Routing between LAN on different subnets



  • Hello Gurus,

    We have internal webservers that must be only accessible from the Internet using port-forwarding on pfSense1 via INTERNET A. As you can see on the image above, all computers in BUILDING-B that are behind the 172.16.0.0/16 network can ping and connect to BUILDING-A computers with the gateway pointing to 192.168.251.1/24 (pfSense0), but cannot connect to our INTERNAL WEBSERVERS, which have gateway 192.168.250.1/24 (pfSense1). What I want is that "BLDGB-WORKSTATION-1" (172.16.1.1/16) can traverse and connect to our Internal Servers without changing its configuration and without utilizing the port-forwarding feature on pfSense1. Is it possible? Can you please provide information on how to do this?



  • I'm not sure I really understand what you mean with the various gateways and networks. I'll need to read it again more than 3 times because so far, this is still unclear.

    One point that may help: in order for devices to reach networks that are not behind their default gateway, you need to tell them where to go, i.e. what the gateway is that will allow them to reach this network.

    e.g., if you want to reach 192.168.250.20 from 172.16.1.2, you have to tell 192.168.250.20 that the gateway for this network is 192.168.251.1.
    Well… this would have worked if this gateway was within the right subnet. Such a 192.168.251.0/24 IP here is quite surprising. Is it on purpose, a typo or a real mistake?

    Either .250 or not /24  ::)

    Hummm, I don't understand how this network works  :-[



  • It's correct, you misread it, it's 192.168.251.10/24 on the image. :) Thank you for your reply… I guess I have to use the port-forwarding feature on pfSense1 from pfSense0 via WAN to connect to the internal webserver.



  • Oh, reading it again and again, I realize now that you indeed mixed (for some reason still not clear to me) 192.168.250.0/24 and 192.168.251.0/24 on the same physical network and switch.

    I still don't understand where this port forwarding would occur, but you have to deal with routes so that your server knows where to go (192.168.251.1) in order to reach 172.16.0.0/16 (BTW, what a huge number of devices  :o)

    This can be done either by adding a route on each server you want to reach from 172.16.0.0/16, or by adding a route at 192.168.250.1 so that the flow is redirected to 192.168.251.1.



  • Yeah, big indeed. I have to deal with it since I am the new guy on an old network that uses a /16, which will be corrected soon, and running DHCP will be my target for easy management. Well, to answer your question, computers in Building A were used to be connected to the 192.168.250.1 GW, but when the new INTERNET-B came in, they wanted Building A computers to use INTERNET-B to lighten the Internet bandwidth usage for the INTERNAL WEBSERVERS. That's why I have a mixed network on the same physical network, since they installed a CAT6 backbone from BUILDING A to BUILDING B. To cut the story short, I have successfully done what I wanted. I just added a new gateway (192.168.250.1) on pfSense0 on the interface facing pfSense1 and statically added an outbound NAT rule mapping, using the new gateway I defined, to each INTERNAL WEBSERVER's IP address. And it works like a charm.
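To make the two fixes discussed in this thread concrete (the static route "172.16.0.0/16 via 192.168.251.1" suggested above, and the outbound NAT on pfSense0 that the original poster ended up using), here is a small routing-table simulator that traces a request from BLDGB-WORKSTATION-1 to the web server and then the server's reply. It is an added example, not code or configuration from the thread or from pfSense, and it fills in values the thread does not give: pfSense0 is assumed to be 172.16.0.1 towards building B and to own 192.168.250.254 on the shared segment (the address its outbound NAT rewrites to), and the two ISP next hops are documentation-range placeholders. The web server is 192.168.250.20 as in the example above.

```python
import ipaddress
from dataclasses import dataclass, field

Net, Addr = ipaddress.ip_network, ipaddress.ip_address


@dataclass
class Node:
    """A host or router: the addresses it owns, its routing table and an optional source-NAT policy."""
    name: str
    addrs: list                                   # addresses owned by this node, as strings
    routes: list = field(default_factory=list)    # (prefix, next_hop); next_hop None = directly connected
    nat: dict = field(default_factory=dict)       # destination prefix -> source address to rewrite to
    is_internet: bool = False                     # an ISP hop: it never routes RFC 1918 destinations

    def lookup(self, dst):
        """Longest-prefix match over the table; None when no route covers dst."""
        best = None
        for prefix, next_hop in self.routes:
            net = Net(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best


def owner(nodes, addr):
    """Which node answers for this address on the (shared) segment, or None."""
    return next((n for n in nodes if str(addr) in n.addrs), None)


def trace(nodes, src, dst, start, max_hops=6):
    """Forward one packet hop by hop. Returns (path, outcome, source address as seen by the last hop)."""
    src, dst = Addr(src), Addr(dst)
    node, path = start, [start.name]
    for _ in range(max_hops):
        if node.is_internet:
            return path, "dropped: ISP does not route RFC 1918 space", src
        if str(dst) in node.addrs:
            return path, "delivered", src
        route = node.lookup(dst)
        if route is None:
            return path, "dropped: no route", src
        _, next_hop = route
        for nat_prefix, new_src in node.nat.items():   # outbound NAT applies on egress
            if dst in Net(nat_prefix):
                src = Addr(new_src)
        # No adjacency check here: a next hop is found by address alone (the "onlink" case),
        # which is what lets a 192.168.250.x host use 192.168.251.1 on the shared switch.
        node = owner(nodes, dst if next_hop is None else Addr(next_hop))
        if node is None:
            return path, "dropped: next hop not on the segment", src
        path.append(node.name)
    return path, "dropped: hop limit exceeded", src


def build(server_route=False, nat=False):
    """Topology from the thread. Assumed, not stated there: pfSense0 is 172.16.0.1 towards building B
    and owns 192.168.250.254 on the shared segment; ISP next hops are documentation-range placeholders."""
    pf0 = Node("pfSense0", ["192.168.251.1", "172.16.0.1", "192.168.250.254"],
               [("172.16.0.0/16", None), ("192.168.251.0/24", None),
                ("192.168.250.0/24", None), ("0.0.0.0/0", "198.51.100.1")],
               {"192.168.250.0/24": "192.168.250.254"} if nat else {})
    pf1 = Node("pfSense1", ["192.168.250.1"],
               [("192.168.250.0/24", None), ("0.0.0.0/0", "203.0.113.1")])
    web = Node("INTERNAL-WEBSERVER", ["192.168.250.20"],
               [("192.168.250.0/24", None), ("0.0.0.0/0", "192.168.250.1")]
               + ([("172.16.0.0/16", "192.168.251.1")] if server_route else []))
    ws = Node("BLDGB-WORKSTATION-1", ["172.16.1.1"],
              [("172.16.0.0/16", None), ("0.0.0.0/0", "172.16.0.1")])
    return [ws, pf0, pf1, web,
            Node("INTERNET-A", ["203.0.113.1"], is_internet=True),
            Node("INTERNET-B", ["198.51.100.1"], is_internet=True)]


def round_trip(server_route=False, nat=False):
    """Workstation -> web server, then the server's reply to whatever source address it saw."""
    nodes = build(server_route, nat)
    ws, web = nodes[0], nodes[3]
    fwd_path, fwd, seen = trace(nodes, "172.16.1.1", "192.168.250.20", ws)
    rev_path, rev, _ = trace(nodes, "192.168.250.20", str(seen), web)
    return {"request": fwd, "request_path": fwd_path, "server_sees": str(seen),
            "reply": rev, "reply_path": rev_path}


if __name__ == "__main__":
    for label, kw in [("as posted", {}), ("route on server", {"server_route": True}),
                      ("outbound NAT on pfSense0", {"nat": True})]:
        r = round_trip(**kw)
        print(f"{label:26s} request {r['request']:10s} reply {r['reply']} via {' -> '.join(r['reply_path'])}")
```

Run as posted, the request is delivered but the reply leaves via pfSense1's default route and dies at the ISP, which is why building B could reach the 192.168.251.x clients but not the web servers: the servers simply had no return path. A static route on the server sends the reply back through pfSense0; outbound NAT on pfSense0 instead makes the server see a 192.168.250.x source, so its reply is directly connected and never needs a route, at the cost of hiding the real client address from the web server's logs (pfSense0 then holds the NAT state and returns the reply to the workstation, which is outside what this model traces).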


  • LAYER 8 Global Moderator

    Your 2950 is only layer 2; it will not do L3 that I am aware of.

    So do you have 250 and 251/24 running on the same layer 2, or do you have this set up with VLANs, using pfSense to route these?

    Why don't you just connect your buildings with a transit network between your pfSenses? Then you could just use policy-based routing for any client in building A to use the Internet in B, or you could have B use Internet A if you wanted, etc.

    Since you show a client on that 251 segment, this is clearly not a transit network.

    If you connected your buildings correctly, simple routing/firewall rules would allow whatever you want to use whatever WAN connection in either location. You could have multiple networks in each location, etc.

    Done correctly, you would never have to change a client's gateway; done correctly, you could even leverage the WAN in each location for load balancing, nor would you have to do any NATting between your RFC 1918 address space, etc. etc.


