pfSense Static Routes


Output of “netstat -r” on one of my Linux nodes. Notice the default route (Genmask = 0.0.0.0) sends packets to the gateway (192.168.2.1).

In the previous article, I covered configuring a gateway, and in this article I will build on that by using the gateway in a pfSense static route. Static routing is a method of configuring path selection of routers in computer networks. It is the type of routing that takes place in the absence of communication between routers regarding the current topology of the network. This is accomplished by manually adding routes to the routing table. An entire network could be configured using static rules, but it would not be fault tolerant. When there is a change in the network or there is a failure between two static nodes, traffic will not be rerouted. There are, however, times when static routes can improve the performance of a network. Two such examples are:

  • Stub networks: A stub network is a network or part of an internetwork with no knowledge of other networks that will typically send all of its non-local traffic out via a single path, with the network only aware of a default route to non-local destinations. Examples include an enterprise LAN that connects to the corporate router via one router, or a single LAN which never carries packets between multiple routers.
  • Default routes: A default route is the rule that takes effect when no other route can be determined for an IP address. All packets for destinations not established are sent via the default route. In IPv4, the default route is designated as the zero-address (0.0.0.0); a route that does not match any other route falls back to this route. You can see the routing table under UNIX/Linux by typing “netstat -r” at the command line. You can see the routing table under Windows by typing “route print” at the command line.


While excessive reliance on static routing is generally not a good idea, it often proves useful and therefore it is advantageous to know how to configure a pfSense static route.

pfSense Static Route Configuration


Adding a static route in pfSense 2.0.

In this example, I will use the gateway created in the previous article (DMZ_Gateway). For purposes of this example, assume the topology of the network does not provide a path to the DMZ. There is an FTP server on the DMZ that we want to access. First, navigate to System -> Routing. There are three tabs (“Gateways”, “Routes”, “Groups”); click on the “Routes” tab and click the “plus” button to add a new route. At “Destination”, type in the IP address of the destination network, which in our case is the DMZ network (assume it is 192.168.3.0). In the drop-down box next to it, select the number of bits in the subnet mask (assume it is 24). At “Gateway”, choose the gateway we defined in the previous article, or whichever gateway is appropriate. At “Description”, you can enter a description of the route (e.g. “Static route to the DMZ”). Press the “Save” button to save the changes, and at the next screen, press the “Apply changes” button if necessary.


By defining a pfSense static route, we have now hard-coded a path to the DMZ: traffic for the DMZ network is sent to DMZ_Gateway and we can reach the DMZ through this static route. The gateway can also be used by other users of this firewall.
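The following is an added example (not code from the article or from pfSense) that models the route selection described in the two sections above: a routing table with the default route (Genmask 0.0.0.0) from the netstat output and the static route to 192.168.3.0/24 just added, looked up by longest prefix match so that only destinations with no more specific route fall back to the default. The gateway address 192.168.2.254 for DMZ_Gateway and the interface names are assumptions.

```python
"""Longest-prefix route lookup with a default route, as netstat/pfSense apply it.
Added example modelled on the article's scenario; addresses below are assumed:
default route via 192.168.2.1, static route to 192.168.3.0/24 via DMZ_Gateway."""
import ipaddress
from typing import List, Optional, Tuple

# One routing table entry: destination network, next-hop gateway, interface.
Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address, str]

# Constructed routing table (interface names and gateway addresses are assumed).
ROUTING_TABLE: List[Route] = [
    # Default route (Genmask 0.0.0.0 in `netstat -r`): matches every address.
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("192.168.2.1"), "em0"),
    # Directly connected LAN: a gateway of 0.0.0.0 means "on-link" here.
    (ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_address("0.0.0.0"), "em0"),
    # The static route from the article: DMZ network via DMZ_Gateway (assumed .254).
    (ipaddress.ip_network("192.168.3.0/24"), ipaddress.ip_address("192.168.2.254"), "em0"),
]

def lookup(dst: str, table: List[Route] = ROUTING_TABLE) -> Optional[Route]:
    """Return the most specific matching route (longest prefix wins); the /0
    default route only wins when nothing more specific matches."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, gw, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best

def next_hop(dst: str, table: List[Route] = ROUTING_TABLE) -> str:
    """Next hop as text: gateway IP, 'on-link' for directly connected networks,
    or 'unreachable' when the table has no default route and nothing matches."""
    route = lookup(dst, table)
    if route is None:
        return "unreachable"
    _, gw, _ = route
    return "on-link" if gw == ipaddress.ip_address("0.0.0.0") else str(gw)

def format_table(table: List[Route] = ROUTING_TABLE) -> str:
    """Render the table in the Destination/Gateway/Genmask layout of `netstat -r`."""
    lines = [f"{'Destination':<16}{'Gateway':<16}{'Genmask':<16}Iface"]
    for net, gw, iface in table:
        lines.append(f"{str(net.network_address):<16}{str(gw):<16}{str(net.netmask):<16}{iface}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_table())
    for dst in ("192.168.3.10", "192.168.2.20", "8.8.8.8"):
        print(f"{dst:<14} -> {next_hop(dst)}")
```

Removing the default route entry (`ROUTING_TABLE[1:]`) shows the failure mode the article alludes to: a destination outside the configured networks becomes unreachable instead of being forwarded.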

External Links:

pfSense Static Routes at doc.pfsense.org

pfSense Static Route Planner

pfSense Setup: Part Four (Setting up a DMZ)


The optional interface configuration page in the pfSense web GUI (which is similar to the WAN and LAN config pages).

In the first three parts, I covered booting and installing pfSense, general configuration options in the pfSense web GUI, and configuring WAN and LAN interfaces (also with the web GUI). In this part, I cover using an optional interface to create a DMZ.

In networking, a DMZ (de-militarized zone) is a place where some traffic is allowed to pass and some traffic is not. The area is separate from the LAN and WAN. In simple terms, a DMZ looks like this in relation to the rest of the network:

Internet traffic | <- DMZ <- LAN

Unsafe Internet traffic is allowed to enter the DMZ, but not the LAN. To configure it, we will need an optional interface.

Configuring the DMZ

From the web GUI, browse to Interfaces -> OPT1. If “Enable Interfaces” isn’t checked, check it. Set “Description” to DMZ. Under “Type”, choose “Static” as the address configuration method. For “IP address”, enter an IP address and the subnet mask (the subnet should be different from the subnet for your LAN). For example, if your subnet for the LAN is 192.168.1.x, it could be 192.168.2.x for the optional interface.

For “Gateway”, leave this option set to “None”. The last two options are “Block private networks” and “Block bogon networks”. Ensure that these two options are unchecked; we don’t want the system to block access from the Internet to the DMZ. Finally save changes by pressing the “Save” button.


Now that the DMZ is configured, it will allow access from the WAN. It will also allow access from the LAN, but it won’t be permitted to send traffic to the LAN. This allows devices on the Internet to access DMZ resources without being able to reach any of your LAN. This could be useful, for example, for setting up an e-mail or FTP server.

You could now attach a switch to your DMZ interface. This would enable you to connect multiple machines to the DMZ.
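As an added example (not from the article or from pfSense), the following models the DMZ policy described above together with the check the configuration step calls for, namely that the optional interface's subnet must not overlap the LAN's. The subnets are the article's own (LAN 192.168.1.x, DMZ 192.168.2.x); the interface addresses, the sample flows and the default-deny assumption for any flow the article does not list are constructed for this example.

```python
"""Zone model of the DMZ described above plus a subnet-overlap check for the
interface configuration. Added example; subnets follow the article (LAN 192.168.1.0/24,
DMZ 192.168.2.0/24), any other address is treated as WAN, and flows the article does not
mention are denied (assumption)."""
import ipaddress
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network

# Constructed zone map matching the article's example subnets.
ZONES: Dict[str, IPv4Net] = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("192.168.2.0/24"),
}

# Flows the article states are permitted: Internet -> DMZ and LAN -> DMZ.
ALLOWED = {("WAN", "DMZ"), ("LAN", "DMZ")}

def check_interfaces(ifaces: Dict[str, str]) -> List[str]:
    """Report interface pairs whose subnets overlap (e.g. LAN and OPT1 on the same
    network). Input maps interface name -> address in CIDR form, e.g. '192.168.2.1/24'."""
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in ifaces.items()}
    names = sorted(nets)
    problems = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):          # also catches /16 vs /24 supernets
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems

def zone_of(ip: str, zones: Dict[str, IPv4Net] = ZONES) -> str:
    """Map an address to LAN or DMZ by subnet; anything not local is WAN (Internet)."""
    addr = ipaddress.ip_address(ip)
    for name, net in zones.items():
        if addr in net:
            return name
    return "WAN"

def permitted(src: str, dst: str, zones: Dict[str, IPv4Net] = ZONES) -> bool:
    """Decide whether a new connection src -> dst is allowed under the DMZ policy.
    Traffic that stays inside one zone never crosses the firewall, so it is allowed."""
    s, d = zone_of(src, zones), zone_of(dst, zones)
    return s == d or (s, d) in ALLOWED

if __name__ == "__main__":
    print("config problems:", check_interfaces({"LAN": "192.168.1.1/24", "OPT1": "192.168.2.1/24"}) or "none")
    for src, dst in [("203.0.113.5", "192.168.2.10"),    # Internet -> DMZ server
                     ("192.168.1.20", "192.168.2.10"),   # LAN -> DMZ
                     ("192.168.2.10", "192.168.1.20"),   # DMZ -> LAN (blocked)
                     ("203.0.113.5", "192.168.1.20")]:   # Internet -> LAN (blocked)
        print(f"{src} -> {dst}: {'allow' if permitted(src, dst) else 'deny'}")
```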

External Links:

Setting Up a DMZ in pfSense


The Rest of the Guide:

Part One (installation from LiveCD)

Part Two (configuration using the web GUI)

Part Three (WAN and LAN settings)

© 2013 David Zientara. All rights reserved.