Netgate Discussion Forum

VLAN to Bridge to WAN side

Firewalling
    CrazyWolf13
    last edited by CrazyWolf13 Mar 30, 2024, 10:23 AM Mar 30, 2024, 10:22 AM

    Hi

    This probably fits better into the firewall section, as when I disable the firewall it works.

    I need a VM to have an IP from my main router and not from pfSense.
    My current network layout:
    🔒 Log in to view

    Now I need a VM running on one of the 4 servers inside the DMZ to get an IP from the ISP router.
    I heard this can be done with a bridge and a VLAN, so I created a new VLAN and bridged it to WAN.
    I have got it so far that the machine gets an IP; however, it cannot ping anything except the pfSense. The filter logs don't really show anything blocked from the VM IP.

    🔒 Log in to view

    WAN Rules:
    🔒 Log in to view

    VLAN Rules:
    🔒 Log in to view

    Config for VLAN iface:
    🔒 Log in to view

    Thanks for any tips and help!

      viragomann @CrazyWolf13
      last edited by Mar 30, 2024, 12:32 PM

      @CrazyWolf-0 said in VLAN to Bridge to WAN side:

      so I created a new VLAN, bridged it to WAN.

      You bridged the VLAN to WAN? In this case, you should not set an IP on the interface. The device should get an IP from the main router.
      You will have to allow the DHCP protocol on the bridge.

      I have got it so far that the machine gets an ip, however it cannot ping anything except the pfsense

      Also it's not clear what you want to access. I cannot find the destination network 192.168.1.0/24 of the rule anywhere in your map.

        CrazyWolf13 @viragomann
        last edited by Mar 30, 2024, 5:38 PM

        @viragomann

        Don't my rules allow DHCP already?

        On which interface would I need to set firewall rules?
        On Bridge0 (opt3) or vlan30 (opt2)?

        My requirements:
        A VM running behind pfSense should get an IP from the ISP router, which is on 192.168.1.1 in my home network, listed at the very top of my drawing.

        Also it should have internet access and should be reachable from my pfSense LAN and my home net.

        Part 1 is already working, but I think I have some firewall rule issues, as I just cannot get that VM to have an internet connection. Only if I disable the pfSense firewall does it work, so it must be a rules issue.

          viragomann @CrazyWolf13
          last edited by Mar 30, 2024, 9:12 PM

          @CrazyWolf-0 said in VLAN to Bridge to WAN side:

          On which Interface would I need to set firewall rules?
          On Bridge0 opt3 or vlan30 opt2 ?

          For getting it up I'd allow any on both sides.
          Basically you need proper rules on the interfaces, provided you didn't change the behavior in System Tunables. There are two settings, net.link.bridge.pfil_member and net.link.bridge.pfil_bridge, to control this.

          Note that DHCP requests from the client are sent to 255.255.255.255:67 (UDP). So allowing access to the subnet only is not sufficient.

          My requirements:
          A VM running behind pfSense should get an IP from the ISP router, which is on 192.168.1.1 in my home network, listed at the very top of my drawing.

          Your drawing shows 192.168.0.0/24 for the router.
          And it's also not clear to me if this is your home LAN.

          but I think I have some firewall rule issues, as I just cannot get that VM to have internet connection, only if I disable pfsense firewall, then it works, so it must be rules issue.

          pfSense normally does masquerading (outbound NAT) on WAN if there is a gateway configured, as long as you didn't disable NAT. So you should add a NAT rule for the device with "no NAT" to disable that.

          However, this shouldn't have an impact on internet access. I have no idea what should actually block it. Try to add an allow any-to-any rule on the bridge to be sure.
          To investigate you can sniff the traffic on both interfaces to find out what happens on pfSense.

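To make the two System Tunables and the DHCP broadcast point in the reply above concrete, here is a small Python simulation of where pf evaluates a packet that enters a pfSense bridge through a member interface, and whether a DHCP DISCOVER from the bridged VM gets through. This is an added example, not code from the thread or from pfSense itself; the interface names (vlan30, bridge0), the rule sets, the addresses and the defaults assumed for net.link.bridge.pfil_member (1) and net.link.bridge.pfil_bridge (0) are constructed for illustration.

```python
"""Simulate where pf inspects a packet that enters a pfSense bridge through a
member interface, and whether a DHCP DISCOVER from a bridged VM gets through.
Added example: interface names, rules, addresses and sysctl values are
constructed for illustration, not taken from the thread or from pfSense."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    iface: str                   # pfSense interface tab the rule sits on
    action: str                  # "pass" or "block"
    proto: str                   # "any", "udp", "tcp", "icmp"
    src: str                     # "any" or a CIDR / host
    dst: str                     # "any" or a CIDR / host
    dport: Optional[int] = None  # None means any destination port


# Assumed pfSense defaults: filter on member interfaces, not on the bridge itself.
PFSENSE_DEFAULTS = {"net.link.bridge.pfil_member": 1, "net.link.bridge.pfil_bridge": 0}
BRIDGE_ONLY_FILTERING = {"net.link.bridge.pfil_member": 0, "net.link.bridge.pfil_bridge": 1}

# A DHCP DISCOVER has no source address yet and goes to the limited broadcast.
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 67)
# Constructed: a ping from the VM (assumed lease 192.168.1.50) to the home router.
PING_HOME_ROUTER = Packet("icmp", "192.168.1.50", "192.168.1.1")

# Constructed rule sets (first match wins, default deny):
SUBNET_ONLY = [Rule("vlan30", "pass", "any", "any", "192.168.30.0/24")]  # "to VLAN30 net" only
WITH_DHCP = SUBNET_ONLY + [Rule("vlan30", "pass", "udp", "any", "255.255.255.255", 67)]
ALLOW_ANY = [Rule("vlan30", "pass", "any", "any", "any")]
BRIDGE_ALLOW_ANY = [Rule("bridge0", "pass", "any", "any", "any")]


def filtering_points(sysctls: Dict[str, int], member: str, bridge: str) -> List[str]:
    """Interfaces on which pf evaluates a packet that arrived on `member`."""
    points = []
    if sysctls.get("net.link.bridge.pfil_member", 1):
        points.append(member)
    if sysctls.get("net.link.bridge.pfil_bridge", 0):
        points.append(bridge)
    return points


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def rule_matches(rule: Rule, pkt: Packet, iface: str) -> bool:
    return (rule.iface == iface
            and rule.proto in ("any", pkt.proto)
            and _in_net(pkt.src, rule.src)
            and _in_net(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def decide(rules: List[Rule], pkt: Packet, iface: str) -> str:
    """pfSense interface rules are evaluated top-down; no match means block."""
    for rule in rules:
        if rule_matches(rule, pkt, iface):
            return rule.action
    return "block"


def packet_allowed(rules: List[Rule], pkt: Packet, sysctls: Dict[str, int],
                   member: str = "vlan30", bridge: str = "bridge0") -> Tuple[bool, List[str]]:
    """True only if every filtering point passes the packet; also returns the points."""
    points = filtering_points(sysctls, member, bridge)
    return all(decide(rules, pkt, p) == "pass" for p in points), points


if __name__ == "__main__":
    for name, rules in [("subnet only", SUBNET_ONLY), ("with DHCP", WITH_DHCP), ("allow any", ALLOW_ANY)]:
        ok, points = packet_allowed(rules, DHCP_DISCOVER, PFSENSE_DEFAULTS)
        print(f"{name:12s} DHCP on {points}: {'pass' if ok else 'BLOCK'}")
    print("bridge0 rule, default sysctls:", packet_allowed(BRIDGE_ALLOW_ANY, DHCP_DISCOVER, PFSENSE_DEFAULTS))
    print("bridge0 rule, pfil_bridge=1  :", packet_allowed(BRIDGE_ALLOW_ANY, DHCP_DISCOVER, BRIDGE_ONLY_FILTERING))
```

Two things the simulation makes visible: a rule whose destination is only the interface subnet never matches the DISCOVER (its destination is 255.255.255.255 and its source is 0.0.0.0, so the source should be "any" as well), and a permissive rule placed on the bridge0 tab has no effect while pfil_bridge is 0, because pf only looks at the member interface. With both tunables at 0 the function returns an empty list of filtering points and lets everything through, which is why changing them without understanding the consequence is risky.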
            CrazyWolf13 @viragomann
            last edited by CrazyWolf13 Mar 30, 2024, 9:30 PM Mar 30, 2024, 9:24 PM

            @viragomann said in VLAN to Bridge to WAN side:

            masquerading (outbound NAT) on WAN if there

            Okay, I just set an any:any rule for any protocol on all interfaces including WAN; still no ping can reach ANY host of my whole home network, nor my other servers, nor www.
            The only thing: I can ping the device from outside.

            I have not set any NAT rules yet.

            A rule like this?
            🔒 Log in to view
            (This rule did not fix the issue)
            (Outbound NAT is set to hybrid)

            192.168.1.0/24 is my home network and 192.168.1.1 is my home ISP router.

            Funny thing: disabling the pfSense firewall via cmd makes everything work, so it has to be a pfSense problem.

              viragomann @CrazyWolf13
              last edited by Mar 30, 2024, 9:31 PM

              @CrazyWolf-0 said in VLAN to Bridge to WAN side:

              I have not set any NAT rules at all.

              So you have Firewall > NAT > Outbound disabled??

              If not, check the automatic rule section.

              A rule like this?

              For internet access, the destination has to be any.
              For accessing 192.168.1.0/24 no rule should be needed.

              Funny thing: Disabling pfsense firewall via cmd makes everything work, so it has to be a pfsense problem.

              This also disables NAT.

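The NAT discussion in the last few replies (masquerading on WAN, a "no NAT" rule needing destination any, and disabling pf turning off NAT as well) can be traced with a small Python model of the outbound NAT decision. This is an added example, not code from the thread or from pfSense; the addresses (192.168.1.2 as the pfSense WAN address, 192.168.1.50 as the VM's lease, 203.0.113.10 as an internet host), the rules and the scope of the automatic rule are constructed for illustration.

```python
"""Simulate which source address the next hop sees after pfSense outbound NAT
for a bridged VM, under the four outbound NAT modes and with pf disabled.
Added example: addresses, rules and the automatic rule's scope are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    iface: str                          # egress interface the rule applies to
    src: str                            # "any" or CIDR / host
    dst: str                            # "any" or CIDR / host
    no_nat: bool = False                # pfSense "Do not NAT" checkbox
    translate_to: Optional[str] = None  # address used when NAT applies


@dataclass(frozen=True)
class Flow:
    out_iface: str
    src: str
    dst: str


WAN_ADDR = "192.168.1.2"    # assumed pfSense WAN address on the home network
VM_ADDR = "192.168.1.50"    # assumed address the ISP router leased to the VM

# Constructed automatic rule: masquerade traffic leaving WAN to the WAN address.
# Its source scope is assumed to cover the VM, as the thread's outcome implies.
AUTO_RULES = [NatRule("wan", "192.168.1.0/24", "any", translate_to=WAN_ADDR)]

# A "no NAT" rule whose destination is limited to the home network ...
NO_NAT_HOME_ONLY = [NatRule("wan", VM_ADDR, "192.168.1.0/24", no_nat=True)]
# ... and the corrected one with destination any.
NO_NAT_ANY = [NatRule("wan", VM_ADDR, "any", no_nat=True)]

TO_INTERNET = Flow("wan", VM_ADDR, "203.0.113.10")   # documentation address as stand-in
TO_HOME_HOST = Flow("wan", VM_ADDR, "192.168.1.20")


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def outbound_source(flow: Flow, mode: str, manual: List[NatRule],
                    auto: List[NatRule] = AUTO_RULES, pf_enabled: bool = True) -> str:
    """Source address after outbound NAT. mode: automatic|hybrid|manual|disabled."""
    if not pf_enabled:              # pfctl -d turns off filtering and NAT together
        return flow.src
    order = {
        "automatic": auto,
        "hybrid": manual + auto,    # manual rules first, then the automatic ones
        "manual": manual,
        "disabled": [],
    }[mode]
    for rule in order:              # first matching rule wins
        if (rule.iface == flow.out_iface and _in_net(flow.src, rule.src)
                and _in_net(flow.dst, rule.dst)):
            return flow.src if rule.no_nat else rule.translate_to
    return flow.src                 # no rule matched: packet leaves untranslated


def vm_keeps_own_address(manual: List[NatRule], mode: str = "hybrid") -> bool:
    """True if neither internet-bound nor home-bound traffic from the VM is masqueraded."""
    return all(outbound_source(f, mode, manual) == VM_ADDR for f in (TO_INTERNET, TO_HOME_HOST))


if __name__ == "__main__":
    for label, manual in [("home-only no-NAT", NO_NAT_HOME_ONLY), ("any no-NAT", NO_NAT_ANY)]:
        print(f"{label:17s} internet -> src seen: {outbound_source(TO_INTERNET, 'hybrid', manual)}")
        print(f"{label:17s} home     -> src seen: {outbound_source(TO_HOME_HOST, 'hybrid', manual)}")
    print("pf disabled, no-NAT rule absent:", outbound_source(TO_INTERNET, "hybrid", [], pf_enabled=False))
```

The model shows why the destination matters: with the home-only rule, internet-bound traffic falls through to the automatic rule and leaves with the pfSense WAN address instead of the VM's own one, while the any-destination rule keeps the VM's address on every path. It also shows why "disable the firewall and it works" is not evidence of a filtering problem: with pf off, the automatic NAT rule is gone too. In automatic mode the manual rules are ignored, so the rule only takes effect in hybrid or manual mode, which matches the thread's hybrid setting.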
                CrazyWolf13 @viragomann
                last edited by CrazyWolf13 Mar 30, 2024, 9:41 PM Mar 30, 2024, 9:41 PM

                @viragomann

                OMG correcting that NAT rule really solved it, pings now work fine!!!

                You're awesome!!

                Huuuuuuuge Thanks!! 🫢🫢

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.