Welcome, Guest. Please login or register.
Did you miss your activation email?
+  pfSense Forum
|-+  pfSense English Support» CARP/VIPs» cant split my 8 IP subnet between WAN and DMZ, routing problem
Username:
Password:
 
Home Help Search Login Register
 

Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: cant split my 8 IP subnet between WAN and DMZ, routing problem  (Read 3457 times)
0 Members and 1 Guest are viewing this topic.
dzezik
Newbie
*
Offline Offline

Posts: 2


View Profile
« on: March 24, 2008, 09:44:41 am »
my ISP gives me 8 IP subnet
lets x.y.z.192/29
i used hardware firewall before and now plan to switch to pfsense
i am testing configuration on vmWare
here is my configuration
x.y.z.192 is my net
x.y.z.193 is my dsl modem and my gateway
x.y.z.194 will be main pfsense IP (WAN)
i would like to have 195,196,197,198 IPs on DMZ
it should be easy with bridging, but this configuration lacks traffic shapping
so i decided  to use proxy ARP too split my 8ip network into two segments:
here is how i am doing this (it worked fine on my old hardware router firewall)
1. interfaces
    WAN: IP:x.y.z.194/32 gateway:x.y.z.193
    DMZ: IP x.y.z.194/29
2. Virtual IPs (proxy ARP):
    WAN: x.y.z.193/32
    DMZ: x.y.z.192/29
3. routing (most important)
   i need this routes to work
   x.y.z.193/32 WAN
   x.y.z.194/32 WAN
   x.y.z.192/29 DMZ
   0.0.0.0/0 x.y.z.193 WAN

routing is problem on pfSense because U do not control it yourself, pfsense generate routes behind
so I can add static routes but it needs IP gateway, and this is not the route type i need
pfSense generates routes like this:
x.y.z.193/32 DMZ - it is wrong it should be WAN
x.y.z.194/32 lo - it means only loopback - wrong route - should be WAN
x.y.z.192/29 DMZ O.K.
default gateway DMZ - i can not understand why but pfsense makes default route on DMZ, it should on WAN

there is information on system log:
kernel: arpresolve: can't allocate route for x.y.z.194
kernel: arplookup x.y.z.194 failed: host is not on local network


maybe i should change this routes directly in os
but i am afraid it can be altered by pfsense later without any information

and I am a little confused with BSD configuration

it would be nice to let change routes with webGui

Grzegorz Zal
Logged
hoba
Administrator
Hero Member
*****
Offline Offline

Posts: 5844


What was the problem to this solution again?


View Profile WWW
« Reply #1 on: March 24, 2008, 12:02:48 pm »
You can't have this kind of config as it has too many conflicts.  What you want to do instead is have the complete subnet at wan and create Virtual IPs for all the additional IPs. Then use portforwards or 1:1 NAT to map the additional IPs tot he DMZ machines. DMZ will have a provate IP subnetrange.
Logged
dzezik
Newbie
*
Offline Offline

Posts: 2


View Profile
« Reply #2 on: March 24, 2008, 05:47:30 pm »
thanks for advice, I will try this, but this is not as elegenat, i want my 4 hosts on DMZ to have public adresses configured. i treat NAT 1:1 as more complicated than my desired configuration.
My configuration is more elegant and simpler but unfortunatelly pfSense has problems with advanced routing (there is no routing option at all), it is rather advanced firewall and very simple router.
I wonder (will testing) if DMZ and WAN can use the same addreses and be NATed 1:1
i mean x.y.z 195 on DMZ nated to virtual IP x.yz.195 on WAN
this will be very sophisticated and complicated but it will look like my desired configuration for hosts in DMZ.

pfSense lack routing. You have no control on routing in pfSense but You can change routing in shell.
I tried to do my routing. IT support it, You can make any of routes I described using route command, even can control proxy ARP.
but one i cannot override:

this freeBSD do not accept default route gateway x.y.z.193 on WAN (le0)
when I insert route giving -interface le0 it shows "route: bad address: le0"
when I ommit interface i got strange route
0&0xc0a800002 link#3 UCS 0 0 le2
this route is wrong because use wrong interface and is difficult to alter or delete
but when I leave original default an only make change to it
route -d change 0.0.0.0. interface le0
i get
default            00:0c:29:8a:d1:f9  UGS         0        4    le0 (this is good, my gateway is on le0)
and it worked fine for few minutes (this is mac for le0 WAN interface) and then it hangs and i did not get the same result after restart
even using the same command

it looks like my configuration Is perfectly coorect buy freeBSD do not gives You full control on routing

the main problem is that my gateway is on WAN but its addres is covered by DMZ subnet
so setting this gateway as default implicit make default route on DMZ
using explicit WAN interface is not accepted by freeBSD
i think it is kind of BUG
i public this gateway using proxy ARP on WAN, so it should accept it !!!

but when i force freeBSD for correct route table i wonder what will the firewall do

Im not good in network configurationin BSD/linux
but maybe should make sophisticaed /etc/rc.conf to make  routes permanent
and avoid changes made by pfsense

and wait for 1.3 release
maybe they will fix problem with traffic shaper in bridge mode (does not work in 1.2)
so then i will just bridge WAN and DMZ
it is simplest way to get my configuration
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

 

Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Page created in 0.025 seconds with 19 queries.