Set static route but cant port forward



  • hi all,

    i have set up a static route to another subnet on another network but when i port forward HTTP traffic to my apache website i cant view it on the web browser, i can ping it using pfsense ping command so im guessing if i can do that i have set both static routes up correctly, ie for my pfsense machine and vlan switch which is where my apache server is on

    many thanks

    rob



  • Does your firewall allow that traffic to pass between subnets?



  • Yes i have created a LAN rule to allow any traffic to talk to eachother



  • Can you post screen shots of the firewall rules and static route configs?



  • here you go

    my pfsense firewall lan ip is 10.10.20.254

    staticroutes.zip



  • may the reason be that this is my second firewall (it has got another WAN address) and that all my other computers/devices have got there respective vlan ip gateways (on the switch) and those gateways all route to my main firewall via a static route and visa versa from my main firewall to the switch

    my static route works btw as i did a test, i disabled the static route on my pc (which is not on the LAN of my pfsense using one of the vlan gateway ip addresses) and i lost connection, the only way i could enable it was to go on a pc on the LAN of the pfsense and re-enable it again


  • Rebel Alliance Global Moderator

    What??  Sounds like you have a mess and asymmetric routing

    "all my other computers/devices have got there respective vlan ip gateways (on the switch) and those gateways all route to my main firewall via a static route and visa versa from my main firewall to the switch"

    So your switch is doing layer 3 routing as well?

    If you have clients that use firewall 1 as their gateway, and you forward in traffic on firewall 2.. PC would send answer to firewall 1.

    A drawing of your network would be most helpful!



  • heres a pic of what i mean

    basically my pc can go on the webpage of pfsense so the static route is working (as the two are on different ranges, when i disable the static route i lose connection to the pfsense fw)

    but when i create an apache server on my pc and port forward to it and from a public pc i test it out but it doesnt work

    but if i change my pc vlan ip to the 10 range ie local range of the pfsense fw it works

    also do you think because on my vlan sw i have just created one static route to my tmg fw, do you think this is why its not working



  • Rebel Alliance Global Moderator

    Dude what part did not understand about asymmetric routing??

    So I am from 1.2.3.4 on the public internet.. And I want hit your web page on your pc.  I hit your public IP on pfsense.. Pfsense forwards it - red arrow… Now machine says oh I have to send answer to 1.2.3.4  where does it go?  Green Arrow towards you default 0.0.0.0 route of 172.16.24.254

    That is going to be Syn,ack not syn... Quite possible your firewall wouldn't even allow that?  And even if does -- now I would be natted to that firewalls public IP and 1.2.3.4 would say what the F why am I getting back syn,ack from 5.6.7.8 when I sent it to 9.10.11.12




  • So how can i resolve this,  shall i add a new static route to the vlan switch

    If i do add another static route to the vlan switch how can i make sure its not the default one as i want to us tmg static route as the main one


  • Rebel Alliance Global Moderator

    How do you solve it? You forward traffic into your network from the device the traffic uses as its outbound..

    Why do you need 2 firewalls like that?  Why not just 1 firewall with 2 wan connections?  If you going to try and fix it for routing then you need to know the source of the traffic 1.2.3.4 in my case and setup a route on your switch that says hey if going to 1.2.3.4 use 2nd firewall.

    But this is a problem for if you actually want to use firewall wan to go to 1.2.3.4 on your own something connection for something else not forwarded.

    I am curious why you even have a downstream L3 switch?  Why not just have all the segments connected to your firewall so that you can firewall between your segments?  Do you pump alot of data between segments and firewalling is not an issue.  Why would you not have setup a transit network?

    So you end up something like this




  • Basically tmg sw is our main firewall for email flow and internet flow and our pfsense firewall is only to use as a back door if our main firewall fails so we can still get in our network

    I understand i could create virtual ips with other wan addresses for pfsense firewall

    We have a downstream l3 switch as it can do routing for all the vlans so they can talk to eachother without it needing to touch or create rules on our tmg fw

    Could i create a new vlan on the switch and make it have a ip gateway for that vlan to talk to the other vlans and then for that vlan create a static route so all the traffic on that range goes to my pfsense firwall,  will that work?


