Netgate Discussion Forum

    Unable to access Transparent Bridge (WAN/LAN) from LAN

    General pfSense Questions
    24 Posts 4 Posters 2.7k Views

    • stephenw10 (Netgate Administrator)

      Yes, the bridge or one of the interfaces needs to have an IP to be accessible. That IP needs to be in the UDM WAN subnet (192.168.100.0/24) if pfSense is going to use it to check for updates etc.
      It doesn't have to be though as long as the UDM router knows how to reach it.

      Steve

      • swears123 @viragomann

        @viragomann said in Unable to access Transparent Bridge (WAN/LAN) from LAN:

        But if it is needed depends on the tunables settings.

        Thanks. Adding a /24 allowed me to add 192.168.100.1 as the default gateway. However, when I did this the internet no longer worked.

        • viragomann @swears123

          @swears123
          Are you really sure that you've disabled NAT in Firewall > NAT > Outbound?

          • swears123 @viragomann

            @viragomann Correct. Outbound NAT is disabled:

            Disable Outbound NAT rule generation.
            (No Outbound NAT rules)

            • viragomann @swears123

              @swears123
              I assume you're talking about the internet access on devices in the 10.50.10.xxx network?

              I cannot think of any reason why the default gateway on pfSense should have any impact if you have disabled NAT.

              What do you get exactly?
              Can you still access the modem?

              Are the routes and the DNS settings correct on the device?

              • swears123 @viragomann

                @viragomann

                Yes, that is correct. Devices on 10.50.10.xxx lose internet when I add the default gateway of 192.168.100.1 in pfsense. As soon as I delete the default gateway, internet returns.

                I still have access to the Unifi Console as well as the upstream Cable Modem when the default gateway is added, however, I still cannot access pfsense from the 10.50.10.xxx network.

                I haven't made any changes to routes/dns settings so I assume those are okay.

                • viragomann @swears123

                  @swears123
                  Does this also happen if you remove the gateway from the interface settings, but add a gateway in System > Gateways and set it as default then?

                  • swears123 @viragomann

                    @viragomann Yes, it does.

                    • viragomann @swears123

                      @swears123
                      The gateway is only for pfSense itself. However, without it you should be able to access pfSense from behind the UDM at least. Does this work?

                      • swears123 @viragomann

                        @viragomann No access to pfsense from behind udm (10.50.10.xxx) network with or without default gateway.

                        I'm using the IP address 192.168.100.2 for the pfsense bridge interface.

                        • stephenw10 (Netgate Administrator)

                          What's the UDM WAN IP?

                          • swears123 @stephenw10

                            @stephenw10 That would be my external ISP IP address (which I don't want to show on here ;) )

                            I tried setting that as the Gateway in PFSense but I got an error.

                            • viragomann @swears123

                              @swears123 said in Unable to access Transparent Bridge (WAN/LAN) from LAN:

                              That would be my external ISP IP address (which I don't want to show on here ;) )

                              No need to post it here, but this is something that should have been mentioned before.
                              So the UDM does PPPoE or something similar?

                              It needs to have an IP in the modem's LAN / pfSense network to get access, maybe as an alias, and it needs to do masquerading to this IP on traffic which is destined to pfSense.

                              • swears123 @viragomann

                                @viragomann Fair enough.

                                WAN on the Unifi is set to DHCP and it pulls the external IP (not the modem's, I assume by design). I suppose I can try to set a static IP on the Unifi WAN to the modem's IP. Does that make sense?

                                I don't know anything about masquerading/aliases.

                                • stephenw10 (Netgate Administrator)

                                  Yes, if the UDM has a PPPoE WAN then the default gateway on pfSense should be an IP on the UDM in the modem subnet. Or no gateway.

                                  Why are you adding pfSense here though? It doesn't appear to be doing anything useful.

                                  • viragomann @swears123

                                    @swears123
                                    You need an additional IP on WAN aside from the DHCP one. This is called an IP alias in pfSense.

                                    An upstream router commonly has masquerading enabled. That means it translates the source IP in upstream packets into its WAN IP.
                                    So since the UDM has a public IP, I expect it does this as well. However, for accessing pfSense you need to translate it to the second WAN IP in 192.168.100.0/24.
                                    If this is not possible you can add a static route for the 10.50.10.0/24 to pfSense and point it to the UDM and hope that it works.

                                    • swears123

                                      @stephenw10 Thanks.

                                      I'm looking to offload the firewall/security to the pfsense as the Unifi Dream Router has a very weak CPU and can't seem to handle high throughput with IDS/IPS enabled.

                                      The Unifi uses DHCP on the WAN side to pull the IP (but only shows the external IP, not cable modem IP)

                                      • swears123 @viragomann

                                        @viragomann I added a static route in pfsense to point to 10.50.10.0/24. Is this what you recommended?

                                        • viragomann @swears123

                                          @swears123
                                          You need to add the UDM IP (this one in 192.168.100.0/24) as gateway first, then add the route for the 10.50.10.0/24 network and point to the UDM gateway.

                                          • DefenderLLC

                                            So I am having a very similar issue trying to change my 6100 MAX to become a transparent firewall between my AT&T Fiber Gateway and my UDM-SE. This forum post is very close to what I’m trying to do, but it doesn’t seem to work for me nor did the OP respond if he/she ever got it working. I’ve also watched Tom Lawrence’s YouTube videos on this, but in his example he’s not including his WAN interface - only two LAN interfaces.

                                            Note that I have been using my 6100 MAX in front of my UDM-SE in a dual-NAT scenario primarily for much better control over DNS filtering (pfBlocker) and Snort (IPS: WAN, IDS: LAN). This has worked flawlessly for almost a year with no issues (although doing port forwards can be kind of tricky), and no problems up to this point. For the sake of masking my real public IPs, please just assume that 99.99.99.99/29 is my public IP block (AT&T actually provides a /32 and a /29 for a total of 6 usable public IPs).

                                            —————————————————————————

                                            Current Deployment and Configuration

                                            [Internet] ----- [AT&T Gateway] ----- [pfSense] ----- [UDM-SE]

                                            AT&T Gateway (99.99.99.99/29) WAN "IP passover" mode to pfSense (essentially just a modem and gateway)
                                            AT&T Gateway (192.168.0.1/24) - LAN
                                            pfSense (99.99.99.99/29) - WAN (via DHCP for primary /32 WAN IP plus additional /29 block configured as virtual IPs)
                                            pfSense (10.0.0.1/24) - LAN
                                            UDM-SE (10.0.0.2) - WAN IP via DHCP from pfSense
                                            UDM-SE (10.0.1.1) - MGMT IP

                                            Again, no problems whatsoever up to this point. I can get to all 3 management interfaces (AT&T/pfSense/UDM-SE) from my UniFi LAN without issue.

                                            —————————————————————————

                                            What I want to do is change my 6100 MAX to become a transparent firewall instead so I can get rid of dual-NAT scenario and manage my 6 public IPs on the UDM-SE instead.

                                            Within pfSense, I have tried disabling NAT, creating a new bridge with both LAN/WAN (this also includes changing both System Tunables to member=0 and bridge=1 and setting the LAN and WAN interfaces to no IP address) and assigned it a management IP on the AT&T Gateway LAN. No dice getting to pfSense or AT&T gateway's web interfaces. No Internet connectivity at all. If I set both System Tunables to 0, everything works (minus any filtering of course). Once I turn the bridge tunable back to 1, I keep seeing default denies in the firewall log. I don't understand why because I temporarily have all interfaces firewall rules wide open for IPv4.

                                            Proposed Deployment and Configuration:

                                            [Internet] ----- [AT&T Gateway] ----- [pfSense] ----- [UDM-SE]

                                            AT&T Gateway (99.99.99.99/29) WAN "IP passover" mode to UDM-SE (essentially just a modem and gateway)
                                            AT&T Gateway (192.168.0.1/24) - LAN
                                            pfSense with LAN/WAN configured as a bridge interface
                                            UDM-SE WAN: (static /32 plus 99.99.99.99/29 as additional IPs)
                                            UDM-SE LAN (10.0.1.1) - MGMT IP

                                            I have scoured through so many forum posts and other websites for about 2 days trying to get this to work, but I keep having to revert back to my current setup (thank goodness for pfSense Plus boot environments). I should not have to configure any static routes since a transparent firewall should work without changing anything on the AT&T Gateway or UDM-SE. The proposed scenario obviously works perfectly fine without the pfSense in the mix. So what is the proper way to do this? No matter what I try, I can’t seem to get this to work. Thanks.

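One way to see where the implicit default deny is actually being evaluated (the symptom described in the post above), as an added example that is not the poster's or pfSense's own code: it parses pfSense filterlog lines (constructed samples here) and groups blocks from the built-in default deny rule by the real interface that logged them. The default deny tracker IDs are assumed from pfSense's rule numbering; confirm them against your own Status > System Logs > Firewall entries.

```python
"""Summarise where pfSense's implicit default deny fires, from filterlog CSV lines."""
from collections import Counter, defaultdict
DEFAULT_DENY_TRACKERS = {"1000000103": "IPv4", "1000000104": "IPv6"}  # built-in default deny rules

# Constructed sample lines (not captured from the poster's box). filterlog layout: rule,sub-rule,
# anchor,tracker,real-iface,reason,action,dir,ipver, IPv4: tos,ecn,ttl,id,offset,flags,proto-id,
# proto,len,src,dst, then tcp/udp: sport,dport,...
SAMPLE_LOG = """\
Jan 10 09:12:01 pfSense filterlog[611]: 5,,,1000000103,bridge0,match,block,in,4,0x0,,64,1201,0,DF,6,tcp,60,10.0.1.20,192.168.0.1,51234,443,0,S,,,,,
Jan 10 09:12:01 pfSense filterlog[611]: 5,,,1000000103,bridge0,match,block,in,4,0x0,,64,1202,0,DF,17,udp,76,10.0.1.20,1.1.1.1,48000,53,56
Jan 10 09:12:02 pfSense filterlog[611]: 12,,,1712345678,igb0,match,pass,in,4,0x0,,64,1203,0,DF,6,tcp,60,10.0.1.20,192.168.0.1,51235,443,0,S,,,,,
Jan 10 09:12:03 pfSense filterlog[611]: 5,,,1000000103,bridge0,match,block,in,4,0x0,,64,1204,0,DF,6,tcp,60,10.0.1.20,192.168.0.1,51236,80,0,S,,,,,
"""

def parse_filterlog_line(line):
    """Return the fields this script needs as a dict, or None for non-filterlog lines."""
    f = line.split("filterlog", 1)[1].split(": ", 1)[-1].split(",") if "filterlog" in line else []
    if len(f) < 9:
        return None
    rec = {"tracker": f[3], "iface": f[4], "action": f[6], "ipver": f[8]}
    if rec["ipver"] == "4" and len(f) >= 20:  # IPv4 header fields present
        rec.update(proto=f[16], src=f[18], dst=f[19])
        if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
            rec.update(sport=f[20], dport=f[21])
    return rec

def summarise_default_denies(log_text):
    """Count default-deny blocks per (real interface, IP family); collect the flows hit."""
    counts, flows = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_filterlog_line(line)
        if not rec or rec["action"] != "block":
            continue
        family = DEFAULT_DENY_TRACKERS.get(rec["tracker"])
        if family is None:
            continue  # blocked by a user rule, not the implicit default deny
        key = (rec["iface"], family)
        counts[key] += 1
        if "dport" in rec:
            flows[key].add((rec["src"], rec["dst"], rec["proto"], rec["dport"]))
    return counts, flows

def diagnose(counts):
    """Blocks logged on bridgeN were evaluated on the bridge itself (pfil_bridge=1), not on members."""
    notes = []
    for (iface, family), n in sorted(counts.items()):
        where = ("rules must be on the assigned bridge interface" if iface.startswith("bridge")
                 else "filtered on a member interface")
        notes.append(f"{n} {family} default-deny block(s) on {iface}: {where}")
    return notes
```

Feed it `clog /var/log/filter.log` output from the box; with pfil_bridge=1 and pfil_member=0, blocks attributed to bridge0 show that rules on the member WAN/LAN interfaces are not the ones being consulted.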
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.