Configuring pfSense as a transparent firewall over multiple interfaces between access points and VLAN edge router subnets, with different filtering rules for each existing interface
-
Hi,
I’ve used pfSense in the past as my router/firewall, but since I’m not super technical, and my Netgate appliance device “died” (board fried), I switched to “firewall gold” as my router/firewall, and discovered some serious security issues with it. I’ve connected this device to multiple access points, each configured as a separate subnet on my main router/firewall, where traffic from the main router is trunked and then split to the appropriate AP via an 802.1 switch, which exposes each AP’s subnet and VLAN through the access ports I configured.
What I would like to do is have pfSense Programmer the traffic on each of the VLAN interfaces/subnetworks, with separate filtering rules for each of the subnetworks/VLANs/access points.
What confuses me about it is the fact that I’m not “merging” those bridges into a single WAN-like interface, as would have to be the case if they were non-transparent (multi-WAN, 2 at most), but planning to use it as separate transparent filters for each interface without merging, as I need to apply different filtering rules for every interface. I really hope this is clear; apologies if I am not expressing this correctly.
I plan to implement pfSense this time on a dedicated Windows machine with VirtualBox, or some other virtualised platform, installed, which has two physical NICs. Whether it’s possible to send in the trunk port and have pfSense Programmer at the VLAN tags and split up the traffic so we can “see” it as separate subnets, and send it out as a trunk, or whether I need to use switches to separate out the traffic for pfSense, is not an issue. I just don’t know how to deploy multiple transparent interfaces that serve as bridges above existing networks and do not merge into a single WAN-like interface.
So the layout is something like this: [ISP modem] - [multi-VLAN edge firewall with 5 subnets] - [to be added: pfSense as 5 transparent bridges filtering between clients and layer 3 subnets, each with its own separate rules] - [switch via trunk port] - [5 /24 networks through access ports] … 5 wireless APs for different groups of clients (work, kids, guest, IoT).
My question is whether it’s possible to have a multi-interface transparent bridge that does not link to the same gateway upstream, as is the case with multiple LAN interfaces linked to WAN, and how to implement it.
I hope I didn’t make it more confusing than it is, and thank anyone taking a crack at it in advance.
-
@yfreiberger why do you think you need a transparent bridge?
What exactly are you bridging between?
If you create a VLAN, and put devices on this VLAN, where does the transparent bridge come in? Your firewall would be between your different VLANs. And yes, you can firewall between VLAN X and VLAN Y, etc.
A transparent bridge firewall is when you have devices on the same network/VLAN and you want to filter traffic between devices on one side of the bridge and devices on the other side of the bridge.
-
Thanks for the swift response, I’m not sure I follow everything, but I think I need to clarify some things. See below:
@johnpoz said in Configuring pfSense as a transparent firewall over multiple interfaces between access points and VLAN edge router subnets, with different filtering rules for each existing interface:
@yfreiberger why do you think you need a transparent bridge?
What exactly are you bridging between?
Me: To answer your two questions: I don’t want to replace my existing router, which acts as a pretty good “perimeter firewall” in the sense that it effectively blocks traffic originating from the internet. However, in terms of traffic originating from my subnetworks, there’s room for improvement, which is where I want pfSense to come in. I don’t want to change the existing network infrastructure, subnetworks and addresses etc., but I need an additional “gatekeeper” between the access points and the firewall/router that manages the subnetworks and their client IP addresses (for simplification, through a trunked port that is then split out to access ports and wireless access points). That “gatekeeper” needs to filter out traffic that devices on my system initiate before it even reaches my router/firewall, which needs reinforcement on the “LAN” filtering. Since there are several such subnetworks, and I don’t want to create a duplicate /24 subnet on each of them, just perform transparent filtering, I need those multiple transparent interfaces to do this. When I use the term bridge, I don’t mean to bridge between the VLANs; they are separate and should remain so (for example, I don’t want to bridge between the guest, work, IoT and kids networks), just perform filtering in each of these networks transparently, each according to its own policies. I want pfSense to know which device and subnetwork traffic is coming from so it knows which rules to apply, and that is what I meant by multiple transparent bridges. Perhaps I’m using the wrong term, but it’s analogous to putting a transparent bridge between your ISP modem and router to filter out traffic without creating a new network, except here I want to do it between the router and access points, on all of my access-point-to-firewall subnets, without performing any routing or bridging between those networks, just layer 2 filtering and perhaps monitoring on each one of those existing subnetworks.
If you create a VLAN, and put devices on this VLAN, where does the transparent bridge come in? Your firewall would be between your different VLANs. And yes, you can firewall between VLAN X and VLAN Y, etc.
Me: You are right that if I’m creating a VLAN in pfSense there’s nothing transparent about it, if I understand correctly, but as I mentioned, those VLANs already exist; I just want to “quietly monitor” them and remove traffic that should not get from the access point to the firewall/router whose work I am monitoring. What I can’t get my head wrapped around is how I create multiple bridges that do not link to each other (as in, all the LAN interfaces converge in WAN, and a transparent bridge is usually one interface, or one that merges the traffic of multiple VLANs like you mentioned).
A transparent bridge firewall is when you have devices on the same network/VLAN and you want to filter traffic between devices on one side of the bridge and devices on the other side of the bridge.
Me: Exactly, I want to filter traffic on each of the existing VLAN interfaces independently.
I tried to sketch something that shows where I want to “listen in”, either through the trunk or the access ports, and filter each one individually according to its own rules without changing the network.
I hope this is a little bit clearer; apologies for my shortcomings on the technical side, and thanks a lot.
https://www.dropbox.com/s/dwqu4qqrrl9ncs3/IMG_2842.HEIC?dl=0
-
@yfreiberger said in Configuring pfSense as a transparent firewall over multiple interfaces between access points and VLAN edge router subnets, with different filtering rules for each existing interface:
in the sense that it effectively blocks traffic originating from the internet.
That is really any home router; even a $20 wifi router would do that.
If your current device does not have the ability to filter between VLANs the way you want, then replace it with pfSense. Putting something in between your edge router and your devices is way more complex than just using pfSense as your router, that is for sure.
But you can create multiple bridges on pfSense, one for each VLAN on your network.
Most smart or managed switches, other than the cheap entry-level ones, would allow for ACLs to filter traffic on VLANs/ports as well. There would be no need for pfSense. I filter traffic at my switch, mostly just for broadcast and multicast, but depending on your switch you could do your "filtering" there.
But the simple solution is just to use pfSense as your router.
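To make concrete what "one bridge per VLAN, each with its own rules" means on the wire, here is an added Python model (not pfSense code, and not posted by anyone in the thread): it reads the 802.1Q tag of a constructed frame to choose which VLAN's rule set applies, and never forwards between VLANs. The VLAN IDs, the per-VLAN policies and the sample addresses are assumptions made for the example.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed per-VLAN rule sets (assumed VLAN IDs and policies, not from the thread).
# Each entry stands for one transparent bridge with its own rules; nothing routes between them.
POLICIES = {
    10: {"name": "work", "block_ports": set(), "block_private_dst": False},
    20: {"name": "kids", "block_ports": {22, 3389}, "block_private_dst": False},
    30: {"name": "guest", "block_ports": set(), "block_private_dst": True},
    40: {"name": "iot", "block_ports": {22, 23, 3389}, "block_private_dst": True},
}
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_frame(frame: bytes) -> dict:
    """Read the 802.1Q tag and IPv4/L4 header fields from a tagged Ethernet frame."""
    if len(frame) < 38 or frame[12:14] != b"\x81\x00":
        raise ValueError("not an 802.1Q-tagged frame")
    tci = struct.unpack("!H", frame[14:16])[0]
    vlan = tci & 0x0FFF                       # low 12 bits of the TCI are the VLAN ID
    if frame[16:18] != b"\x08\x00":
        raise ValueError("only IPv4 payloads handled in this model")
    ip = frame[18:]
    ihl = (ip[0] & 0x0F) * 4                  # IPv4 header length in bytes
    proto = ip[9]
    dst = ip_address(ip[16:20])
    dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0] if proto in (6, 17) else None
    return {"vlan": vlan, "dst": dst, "proto": proto, "dport": dport}


def decide(frame: bytes) -> str:
    """Pick the rule set by VLAN ID and return pass/block/drop with the VLAN's name."""
    p = parse_frame(frame)
    policy = POLICIES.get(p["vlan"])
    if policy is None:
        return "drop:unknown-vlan-%d" % p["vlan"]   # no bridge defined for this VLAN
    if p["dport"] in policy["block_ports"]:
        return "block:%s" % policy["name"]
    if policy["block_private_dst"] and any(p["dst"] in n for n in PRIVATE):
        return "block:%s" % policy["name"]
    return "pass:%s" % policy["name"]


def build_frame(vlan: int, dst_ip: str, dport: int, proto: int = 6) -> bytes:
    """Construct a minimal tagged IPv4 frame for testing (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x81\x00" + struct.pack("!H", vlan) + b"\x08\x00"
    ip = bytes([0x45, 0]) + struct.pack("!H", 40) + b"\x00" * 4 + bytes([64, proto]) + b"\x00\x00"
    ip += ip_address("192.168.1.50").packed + ip_address(dst_ip).packed
    return eth + ip + struct.pack("!HH", 40000, dport) + b"\x00" * 16
```

The same frame contents get a different verdict depending only on the tag, which is the point of keeping one rule set per VLAN rather than one merged bridge.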