Netgate Discussion Forum

    How to setup transparent firewall on version 2.X

    Category: Firewalling
    6 Posts 3 Posters 2.3k Views
    • hvar

      I am moving some old SonicWall firewalls over to pfSense and want to mimic the current setup. I am new to pfSense and am a bit confused about the terminology and ways to do things.

      I am stuck on how to set up bridging and assigning of a transparent firewall for a /24 net.

      I have the "pfSense: The Definitive Guide" book, but chapter 9 on bridging is very short and I am confused about how to configure this.

      All the info and guides I have found apply to version 1.X of pfSense, and this seems to have changed quite a bit in 2.

      I have:
      pfSense 2.01
      3 ports, WAN, DMZ and LAN
      I have been assigned a public range C-net, let's call it 777.777.777.0/24. (no NAT involved)

      I want to set up the following:
      My ISP gateway is: 777.777.777.1
      WAN range: 777.777.777.2 - .8 (outside of firewall)
      WAN-interface; 777.777.777.9
      DMZ range: 777.777.777.10 - .35
      LAN range: 777.777.777.36 - 254

      Anyone who can teach me the dance I have to do to make this happen? I am a newbie to pfSense, so go slow!

      Thank you!

      • podilarius

        Personally, I would add a fourth interface, call it MGMT, set up an allow-all rule on it, and plug it into the LAN. This way you can manage the bridge from outside the bridge. I have found that to be easier when I have set up bridges in the past. Remember that the default rule in all but floating is to deny, and new interfaces have no rules assigned (block all on new interfaces, including the bridge).

        • hvar

          Thank you for your suggestion.

          What IP would you suggest I assign to the MGMT interface? Can that be in the same subnet as the bridge?
          Should the WAN/LAN/DMZ interfaces all share the same IP? I read that pfSense handles this, but FreeBSD does not like it.

          • podilarius

            It is all one subnet. When you set up the bridge, it acts like a switch, except in this case a switch that can drop packets. A bridge does not necessarily need an IP address at all, but yes, all interfaces in the bridge will share the same one. The IP is assigned to the bridge and not to each interface. (Disclaimer - I have not set up a transparent firewall in quite some time.)

            • hvar

              Got locked out. What I did:

              WAN interface, type 'static' with 777.777.777.9/24
              WAN gateway: 777.777.777.1
              Assigned both DMZ (e1) and LAN (e0) to type 'none' and no IP

              Interface -> Assign -> Bridges:
              Made a bridge of WAN + LAN + DMZ, called WLDbridge

              Assigned another Interface card OPT3 as MGMT with 192.168.1.1. This should be my escape route if everything fails!

              Aliases: made a LAN alias with the LAN range
              Made a DMZ alias with the DMZ range

              Made a rule to allow all access to anything from MGMT port
              Made a rule to allow access to 80 and 443 on WAN port
              Made a rule to allow access to anything from LAN port

              Interface -> Assign WAN 'WLDbridge' … hmmmm was I supposed to do that?

              Restart: .. uh-oh!! LOCKED OUT!
              Cannot connect to the GUI on WAN, LAN or DMZ (777.777.777.9)
              Cannot connect to the GUI on the MGMT port (192.168.1.1)

              The firewall is only connected to one single machine for testing purposes.

              I am missing something very basic here.

              The transparent firewall guide is for version 1.x:
              http://pfsense.trendchiller.com/transparent_firewall.pdf

              Is there anything similar for version 2.0?

              • chpalmer

                You should leave the original LAN as the maintenance port and create an OPT2 port for your bridge…

                WAN type should be None. The bridge interface should have your "credentials". (Although I think it will work using the credentials on WAN and keeping the bridge type None, I've not done it that way.)

                http://forum.pfsense.org/index.php/topic,42318.0.html

                Triggering snowflakes one by one..
                Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.
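The thread boils down to a handful of assignment rules: bridge members are type 'none', the single address lives on the interface assigned to the bridge device, a member must not itself be re-assigned to the bridge (the step right before hvar's lockout), and the management interface stays outside the bridge with an address and a pass rule, because new interfaces block everything by default. The following is an added, constructed example, not code from this thread or from pfSense; it models a planned layout as plain data and flags those pitfalls before anything is clicked in the GUI. The interface names, port names (e0, e1, e2, e3, bridge0) and the two sample plans are assumptions built from the posts above, and 777.777.777.x is kept as the thread's own placeholder range rather than a real address.

```python
"""Pre-flight check for a pfSense 2.x transparent-bridge plan (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Iface:
    """One pfSense interface assignment. ip=None models interface type 'none'."""
    port: str                                            # NIC or bridge device it is assigned to
    ip: Optional[str] = None                             # CIDR string, or None for type 'none'
    pass_rules: List[str] = field(default_factory=list)  # simplified rule list, e.g. 'any', 'tcp/443'


@dataclass
class Bridge:
    device: str          # bridge device name as it appears under Interfaces -> Assign
    members: List[str]   # names of the member interfaces


@dataclass
class Plan:
    ifaces: Dict[str, Iface]
    bridges: List[Bridge]
    mgmt: Optional[str] = None   # name of the out-of-bridge management interface, if any


def check_plan(plan: Plan) -> List[str]:
    """Return human-readable findings; an empty list means no known lockout pitfall."""
    findings: List[str] = []
    for br in plan.bridges:
        for m in br.members:
            iface = plan.ifaces.get(m)
            if iface is None:
                findings.append(f"{br.device}: member {m} is not an assigned interface")
                continue
            # hvar's final step: a member interface re-pointed at the bridge device itself.
            if iface.port == br.device:
                findings.append(f"{br.device}: {m} is assigned to the bridge device while also being one of its members")
            # podilarius/chpalmer: members are type 'none'; the address belongs on the bridge.
            if iface.ip is not None:
                findings.append(f"{br.device}: member {m} carries {iface.ip}; set it to type 'none' and put the address on the bridge interface")
        # Something must carry the bridge's address, and it must not be a member.
        carriers = [n for n, i in plan.ifaces.items() if i.port == br.device and n not in br.members and i.ip]
        if not carriers:
            findings.append(f"{br.device}: no interface assigned to the bridge device carries an address, so the GUI is unreachable through the bridge")

    if plan.mgmt is None:
        findings.append("no management interface outside the bridge; a mistake on the bridge leaves no way back in")
    else:
        mg = plan.ifaces.get(plan.mgmt)
        if mg is None:
            findings.append(f"management interface {plan.mgmt} is not assigned")
        else:
            if any(plan.mgmt in br.members for br in plan.bridges):
                findings.append(f"{plan.mgmt}: management interface is a bridge member, so it shares the bridge's fate")
            if mg.ip is None:
                findings.append(f"{plan.mgmt}: management interface has no address")
            if not mg.pass_rules:
                findings.append(f"{plan.mgmt}: new interfaces default to block all; add a pass rule or the GUI is unreachable")

    # Default deny applies everywhere except floating: an addressed interface with no rules is a dead end.
    for name, iface in plan.ifaces.items():
        if name != plan.mgmt and iface.ip is not None and not iface.pass_rules:
            findings.append(f"{name}: carries {iface.ip} but has no pass rules, so nothing reaches the GUI from here")
    return findings


def hvar_plan() -> Plan:
    """The sequence hvar described, ending with WAN re-assigned to WLDbridge (constructed)."""
    return Plan(
        ifaces={
            "WAN": Iface(port="WLDbridge", ip="777.777.777.9/24", pass_rules=["tcp/80", "tcp/443"]),
            "LAN": Iface(port="e0", pass_rules=["any"]),
            "DMZ": Iface(port="e1"),
            "MGMT": Iface(port="e3", ip="192.168.1.1/24", pass_rules=["any"]),
        },
        bridges=[Bridge(device="WLDbridge", members=["WAN", "LAN", "DMZ"])],
        mgmt="MGMT",
    )


def chpalmer_plan() -> Plan:
    """chpalmer's layout: LAN kept as maintenance port, WAN and OPT2 bridged, address on the bridge (constructed)."""
    return Plan(
        ifaces={
            "LAN": Iface(port="e0", ip="192.168.1.1/24", pass_rules=["any"]),
            "WAN": Iface(port="e2"),
            "OPT2": Iface(port="e1"),
            "BRIDGE": Iface(port="bridge0", ip="777.777.777.9/24", pass_rules=["tcp/443"]),
        },
        bridges=[Bridge(device="bridge0", members=["WAN", "OPT2"])],
        mgmt="LAN",
    )


if __name__ == "__main__":
    for label, plan in (("hvar", hvar_plan()), ("chpalmer", chpalmer_plan())):
        print(f"== {label} ==")
        for f in check_plan(plan) or ["no findings"]:
            print(" -", f)
```

Run it and the first plan produces three findings (WAN re-assigned to its own bridge, WAN still carrying the address, and consequently nothing left to carry the bridge's address), while the second produces none. The checker is deliberately a data model, not a config parser: the point is to make the "who carries the address" and "who is allowed in" questions explicit before touching a box you can only reach over the network.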

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.