  • Rebel Alliance Global Moderator

    I am all for failure backup.. So setup a HA pair for your firewall and connect your main connection and your failover connection to it.. If you primary circuit goes down then you could leverage your backup line for email and such.  And can be used to access your network if need be, etc.

    What your trying to do is not anywhere close to standards or best practice - for very good reasons!!!  You can not just throw up a second connection into your network and expect stuff to work when they all point to a different gateway.

    if all you want is to use this connection as out of band sort of access into your network.  Then setup a route on your L3 switch that says traffic comes from this source IP or network then send to firewall 2.  So where do you access this out of band access from?  Another office, your home, etc.  You need to put up routes to all the places you would ever use this 2nd address..

    This is really a pretty bad way to accomplish the goal.  If you goal is failover for connection and hardware failure of your firewall.  Then setup firewalls in a HA pair (carp) and add whatever wan connections you have into your clustered firewalls.

    example here is some basics on how to setup hardware failover with pfsense
    https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)



  • I have created the pfsense firewall as i have created an openvpn server BUT the openvpn server can only access my lan subnet and not all the other ranges on my switch even tho i have created static routes on my pfsense fw and added the other ranges on my openvpn server

    I think i need to look at the hp switch procurve documwntation to look at if traffic comes from nwtwork source a make it go out the same source not the default static route


  • Netgate

    I do this too. Have a remote site with fiber (Cisco router) and an ADSL into a pfSense for out-of-band access.  For a couple hosts there we place static routes to all RFC1918 addresses back to pfSense (instead of the default gateway) so we can ssh directly to them over OpenVPN.

    So if the fiber goes down we can ssh into something on the subnet and work FROM THERE.

    IP routing just doesn't work like you want it to without an active routing protocol like OSPF on ALL INTERFACES on the subnet.  And even that won't solve your asymmetric routing problem unless you use OSPF to swing the DEFAULT ROUTE from tmg to pfSense for the entire subnet - or at least the destination host in question.

    You might also be able to do something with outbound NAT so, to other hosts on the subnet, connections would appear to come from the pfSense interface on the subnet making routing the return traffic out-of-scope.

    Usually in an outage I'm just happy to be able to get in at all.  Even if I have to chain a couple ssh sessions.



  • So create a host (linux or windows machine)  on the same lan as the pfsense fw and give the host the pfsense gateway or the gateway of the vlan switch?


  • Netgate

    To accomplish what?



  • You said "for a couple of hosts"  and i thought you meant you put couple of pcs on the same subnet as pfsense

    What did you mean by hosts then


  • Netgate

    Tell your switch to route traffic from 172.16.8.100 to pfSense instead of the default gateway and it will work.

    Put a host on the 10.10.20.0 subnet with pfSense as its default gateway and it will work.

    But you will then have other issues like traffic from the subject host to other local assets.



  • Thanks all for everyones replies really appreciate it thank you

    Rob



  • As i have enabled openvpn server on my pfsense fw and i can remotley vpn in to it i can access the remote lan but obviously not the other networks as the static routes dont work

    I was wondering if i build a host on the same nwtwork ie a linux machine and make that machine use pfsense as the gateway and on the linux machine add static routes to the other network

    If i install openvpn server on that linux machine will it manage to access the other networks aswell or just its lan network


  • Netgate

    I can't tell squat from "same network" (same network as what) or "that linux machine."

    IP addresses, subnets, and routes.  That's all that we need to try to help you.  Specifics.

    What, exactly, are you trying to accomplish?

    OpenVPN is extremely flexible - especially with assigned interfaces, but it's still subject to IP routing rules.


  • Netgate

    Using this I can RDP/SSH etc into 172.26.45.100 from 192.168.223.100 and look at the entire network from behind the router if the Metro-E fails.




  • Same network i mean same network as the pfsense fw,  its local network

    And then on the linux machine i install openvpn server and it will be able to talk to the other networks,  as i will add the static routes to the other networks on the linux machine