Netgate Discussion Forum
    Set static route but cant port forward

Category: Routing and Multi WAN (24 posts, 4 posters, 4.1k views)
robina80:

      hi all,

I have set up a static route to another subnet on another network, but when I port forward HTTP traffic to my Apache website I can't view it in the web browser. I can ping it using the pfSense ping command, so I'm guessing that if I can do that I have set both static routes up correctly, i.e. for my pfSense machine and for the VLAN switch, which is where my Apache server is.

Many thanks,

Rob

tim.mcmanus:

        Does your firewall allow that traffic to pass between subnets?

robina80:

Yes, I have created a LAN rule to allow any traffic to talk to each other.

tim.mcmanus:

            Can you post screen shots of the firewall rules and static route configs?

robina80:

Here you go.

My pfSense firewall LAN IP is 10.10.20.254.

[attachment: staticroutes.zip]

robina80:

May the reason be that this is my second firewall (it has got another WAN address) and that all my other computers/devices have their respective VLAN IP gateways (on the switch), and those gateways all route to my main firewall via a static route, and vice versa from my main firewall to the switch?

My static route works, by the way, as I did a test: I disabled the static route on my PC (which is not on the LAN of my pfSense, using one of the VLAN gateway IP addresses) and I lost connection; the only way I could enable it was to go on a PC on the LAN of the pfSense and re-enable it again.

johnpoz (LAYER 8 Global Moderator):

                  What??  Sounds like you have a mess and asymmetric routing

                  "all my other computers/devices have got there respective vlan ip gateways (on the switch) and those gateways all route to my main firewall via a static route and visa versa from my main firewall to the switch"

                  So your switch is doing layer 3 routing as well?

                  If you have clients that use firewall 1 as their gateway, and you forward in traffic on firewall 2.. PC would send answer to firewall 1.

                  A drawing of your network would be most helpful!

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

robina80:

Here's a pic of what I mean.

Basically my PC can get to the web page of pfSense, so the static route is working (as the two are on different ranges; when I disable the static route I lose connection to the pfSense FW).

But when I create an Apache server on my PC, port forward to it and test it out from a public PC, it doesn't work.

But if I change my PC's VLAN IP to the 10 range, i.e. the local range of the pfSense FW, it works.

Also, do you think it's because on my VLAN switch I have just created one static route to my TMG FW? Do you think this is why it's not working?

[attachment: routes.png]

johnpoz (LAYER 8 Global Moderator):

Dude, what part did you not understand about asymmetric routing??

So I am from 1.2.3.4 on the public internet.. And I want to hit your web page on your PC. I hit your public IP on pfSense.. pfSense forwards it - red arrow… Now the machine says oh, I have to send the answer to 1.2.3.4; where does it go? Green arrow, towards your default 0.0.0.0 route of 172.16.24.254.

That is going to be a SYN,ACK, not a SYN... Quite possible your firewall wouldn't even allow that? And even if it does -- now I would be NATed to that firewall's public IP, and 1.2.3.4 would say what the F, why am I getting back a SYN,ACK from 5.6.7.8 when I sent it to 9.10.11.12?

[attachment: asymroute.png]


robina80:

So how can I resolve this? Shall I add a new static route to the VLAN switch?

If I do add another static route to the VLAN switch, how can I make sure it's not the default one, as I want to use the TMG static route as the main one?

johnpoz (LAYER 8 Global Moderator):

                          How do you solve it? You forward traffic into your network from the device the traffic uses as its outbound..

Why do you need 2 firewalls like that? Why not just 1 firewall with 2 WAN connections? If you're going to try and fix it for routing, then you need to know the source of the traffic, 1.2.3.4 in my case, and set up a route on your switch that says hey, if going to 1.2.3.4, use the 2nd firewall.

But this is a problem if you actually want to use that firewall's WAN to go to 1.2.3.4 on your own connection for something else that is not forwarded.

I am curious why you even have a downstream L3 switch? Why not just have all the segments connected to your firewall so that you can firewall between your segments? Do you pump a lot of data between segments and firewalling is not an issue? Why would you not have set up a transit network?

So you end up with something like this:

[attachment: dualwandownstreaml3.png]


robina80:

Basically the TMG SW is our main firewall for email flow and internet flow, and our pfSense firewall is only to be used as a back door if our main firewall fails, so we can still get into our network.

I understand I could create virtual IPs with other WAN addresses for the pfSense firewall.

We have a downstream L3 switch as it can do routing for all the VLANs so they can talk to each other without it needing to touch or create rules on our TMG FW.

Could I create a new VLAN on the switch and make it have an IP gateway for that VLAN to talk to the other VLANs, and then for that VLAN create a static route so all the traffic on that range goes to my pfSense firewall? Will that work?

johnpoz (LAYER 8 Global Moderator):

I am all for failure backup.. So set up an HA pair for your firewall and connect your main connection and your failover connection to it.. If your primary circuit goes down then you could leverage your backup line for email and such. And it can be used to access your network if need be, etc.

What you're trying to do is not anywhere close to standards or best practice - for very good reasons!!! You can not just throw up a second connection into your network and expect stuff to work when they all point to a different gateway.

If all you want is to use this connection as out-of-band sort of access into your network, then set up a route on your L3 switch that says if traffic comes from this source IP or network, then send it to firewall 2. So where do you access this out-of-band access from? Another office, your home, etc. You need to put up routes to all the places you would ever use this 2nd address..

This is really a pretty bad way to accomplish the goal. If your goal is failover for connection and hardware failure of your firewall, then set up firewalls in an HA pair (CARP) and add whatever WAN connections you have into your clustered firewalls.

Example: here are some basics on how to set up hardware failover with pfSense:
                              https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29


robina80:

I have created the pfSense firewall as I have created an OpenVPN server, BUT the OpenVPN server can only access my LAN subnet and not all the other ranges on my switch, even though I have created static routes on my pfSense FW and added the other ranges on my OpenVPN server.

I think I need to look at the HP ProCurve switch documentation to see if, when traffic comes from network source A, I can make it go out the same source and not the default static route.

Derelict (LAYER 8 Netgate):

                                  I do this too. Have a remote site with fiber (Cisco router) and an ADSL into a pfSense for out-of-band access.  For a couple hosts there we place static routes to all RFC1918 addresses back to pfSense (instead of the default gateway) so we can ssh directly to them over OpenVPN.

                                  So if the fiber goes down we can ssh into something on the subnet and work FROM THERE.

                                  IP routing just doesn't work like you want it to without an active routing protocol like OSPF on ALL INTERFACES on the subnet.  And even that won't solve your asymmetric routing problem unless you use OSPF to swing the DEFAULT ROUTE from tmg to pfSense for the entire subnet - or at least the destination host in question.

                                  You might also be able to do something with outbound NAT so, to other hosts on the subnet, connections would appear to come from the pfSense interface on the subnet making routing the return traffic out-of-scope.

                                  Usually in an outage I'm just happy to be able to get in at all.  Even if I have to chain a couple ssh sessions.

                                  Chattanooga, Tennessee, USA
                                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

robina80:

So create a host (Linux or Windows machine) on the same LAN as the pfSense FW, and give the host the pfSense gateway or the gateway of the VLAN switch?

Derelict (LAYER 8 Netgate):

                                      To accomplish what?


robina80:

You said "for a couple of hosts" and I thought you meant you put a couple of PCs on the same subnet as pfSense.

What did you mean by hosts then?

Derelict (LAYER 8 Netgate):

                                          Tell your switch to route traffic from 172.16.8.100 to pfSense instead of the default gateway and it will work.

                                          Put a host on the 10.10.20.0 subnet with pfSense as its default gateway and it will work.

                                          But you will then have other issues like traffic from the subject host to other local assets.


robina80:
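Added example (not code from the thread, from pfSense or from the switch): a small Python model of the packet paths johnpoz draws above and of the fixes Derelict gives, so the failure and each repair can be traced end to end. Addresses come from the thread where it gives them (pfSense LAN 10.10.20.254, web host 172.16.8.100, johnpoz's 1.2.3.4 client, 9.10.11.12 pfSense WAN and 5.6.7.8 TMG WAN). The switch's VLAN next-hop names, its 10.10.20.0/24 interface, the second-VLAN host 172.16.9.5 and the simplified NAT state table are assumptions made for the model.

```python
"""Toy packet-path simulator for the asymmetric-routing problem in this thread.

Constructed example, not pfSense or switch code. The L3 switch's default route
points at TMG (the main firewall), pfSense port-forwards HTTP to the web host,
and we trace where the host's SYN/ACK ends up under each proposed fix.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CLIENT, PFS_WAN, TMG_WAN = "1.2.3.4", "9.10.11.12", "5.6.7.8"   # from johnpoz's post
PFS_LAN, WEB = "10.10.20.254", "172.16.8.100"                    # from the thread
OTHER_VLAN_HOST = "172.16.9.5"                                   # assumed second-VLAN host


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str   # "SYN" or "SYN/ACK"


def lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop), ...]; None if no route."""
    best = None
    for prefix, next_hop in table:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def switch_table(fix):
    """Assumed L3 switch routing table. Its default route points at TMG, which is
    what makes the pfSense port forward asymmetric."""
    table = [("172.16.8.0/24", "vlan8"), ("172.16.9.0/24", "vlan9"),
             ("10.10.20.0/24", "pfsense"), ("0.0.0.0/0", "tmg")]
    if fix == "dst_route":              # johnpoz: route the known client via firewall 2
        table.append((CLIENT + "/32", "pfsense"))
    return table


def switch_next_hop(fix, pkt):
    """Derelict's policy route ("route traffic from 172.16.8.100 to pfSense")
    wins over the destination lookup when that fix is enabled."""
    if fix == "policy_route" and pkt.src == WEB:
        return "pfsense"
    return lookup(switch_table(fix), pkt.dst)


def inbound_http(fix=None):
    """Trace the client's SYN through the pfSense port forward and the host's
    SYN/ACK back out. Returns (source IP the client sees on the SYN/ACK, path).
    fix is None, "policy_route", "outbound_nat" or "dst_route"."""
    syn = Pkt(CLIENT, PFS_WAN, "SYN")
    # Port forward rewrites dst to the web host. With outbound NAT on the LAN
    # interface (Derelict's other option) src becomes pfSense's LAN address too,
    # so the host's reply can only ever be addressed back to pfSense.
    inside_src = PFS_LAN if fix == "outbound_nat" else CLIENT
    forwarded = Pkt(inside_src, WEB, "SYN")
    pf_state = {(WEB, inside_src): syn}      # reply pfSense expects -> original flow

    reply = Pkt(WEB, forwarded.src, "SYN/ACK")   # host answers whatever src it saw
    path = ["web", "switch"]
    hop = switch_next_hop(fix, reply)
    path.append(hop)
    if hop == "pfsense":
        original = pf_state.get((reply.src, reply.dst))
        if original is None:
            return None, path                # no state: pfSense drops it
        path.append("client")
        return original.dst, path            # un-NAT: SYN/ACK leaves from 9.10.11.12
    if hop == "tmg":
        # TMG never saw the SYN. At best it lets the SYN/ACK out NATed to its own
        # public IP; the client sent its SYN to 9.10.11.12 and discards the reply.
        path.append("client")
        return TMG_WAN, path
    return None, path


def client_accepts(fix=None):
    """True only if the SYN/ACK comes back from the IP the client connected to."""
    seen, _ = inbound_http(fix)
    return seen == PFS_WAN


def local_traffic_next_hop(fix=None):
    """Derelict's caveat: an unconditional policy route also drags the host's
    traffic to other local VLANs through pfSense instead of the switch."""
    return switch_next_hop(fix, Pkt(WEB, OTHER_VLAN_HOST, "SYN"))


if __name__ == "__main__":
    for fix in (None, "dst_route", "policy_route", "outbound_nat"):
        seen, path = inbound_http(fix)
        print(f"{str(fix):13} reply from {seen} via {' -> '.join(path)}; "
              f"local traffic next hop: {local_traffic_next_hop(fix)}")
```

Running it shows the thread's symptom (with no fix the SYN/ACK leaves via TMG from 5.6.7.8, so the browser never completes the handshake) and that all three repairs bring the reply back through pfSense. It also shows the trade-off Derelict mentions: the per-destination route only helps for the one client address it names, and a blanket source-based policy route sends the host's inter-VLAN traffic to pfSense as well, whereas outbound NAT on the pfSense LAN interface leaves the switch's routing untouched at the cost of the web server no longer seeing the real client IP in its logs.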

Thanks all for everyone's replies, really appreciate it, thank you.

                                            Rob

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.