Netgate Discussion Forum
    Bridge or not?

    Routing and Multi WAN
    9 Posts 3 Posters 4.9k Views
    netsysadmin

      Hi all,

      I configured pfSense with 3 WAN interfaces. The first interface (WAN) is connected to a wireless modem. So, it obtains its public IP address by DHCP from the ISP.
      The IP address of the second interface (ADSL1) is 10.2.0.1/16. It is connected to the LAN interface of an ADSL router/modem (Alcatel SpeedTouch), which has IP 10.2.0.2. The router's WAN interface obtains its public IP via DHCP from the ISP. ADSL1 is configured with gateway 10.2.0.2.
      The IP address of the third interface (ADSL2) is 10.3.0.1/16. It is connected to the LAN interface of another ADSL router/modem (Binatone), which has IP 10.3.0.2. The router's WAN interface obtains its public IP via DHCP from another ISP. ADSL2 is configured with gateway 10.3.0.2.

      The LAN interface of pfSense has IP 10.0.0.3/16. I've configured pfSense to route packets as follows:
      Packets with source IP 10.0.1.0/24 arriving on the LAN interface are routed to interface WAN.
      Packets with source IP 10.0.2.0/24 arriving on the LAN interface are routed to interface ADSL1.
      Packets with source IP 10.0.3.0/24 arriving on the LAN interface are routed to interface ADSL2.

      Now, what I want to know is whether it is better (in terms of latency, performance and features available) to configure pfSense to operate in bridge mode or not.
      Secondly, I'm using a Pentium 3 866 MHz 256 MB PC. Is this OK for doing the job?

      Any help is appreciated.

      sullrich

        It comes down to if you want to use the public IP addresses behind the bridge. If you can utilize 1:1 and basic port forwarding then I would suggest going for a NAT configuration.

        netsysadmin

          Well, both ADSL modems/routers connected to ADSL1 and ADSL2 support NAT and PAT already.

          hoba

            Geekgod was talking about running the pfSense in NAT mode, not the routers in front of it.
            Whether your machine specifications are good enough depends on how much load you plan to push through, but it should be fast enough to keep your WANs fully loaded.

            netsysadmin

              Since the WAN interface has a public IP address (unlike ADSL1 and ADSL2 interfaces), I have to use NAT to be able to access the Internet through it.
              What do you think about such a configuration? I mean, using NAT for connections via interface WAN, and no NAT for the other 2 interfaces (since NAT is performed by the respective modems/routers). Will this work? I haven't tested all three interfaces working at the same time yet.

              Can the firewall operate in bridge mode for connections via the ADSL1 and ADSL2 interfaces, but in non-bridge mode for the WAN interface? Does this (hybrid mode) make sense?
              Is the captive portal feature available in bridge mode?

              Another question, will pfSense still be able to selectively route packets to the WAN, ADSL1 and ADSL2  interfaces based on the source IP, in bridge mode?

              hoba

                Not everything you want to do is possible in bridge mode. Use NAT at all interfaces. I have a similar scenario at work, one SDSL with provider router as gateway and one ADSL modem router with dynamic IP in front of the OPT-WAN. The modem router has the pfSense OPT-WAN IP set as DMZ. Works like a charm and as I have a fake static IP at OPT-WAN with this setup I can use the load balancer without problems.

                You can create firewall rules at the internal interfaces for specific traffic to send out via different WANs (depending on source, destination, ports, …). Check out the gateway dropdown at the bottom of the edit rule page.

                netsysadmin

                  Is it really necessary to use NAT on all interfaces? I definitely agree that NAT SHOULD be used on the WAN interface (which has a public IP).

                  Computers on the LAN have IP 10.0.2.0/16 and 10.0.3.0/16.
                  Let's consider one ADSL modem/router only.
                  IP address of OPT-ADSL1 is 10.2.0.1 and is connected to 10.2.0.2 on the ADSL modem/router.
                  OPT-ADSL1 is configured with gateway 10.2.0.2.
                  The ADSL modem/router has a public IP address (A.B.C.D) on its WAN interface and is already doing NAT.
                  Do you get the picture?

                  The packet goes from network 10.0.2.0/16 to 10.2.0.0/16 and then to A.B.C.D (public).
                  Now, I don't think it's necessary to do NAT twice (first on pfSense and then by the ADSL modem/router).
                  What do you think?

                  hoba

                    It's much easier to do it this way and there are several people using it without issues that I know of. Using the DMZ IP for the pfSense WAN forwards everything to the pfSense and you have full control there.

                    You can configure NAT at Firewall>NAT, outbound individually if you don't like the double NAT attempt but it makes things only more complicated imo. You need static routes then at the router in front of you pointing to your pfSense LAN subnet(s).

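Added example, not from the thread and not a ruleset pfSense generates: a hand-written pf ruleset that sketches the source-based policy routing from the first post together with the "NAT only on WAN, static routes on the modems" option hoba describes above. NIC names, macro names and the WAN gateway placeholder are assumptions.

```pf
# Assumed NIC names; substitute the ones pfSense shows under Interfaces.
wan_if   = "em0"   # WAN: public IP via DHCP from the wireless modem's ISP
adsl1_if = "em1"   # ADSL1: 10.2.0.1/16, SpeedTouch at 10.2.0.2
adsl2_if = "em2"   # ADSL2: 10.3.0.1/16, Binatone at 10.3.0.2
lan_if   = "em3"   # LAN: 10.0.0.3/16

adsl1_gw = "10.2.0.2"
adsl2_gw = "10.3.0.2"
wan_gw   = "<WAN_DHCP_GATEWAY>"   # placeholder: the next hop learned by DHCP

lan_net    = "10.0.0.0/16"
local_nets = "{ 10.0.0.0/16, 10.2.0.0/16, 10.3.0.0/16 }"

# Single NAT: translate only what leaves via WAN, the one interface with a
# public address. This is also what pfSense's automatic outbound NAT creates
# for the LAN subnet; "except WAN" in the GUI text means the WAN subnet is not
# added as a translated source, not that WAN is skipped as the egress.
nat on $wan_if from $lan_net to any -> ($wan_if)

# ADSL1/ADSL2 are left untranslated because the modems NAT anyway. That only
# works if each modem has a static route for 10.0.0.0/16 via the pfSense
# address on its LAN (10.2.0.1 / 10.3.0.1). To take the double-NAT route
# instead (no static routes needed), uncomment the two lines below.
#nat on $adsl1_if from $lan_net to any -> ($adsl1_if)
#nat on $adsl2_if from $lan_net to any -> ($adsl2_if)

block log all

# Local destinations must never be policy-routed out a WAN.
pass in quick on $lan_if from $lan_net to $local_nets keep state

# Policy routing by source /24 inside the LAN /16 (the first post's plan).
pass in quick on $lan_if route-to ($wan_if $wan_gw) \
    from 10.0.1.0/24 to any keep state
pass in quick on $lan_if route-to ($adsl1_if $adsl1_gw) \
    from 10.0.2.0/24 to any keep state
pass in quick on $lan_if route-to ($adsl2_if $adsl2_gw) \
    from 10.0.3.0/24 to any keep state

# Anything else from the LAN follows the system default gateway.
pass in quick on $lan_if from $lan_net to any keep state
pass out quick on { $wan_if, $adsl1_if, $adsl2_if } keep state
```

Check the result with `pfctl -nf` before loading it; the rule order matters because the local-destination pass precedes the `route-to` rules.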
                  netsysadmin

                      Will double NAT not have any latency issue?

                      One question, I would like to understand the following sentence, which appears on the "Firewall: NAT: Outbound" page.
                      "With advanced outbound NAT disabled, a mapping is automatically created for each interface's subnet (except WAN)."

                      Since I haven't enabled NAT at all yet, pfSense is supposed to be generating the necessary mappings. However, pfSense is not supposed to be creating mappings for the WAN interface (as stated in the quoted sentence). But then, how come I can access the Internet via the WAN interface?
                      That's the only interface where I currently require NAT to function.

                      By the way, I don't have a router "in front of me". The pfSense firewall is actually "in front of me" and is acting as a router/firewall.
                      Note that 10.0.2.0/16 and 10.0.3.0/16 are the same subnet 10.0.0.0/16.

                      Also, I'm not using a DMZ. Hence, I couldn't really grasp what you meant by "Using the DMZ IP for the pfSense WAN forwards everything to the pfSense and you have full control there.". Can you please elaborate?

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.