pfSense routing between two routers with shared network

Posted by JohnCC on Server Fault
Published on 2012-09-06T08:16:17Z


I have a network set up using two pfSense routers arranged like this:-

DMZ1  WAN1          WAN2  DMZ2
 |     |             |     |
 |     |             |     |
 \___ PF1           PF2___/
       |             |
       |             |
       \___TRUSTED___/ 

Each pfSense router has its own separate WAN connection, and a separate DMZ network attached to it. They share a common TRUSTED LAN between them.

The machines on the trusted network have PF1 as their default gateway. PF1 has a static route defined to DMZ2 via PF2, and PF2 has a static route to DMZ1 via PF1. There is NAT to the WAN but internal networks (DMZ1/2 and TRUSTED) use different RFC1918 subnets.

I inherited this arrangement, and all used to work fine. I made a config change to PF1 (relating to multicast), and machines on DMZ2 suddenly could not talk to TRUSTED. I rolled the change back, but the problem persisted.

What I guess you'd hope would happen is that TCP packets would go DMZ2 -> PF2 -> TRUSTED and on return TRUSTED -> PF1 -> PF2 -> DMZ2. That's the only way I can see it would have worked. However, PF1 drops the returning packets. I've verified this using tcpdump.

I've worked around this by adding static routes to DMZ2 via PF2 to the servers on TRUSTED, but some devices on there do not support static routes so this is not ideal. Is there a way to make this arrangement work decently, or is the design inherently flawed?

Thanks!
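The symptom described above is the classic asymmetric-routing failure: PF2 sees the SYN from DMZ2 and builds state, but the reply reaches PF1, which has no state entry for that flow and drops it. The following is an added example, not code from the poster, that checks a tcpdump capture taken on PF1's TRUSTED interface for exactly that condition: TCP packets belonging to flows whose opening SYN never crossed this capture point. The addresses in the sample capture are placeholders, not the poster's subnets.

```python
import re
from collections import namedtuple

# Matches the usual tcpdump line shape for TCP; the constructed sample below uses it.
LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

Packet = namedtuple("Packet", "src sport dst dport flags")

def parse(line):
    """Parse one tcpdump line into a Packet, or None if it is not a TCP line."""
    m = LINE.match(line)
    if not m:
        return None
    return Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

def flow_key(p):
    # Direction-agnostic key so both halves of a connection map to the same flow.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def find_asymmetric(lines):
    """Return packets whose flow never showed a bare SYN at this capture point.
    A stateful firewall such as pf holds no state for such flows and drops them,
    which is what the poster observed on PF1."""
    seen_syn = set()
    orphans = []
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        key = flow_key(p)
        if p.flags == "S":          # bare SYN: this flow was opened through us
            seen_syn.add(key)
        elif key not in seen_syn:   # mid-stream packet with no opening SYN seen
            orphans.append(p)
    return orphans

# Constructed capture as it might look on PF1's TRUSTED interface (placeholder
# addresses: 10.0.1.0/24 stands in for TRUSTED, 10.0.2.0/24 for DMZ2).
SAMPLE = """\
09:40:00.000001 IP 10.0.1.30.44321 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
09:40:00.000500 IP 203.0.113.10.443 > 10.0.1.30.44321: Flags [S.], seq 2, ack 2, win 65535, length 0
09:40:00.000900 IP 10.0.1.30.44321 > 203.0.113.10.443: Flags [.], ack 3, win 502, length 0
09:40:01.123456 IP 10.0.1.20.80 > 10.0.2.5.51234: Flags [S.], seq 9, ack 8, win 65535, length 0
09:40:01.223456 IP 10.0.1.20.80 > 10.0.2.5.51234: Flags [P.], seq 9:100, ack 8, win 502, length 91
""".splitlines()

if __name__ == "__main__":
    for p in find_asymmetric(SAMPLE):
        print(f"no SYN seen for {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}]")
```

Run it against a real capture (`tcpdump -ni <trusted_if> tcp` on PF1, piped in line by line) and every reported packet is a flow that PF1 will drop for lack of state; a clean run means the return path is symmetric.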
