Bridge Mode / Firewall issues
-
Hello,
I am trying to set up pfSense, but it doesn't want to cooperate.
Here is my setup:
internet (WAN) -> pfSense (LAN) -> switch -> servers
pfSense (OPT1) -> switch -> servers on private network
Basically, I have 3 NICs: the WAN, which is connected to the internet; the LAN, which is connected to a switch and a bunch of servers; and then OPT1, which is connected to a private network.
I am trying to set up pfSense to be bridged for all traffic in the LAN - I want specific ports of traffic to be able to move through the WAN to LAN and the LAN to WAN. I want the servers to be protected by the firewall. The problem that I am having is that, unless I check the "Disable the firewalls filter altogether" on the "System -> Advanced" page, no web traffic can get through. When it is unchecked, I can sometimes ping outside the traffic from my computer in the LAN, but DNS resolution does not happen.
I guess what I am trying to say is that the only way that the bridge works, is if I disable the firewall.
Whether "Disable the firewalls filter altogether" is checked or unchecked, I can always ping stuff using the built-in ping tool in the Diagnostics tab with either of the WAN and LAN interfaces selected. When I go to "System -> Packages" it is able to pull the packages from pfSense's servers.
Because of this, I figure that it is a rule issue. In the "Firewall->Rules" for both the LAN and WAN, I have the following:
Proto  Source  Port  Destination  Port  Gateway  Schedule  Description
*      *       *     *            *     *
Does anyone here have any ideas?
I am running 1.2-RC2 and I cannot do NAT on the LAN because I have way too many IP addresses that would need to be set up. I need it to be transparent and let the public address straight through to the LAN.
Eventually, I'd like to be able to VPN into the WAN and be connected into the OPT1 (private network) interface - but that task is far less important right now than this.
-
1: Set up IP on WAN
2: Set up LAN to bridge to WAN (LAN interface has NO IP)
3: System --> Advanced --> Filtering bridge: "Enable filtering bridge"
4: Set up rules on LAN and WAN for what you want to allow to pass through.
Your clients on LAN now should get their IP from a DHCP attached to your WAN (ISP?)
Also ensure that the gateway of the clients is not the pfSense but the next hop (router of your ISP).
5: Set up IP on OPT1
6: If you want internet access from your OPT1 you need to create an Advanced Outbound NAT rule.
Firewall --> NAT --> Outbound
Create a rule that NAT's your traffic from OPT1 to WAN.
7: Also add a firewall rule for OPT1 that allows traffic from OPT1 to WAN.
For VPN I suggest using OpenVPN. Your clients would connect to WAN and you simply need to push them the right route (private subnet of your OPT1).
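For readers who want to see what steps 2 through 7 amount to underneath the GUI, here is an added example of a hand-written pf(4) ruleset for a transparent filtering bridge. It is not from this thread and not pfSense's own generated configuration; the interface names, the public subnet, the OPT1 subnet, the NAT address and the allowed ports are all assumptions. It also replaces the "pass everything" rules from the first post with rules that only admit the services the servers actually publish, so the bridge keeps protecting them.

```pf
# Added example (not from the thread): pf ruleset for a filtering bridge.
# Assumed names: em0 = WAN, em1 = LAN (bridge member, no IP), em2 = OPT1.
# On FreeBSD, filtering on bridge members is governed by the sysctls
# net.link.bridge.pfil_member and net.link.bridge.pfil_bridge; the GUI
# "Enable filtering bridge" option is assumed to turn these on.
wan_if  = "em0"
lan_if  = "em1"
opt1_if = "em2"

public_servers = "203.0.113.0/24"   # placeholder public range of the LAN servers
opt1_net       = "10.10.0.0/24"     # placeholder private OPT1 network
opt1_out_ip    = "203.0.113.2"      # placeholder address OPT1 traffic is NATed to

set skip on lo0

# Step 6: outbound NAT only for the private OPT1 network. The bridged LAN is
# deliberately not translated, so its public addresses pass through unchanged.
nat on $wan_if from $opt1_net to any -> $opt1_out_ip

# Default deny; everything below is an explicit exception.
block log all

# Step 4, WAN side: admit only the published services. State is kept, so the
# replies match the state entry rather than needing a rule of their own.
pass in quick on $wan_if proto tcp from any to $public_servers port { 80 443 } flags S/SA keep state
pass in quick on $wan_if proto udp from any to $public_servers port 53 keep state

# Step 4, LAN side: servers may originate connections out (updates, DNS lookups).
pass in quick on $lan_if proto { tcp udp } from $public_servers to any keep state
pass in quick on $lan_if proto icmp from $public_servers to any keep state

# Step 7: OPT1 hosts may reach the WAN; the nat rule above translates them.
pass in quick on $opt1_if from $opt1_net to any keep state

# With pfil_member, a bridged frame is filtered inbound on one member and
# outbound on the other, so the outbound side needs a matching pass as well.
pass out quick on { $wan_if $lan_if $opt1_if } keep state
```

Syntax-check a ruleset like this with `pfctl -nf /path/to/pf.conf` before loading it; on a real pfSense box the GUI regenerates /tmp/rules.debug from its own configuration, so a hand-edited file is only useful for understanding or for a plain FreeBSD bridge.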
-
Thank you GruensFroeschli.
I already did 1-4 before my original post, but I will go through them again and make sure all is still well. For 5-7, I think that I will wait for the VPN until after the bridge is working. I don't want to complicate anything more than it needs to be. It is good to see that the process seems somewhat straightforward though.
Our uplink is to a 100Mbps drop in our DC, technically an ISP, but not like what you get at home. All of the servers (clients) in the LAN need public IPs and do not use DHCP; they are set up with static IPs.
Up until now, I have been setting this up in a test environment, but I am going to go ahead and put it into the DC and try to configure it in the final environment that it will be in. Maybe something locally is messing with it.
I will let you know how it goes.