Source routing to 2 gateways on same subnets



  • Hi all,
    I am a noob in Pfsense, and i have a question about the basic architecture of my first lab.

    I have 1 subnet and 2 getway on it.
    i want to route all paquets and protocols to the first gateway and only selected host to the second gateway ( all protocols and ports )

    What does i need 1,2,3 interfaces ?
    I canno't use NAT because the gateway need to see the source host request.

    What can you think about this, Is it possible with Pfsense ?


  • LAYER 8 Netgate

    Easy.  Two interfaces, one to LAN and one to WAN.  Configure the WAN with one of the gateways as the default.  Create another gateway in System->Routing.

    On the LAN, create a firewall rule ABOVE the pass any any rule that matches the traffic from the particular host and set the desired gateway.

    Change the pass any any rule to send traffic to the other gateway (or if it's the default, just leave it alone).

    I'd be more specific but your drawing is too small to read.  Sorry.

    NAT is usually on by default. It can be completely disabled by going to Firewall->NAT, changing to manual outbound, and deleting all the rules there.



  • Hi,
    Thanks for your quickly answer,

    Your right, it's very small :)

    172.16.1.1/24: Pfsense

    I have try another distrib such as Zeroshell, its very simple but after 56K opens connections it's hang, Overload !  …

    We have about 4000 users on 1Gb central internet access
    I try to found a good distrib for PBR with 2 WAN ( 2 Firewalls on separate provider, because new and old provider )

    Do you have any trick for many users ?

    I have installed it on VM with 4 vCPU and 4Gb RAM
    Pfsense is used only for local routing from my Backbone to 2 firewalls.
    I will try your solution tomorow

    Bye



  • Hi,

    Thank Derelic,
    i have all configured as your write, but
    i have a problem with incoming access from WAN to LAN

    On the LAN, same subnet 172.16.1.x, i have a server with services open from Internet.
    I have checked the NAT on my firewall: Ok it have his public reserved IP ( Inside to Outside )
    But access Outside to Inside are not good.

    Config:

    GW:
    GW_Provider1 (default) WAN 172.16.1.254
    GW_Provider2 WAN 172.16.1.253

    Route: Nothing
    Groupe: Nothing

    Int:
    em0  LAN  172.16.1.1
    em1: WAN 172.16.1.2

    Rules:
    Floating: Nothing

    LAN:
    Proto Source Port Destination Port Gateway Description

        • LAN Address 80/22 * Anti-Lockout
          IPv4* 172.16.1.197 * * * GW_Provider2 Test User to GW2
          IPv4* * * * * * All users
          IPv4* LAN net * * * * Default
          IPv6* LAN net * * * * Default IPv6

    WAN:
    Proto Source Port Destination Port Gateway Description
    IPv4* * * * * * Test for External access

    NAT:
    WAN:
    Checked Manual Outbound NAT and deleted all line

    Perhaps is an asymetrical routing problem because the incoming connection from my firewall are routed directly to the host and the host answer it by passing through the Pfsense ?

    I very need your help


  • LAYER 8 Netgate

    Why is everything you're doing on 172.16.1?  I don't understand your diagram at all.



  • Sorry i don t understand your question


  • LAYER 8 Netgate

    Int:
    em0  LAN  172.16.1.1
    em1: WAN 172.16.1.2

    This makes no sense.  Each segment needs its own IP subnet.  I'm surprised pfSense even let you do that.

    em0: 172.16.1.1/24
    em1: 172.16.2.1/24

    Makes sense.

    I think you're doing something very wrong.  How about some interface, firewall rule, NAT rule screenshots?



  • Hi
    please the detail in the screenshoot.

    This test is making under 172.16.90.0 network



  • I think the problem have caused by asymetrical routing.

    so, if i enable:  Bypass firewall rules for traffic on the same interface

    The "Bypass firewall rules for traffic on the same interface" option located under System > Advanced on the Firewall/NAT tab activates rules for traffic to/from the static route networks which are much more permissive when it comes to creating states for TCP traffic and allowing it to pass. The rules allow any TCP packets, regardless of their flags, to create a state and also have the "sloppy state" type set which performs a less strict state match. "

    source: https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules

    Does firewall rules works for route traffic to certain gateways ?



  • Also what are your lan and wan subnet mask. Looks like your lan and wan are overlapping networks which won't work. Probably should be some input validation in pfsense to not let that happen.


  • LAYER 8 Netgate

    This guy is all kinds of hosed.

    No offense, bro, but if you're not going to go with the defaults, you have to know what you're doing.  Same is true for ANY router.

    Stick with /24, do what your ISP tells you on WAN, and it'll probably work.



  • I am not offended,

    I know what  i am trying to do and i know that is the single solution so it's an asymmetrical routing, because the firewalls are on the same subnet and the ACK are sended directly from the firewall to the end device.

    I have found, for the outgoing traffic,
    i need the decrease TCP timeout because the ACK does not pass through the router and decrease TCP timeout are result decrease the number of active session in the router.

    So, i just have a last problem caused by the incoming traffic, by the inspection.
    When the traffic come from the firewall to the end device ( TCP-SYN ) the ACK try to pass through the router and are dropped.( because the inspection don't see the TCP-SYN, so it drop the ACK )

    I have try the same topologies ( on virtual environment ) with an Cisco ASR1001.
    I have disable all inspection in the ASR and the result seem to be ok.

    The TCP traffic topologies needed:
    Outgoing traffic:
    TCP-SYN from device > main backbone (by routing) > Router (by routing) > Firewall > Internet
    TCP-ACK from Internet > Firewall > main Backbone > End device
    Solution proposal: Decrease TCP Timeout for not to have too many active sessions

    Incoming traffic:
    TCP-SYN From Internet > Firewall > main Backbone > End device
    TCP-ACK From device > main backbone (by routing) > Router (by routing) > Firewall > Internet
    Need solution to bypass/disable inspection otherwise is dropped

    Is just a temporary solution for 3 months, after we have only one ISP

    Any idea ?



  • so, check the "non local gateway" in routing>gateway of each gateway. Becoz you got multiple wan from one isp routing. pfsense non sense of gateway routing from one isp. make sure separate each gateway route. sorry for my bad english.


Log in to reply