Netgate Discussion Forum
    Transparent Bridge Firewall - All Public IP Addresses

    • stephenw10 (Netgate Administrator)

      @wired-circuit:

      If the WAN NIC is added and bridged will traffic on it be routed via the PPPoE connection? I think perhaps not.

      OK this looks to me like it is going to be a problem? So I cannot pass traffic out from the Draytek, but I can receive?

      Sorry, that's my fault, just confusing things.  :-[
      Wallabybob suggested that it may not be possible to bridge the PPPoE connection and that you should use the WAN NIC instead. I was querying whether or not that would work. I still think it wouldn't.

      Perhaps you should re-describe what you are trying to achieve as an end result overall. Reading back through the thread why do you need the Draytek router at all?

      Steve

      • wallabybob

        @wired-circuit:

        So all said, how do I allocate the draytek a public IP and pass traffic to it directly without getting another adsl connection?

        Let's get a high level understanding of what you are trying to do so we can determine the general solution. Then we can look at the specifics.

        You said earlier you have a pool of public IP addresses. Would it be sufficient to pass some (or all) traffic to a specific IP address from the pool to the Draytek? Are all your public IPs on the same subnet or do you have a single public address allocated by PPP and a pool in another subnet?

        Do you want ALL traffic from the internet to go to the Draytek? If so, why have the pfSense box?

        • wired-circuit

          We have a pool of IP addresses, and all thankfully on the same subnet.

          We have a pretty normal network setup, with a WAN adsl connection to plus.net, Wired LAN, Wireless network with Captive portal setup, DMZ with a web and mail server.  Until now everything has been great, we NAT traffic if required for the standard mail and web stuff.

          The new requirement is for a supplier that is housing equipment and set up in our building; their requirement is not negotiable.  They have equipment tucked in behind a Draytek router and firewall.  The WAN port needs exposure to the internet with a public IP address.

          Hope that clarifies the requirement, and again thanks for your help guys.

          • wired-circuit

            For my research, and I don't know if I am 100% correct here.  Bridging the WAN Interface with my DIGIEXPOSED interface is called a half-bridge, and committing it via the GUI does not work.  (If I bridge two LAN interfaces it works fine).

            It looks like the half-bridge will give incoming access, not outgoing.  If the supplier is using the connection to VPN in to their Draytek router, will that give them outgoing access through the VPN tunnel?  Or am I being thick?

            If I cannot commit a half-bridge through the GUI how do I commit the command line changes to the config so they become permanent?

            ALSO I need access to the LAN side of the Draytek (10.x network) from a 192.x network; interfaces are in place.  What would be the best approach for that?

            Again, thank you all SO SO SO Much for your help.

            Stu

            • stephenw10 (Netgate Administrator)

              Hmm, this is an interesting problem.
              I can see why you might use the term 'half bridge', many router manufacturers seem to use it, but it has no meaning in FreeBSD (afaik). Though that is what you are trying to accomplish.
              The bridge function is only restricted by the type of interface you are trying to bridge. If your WAN interface was DHCP this would be no problem. If you have got something working via the command line you should be able to replicate that in the GUI.

              If all that is required is to have access to the Draytek router from the internet then I would do as Wallabybob suggested; set up a virtual IP on WAN with one of your public IPs and 1:1 NAT that with the Draytek.

              Do you have access to the Draytek configuration? What do you need to access on the 10.* network?

              Steve

              • wallabybob

                The pfSense book has a discussion of using additional public IPs in section 6.7. One example (figure 6.21) shows use of a single block of IP addresses with the OPT1 interface bridged to WAN and a system connected to OPT1 having a public IP address.

                That example assumes an internet connection from pfSense to the ISP router using IP over Ethernet. Your configuration uses IP over PPP over Ethernet and you can't bridge OPTx and WAN because WAN is a PPP interface.

                Does your modem (upstream of pfSense) have the capability of handling the PPP so you can talk to it from pfSense using IP over Ethernet - that is, can you "offload" the PPP to the "modem"? If so, you can then bridge WAN and OPTx as discussed in the pfSense book.

                Depending on the degree of NAT you are prepared to allow, you might be able to get by with the port forward configuration I hinted at earlier.

                Maybe your modem will also accept IP over Ethernet and forward to the Internet inside the appropriate protocol wrapper. If so, you could possibly bridge your OPTx interface and the physical interface on which the WAN interface operates.

                • wired-circuit

                  "Offload" the PPP to the "modem": I think you are right, that's where the problem is.  I will confirm on Sunday when I can get in and take everything offline.

                  Thanks for your help

                  • wired-circuit

                    1:1 NAT it is!  I have it up on the https port and can see the Draytek.

                    One cable running from the pfSense DIGIEXP (exposed) interface into the WAN port of the DrayTek.  Just have to add the other rules so they can VPN into it.

                    The next thing I need to do is allow access to the LAN side of the DrayTek (DIGIINT, 10.61.88.0/28) from the existing LAN (192.168.1.0/24).

                    • stephenw10 (Netgate Administrator)

                      Good job!  :)

                      @wired-circuit:

                      The next thing I need to do is allow access to the LAN side of the DrayTek (DIGIINT, 10.61.88.0/28) from the existing LAN (192.168.1.0/24).

                      I can't see how you are going to do this without adding some rules to the Draytek. Unless you bypass it completely with another connection - which could open up the possibility of horrible routing loops!
                      VPN tunnel perhaps?

                      Unless the Draytek router already allows access to the servers behind it (seems likely  ::)) in which case you just need to add a static route to pfSense so it knows where to send traffic for 10.61.88.0/28.

                      Steve

                      • wired-circuit
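As an added illustration (not from the thread, and not pfSense's generated ruleset): the Virtual IP plus 1:1 NAT that Steve describes, and the static route for 10.61.88.0/28, written as a hand-edited FreeBSD pf.conf fragment. Interface names and the 203.0.113.10 / 198.51.100.2 addresses are placeholders; only 10.61.88.0/28 and 192.168.1.0/24 come from the thread.

```pf
# Constructed example: a hand-written pf.conf equivalent of the GUI steps discussed
# above. Interface names and the 203.0.113.x / 198.51.100.x addresses are placeholders.
wan_if = "pppoe0"          # PPPoE WAN: the public IP lives on the PPP interface, not the NIC
dmz_if = "em2"             # DIGIEXP, cabled straight into the Draytek's WAN port
lan_if = "em1"             # existing LAN

pub_vip     = "203.0.113.10"    # one address from the public pool, added as a Virtual IP on WAN
draytek_wan = "198.51.100.2"    # Draytek WAN port address inside the DIGIEXP subnet
draytek_lan = "10.61.88.0/28"   # DIGIINT, the LAN behind the Draytek (from the thread)
lan_net     = "192.168.1.0/24"  # existing LAN (from the thread)
# 443 is what the thread has open so far; the Draytek's VPN ports are added here once
# known (use the matching proto, e.g. udp 500/4500 and esp for IPsec, instead of tcp).
draytek_ports = "{ 443 }"

# 1:1 NAT: pub_vip <-> draytek_wan in both directions (Firewall > NAT > 1:1 in the GUI).
binat on $wan_if from $draytek_wan to any -> $pub_vip

# 1:1 NAT opens nothing by itself. pf translates before filtering, so the WAN rule
# matches the Draytek's internal address, and only the listed ports are reachable.
block in log on $wan_if
pass in quick on $wan_if proto tcp from any to $draytek_wan port $draytek_ports keep state
pass out on $wan_if keep state

# The exposed Draytek gets out to the internet but is kept away from the existing LAN;
# 'quick' is needed because pf is last-match-wins without it.
block in quick on $dmz_if from $draytek_wan to $lan_net
pass in on $dmz_if from $draytek_wan to any keep state

# LAN -> the Draytek's LAN side. pf only filters; the route itself is a static route
# (System > Routing in the GUI, or at the shell: route add -net 10.61.88.0/28 198.51.100.2),
# and the Draytek must accept and route 192.168.1.0/24 on its own, as Steve notes.
pass in on $lan_if from $lan_net to $draytek_lan keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f`; on a pfSense box the GUI regenerates the ruleset, so these rules belong in the GUI pages named in the comments rather than in the file.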

                        YEP I know, I know.  The requirements of this company are stupid, really really stupid.  Why they could not use our existing infrastructure is crazy.  And to expect it from a small charity….. well...

                        Essentially the remote access via the 1:1 NAT on the first part of the project is to allow the company that installed to manage, they come into their DrayTek via the Public IP and VPN on the Draytek.

                        The second portion of the project, access to the LAN portion on the Draytek, is for usage of the product; they will not allow us to use the public side.. mental isn't it?

                        • stephenw10 (Netgate Administrator)

                          It would be interesting to know what they expect the network to look like.
                          Presumably they have done this many times before and have found this to be the best setup.

                          I'd be interested in the opinion of someone with more experience on this.

                          Steve

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.