Transparent Bridge Firewall - All Public IP Addresses

wired-circuit

Yer, I created an all in all out rule for the purpose of testing. I do see this in the log, a clue?? php: : The command '/sbin/ifconfig bridge0 addm em0' returned exit code '1', the output was 'ifconfig: BRDGADD em0: File exists'

cmb

that isn't relevant, just that it tried to add the NIC to the bridge again and it was already there, doesn't matter.

what IP, mask, gateway, DNS config do you have on your host behind the bridge?

wired-circuit

I have stripped it back down to the interface (attached).

So starting again, because I think it would be a better approach, faster and more helpful to other readers in the future.

Goto Interfaces, Assign and Select Bridges.
Click the Plus Sign to add a New Bridge.
Use the Control Key to Select Two Interfaces, WAN and in MyCase DIGI and Click Save.
Goto Interfaces and Select Assign. From the Pull Down Select Bridge on your Interface (again in my case DIGI) and Save.

That should be it right? Effectively passing all traffic striaght through to the device attached?

![Picture 7.png](/public/imported_attachments/1/Picture 7.png)
![Picture 7.png_thumb](/public/imported_attachments/1/Picture 7.png_thumb)
![Picture 8.png](/public/imported_attachments/1/Picture 8.png)
![Picture 8.png_thumb](/public/imported_attachments/1/Picture 8.png_thumb)

cmb

your bridge is fine.

again:
@cmb:

what IP, mask, gateway, DNS config do you have on your host behind the bridge?

wired-circuit

Exactly as displayed on plus.net (the providers) page. I'll PM you with them.

wired-circuit

Really appreciate all your help on this, I am doing this work voluntarily for a local charity.

wired-circuit

I think I have figured out the problem, can't test till tomorrow but maybe you can confirm. I am testing with a Windows machine, instead of the WAN interface on the Draytek. Crossover cable? I should be using a crossover cable?!

cmb

If you're plugging a PC/server straight into the firewall, and neither of the involved NICs are auto MDI/MDI-X, then yes you need a crossover.

wired-circuit

Crossover cable in place….. and... nothing.. nowt.. nada. Any more ideas anyone? Does this information help?

ifconfig bridge0
bridge0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
ether 6a:7b:c0:c5:bc:37
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0

ifconfig rl2
rl2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=8 <vlan_mtu>ether 00:0f:ea:39:4f:a0
inet6 fe80::20f:eaff:fe39:4fa0%rl2 prefixlen 64 scopeid 0x5
nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active

ifconfig em0
em0: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 90:e2:ba:0d:59:34
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active</full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></broadcast,simplex,multicast></full-duplex></performnud,accept_rtadv></vlan_mtu></up,broadcast,running,simplex,multicast></up,broadcast,running,simplex,multicast>

wallabybob

The flags for em0 DO NOT include UP and RUNNING. Hence the hardware thinks em0 is disconnected. But it reports status active!

Why doesn't the bridge interface report its members? (It doesn't have any? You chopped it off?)

Why doesn't the em0 interface report inet6 and nd6? (You edited it out? The data comes from an older FreeBSD system, not from the same system reporting rl2? You messed up a copy and paste?)

wired-circuit

No thats not edited, it didn't look right to me either. Here is the ifconfig complete, WAN is rl2, DIGI (the interface I am trying to bridge) is em0.

