> Internal firewall
> 10.1.2.1/24 xl0 (connected to workstation)
> 10.1.0.2/24 xl1 (connected to external firewall)
> gateway is 10.1.0.1
>
> External firewall
> 10.1.0.1/16 re0 (connected to internal firewall)
> 10.0.2.1/24 re1 (connected to server)
Your IP addresses on the firewall are messing up routing: the subnet between the 2 firewalls is overlapping the internal network connected to the internal firewall. I am assuming the use of a /16 is to allow routing to any 10.1.x.x network regardless of which router it's attached to; this is very bad practice and will only lead to problems (like this one). I would recommend changing the addressing between the two FWs and just adding routing entries into the routing table of the external FW. Also, remove NAT from the internal FW, as NATing between private addresses only causes problems, as you are seeing here. I know what I am recommending is a monumental task, but it will need to be done eventually.

-Christopher Ahrens
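The overlap the reply points at can be checked mechanically. The following is an added example (not code from either poster): it takes the interface addressing quoted from the original post, reports which connected subnets overlap, and then runs a longest-prefix-match lookup over the external firewall's implied routing table to show why a packet for a workstation address never gets forwarded to the internal firewall. The "fixed" table, with a /24 on the inter-firewall link and a static route for 10.1.2.0/24 via 10.1.0.2, is this example's own assumption of what "changing the addressing and adding routing entries" could look like, not something stated in the thread.

```python
import ipaddress
from itertools import combinations

# Interface addressing as quoted in the original post (device -> interface -> address/prefix).
INTERFACES = {
    "internal-fw": {"xl0": "10.1.2.1/24", "xl1": "10.1.0.2/24"},
    "external-fw": {"re0": "10.1.0.1/16", "re1": "10.0.2.1/24"},
}


def find_overlaps(interfaces):
    """Return sorted (device/if, device/if) pairs whose connected subnets overlap.

    Two directly connected prefixes on different routers that overlap mean at least
    one router will treat hosts of the other's LAN as locally attached.
    """
    nets = []
    for device, ifs in interfaces.items():
        for name, cidr in ifs.items():
            nets.append((f"{device}/{name}", ipaddress.ip_interface(cidr).network))
    return sorted(
        (a, b) for (a, net_a), (b, net_b) in combinations(nets, 2) if net_a.overlaps(net_b)
    )


def longest_prefix_match(routes, dst):
    """Pick the most specific route for dst from a list of (prefix, next-hop) tuples.

    Returns (prefix, next_hop) or None when nothing matches. This mirrors what a
    router's forwarding lookup does: the longest matching prefix wins.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for cidr, via in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return None if best is None else (str(best[0]), best[1])


# External firewall forwarding table implied by the quoted addressing: only connected routes.
EXTERNAL_FW_ROUTES_AS_POSTED = [
    ("10.1.0.0/16", "connected re0"),
    ("10.0.2.0/24", "connected re1"),
]

# Assumed corrected table (example's assumption, not from the thread): a /24 on the link
# between the firewalls plus a static route sending the workstation LAN to the internal FW.
EXTERNAL_FW_ROUTES_FIXED = [
    ("10.1.0.0/24", "connected re0"),
    ("10.1.2.0/24", "via 10.1.0.2"),
    ("10.0.2.0/24", "connected re1"),
]


if __name__ == "__main__":
    for a, b in find_overlaps(INTERFACES):
        print(f"overlap: {a} <-> {b}")
    workstation = "10.1.2.5"  # constructed host address on the xl0 LAN
    print("as posted:", longest_prefix_match(EXTERNAL_FW_ROUTES_AS_POSTED, workstation))
    print("fixed:    ", longest_prefix_match(EXTERNAL_FW_ROUTES_FIXED, workstation))
```

With the addressing as posted, the external firewall matches 10.1.2.5 against its own connected 10.1.0.0/16 on re0, so it will try to reach the workstation directly on that link instead of handing the packet to 10.1.0.2; the internal firewall's 10.1.2.0/24 is invisible to it. Once the link prefix no longer covers the workstation LAN and a static route exists, the same lookup returns the next hop 10.1.0.2, which is the routing-table change the reply recommends.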