Netgate Discussion Forum

    Routing different subnets from multiple sources

    Routing and Multi WAN
    6 Posts 2 Posters 1.4k Views
    commgdog

      Hello all:

      I have a unique situation involving a lot of weird nonsense contracts which leaves me with two firewalls.

      I have my primary router/firewall as a pfSense machine and a secondary router/firewall as a SonicWALL TZ210.

      The only thing that is behind the SonicWALL is a single server, whereas the rest of my network (WiFi, workstations, etc.) is done through pfSense.

      Each firewall has its own WAN IP.

      The server behind the SonicWALL has a LAN IP of 10.196.54.132 in the network 10.196.54.128/26

      My workstations are behind the pfSense machine with various IPs within the network 10.1.10.0/24

      Both networks leave their respective firewalls and head out to a switch on a VLAN (Both in the same VLAN) and eventually end up at workstations.

      Here is what I am looking for:

      I need to have the workstations on the 10.1.10.0/24 network be able to see the server on the 10.196.54.128/26 network.

      I tried setting up an IPsec tunnel to connect the firewalls, but the latency of the tunnel was causing software issues with the proprietary software behind the SonicWALL.

      Here is a map of the physical layout

      WAN -> pfSense (10.1.10.0/24) ---------->  Switch (VLAN 10 ON BOTH) --> Workstation (10.1.10.103)
              |                                        |    |
              -> SonicWall (10.196.54.128/26) ---------|    |--->  Server (10.196.54.132)

      Somehow the workstation needs to be able to see the server.

      commgdog

        I have found the solution to my problem.

        I added a virtual IP alias within pfSense with an IP address that matches my gateway in the SonicWALL (with /26 mask bit).

        I then added the proper firewall rules on the pfSense and SonicWALL box.

        Finally, I added proper outbound NAT rules on pfSense.

        NAT Rule 1: Source - 10.1.1.0/24, NAT Address - WAN
        NAT Rule 2: Source - 10.196.54.128/26, NAT Address - 10.196.54.129 (Virtual IP Alias)

        Rebooted both devices for good measure, and it worked!

        What's funny is that I did this exact thing initially, but for some reason it did not work (maybe I wasn't patient enough?). Tried it again 8 hours later and it worked. Networking can be interesting sometimes.  :)

        commgdog

          I think I got ahead of myself with this one.

          Although my solution (somewhat) works, since I set the Virtual IP to the same IP as the SonicWALL gateway, I get a collision of some kind with the IPs which causes all sorts of networking issues. I changed the Virtual IP to one up in the range (10.196.54.130), which is an unused IP, but now my pfSense network (10.1.10.0/24) can't see my SonicWALL network (10.196.54.128/26), whereas it worked fine with the gateway IP.

          When I browse to the Virtual IP of 10.196.54.130 from my pfSense network, I get the login page for pfSense.

          I'm somewhat lost on a solution to this one.

          Derelict (LAYER 8 Netgate)

            Both networks leave their respective firewalls and head out to a switch on a VLAN (Both in the same VLAN) and eventually end up at workstations.

            Unsound network design leads to unsound results.  Having two IP networks on one network segment usually leads to sadness and despair.

            This is simply going to be a problematic routing situation because of the two gateways.  The solution I would suggest is to take an interface on each router and connect the two routers in a point-to-point fashion.  You can then set one default gateway on each network segment and tell the two routers to route the LANs between them, firewalling only specific traffic if you need to.  Do you have another interface in each router?  You could use a third VLAN (You should have two already) if you don't (and the SonicWALL does that - it's been a while for me).

            This is assuming you really can't put everything behind pfSense and ditch the SonicWALL or vice versa and a VPN really isn't an option.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            commgdog

              @Derelict:

              Both networks leave their respective firewalls and head out to a switch on a VLAN (Both in the same VLAN) and eventually end up at workstations.

              Unsound network design leads to unsound results.  Having two IP networks on one network segment usually leads to sadness and despair.

              This is simply going to be a problematic routing situation because of the two gateways.  The solution I would suggest is to take an interface on each router and connect the two routers in a point-to-point fashion.  You can then set one default gateway on each network segment and tell the two routers to route the LANs between them, firewalling only specific traffic if you need to.  Do you have another interface in each router?  You could use a third VLAN (You should have two already) if you don't (and the SonicWALL does that - it's been a while for me).

              This is assuming you really can't put everything behind pfSense and ditch the SonicWALL or vice versa and a VPN really isn't an option.

              I took your advice to separate them out in vlans and use an interface on each machine to link them, but it has caused a new issue.

              Network 1 - pfSense 10.0.10.0/24

              Network 2 - SonicWALL 10.196.54.128/26

              On the pfSense side, I have added an interface with a static IP of 10.196.54.130 (unused IP on the network). I made a new gateway on the pfSense box attached to that interface with a gateway IP of 10.196.54.129 (The same gateway as the SonicWALL network).

              On the SonicWALL side, I have added an interface with a static IP of 10.1.10.2 (unused IP on the network). I made a new gateway on the SonicWALL box attached to that interface with a gateway IP of 10.1.10.1 (The same gateway as the pfSense Network).

              I then added firewall rules to allow all traffic between each.

              At this point it works, somewhat. From the 10.1.10.0/24 network, I can ping machines on the 10.196.54.158 network, I can browse Windows shares on that network, etc. All seems to work.

              On the other side (the 10.196.54.128/26 network) I can ping machines on the 10.1.10.0.24 network, but I cannot browse Windows shares. I was able to add a network printer on the machine with an IP of 10.196.54.158 (Printer IP: 10.1.10.201), but it will not print.

              My thoughts were the firewall rules, but I have it set to allow all from all on both sides.

              Any thoughts as to why I am able to ping, but I cannot do anything else?

              Firewall logs on pfSense seem to show that traffic is being blocked; my guess is that it has to do with asymmetric routing? I enabled the option to bypass firewall rules for traffic on the same interface, but it doesn't seem to work.

              Derelict (LAYER 8 Netgate)

                The link between the two should be a new subnet on a new interface/vlan interface, not something out of one of the existing ones.

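An added illustration (not code from the thread or from Netgate) of why the cross-attached design in the fifth post breaks stateful filtering while a dedicated transit link does not: a tiny longest-prefix-match forwarding model traces the path in each direction and checks whether pfSense sees both halves of a conversation. The node names, the 10.255.0.0/30 transit subnet and the hosts' default routes are assumptions; the LAN prefixes and router addresses are the thread's own.

```python
import ipaddress

# Constructed model of the thread's two designs (added example, not forum code).
# A node is {"addrs": {ip, ...}, "routes": [(prefix, next_hop)]}; next_hop None
# means the prefix is directly connected.  Forwarding is longest-prefix match.

def lookup(routes, dst):
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes
            if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def owner(nodes, ip):
    return next(name for name, n in nodes.items() if ip in n["addrs"])

def trace(nodes, src, dst):
    """Node names a packet from node `src` to address `dst` passes through."""
    path, cur, target = [src], src, owner(nodes, dst)
    while cur != target:
        nh = lookup(nodes[cur]["routes"], dst)
        cur = target if nh is None else owner(nodes, nh)
        path.append(cur)
    return path

def symmetric_through(nodes, fw, a, b):
    """True if firewall `fw` sits on both the a->b path and the b->a path."""
    fwd = trace(nodes, owner(nodes, a), b)
    rev = trace(nodes, owner(nodes, b), a)
    return fw in fwd and fw in rev

WS, SRV = "10.1.10.103", "10.196.54.132"
HOSTS = {  # each host uses its own router as default gateway (assumed)
    "workstation": {"addrs": {WS}, "routes": [("10.1.10.0/24", None), ("0.0.0.0/0", "10.1.10.1")]},
    "server": {"addrs": {SRV}, "routes": [("10.196.54.128/26", None), ("0.0.0.0/0", "10.196.54.129")]},
}
# Fifth post: each router gets an address inside the other router's LAN.
CROSS_ATTACHED = dict(HOSTS,
    pfsense={"addrs": {"10.1.10.1", "10.196.54.130"},
             "routes": [("10.1.10.0/24", None), ("10.196.54.128/26", None)]},
    sonicwall={"addrs": {"10.196.54.129", "10.1.10.2"},
               "routes": [("10.196.54.128/26", None), ("10.1.10.0/24", None)]})
# Derelict's advice: a dedicated transit subnet (10.255.0.0/30 is an assumed value).
TRANSIT = dict(HOSTS,
    pfsense={"addrs": {"10.1.10.1", "10.255.0.1"},
             "routes": [("10.1.10.0/24", None), ("10.255.0.0/30", None),
                        ("10.196.54.128/26", "10.255.0.2")]},
    sonicwall={"addrs": {"10.196.54.129", "10.255.0.2"},
               "routes": [("10.196.54.128/26", None), ("10.255.0.0/30", None),
                          ("10.1.10.0/24", "10.255.0.1")]})

if __name__ == "__main__":
    for label, net in (("cross-attached", CROSS_ATTACHED), ("transit link", TRANSIT)):
        print(label, trace(net, "workstation", SRV), trace(net, "server", WS),
              "pfSense sees both directions:", symmetric_through(net, "pfsense", WS, SRV))
```

In the cross-attached layout the server's replies return via the SonicWALL straight onto the workstation VLAN, so pfSense never sees the SYN-ACK and its default-deny state table blocks TCP while stateless-looking ICMP still gets through; with the transit link every packet crosses both routers in both directions.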

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.