Filtered bridge Colo setup
-
After using M0n0wall for several years now, I decided to move to pfSense.
But I'm having trouble setting up a filtered bridge Colo setup like http://doc.m0n0.ch/handbook/examples-filtered-bridge.html (made by Chris Buechler). I'm not able to connect (no ping) through the bridge; searching the forum, I found no clear guide on how to set it up on pfSense 2.0.1. I'm missing something basic here.
My current setup is:
- 3 interfaces LAN, WAN, OPT1
- Assigned WAN and OPT1 as bridge members
- Created allow rules on WAN and OPT1
Could someone please provide some basic instructions on how to set up a filtered bridge for Colo?
Goliathxo
-
-
Can you provide screenshots of your firewall rules?
-
Here are the rules for WAN and OPT1 (SERVERS)
-
I'm a little stumped, as what you have works here with mine. Difference: I have one server and the destination of the WAN rule is my server address. You might try that and see if it works…
Other thought is that the server is blocking it on its firewall.... Just a thought.
Enable logging on the incoming rule and see if that shows anything...
-
Firewall config looks fine. Server's IP config has to be within your WAN subnet and using the upstream router as the gateway. No different from how I wrote it in the m0n0wall link there. You'll only be able to pass ping outbound with that ruleset. You have to enable OPT1 and set it to type "none".
-
For the purpose of debugging I replicated the Colo setup as you (Chris) described in http://doc.m0n0.ch/handbook/examples-filtered-bridge.html, see snippets below.
I'm able to ping from the pfSense WAN interface (111.111.111.10) to the upstream Colo router (111.111.111.9) and vice versa. But I'm not able to ping the Colo router (111.111.111.9) from the Servers interface (111.111.111.11), or ping the Colo router from the Servers through the Bridge. As in the example, the IPs of the Colo router, WAN and Servers are all on the same /24 subnet. The setup looks like this:
I feel it's something simple I'm overlooking… See post below.
-
Darn STP on VLANNED Switch :(
Old cross cable to the rescue :) Now seeing nice throughput on a Nexcom NSA 1120 http://bit.ly/Ijrwkc (Atom D525, 2 GB, 64 GB Samsung 830 SSD)
Any tips for tuning the em(4) interface?
After eliminating a Broadcom nic in the test setup, everything is now on Intel, the numbers are slightly better.
I think a filtered bridge setup (no NAT) is also good on CPU usage :)
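Since the culprit turned out to be spanning tree, a quick look at what pfSense's own bridge thinks about its member ports is a useful first check before swapping cables. The script below is an added helper, not code from this thread or from pfSense: it parses `ifconfig bridge0` output (on stdin) and prints, per member, whether STP is enabled on that port and its STP port state, then warns about any STP-enabled member that is not forwarding. The sample ifconfig text embedded in it is constructed from the if_bridge(4) ifconfig layout, not captured from the poster's box; a member with STP off reports state `n/a` because ifconfig prints no role/state line for it. It only sees the pfSense side: a port blocked by the switch's own STP, which is what happened here, will not show up, but a bridge with STP enabled that is itself discarding on a member will.

```shell
#!/bin/sh
# Added helper (hypothetical; not from pfSense or this thread): summarise the
# spanning-tree state of every member of a FreeBSD if_bridge(4) interface.
#
# On a pfSense box:   ifconfig bridge0 | sh bridge_stp_check.sh --check
# Demo on the embedded constructed sample:   sh bridge_stp_check.sh --demo
# Exit status 1 when some STP-enabled member is not in the forwarding state.

# bridge_members: read `ifconfig bridgeN` text on stdin and print
# "<ifname> <on|off> <state>" per member. ifconfig only prints the
# "role ... state ..." line for members carrying the STP flag, so members
# without STP get "n/a".
bridge_members() {
    awk '
        /^[ \t]*member:/ {
            if (name != "") print name, stp, state
            name  = $2
            stp   = ($0 ~ /<[^>]*STP[^>]*>/) ? "on" : "off"   # flags=...<...,STP,...>
            state = "n/a"
            next
        }
        name != "" {
            # continuation lines of the current member block: pick up "state <word>"
            for (i = 1; i < NF; i++) if ($i == "state") state = $(i + 1)
        }
        END { if (name != "") print name, stp, state }
    '
}

# check_forwarding: read the same ifconfig text on stdin, print one summary
# line per member and return 1 if an STP-enabled member is stuck in a
# non-forwarding state (discarding/blocking/listening/learning).
check_forwarding() {
    bridge_members | awk '
        { printf "%s stp=%s state=%s\n", $1, $2, $3 }
        $2 == "on" && $3 != "forwarding" {
            bad++
            printf "WARNING: %s is %s, not forwarding\n", $1, $3
        }
        END { if (bad > 0) exit 1 }
    '
}

# Constructed sample (not real captured output): em1 forwarding, em0 being
# blocked by spanning tree, em2 a member with STP disabled.
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:01
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em1 flags=143<LEARNING,DISCOVER,STP,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000 proto rstp
                role designated state forwarding
        member: em0 flags=143<LEARNING,DISCOVER,STP,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000 proto rstp
                role root state discarding
        member: em2 flags=3<LEARNING,DISCOVER>
                ifmaxaddr 0 port 3 priority 128 path cost 20000'

case "${1:-}" in
    --check) check_forwarding ;;
    --demo)  printf '%s\n' "$SAMPLE_IFCONFIG" | check_forwarding ;;
esac
```

With STP disabled on the bridge (the pfSense 2.0 default) every member reports `stp=off state=n/a`, which itself tells you pfSense is not participating in the switch's spanning tree and any blocking is happening upstream.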
-
Hi,
I am using pfsense for a very similar situation.
I gather you have it up and running but take a look:
http://forum.pfsense.org/index.php/topic,37824.msg196000.html#msg196000
Fred,
In my setup with 3 interfaces (LAN, WAN, OPT1) I didn't need steps 4 and 5.
I have 2 more questions for you:
- Which Firewall Optimization profile do you use for state table optimization?
- Did you find a solution to the RRD Graph issue http://forum.pfsense.org/index.php/topic,42081.0.html?
Thanks for your suggestions.
-
Hi Goliathxo:
I use "normal" for the optimization because otherwise, in a high-traffic environment (like colo), you're going to have tons of states open; DDoS attacks especially can create too many if the timeouts are long. In some cases during a DDoS I will set that to aggressive to keep it from running out of resources, but normal is the way to go.
On the RRD issue, never resolved it. It might have been fixed in 2.0.1; it was strange that the RRD totals were off yet the traffic was flowing normally and the traffic graph showed it correctly. Did you have this issue too? Try using 2.0.1, it might have been resolved; I know it was listed in the bug tracker. We're running a colo/data center with pfSense too; it's a very good firewall for it.
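The resource the "normal" vs "aggressive" choice protects is the pf state table: once it fills, new connections are dropped regardless of the rules. A small monitoring check for that table is added below; it is an added example, not code from this thread or from pfSense. It reads the `current entries` line of `pfctl -si` and the `states hard limit` line of `pfctl -sm`, prints usage as `<used> <limit> <percent>` and returns non-zero when usage exceeds a threshold (`WARN_PERCENT`, default 80), so it can be dropped into a cron job that pages you before a flood exhausts the table. The embedded sample pfctl output is constructed in the layout pfctl prints and is not captured from a real box.

```shell
#!/bin/sh
# Added helper (hypothetical; not from pfSense or this thread): report how
# full the pf state table is and warn above a threshold.
#
# On a pfSense box:   sh state_usage.sh --check          (warn above 80 %)
#                     WARN_PERCENT=60 sh state_usage.sh --check
# Demo on the embedded constructed sample:   sh state_usage.sh --demo

# state_usage SI_TEXT SM_TEXT: SI_TEXT is the output of `pfctl -si`,
# SM_TEXT the output of `pfctl -sm`. Prints "<used> <limit> <percent>";
# returns 1 when percent exceeds WARN_PERCENT (default 80), 2 on a parse error.
state_usage() {
    used=$(printf '%s\n' "$1" | awk '/^ *current entries/ { print $3; exit }')
    limit=$(printf '%s\n' "$2" | awk '$1 == "states" && $2 == "hard" && $3 == "limit" { print $4; exit }')
    if [ -z "$used" ] || [ -z "$limit" ] || [ "$limit" -eq 0 ]; then
        echo "state_usage: could not parse state table figures" >&2
        return 2
    fi
    pct=$(( used * 100 / limit ))          # integer percent of the hard limit in use
    echo "$used $limit $pct"
    [ "$pct" -le "${WARN_PERCENT:-80}" ]
}

# Constructed sample output (not captured from a real box): a 10000-entry
# table with 9500 states in use, i.e. the situation a long-timeout profile
# gets into under a connection flood.
SAMPLE_SI='Status: Enabled for 3 days 04:12:51           Debug: Urgent

State Table                          Total             Rate
  current entries                     9500
  searches                       123456789         3456.7/s
  inserts                          2345678           12.3/s
  removals                         2336178           12.2/s'
SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

case "${1:-}" in
    --check) state_usage "$(pfctl -si)" "$(pfctl -sm)" ;;
    --demo)  state_usage "$SAMPLE_SI" "$SAMPLE_SM" ;;
esac
```

The hard limit it compares against is the one set under Advanced, Firewall Maximum States in the pfSense GUI; if the percentage climbs during an attack, switching the profile to aggressive (shorter timeouts) is what frees entries faster, as Fred describes.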
-
-
Hi Goliathxo:
Sorry, I missed your earlier reply…
Difference is I have the pfSense address on the Bridge interface. WAN and Server interfaces are "none" in my config with my LAN (maintenance port) routing.
I don't see why what you're doing won't work though...
My test box config file is here http://forum.pfsense.org/index.php/topic,46738.0.html
In that post I'm having a problem with 2.1 that does not happen with 2.0.1...
-
I'm running 2.0.1; the RRD issue is still there.
@chpalmer
STP on a VLANned switch broke my setup; now everything seems to be working. Although I'm experiencing a strange phenomenon:
DNS traffic from IPs behind the bridge (SERVERS interface, Windows unicast NLB) is suddenly blocked on the WAN interface. As suddenly as it appears, it also disappears without changing anything in the config??? The rules for the SERVERS interface allow DNS tcp/udp traffic, so I'm in the dark here!
-
Hi Goliathxo:
RRD: can you post it for the other interfaces too (same time period)? Will work on finding/solving it over the weekend. Thanks