Configure static route

Started by amd.64, January 26, 2025, 01:44:06 PM

I am looking for some assistance adding a route.

From the image below I need to create a route preferably only from 10.78.239.106 to 192.168.107.10. If I understand correctly I need to create another gateway. If so, do I use 10.78.239.1 or 10.78.239.2?

I'd appreciate it if somebody could add some clarity or provide a good link that does a good job of describing the process.

Thank You

If "OPNSense" (10.78.239.1) is the default gateway for "Debian12 Spam Server", and you're trying to make it able to reach "Exchange 2019" via "OPNWRT", you could create a gateway called "OPNWRT" with address 10.78.239.2 and then create a static route for 192.168.107.10/32 pointing to that gateway, but you're going to have an asymmetric routing scenario, because return packets from "Exchange 2019" to 10.78.239.106 would be routed directly by OPNWRT, and would not pass through OPNSense, which would cause OPNsense (by default) to consider the sessions invalid after not seeing any return packets for some timeout (30 or 60 seconds - I forget). If "Spam Server" is the only host that needs (/you want) to be able to reach "Exchange 2019", it might be better to add the static route on it (the Debian host) instead. OPNsense wouldn't see (nor be able to restrict) the traffic in that case - that may or may not be an issue for you. Alternatively, maybe you could use firewall rules with "sloppy" state tracking to get around the issue of OPNsense only seeing packets going in one direction.

Yes, basically I'd have what you described. 10.78.239.106 is my spam server which will forward any "clean" / "legit" email to the exchange server. I do have a web server and an RMM server also in the DMZ, but the spam server will be the only one to send unsolicited or unrequested traffic to the 192.168.107.0 network.

Thank you for the advice. I have never had to set up a static route on any firewall or OS.

The way I got it working may not be ideal, but I didn't have to beat my head against a brick wall to get it to work.

I first posted on the OpenWRT forums and was told I need to create a route on OPNSense.
I then posted here and was told it would be better to create the route on the Debian (spam) server.
I posted on the Debian forums and was told I should redo part of my network.

It appeared that it was not going to be fun nor easy to get OPNSense, OpenWRT and Debian to all play nice. So I modified what I already had. I already had a cable connected to the 10.78.239.0 network and one connected to the 192.168.107.0 network, although 192.168.107.0 was DHCP -- not ideal but was meant to be temporary. I changed it to a static IP with no assigned gateway. I then created firewall rules on the Debian server to allow SMTP traffic then block everything else.
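The dual-homed setup described in the post above puts the spam server on both networks, so traffic to the Exchange server no longer passes through OPNsense and the host's own firewall is the only control between the DMZ and 192.168.107.0. As an added example (not part of the original post, and not the poster's actual rules), here is one way to express "allow SMTP, block everything else" on that second interface with nftables on Debian 12. The interface name `enp2s0`, the table name `spam_lan`, and the assumption that only outbound SMTP on TCP port 25 to 192.168.107.10 is needed are all hypothetical.

```nftables
#!/usr/sbin/nft -f
# Added example: restrict the LAN-side NIC of a dual-homed DMZ host.
# Assumptions (not from the thread): interface name, table name, and that
# the spam server only ever initiates SMTP (tcp/25) towards Exchange.

define LAN_IF   = "enp2s0"        # hypothetical NIC on 192.168.107.0/24
define EXCHANGE = 192.168.107.10  # Exchange server address from the thread

# Idempotent reload: create the table if missing, then drop and rebuild it.
table inet spam_lan
delete table inet spam_lan

table inet spam_lan {
    chain input {
        type filter hook input priority filter; policy accept;
        # Leave the DMZ-side interface to whatever rules already cover it.
        iifname != $LAN_IF accept
        # Only replies to connections this host opened may come in.
        ct state established,related accept
        ct state invalid drop
        # Anything the LAN initiates towards this host is dropped and counted.
        counter drop
    }

    chain output {
        type filter hook output priority filter; policy accept;
        oifname != $LAN_IF accept
        ct state established,related accept
        # The single permitted flow: new SMTP sessions to Exchange.
        ip daddr $EXCHANGE tcp dport 25 ct state new accept
        counter drop
    }

    chain forward {
        # A host with a leg in both networks must not route between them,
        # otherwise it becomes an unfiltered path around OPNsense.
        # Also keep net.ipv4.ip_forward = 0 in sysctl.
        type filter hook forward priority filter; policy drop;
    }
}
```

Check the file for syntax errors with `nft -c -f <file>` before loading it with `nft -f <file>`; the `counter` statements make any dropped traffic on the LAN interface visible in `nft list table inet spam_lan`.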

I think the issue is how the MSX gets to the internet. If your WRT default is to OPNsense then static route on spam server pointing to the WRT. The route back should be ok.

Quote from: lilsense on January 27, 2025, 12:53:51 PM
I think the issue is how the MSX gets to the internet. If your WRT default is to OPNsense then static route on spam server pointing to the WRT. The route back should be ok.

The default gateway is irrelevant (I believe), because OPNWRT's WAN interface is on the same subnet as the SPAM server (10.78.239.0/24).... unless OPNWRT is smart enough to track sessions and send the return packets back through the gateway even though it has a direct route.

If so, then the static route is not the issue. The issue would be the firewall rulesets.