Transparent Firewall - Setup
-
Simply trying to have a couple of servers in the subnet sit behind a transparent firewall so that traffic to/from the servers can be controlled via rules. Don't want to change any IP addressing and simply have everything remain in the same subnet.
FYI the setup doc I followed for this (trendchiller) showed IP addresses for both LAN and WAN on same subnet
-
You shouldn't have both interfaces in the same subnet, though.
-
FYI the setup doc I followed for this (trendchiller) showed IP addresses for both LAN and WAN on same subnet. It says the LAN IP is ignored when you enter bridged mode so it doesn't matter what you put in.
-
Well, I suppose if they are bridged it is okay. Why do you need two IPs though?
-
I don't need 2 IPs.
I simply want a management IP to get to pfSense.
-
So put one on the LAN and none on the WAN. That said, what I was asking for before was a clarification as to what your problem is. It is not very understandable as phrased, e.g. what you are trying to do, what is working and what is not.
-
Following the doc I can get things set up so that the server behind pfSense can get to the rest of the subnet fine. The server is on the LAN interface and the rest of the network is on the WAN interface. The problem is I cannot get traffic back the other way, i.e. none of the rest of the network can get back through pfSense to the server, even though there is an Any-Any rule set up on BOTH the LAN and WAN interfaces.
-
Ah, ok, now I understand, sorry for being dense. I am wondering - the WAN has the default "block RFC1918 addresses" deal - is that still checked? I note you have a private range, and I think those checkboxes set rules that you don't normally see, and I think they might come first before your allow-all. If so, try unchecking that?
-
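To make the ordering point above concrete, here is a small added example (not code from the thread, not pfSense's own code, and not the poster's real /tmp/rules.debug): a toy evaluator for pf rule semantics run over a constructed rule set. pf evaluates rules top to bottom and the last matching rule wins, except that a matching rule marked `quick` wins immediately. pfSense writes its generated rules with `quick`, so a hidden "block private networks" rule placed on the WAN before the user's Any-Any pass rule will drop return traffic from the rest of a 192.168.x.x subnet regardless of the pass rule below it. Interface names (em0 = WAN facing the rest of the subnet, em1 = LAN facing the server) and all addresses are constructed for the example.

```python
"""Toy model of pf rule evaluation (last match wins, 'quick' stops evaluation).

Added example for this thread. The rule strings below are constructed and
only loosely follow pf.conf syntax; they are not the poster's rules.debug.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: str                   # "in" or "out"
    quick: bool                      # stop at first match when True
    iface: Optional[str]             # None means any interface
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str                        # original line, for reporting


def _net(tok: str) -> ipaddress.IPv4Network:
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse the subset of pf syntax used in build_ruleset()."""
    toks = line.split()
    action, direction = toks[0], toks[1]
    iface = toks[toks.index("on") + 1] if "on" in toks else None
    if "all" in toks:
        src = dst = ANY
    else:
        src = _net(toks[toks.index("from") + 1])
        dst = _net(toks[toks.index("to") + 1])
    return Rule(action, direction, "quick" in toks, iface, src, dst, line)


def build_ruleset(block_private_on_wan: bool) -> List[Rule]:
    """Constructed rule set: em0 is WAN (rest of subnet), em1 is LAN (server).

    The three RFC1918 block rules model what the WAN 'block private networks'
    checkbox adds ahead of the user's rules (assumption, for illustration).
    """
    lines = ["block in log inet all"]                 # default deny, no quick
    if block_private_on_wan:
        lines += [
            "block in log quick on em0 from 10.0.0.0/8 to any",
            "block in log quick on em0 from 172.16.0.0/12 to any",
            "block in log quick on em0 from 192.168.0.0/16 to any",
        ]
    lines += [
        "pass in quick on em0 from any to any",       # user's Any-Any on WAN
        "pass in quick on em1 from any to any",       # user's Any-Any on LAN
    ]
    return [parse_rule(l) for l in lines]


def evaluate(rules: List[Rule], iface: str, direction: str,
             src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Return (verdict, rule text) for one packet under pf semantics."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    verdict, reason = "pass", "no rule matched (pf default is pass)"
    for r in rules:
        if r.direction != direction or (r.iface and r.iface != iface):
            continue
        if src not in r.src or dst not in r.dst:
            continue
        verdict, reason = r.action, r.text   # later matches override earlier ones
        if r.quick:
            break                            # quick: first match is final
    return verdict, reason


if __name__ == "__main__":
    # Return traffic from the rest of the subnet toward the server enters on em0.
    for flag in (True, False):
        rules = build_ruleset(block_private_on_wan=flag)
        v, why = evaluate(rules, "em0", "in", "192.168.1.50", "192.168.1.10")
        print(f"block private on WAN={flag}: {v:5} <- {why}")
    # Traffic from the server out to the subnet enters on em1 and passes either way.
    print(evaluate(build_ruleset(True), "em1", "in", "192.168.1.10", "192.168.1.50"))
```

Running it shows the return path verdict flip from `block` (matched by the quick RFC1918 rule) to `pass` once that rule is gone, while the server's outbound direction passes in both cases, which matches the one-way symptom described in the thread.
-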
No, unchecked these as per the setup doc.
http://pfsense.trendchiller.com/transparent_firewall.pdf
Based on the date of the doc it seems that it was created for a much earlier version of pfsense. I wonder if there are other changes that need to happen with the v1.2.3 I'm using.
-
Can you post /tmp/rules.debug?