Another gateway box question

[windependence]

Mods please move this if it's not in the right place.

I have a pfsense box set up in a client's office. The internal LAN is split into basically two networks, one has the 100.0.0.0/24 scheme and the other is 192.168.1.0/24. The pfsense box has an internal address of 100.0.0.111 which is what the old gateway was on the hardware router. The external address is one of several they have available from their ISP.

Their internal Windows workstations are all on the 100.0.0.0/24 network, but I have one box, their mail server, which is 192.168.1.20. Here is the problem. I can't see the mailserver on the network when I am logged in on the 100.0.0.0/24 network. I thought since the pfsense box is a router, it would route traffic between the two networks. Networking has never been my real strong point but I do understand the basics. The Windows admin says he didn't want the mailserver on the same network in case there was a virus outbreak. Is there another way to do it without using a different network? Any ideas would be greatly appreciated.

-Tim

[J65nko]

If you are on a 100.0.0.0/24 network, which is a public network, you usually will never be able to get to a 192.168.1.0/24 network, because 192.168.1.0/24 traffic will never be routed on a public internet.

Or do you mean they have a 10.0.0.0/24 network?

In that case you need to tell the pf.sense box that 10.0.0.111 is the gateway for the 192.168.1.0/24 network.

Code:

 route add -net 192.168.1.0/24 10.0.0.111

This is one part of the deal It will now route packets for 192.168.1.20 through 10.0.0.111.

The second part is to get the answer packets.
To reply you, the mailserver needs to know that it should route 10.0.0.0/24 packets through 10.0.0.111.

But doesn't defeat all this the separation of the mailserver from the 10.0.0.0 net into it's own network?

J65nko - who has never use pfsense

[windependence]

Well, unfortunately I didn't set this one up and they are using the public IP range 100.0.0.0/24 for their internal LAN. Yeah, I don't know why either, but I guess it's certainly possible. At any rate, I'm thinking unless I use two pfsense boxes (which would be easy because they are on VMware ESXi) there would be no way to really separate the networks. Do you think using two routers would be better?

So, what you are saying is if I add the static route you mentioned, then the two networks should be able to talk to each other? I see you point though, it would kinda defeat the reason for doing it that way. What about two separate gateways? Is there a way to do that?

The reason I am using pfsense BTW is because I am working with a Windoze admin that can't get the command line, Lord knows I tried. I do like the traffic graphing and stuff although I know I could set up MRTG for that.

Thanks so much for the help. We have a huge demand for these gateway boxes right now and I want to stick with *BSD instead of something like untangle for the simplicity, and I like BSD way more than Linux. :-)

-Tim

[J65nko]

With the little information I have now, I would have to guess too much

Could you post a simple network diagram showing how the pfsense box and the two networks 100.x.x.x and 192.168.x.x are physically connected?