I have a hub and spoke setup: a CCR1072 resides at HQ with 5 L2 P2P fiber connections to each branch office running CCR1036s. I have a PFSense firewall cluster in front of the 1072 that is connected to our ISP. I am running web filtering on the firewalls, and the problem I am having is getting communications between subnets working: I’m using a NAT masquerade rule. When I do this, web requests are sent from the 1072, not the original host. This makes grouping target ACLs for the web filter useless, as every request originates from the 1072’s IP address. Is there another way to pass the traffic without having to use masquerade? I’ve tried shutting down masquerade, but then things like ICMP stop working between subnets, including outbound traffic to the firewalls (i.e. I lose internet on devices on the subnet). I’ve included my net diagram to show how the network is laid out.
Thanks

In layer 3, each node must have a route to every other IP address in the network.
I’m assuming that the PFSense cluster is a layer 3 firewall and not acting as a transparent L2 firewall. I’m also assuming that the public IP addresses for your company are on the WAN interfaces of the NG0x nodes (where 10.10.1.1/29 is shown in the diagram). Your goal should be to have ZERO NAT internally. Final assumption: the PFSense cluster presents a single virtual IP address to the CCR as a default GW IP address, and the active node responds on this address, which will transparently move to the other node if the primary node fails.
Okay, so the cluster needs to have static routes towards HQR1 for all of your internal IP addressing. The easiest thing to do would be to simply route 10.0.0.0/8 via 10.10.1.5.
Then in HQR1, you should blackhole the master 10.0.0.0/8 prefix (/ip route add dst=10.0.0.0/8 type=blackhole) so that packets to unused 10.x.x.x addresses do not ping-pong back and forth between the HQR1 and the firewall.
Next, you will create static routes for each branch office’s IP range(s) - so if DCR1 has 10.1.0.0/24 behind it, then you would route dst=10.1.0.0/24 gateway=10.10.3.2.
Do this for all sites (make sure that all sites have unique addressing schemes within your organization).
The branch routers only need to have default GWs set.
Disable NAT everywhere except in the firewalls.
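The routes from the reply above, written out as RouterOS commands (an added example, not from the original thread). The thread only gives 10.10.1.5, 10.10.3.2 and 10.1.0.0/24; the firewall cluster VIP facing HQR1 (10.10.1.1), the HQ-side address of the DCR1 link (10.10.3.1) and the second branch’s prefix and link address are stand-ins, and the pfSense side (static route 10.0.0.0/8 via 10.10.1.5) is set in its GUI, not here.

```routeros
# --- HQR1 (CCR1072) ---
# Default route towards the pfSense cluster VIP (VIP address assumed).
/ip route add dst-address=0.0.0.0/0 gateway=10.10.1.1 comment="to firewall VIP"

# Blackhole the aggregate so unused 10.x.x.x destinations die here
# instead of bouncing between HQR1 and the firewall's 10.0.0.0/8 route.
/ip route add dst-address=10.0.0.0/8 type=blackhole comment="aggregate sink"

# One specific route per branch; longest prefix wins over the blackhole.
/ip route add dst-address=10.1.0.0/24 gateway=10.10.3.2 comment="DCR1 LAN"
/ip route add dst-address=10.2.0.0/24 gateway=10.10.4.2 comment="branch 2 LAN (assumed)"

# Stop source-NATting inter-subnet and outbound traffic so the firewall's
# web filter sees the real host IP; NAT happens only on the firewalls.
/ip firewall nat disable [find chain=srcnat action=masquerade]

# --- DCR1 (CCR1036) ---
# A branch only needs a default route back to HQR1 (HQ-side address assumed).
/ip route add dst-address=0.0.0.0/0 gateway=10.10.3.1 comment="to HQR1"
/ip firewall nat disable [find chain=srcnat action=masquerade]
```

After applying, `/ip route print` on HQR1 should show the /24 branch routes as active alongside the blackhole /8, and `/tool traceroute` from a branch host to the firewall should show the host’s own address as the source.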