Netgate Discussion Forum

Clean Install with pfsense 2.0 using transparent firewall

Category: Problems Installing or Upgrading pfSense Software
44 Posts 7 Posters 23.6k Views
wallabybob

Have you acted on this observation:

@stephenw10:

Looking at your screen grab I see that your firewall is blocking traffic on LAN, all of which is coming from a different subnet. If you have only the default LAN allow rule you will have to edit it or add more rules to allow traffic from a different subnet.

Start with the simplest configuration: can you connect to the web GUI from a machine on the same subnet as your LAN interface? If not, how are you trying to connect? (ssh? http? ping? etc.) What response do you get? (timeout? no route to host? etc.) Can you connect (by ssh, ping, telnet etc.) from the pfSense console to a machine on the same subnet as your LAN interface?

Does it make a difference if you specify the target of the connect attempt by IP address rather than name (or name rather than IP address)?

In short, a bit more information about what you are trying to do and where you are trying to do it would help those attempting to help you solve the problem. The information about cables and NIC lights was useful.
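The observation quoted above is easy to check in a model. The following is an added example, not code from the thread or from pfSense: it models pfSense's first-match rule evaluation on the LAN interface, shows why the default "LAN net" allow rule drops packets whose source is in a different subnet, and what adding a rule for that subnet changes. The rules, packet sources and the handling of the "LAN net" alias are constructed for illustration; the LAN subnet comes from the 10.169.92.30/22 address mentioned later in the thread.

```python
# Added example, not code from the thread or from pfSense: a small model of
# pfSense's first-match ("quick") rule evaluation on the LAN interface, showing
# why the default "LAN net" allow rule drops traffic arriving from a different
# subnet, and what adding a rule for that subnet changes. Rules, packets and
# the alias handling are constructed for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple, Union

# The LAN interface subnet mentioned in the thread (10.169.92.30/22).
LAN_NET: Optional[IPv4Network] = ip_network("10.169.92.0/22")


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: Union[str, IPv4Network]     # an explicit network, or the alias "LAN net"
    descr: str = ""


# pfSense's default LAN rule: pass anything whose source is inside the LAN subnet.
DEFAULT_LAN_RULES = [Rule("pass", "LAN net", "Default allow LAN to any rule")]


def matches(rule: Rule, src_ip: str, lan_net: Optional[IPv4Network]) -> bool:
    """True when the packet's source falls inside the rule's source network.
    Assumption: "LAN net" is the only alias modelled; when the LAN interface has
    IP type 'none' (lan_net is None) the alias expands to nothing and never matches."""
    net = lan_net if rule.src == "LAN net" else rule.src
    return net is not None and ip_address(src_ip) in net


def evaluate(rules: List[Rule], src_ip: str,
             lan_net: Optional[IPv4Network] = LAN_NET) -> Tuple[str, str]:
    """Return (action, rule description) of the first matching rule.
    As with pf 'quick' rules, the first match wins; a packet that matches
    nothing hits the implicit default-deny rule."""
    for rule in rules:
        if matches(rule, src_ip, lan_net):
            return rule.action, rule.descr
    return "block", "default deny"


def with_extra_subnet(rules: List[Rule], cidr: str) -> List[Rule]:
    """Rules plus a pass rule for traffic sourced from another subnet, the kind
    of rule the post says you must add when LAN-side hosts use a different subnet."""
    return [Rule("pass", ip_network(cidr), f"Allow from {cidr}")] + list(rules)


if __name__ == "__main__":
    for src in ("10.169.92.30", "192.168.1.20"):
        print(src, evaluate(DEFAULT_LAN_RULES, src))
    widened = with_extra_subnet(DEFAULT_LAN_RULES, "192.168.1.0/24")
    print("192.168.1.20 after adding a rule:", evaluate(widened, "192.168.1.20"))
    print("LAN with IP type 'none':", evaluate(DEFAULT_LAN_RULES, "10.169.92.30", lan_net=None))
```

The last call shows the case that matters for a bridged setup: if the LAN interface carries no IP address, "LAN net" is empty and the default rule passes nothing, so every LAN-side rule has to name the subnets explicitly.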
verylife78

The problem is that when I define a static IP at the WAN interface, after I reboot I can't access the web GUI, nor with ssh. From the machine I can't ping anything.
BUT when I change the static WAN IP to dynamic, everything is OK.
Still, I haven't moved the machine to its place, so it is not connected with the router.
Cry Havok

If this is a transparent firewall, why are you assigning IP addresses to the LAN and WAN interfaces? A transparent firewall doesn't have IP addresses on its LAN or WAN.
verylife78

@Cry:

If this is a transparent firewall, why are you assigning IP addresses to the LAN and WAN interfaces? A transparent firewall doesn't have IP addresses on its LAN or WAN.

Yes, this is going to work as a transparent firewall…
Do you mean that I don't have to set up an IP on either LAN or WAN? And how am I going to access the web GUI?
Cry Havok

Traditionally through a third interface.
verylife78

Am I going to assign a DHCP type of connection at both LAN and WAN?
Can you be more specific about what needs to be done?
Cry Havok

The traditional method of managing a transparent firewall is to have 3 interfaces. Two are used for the transparent firewall; neither has an IP address. The third is used for management and has an IP address.

I haven't done this with 2.0 so can't say for certain that this is how you have to manage 2.0 in transparent mode.

It would probably be sensible at this point for you to complete your testing using a virtual environment. Then you don't have to keep interrupting the network traffic to find out if your latest change has worked.
stephenw10 (Netgate Administrator)

Something like this? http://doc.m0n0.ch/handbook/examples-filtered-bridge.html

I'd have to experiment with the bridging in 2.0 to try to set up something like that.

Steve

Edit: Actually, reading through that m0n0wall guide, it's almost identical to the pfSense transparent firewall guide.
verylife78

I think something like this.
But I am not sure if transparent firewall has the same meaning as filtered bridge. At the beginning it explains that it is usually used as a DMZ, but the more frequent use is for protecting servers where there are no LAN hosts.

I attached an image.
Now the WAN and OPT interfaces are bridged and the web GUI is accessible through the LAN interface at 10.169.92.30/22. Is that correct? If I set an IP at the OPT interface I can't access the pfSense; that's why WAN and OPT don't have an IP and LAN has.
I need to set the firewall rules so that all the traffic that comes from WAN is guided to the OPT interface.

![pfsesense forum.png](/public/imported_attachments/1/pfsesense forum.png)
Cry Havok

A filtering bridge is another phrase for a transparent firewall.

The 2 bridged interfaces shouldn't have IP addresses and only the management interface (which isn't used to route traffic) should have an IP.
verylife78

But both guides, for m0n0wall and pfSense, say that the interfaces have an IP address, but you advised me that both interfaces should not have an IP except the LAN that is used for management. Finally, which is correct?
And if I connect the WAN interface to the router and the OPT1 interface to my network, and I control the pfSense through the LAN interface, is this correct, or can the pfSense understand that the traffic should be guided from WAN to LAN and vice versa?
Please answer me, thanks
verylife78

anybody? people… please!
jimp (Rebel Alliance Developer, Netgate)

Traditionally they do not, but it's acceptable to have an IP on the WAN side and bridge the LAN to WAN, leaving LAN without an IP address.

On 2.0 you'd actually want to have WAN and LAN without an IP, and have the bridge interface assigned and have your "WAN" IP be assigned directly to the bridge interface.
Nicklas

But if you have only 2 interfaces you can only bridge them, and if you put this firewall in a DC how do you get access to the GUI???

btw, where can I find how to assign a "WAN" IP to the bridge?

Thanks
jimp (Rebel Alliance Developer, Netgate)

When you bridge two interfaces, the bridge itself is a third interface.

Ideally in 2.0 you want something like this (WAN is em0, LAN em1):

OUTSIDE: em0 - assigned, enabled, IP type of 'none'
INSIDE: em1 - assigned, enabled, IP type of 'none'
WAN: bridge0 - assigned, enabled, with your WAN IP address

Though that would be tricky to pull off with only two interfaces in the GUI. As a compromise, just configure up WAN, and enable LAN without an IP, then bridge LAN to WAN.
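The layout jimp gives here, and in his earlier reply about putting the "WAN" IP on the bridge, can be checked mechanically against a saved config. The following is an added example, not code from the thread or from the pfSense project: it parses a pfSense-style config.xml fragment and reports where it departs from that layout (a bridge member that still has an IP, a bridge that is not assigned as an interface, a bridge interface with no IP). The XML is constructed and trimmed, and the element names (`<interfaces>`, `<if>`, `<ipaddr>`, `<bridges>`/`<bridged>`/`<bridgeif>`/`<members>`) follow pfSense's config.xml as this example assumes it; run it against a real backup only after confirming those names match your version.

```python
# Added example, not from the thread or the pfSense project: validate a
# pfSense-style config.xml fragment against the transparent-firewall layout
# described in the thread for 2.0: the two bridge members carry no IP (IP type
# 'none'), and bridge0 is itself assigned as an interface holding the WAN IP.
# The XML is constructed and trimmed; element names follow pfSense's config.xml
# as this example assumes it.
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><enable/><if>em0</if><descr>OUTSIDE</descr></wan>
    <lan><enable/><if>em1</if><descr>INSIDE</descr></lan>
    <opt1>
      <enable/><if>bridge0</if><descr>WAN</descr>
      <ipaddr>203.0.113.10</ipaddr><subnet>24</subnet><gateway>WANGW</gateway>
    </opt1>
  </interfaces>
  <bridges>
    <bridged><bridgeif>bridge0</bridgeif><members>wan,lan</members></bridged>
  </bridges>
</pfsense>"""


def parse_interfaces(root: ET.Element) -> Dict[str, dict]:
    """Map each assigned interface (wan, lan, opt1, ...) to its device, enable flag and IP.
    An absent or empty <ipaddr> is what the GUI shows as IP type 'none'."""
    ifaces: Dict[str, dict] = {}
    section = root.find("interfaces")
    if section is None:
        return ifaces
    for node in section:
        ifaces[node.tag] = {
            "if": (node.findtext("if") or "").strip(),
            "enabled": node.find("enable") is not None,
            "ipaddr": (node.findtext("ipaddr") or "").strip(),
        }
    return ifaces


def parse_bridges(root: ET.Element) -> Dict[str, List[str]]:
    """Map each bridge device (bridge0, ...) to the assigned interfaces it bridges."""
    bridges: Dict[str, List[str]] = {}
    section = root.find("bridges")
    if section is None:
        return bridges
    for node in section.findall("bridged"):
        members = [m.strip() for m in (node.findtext("members") or "").split(",") if m.strip()]
        bridges[(node.findtext("bridgeif") or "").strip()] = members
    return bridges


def check_transparent_layout(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means the config matches the layout."""
    root = ET.fromstring(xml_text)
    ifaces = parse_interfaces(root)
    bridges = parse_bridges(root)
    findings: List[str] = []
    if not bridges:
        return ["no bridge defined: nothing is being filtered transparently"]
    for bridgeif, members in bridges.items():
        if len(members) != 2:
            findings.append(f"{bridgeif}: expected exactly two members, got {members}")
        for m in members:
            info = ifaces.get(m)
            if info is None:
                findings.append(f"{bridgeif}: member {m} is not an assigned interface")
                continue
            if not info["enabled"]:
                findings.append(f"{m}: bridge member is not enabled")
            if info["ipaddr"]:
                findings.append(f"{m}: bridge member has IP {info['ipaddr']} (should be 'none')")
        # The bridge only becomes the "third interface" once it is assigned itself.
        holders = [tag for tag, info in ifaces.items() if info["if"] == bridgeif]
        if not holders:
            findings.append(f"{bridgeif}: bridge is not assigned as an interface, so it cannot carry the WAN IP")
        for tag in holders:
            if not ifaces[tag]["enabled"]:
                findings.append(f"{tag} ({bridgeif}): bridge interface is not enabled")
            if not ifaces[tag]["ipaddr"]:
                findings.append(f"{tag} ({bridgeif}): bridge interface has no IP address")
    return findings


if __name__ == "__main__":
    print("sample:", check_transparent_layout(SAMPLE_CONFIG) or "OK")
    leaked_ip = SAMPLE_CONFIG.replace("<if>em0</if>", "<if>em0</if><ipaddr>dhcp</ipaddr>")
    print("member with IP:", check_transparent_layout(leaked_ip))
```

The "member has IP" finding is the one that corresponds to the original poster's setup (an address on WAN while WAN is a bridge member); the "bridge interface has no IP" finding is the case Nicklas asks about, where the bridge exists but nothing has been assigned to it yet.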
Nicklas

Thanks, well I have 4 interfaces in it but created a lagg with them; I didn't know that by bridging the 2 you created a third interface.. :-)
So, I checked this in my interfaces and indeed it is there, the third one called OPT1. Now, when I assign this OPT1 to the WAN as you said, then I have assigned my external IP to the bridge, do I understand this correctly now? Sorry, English is not my mother tongue… and I sometimes have trouble understanding what others try to explain :-))

I have it like this at the moment:

Thanks very much for your time to explain.

![Bonding - LAGGs with the nics.jpg](/public/imported_attachments/1/Bonding - LAGGs with the nics.jpg)
![Bridge Lan with Wan.jpg](/public/imported_attachments/1/Bridge Lan with Wan.jpg)
Interfaces.jpg
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.