ifconfig
rl0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=8 <vlan_mtu>ether c8:3a:35:d4:0c:6d
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::ca3a:35ff:fed4:c6d%rl0 prefixlen 64 scopeid 0x1
nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
em0: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 90:e2:ba:0d:59:34
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=108943 <up,broadcast,running,promisc,simplex,multicast,ipfw_filter>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 90:e2:ba:0d:59:35
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
inet6 fe80::92e2:baff:fe0d:5935%em1 prefixlen 64 scopeid 0x3
nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl1: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=8 <vlan_mtu>ether c8:3a:35:d8:7a:22
inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
inet6 fe80::ca3a:35ff:fed8:7a22%rl1 prefixlen 64 scopeid 0x4
nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=8 <vlan_mtu>ether 00:0f:ea:39:4f:a0
inet6 fe80::20f:eaff:fe39:4fa0%rl2 prefixlen 64 scopeid 0x5
nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=8810 <pointopoint,simplex,multicast>metric 0 mtu 1500
pflog0: flags=100 <promisc>metric 0 mtu 33664
pfsync0: flags=0<> metric 0 mtu 1460
syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
enc0: flags=0<> metric 0 mtu 1536
lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
nd6 options=3 <performnud,accept_rtadv>pppoe0: flags=89d1 <up,pointopoint,running,noarp,promisc,simplex,multicast>metric 0 mtu 1492
inet6 fe80::ca3a:35ff:fed4:c6d%pppoe0 prefixlen 64 scopeid 0xb
inet IPADDRESSEDITED –> 195.166.128.47 netmask 0xffffffff
nd6 options=3 <performnud,accept_rtadv>bridge0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
ether 6a:7b:c0:c5:bc:37
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
ipfw0: flags=8801 <up,simplex,multicast>metric 0 mtu 65536</up,simplex,multicast></up,broadcast,running,simplex,multicast></performnud,accept_rtadv></up,pointopoint,running,noarp,promisc,simplex,multicast></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></promisc></pointopoint,simplex,multicast></full-duplex></performnud,accept_rtadv></vlan_mtu></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></vlan_mtu></up,broadcast,running,promisc,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,promisc,simplex,multicast,ipfw_filter></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></broadcast,simplex,multicast></full-duplex></performnud,accept_rtadv></vlan_mtu></up,broadcast,running,simplex,multicast>

wallabybob

The bridge should have members, for example (extract from ifconfig output on my system):

