Route Redirection



  • This question just popped into my head - and since I'm a Cisco guy, I always compare pfSense to what I know about PIX firewalls.

    Will pfSense do redirection?  A Cisco PIX will not.

    Here is the scenario (this is not real, it is just an exercise in posing the question and soliciting an answer):

    Two private LANs, 10.10.x.x/16 and 10.20.x.x/16
    One Internet Connection
    Two Cisco 1700 series routers, terminating a private T1 in between 10.10 and 10.20
    A PIX506 in between 10.10 and the Internet

    Cisco Router A:
    FastEthernet0/0: 10.10.254.2/16
    Serial0/0:  10.254.10.1/16
    Routes:
    net 0.0.0.0 mask 0.0.0.0 gateway 10.10.254.1
    net 10.20.0.0 mask 255.255.0.0 gateway 10.254.20.1
    net 10.10.0.0 mask 255.255.0.0 directly connected FastEthernet0/0
    net 10.254.0.0 mask 255.255.0.0 directly connected Serial0/0

    Cisco Router B:
    FastEthernet0/0: 10.20.254.1/16
    Serial0/0: 10.254.20.1/16
    Routes:
    net 0.0.0.0 mask 0.0.0.0 gateway 10.254.10.1
    net 10.20.0.0 mask 255.255.0.0 directly connected FastEthernet0/0
    net 10.254.0.0 mask 255.255.0.0 directly connected Serial0/0

    PIX506 IP addresses:
    Ethernet0, inside (LAN):  10.10.254.1/16
    Ethernet1, outside (WAN):  <some public IP>
    Routes:
    net 0.0.0.0 mask 0.0.0.0 gateway <some public IP>
    net 10.20.0.0 mask 255.255.0.0 gateway 10.10.254.2
    net 10.10.0.0 directly connected Ethernet0

    Workstations in the 10.20 network have 10.20.254.1 as their gateway for everything, their routing table is very simple:
    net 0.0.0.0 mask 0.0.0.0 gateway 10.20.254.1

    Workstations in the 10.10 network however have a choice of two different gateways, depending upon their destination:
    net 10.20.0.0 mask 255.255.0.0 gateway 10.20.254.2 (the LAN at the other office)
    net 0.0.0.0 mask 0.0.0.0 gateway 10.20.254.1  (the internet)

    Now, if I make my workstation in the 10.10 network have a default gateway of 10.10.254.1, I will be able to get out to the internet, but I will NOT be able to get to the 10.20 network.
    Even though the PIX supposedly knows about the 10.20 network, it will NOT redirect me to Cisco Router A to get there.
    I must make my workstation's default gateway 10.10.254.2 - it will redirect me to the PIX when I need a route that it doesn't already know about.

    So, in summary:
    A Cisco PIX Firewall will not redirect to a router for WAN links.
    You need a router as your gateway - that router then handles your packets destined for the private networks, and when properly configured will redirect your packets destined for the Internet over to the PIX.
    If I traceroute from my workstation to 10.20, I'll see the Cisco 1700 series routers on my way to that private network.
    If I traceroute an Internet host, I'll see the PIX on my way out.

    This scenario is encountered frequently when a business has one office and an internet connection - all workstations in that one office have the PIX as their default gateway - it is the only gateway at that time.  When the business grows and they get a second office, they need to expand.  They get a T1, two routers, and light up the second office.
    Now, people in the first office are going "hey, we can get out to the internet, but we cannot ping anyone in the second office, what's up?"
    Their default gateway needs to be changed to the new router - because a PIX will not do redirection.

    And now back to the question:
    Will pfSense do redirection to another router/gateway on a directly-connected subnet I wonder?



  • Yeah, the PIX will not send traffic back OUT the interface the traffic came in. This is by design, but sometimes it's a PITA.
    PfSense will work fine, just add the static route and check the box under advanced for static route filtering.
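    Added example, not code from either poster: a small Python model of the topology in the question that traces a packet hop by hop using longest-prefix routing, with the firewall node either refusing to send traffic back out the ingress interface (the PIX behaviour described above) or allowing it (pfSense with the static route added). Router addresses and routes come from the post; 203.0.113.0/24 is a constructed stand-in for the "<some public IP>" on the WAN side.

```python
import ipaddress

# Constructed model of the two-office topology from the question. Router
# addresses and routes are taken from the post; 203.0.113.0/24 is a made-up
# public range standing in for "<some public IP>" on the firewall's WAN.
def table(entries):
    return [(ipaddress.ip_network(p), nh, iface) for p, nh, iface in entries]

NODES = {
    "Router A": {"hairpin": True, "ifaces": {"Fa0/0": "10.10.254.2", "Se0/0": "10.254.10.1"},
                 "routes": table([("0.0.0.0/0", "10.10.254.1", "Fa0/0"),
                                  ("10.20.0.0/16", "10.254.20.1", "Se0/0"),
                                  ("10.10.0.0/16", None, "Fa0/0"),
                                  ("10.254.0.0/16", None, "Se0/0")])},
    "Router B": {"hairpin": True, "ifaces": {"Fa0/0": "10.20.254.1", "Se0/0": "10.254.20.1"},
                 "routes": table([("0.0.0.0/0", "10.254.10.1", "Se0/0"),
                                  ("10.20.0.0/16", None, "Fa0/0"),
                                  ("10.254.0.0/16", None, "Se0/0")])},
    # hairpin=False models the PIX: it will not forward a packet back out the
    # interface it arrived on. trace() can override this to model pfSense with
    # the static route added (the reply's "static route filtering" setting).
    "firewall": {"hairpin": False, "ifaces": {"Eth0": "10.10.254.1", "Eth1": "203.0.113.2"},
                 "routes": table([("0.0.0.0/0", "203.0.113.1", "Eth1"),
                                  ("10.20.0.0/16", "10.10.254.2", "Eth0"),
                                  ("10.10.0.0/16", None, "Eth0")])},
}
# Map every interface address back to (node, interface) so next hops resolve.
ADDR = {ip: (name, ifn) for name, n in NODES.items() for ifn, ip in n["ifaces"].items()}

def lookup(node, dst):
    """Longest-prefix match over one node's routing table."""
    matches = [r for r in NODES[node]["routes"] if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)

def trace(gateway, dst, firewall_hairpin=False):
    """Hop list for a packet from a 10.10 workstation whose only route is
    'default via gateway'. Ends with 'delivered', 'internet' or 'dropped'."""
    dst = ipaddress.ip_address(dst)
    node, in_iface = ADDR[gateway]          # gateway's LAN-facing interface
    path = []
    while True:
        path.append(node)
        _, next_hop, out_iface = lookup(node, dst)
        if next_hop is None:                # destination is directly connected
            return path + ["delivered"]
        hairpin = firewall_hairpin if node == "firewall" else NODES[node]["hairpin"]
        if out_iface == in_iface and not hairpin:
            return path + ["dropped"]       # PIX: no forwarding back out the ingress side
        if next_hop not in ADDR:            # next hop is the ISP, outside the model
            return path + ["internet"]
        node, in_iface = ADDR[next_hop]
```

    With the PIX as default gateway, `trace("10.10.254.1", "10.20.1.50")` ends in `dropped`; with Router A as gateway, or with `firewall_hairpin=True`, the same destination reaches Router B, matching the traceroute behaviour the question describes.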

