-
-
Why is everything you're doing on 172.16.1? I don't understand your diagram at all.
-
Sorry i don t understand your question
-
Int:
em0 LAN 172.16.1.1
em1: WAN 172.16.1.2This makes no sense. Each segment needs its own IP subnet. I'm surprised pfSense even let you do that.
em0: 172.16.1.1/24
em1: 172.16.2.1/24Makes sense.
I think you're doing something very wrong. How about some interface, firewall rule, NAT rule screenshots?
-
Hi
please the detail in the screenshoot.This test is making under 172.16.90.0 network
-
I think the problem have caused by asymetrical routing.
so, if i enable: Bypass firewall rules for traffic on the same interface
The "Bypass firewall rules for traffic on the same interface" option located under System > Advanced on the Firewall/NAT tab activates rules for traffic to/from the static route networks which are much more permissive when it comes to creating states for TCP traffic and allowing it to pass. The rules allow any TCP packets, regardless of their flags, to create a state and also have the "sloppy state" type set which performs a less strict state match. "
source: https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules
Does firewall rules works for route traffic to certain gateways ?
-
Also what are your lan and wan subnet mask. Looks like your lan and wan are overlapping networks which won't work. Probably should be some input validation in pfsense to not let that happen.
-
This guy is all kinds of hosed.
No offense, bro, but if you're not going to go with the defaults, you have to know what you're doing. Same is true for ANY router.
Stick with /24, do what your ISP tells you on WAN, and it'll probably work.
-
I am not offended,
I know what i am trying to do and i know that is the single solution so it's an asymmetrical routing, because the firewalls are on the same subnet and the ACK are sended directly from the firewall to the end device.
I have found, for the outgoing traffic,
i need the decrease TCP timeout because the ACK does not pass through the router and decrease TCP timeout are result decrease the number of active session in the router.So, i just have a last problem caused by the incoming traffic, by the inspection.
When the traffic come from the firewall to the end device ( TCP-SYN ) the ACK try to pass through the router and are dropped.( because the inspection don't see the TCP-SYN, so it drop the ACK )I have try the same topologies ( on virtual environment ) with an Cisco ASR1001.
I have disable all inspection in the ASR and the result seem to be ok.The TCP traffic topologies needed:
Outgoing traffic:
TCP-SYN from device > main backbone (by routing) > Router (by routing) > Firewall > Internet
TCP-ACK from Internet > Firewall > main Backbone > End device
Solution proposal: Decrease TCP Timeout for not to have too many active sessionsIncoming traffic:
TCP-SYN From Internet > Firewall > main Backbone > End device
TCP-ACK From device > main backbone (by routing) > Router (by routing) > Firewall > Internet
Need solution to bypass/disable inspection otherwise is droppedIs just a temporary solution for 3 months, after we have only one ISP
Any idea ?
-
so, check the "non local gateway" in routing>gateway of each gateway. Becoz you got multiple wan from one isp routing. pfsense non sense of gateway routing from one isp. make sure separate each gateway route. sorry for my bad english.