
In a lab environment I have 4 VLANs:

  • VLAN10 -> Management (192.168.10.0/24)
  • VLAN20 -> Service (192.168.20.0/24)
  • VLAN30 -> Administration (192.168.30.0/24)
  • VLAN50 -> Public (192.168.50.0/24)

Routing and firewalling between these networks is controlled by pfSense 2.1

Servers are set up with an eth0 (with default route) for Service and eth1 for Management, admin machines are set up with eth0 on Administration, and all other machines get an eth0 on Public.

The idea is to have Management restricted to services such as SSH, SaltStack, and monitoring, Service for whatever the machine is used for (SMB, HTTP, etc...), and for the firewall to only allow Administration machines to access the Management services, while Public machine can access the Service services. For this, each server has the routes:

    default via 192.168.20.1 dev eth0
    192.168.30.0/24 via 192.168.10.1 dev eth1

My problem is when a machine on the Management network accesses a service on the Service network, the response packet is sent via the static route. Is there a way to specify proper routing for this traffic?

I was thinking an SNAT on the pfSense router might work, with SRC->DST 192.168.30.0/24 -> 192.168.30.0/24 would NAT the SRC to 192.168.11.0/24, so the route on the servers could actually be 192.168.11.0/24 via 192.168.10.1 dev eth1, but this of course obfuscates the actual source.

Would this work, and more importantly, is there a better way of doing this?

Tim Jones
  • You do not control access to your management network with routing. That is what firewalls are for. Post the output of the route table on one of the management hosts. A diagram would help too. Multi-homing hosts always ends in a mess; I would reconsider if you really have to multi-home these hosts. – fukawi2 Mar 25 '15 at 05:53

1 Answer


So you want to control the traffic on a per-service basis, is that correct?

Do you have the services configured to only listen on the Service IP? I would think that would resolve the issue, i.e. the management workstation attempts to access port 80 on the Service-network IP of the server. Since that service is only available on that IP/interface, the connection is set up between those two IP addresses.

I think that would satisfy the goal you're trying to attain. Please let us know.

  • The services are indeed set up to only listen on one interface, but since the server itself has a static route for the Administration network, the reply packet is sent with a source of the Management interface, so the Administration connection ignores the reply (sends request to 192.168.20.100:80, receives reply from 192.168.10.100:xxxx). – Tim Jones Mar 24 '15 at 16:32
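The routing problem in the question (a reply to an Administration client that connected to the Service address being pushed out eth1 by the static 192.168.30.0/24 route) is what Linux policy routing is for: add a per-interface routing table and an `ip rule` that selects the table by the packet's source address, so a reply sourced from the Service address always leaves via eth0 and the Service gateway, and one sourced from the Management address always leaves via eth1, regardless of the destination. The flow then stays symmetric through pfSense, where the firewall rules do the access control, as the comment on the question says. The script below is an added example, not from the thread or any answer in it; it assumes the server addresses 192.168.20.100 (eth0) and 192.168.10.100 (eth1) from the follow-up comment, and the table numbers 20 and 10 are arbitrary. It prints the `ip` commands so they can be reviewed, and only runs them when invoked with `apply`.

```shell
#!/bin/sh
# Added example (not from the original post): policy-based routing for the
# dual-homed server in the question, so that a reply always leaves through
# the interface that owns its source address instead of following the
# static 192.168.30.0/24 route on eth1.
# Assumed addresses: the server is 192.168.20.100 on eth0 (Service) and
# 192.168.10.100 on eth1 (Management), as in the follow-up comment.
# Table ids 20 and 10 are arbitrary; any unused numbers 1-252 work.
set -e

SVC_IF=eth0;  SVC_IP=192.168.20.100; SVC_GW=192.168.20.1; SVC_NET=192.168.20.0/24
MGMT_IF=eth1; MGMT_IP=192.168.10.100; MGMT_GW=192.168.10.1; MGMT_NET=192.168.10.0/24
ADMIN_NET=192.168.30.0/24
SVC_TABLE=20
MGMT_TABLE=10

# Print the ip(8) commands rather than running them, so the plan can be
# reviewed (and checked by a test) before it is applied on a real host.
plan_policy_routing() {
    cat <<EOF
ip route replace $SVC_NET dev $SVC_IF src $SVC_IP table $SVC_TABLE
ip route replace default via $SVC_GW dev $SVC_IF table $SVC_TABLE
ip route replace $MGMT_NET dev $MGMT_IF src $MGMT_IP table $MGMT_TABLE
ip route replace default via $MGMT_GW dev $MGMT_IF table $MGMT_TABLE
ip rule del from $SVC_IP lookup $SVC_TABLE priority 100 2>/dev/null || true
ip rule add from $SVC_IP lookup $SVC_TABLE priority 100
ip rule del from $MGMT_IP lookup $MGMT_TABLE priority 101 2>/dev/null || true
ip rule add from $MGMT_IP lookup $MGMT_TABLE priority 101
ip route replace $ADMIN_NET via $MGMT_GW dev $MGMT_IF src $MGMT_IP
EOF
}
# Notes on the plan:
#  - Each per-interface table holds the connected route plus its own default
#    route; the "from <address>" rules (priority 100/101, evaluated before the
#    main table at 32766) send every packet sourced from that address through
#    its own gateway. Replies to an existing TCP connection carry the socket's
#    source address, so the reply to an Administration client that connected
#    to 192.168.20.100:80 now leaves via eth0 and 192.168.20.1.
#  - The original static route stays in the main table, with a "src" hint, so
#    connections the server itself initiates to Administration (monitoring,
#    SaltStack callbacks) still originate from the Management address on eth1.
#  - "ip rule add" is not idempotent, hence the "del ... || true" before each add.

# Lookups that must hold once applied: a reply from the Service address to an
# Administration host should resolve via eth0, one from the Management address via eth1.
plan_verification() {
    cat <<EOF
ip route get 192.168.30.10 from $SVC_IP
ip route get 192.168.30.10 from $MGMT_IP
ip rule show
EOF
}

# Run the plan (needs root, and the ip command from iproute2).
apply_policy_routing() {
    plan_policy_routing | sh -e
}

case "${1:-plan}" in
    plan)   plan_policy_routing ;;
    verify) plan_verification ;;
    apply)  apply_policy_routing ;;
    *)      echo "usage: $0 [plan|verify|apply]" >&2; exit 2 ;;
esac
```

Two checks worth doing alongside this: `sysctl net.ipv4.conf.eth0.rp_filter` should be 0 or 2 until the policy routing is in place (with strict reverse-path filtering, a request from 192.168.30.x arriving on eth0 is dropped before any reply is generated, because the main table routes that network via eth1; once the rules above are active the reverse lookup resolves via eth0 and strict mode is fine again), and `ip route get 192.168.30.10 from 192.168.20.100` should show `via 192.168.20.1 dev eth0`. The commands are not persistent across reboots; put them in the distribution's interface post-up hook, and keep the access control itself on the pfSense rules for the Management and Service interfaces rather than on the host's routes.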