pfSense in transparent mode with two NICs but still reach web interface?
-
Hi there,
I am currently trying to set up pfSense in transparent mode to separate a part of our LAN off to the side and filter traffic to that part.
The setup is the following:
- the LAN has IP range 10.0.1.0/24
- devices connected to any wall socket get an IP in the range 10.0.1.51 - 10.0.1.99 from our DHCP server
- a freshly installed pfSense is running on a Mac Pro with 2x1Gb NICs
- NIC1 is connected via cable to the wall socket
- NIC2 is connected via cable to the uplink port of a 5-port unmanaged switch
- all hosts that are to be separated will be connected to the other 4 ports of the switch
- currently this includes only one NAS and my laptop for testing
- after a fresh installation (or factory reset) pfSense will get IP 10.0.1.94 automatically via DHCP on NIC1 (as WAN) and configure NIC2 with IP 192.168.1.1 (as LAN)
- connecting the NAS and laptop at this point will assign the laptop IP 192.168.1.100 and the NAS 192.168.1.101
- at this point, I can reach the pfSense web interface from my laptop in the browser at IP 192.168.1.1 but not at IP 10.0.1.94 from another wall socket
I think so far that is the intended default behaviour: web interface only reachable from the LAN NIC but not the WAN NIC.
Now I try to set up transparent mode according to this guide: https://support.adamnet.works/t/running-on-a-transparent-pfsense-bridge/79
Everything works fine until I come to the part where I set the LAN interface to have no IP. The moment I click "apply changes" on the changes to the LAN interface, I (obviously) lose connection to the web interface, as my laptop (on which the web interface is open) is on the switch behind the LAN NIC.
Now, following the guide, I have configured the BRIDGE to have an IP in our LAN range; in my case, I set 10.0.1.220, which is not used elsewhere in our LAN. However, the web interface is not reachable at this IP after I have set the LAN and WAN NICs to have no IP, even though the BRIDGE shows as having 10.0.1.220 both in the web interface and in the console on the physical machine. I CAN connect to the web interface at 10.0.1.220 BEFORE I remove the IPs from WAN and LAN, but from the moment I remove the IP from the LAN the web interface is no longer reachable, neither on 192.168.1.1 nor on 10.0.1.220 nor on the old IP of 10.0.1.94, from neither side of the machine (not on the switch behind the FW and not on a wall socket in front of it)...
From the console interface on the physical box, I can ping some servers in our LAN but not everything. The console interface (and "ifconfig" on the shell) both show the BRIDGE to still have 10.0.1.220, but the web interface is no longer reachable from anywhere. Obviously, since I can't reach the web interface, I cannot continue from this point with the steps in the guide to set any firewall rules. Any devices connected to the switch behind the FW will get an IP of 169.x.x.x, so they're basically unable to reach any DHCP (the one on the pfSense was turned off during the guide and our LAN's DHCP is not reachable, I think because there are no FW rules yet).
Any idea why the web interface cannot be reached on the assigned IP of the BRIDGE or if this setup is even possible without a third NIC that is just used for the web interface and will not be assigned to the BRIDGE?
Thanks in advance for any help!
-
Amazingly, I now tried the following and it works:
I do everything in the guide (https://support.adamnet.works/t/running-on-a-transparent-pfsense-bridge/79) up to the point where I am supposed to set the LAN interface to have no IP.
I do NOT set the LAN interface to have no IP but rather do everything described after that point.
Then, at the very end, I set the LAN interface to have no IP.
Not sure why the guide does it in the wrong order? Maybe they have > 2 NICs and can reach the web interface on the third one?? I don't know, but it kinda makes sense that the web interface would not be reachable from the WAN side if there are no firewall rules configured yet to allow that? Of course the web interface won't be reachable with only two NICs, of which one doesn't provide DHCP service (the LAN NIC) and the other is likely blocked by default from allowing the web interface (the WAN NIC)...
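As an added diagnostic checklist (not from this thread or the linked guide) for the moment the webGUI goes dark after the interface IPs are removed, to be run at the pfSense shell; it assumes the bridge is named bridge0, that the webGUI listens on 80/443, and pfSense's documented default of filtering on the member NICs rather than on the bridge (net.link.bridge.pfil_member=1, net.link.bridge.pfil_bridge=0), all of which are assumptions here.

```shell
#!/bin/sh
# Added diagnostic helper for a two-NIC transparent pfSense bridge.
# Assumptions: bridge interface is bridge0; webGUI on ports 80/443.

# Pure check: given the text output of
#   sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge
# succeed only when pf evaluates rules on the bridge interface itself
# (pfil_bridge=1) and not on the member NICs (pfil_member=0).
# pfSense ships with the opposite (member=1, bridge=0), so rules written
# on the BRIDGE tab are not consulted until these tunables are switched.
bridge_filters_on_bridge() {
    member=$(printf '%s\n' "$1" | sed -n 's/^net\.link\.bridge\.pfil_member: *//p')
    bridge=$(printf '%s\n' "$1" | sed -n 's/^net\.link\.bridge\.pfil_bridge: *//p')
    [ "${bridge:-0}" = "1" ] && [ "${member:-1}" = "0" ]
}

# Live check, run from the pfSense console (shell option) when the
# webGUI is unreachable on the bridge address.
check_transparent_bridge() {
    echo "== bridge members and address =="
    ifconfig bridge0        # expect the bridge IP and both NICs listed as members
    echo "== where pf filters =="
    if bridge_filters_on_bridge "$(sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge)"; then
        echo "pf filters on bridge0 (what a transparent bridge needs)"
    else
        echo "pf still filters on the member NICs; BRIDGE rules will not apply"
    fi
    echo "== loaded rules that mention bridge0 =="
    pfctl -sr | grep -c bridge0 || echo "no rules on bridge0: nothing admits webGUI traffic"
    echo "== webGUI listener =="
    sockstat -4l | grep -E ':(80|443)( |$)' || echo "webGUI not listening on 80/443"
}
```

Call check_transparent_bridge on the box; bridge_filters_on_bridge can also be fed saved sysctl output from another machine.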