ath0_wlan0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
	ether 00:19:e0:68:31:4b
	inet6 fe80::219:e0ff:fe68:314b%ath0_wlan0 prefixlen 64 scopeid 0xb 
	nd6 options=3 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>status: running
	ssid Rivendell channel 1 (2412 MHz 11g) bssid 00:19:e0:68:31:4b
	regdomain ROW country AU indoor ecm authmode WPA2/802.11i
	privacy MIXED deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit
	txpower 30 scanvalid 60 protmode OFF burst -apbridge dtimperiod 1 -dfs
bridge0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
	ether 9a:ae:96:8a:52:25
	inet 192.168.211.173 netmask 0xffffff80 broadcast 192.168.211.255
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: vr0 flags=143 <learning,discover,autoedge,autoptp>ifmaxaddr 0 port 3 priority 128 path cost 200000
	member: ath0_wlan0 flags=143 <learning,discover,autoedge,autoptp>ifmaxaddr 0 port 11 priority 128 path cost 370370
$</learning,discover,autoedge,autoptp></learning,discover,autoedge,autoptp></up,broadcast,running,simplex,multicast></hostap></performnud,accept_rtadv></up,broadcast,running,promisc,simplex,multicast> 
```Also, I expect the em0 interface should have inet6 and nd6 options. Is pfSense interface DIGI enabled?

wired-circuit

Yes all are enabled, although IP6 is not. Screen Shots attached.

So in short this part is missing from my config (from your paste) (obviously with my interfaces)

member: vr0 flags=143 <learning,discover,autoedge,autoptp>ifmaxaddr 0 port 3 priority 128 path cost 200000
member: ath0_wlan0 flags=143 <learning,discover,autoedge,autoptp>ifmaxaddr 0 port 11 priority 128 path cost 370370

![Picture 1.png](/public/imported_attachments/1/Picture 1.png)
![Picture 1.png_thumb](/public/imported_attachments/1/Picture 1.png_thumb)
![Picture 2.png](/public/imported_attachments/1/Picture 2.png)
![Picture 2.png_thumb](/public/imported_attachments/1/Picture 2.png_thumb)
![Picture 3.png](/public/imported_attachments/1/Picture 3.png)
![Picture 3.png_thumb](/public/imported_attachments/1/Picture 3.png_thumb)
![Picture 4.png](/public/imported_attachments/1/Picture 4.png)
![Picture 4.png_thumb](/public/imported_attachments/1/Picture 4.png_thumb)
![Picture 5.png](/public/imported_attachments/1/Picture 5.png)
![Picture 5.png_thumb](/public/imported_attachments/1/Picture 5.png_thumb)</learning,discover,autoedge,autoptp></learning,discover,autoedge,autoptp>

wired-circuit

OK so it looks like there is a bug in the GUI, because it doesnt work…...

I did this from the command line (Source: http://www.freebsd.org/doc/handbook/network-bridging.html) and the Bridge is UP UP UP!!!!!

ifconfig bridge0 addm rl2 addm em0 up

ifconfig em0 up

ifconfig rl2 up

ifconfig bridge0

bridge0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
ether aa:fc:23:10:64:e9
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: em0 flags=143 <learning,discover,autoedge,autoptp>ifmaxaddr 0 port 2 priority 128 path cost 20000
member: rl2 flags=143 <learning,discover,autoedge,autoptp>ifmaxaddr 0 port 5 priority 128 path cost 200000

Thank you everyone for your help, nice to complete is post with a good answer…... although I must appologise for hijacking the orginal post.</learning,discover,autoedge,autoptp></learning,discover,autoedge,autoptp></up,broadcast,running,simplex,multicast>

cmb

@wired-circuit:

OK so it looks like there is a bug in the GUI, because it doesnt work…...

No, the GUI works fine, but it can only do what you tell it to. Your manual setup is completely different from what you configured in the GUI from the screenshots, you don't even have em0 assigned and it's not part of the bridge you setup. Which is also why your interface wasn't up until you manually upped it. It'll work fine if you configure it in the GUI so it does the back end the way you manually did it.

wallabybob

The GUI shows you attempting to bridge the PPP interface which is probably not a bridgeable interface. You also specified BRIDGE0 has a member DIGI which is the name assigned to BRIDGE0. A bridge probably can't have itself as a member :-)

I suspect you need to click on the "+" button on the Interfaces -> (assign) page twice to get two new pfSense interface names allocated, assign rl2 and em0 to those interface names and then make those new interfaces members of bridge0.

wired-circuit

Would you care to expand on the procedure, your response is contridicatary to that of your colleague in the first part of the thread. I have this morning had to add another interface for the next part of the project and the bridge has gone. So I need to put it back, and it would be nice to put it back using the GUI.

Many many thanks for your help.

stephenw10

If the WAN NIC is added and bridged will traffic on it be routed via the PPPoE connection? I think perhaps not.

But agreed, you need to add an extra interface and assign em0 to it. Then replace DIGI in the bridge configuration with the new interface.

Steve

wired-circuit

Now I'm getting extremely confused. Lets go back to basics here (Interfaces got changed due to a card addition):

I have a WAN interface (rl1) connected to our service provider.
I have another interface 'DIGI' (em0) connected to a DrayTek router which I want to expose directly to the internet allowing the Draytek to be allocated the public IP address.

As I understand it I need to bridge the WAN (rl1) interface with the DIGI (em0) interface to make the Draktek accessible from the Internet via the assigned public IP.

We have established that I am using the correct Public IP address, subnet, gateway and DNS Servers.

Is this all correct?
What is the proceedure?

stephenw10

OK. Assuming all previous screenshots etc are now redundant.

Create a bridge, bridge0, and add to it WAN(PPPoe0) and DIGI(em0).

Add a new interface and assign bridge0 to it.

As Wallabybob pointed out this is unusual, I'm not sure if a PPPoE interface can be part of a bridge but that' what I'd try first.

However in this configuration the PPPoE interface will always be given a public IP by Plusnet.
Do you have multiple public IPs?

Steve