Bridge + NAT
-
Hi Guys.
I'm a total newbie to pfSense, and I need some help.
I had a Cisco ASA which died today and I'm trying to get online with pfSense. I need a setup like:
ISP----------WAN==pfsense2.0.1==LAN---------VSwitch
                                  |             |----server1(public ip)
                                  |             |----server2(public ip)
                                  |             |----server3(public ip)
                                  |
                                  |------VSwitch
                                         |------ Server/ Management (NAT)
I have read some threads and guides, and I'm a bit confused, so I'm hoping there is someone who can explain it for me from scratch.
I have a /28 subnet of public IP addresses to use for my servers.
-
This may help in the case you would like to try bridging…
http://forum.pfsense.org/index.php/topic,20917.0.html
Or you could try the Virtual IP route.
-
Am I correct that Virtual IP is NAT/PAT???
I need to run the firewall so that my servers can run on their public IPs.
-
Virtual IP is used as a start with NAT/PAT... You will not use this in a bridge or a routed subnet.
-
You don't need to NAT those public IPs.
You can do this in pfSense, you need to switch to AON (Advanced Outbound NAT) to make rules for what should and shouldn't be NAT'd.
-
Okay, and how should that rule look?
-
You are not going to NAT on the servers crossing the bridge. Looks like you want to NAT server MGMT. Is this a computer or an iLO (or similar)? It will need to be something other than the server itself, as you cannot send traffic down 2 paths.
The advanced outbound NAT rules will have 127.0.0.1/32 -> WAN IP. And the server MGMT will NAT the server mgmt net (i.e. 10.1.2.0/24) -> WAN IP (or VIP). So the WAN will have an IP; LAN and bridge0 (opt1) will not have an IP. The OPT2 (server mgmt interface) will need a private IP.
You are going to need to set up rules on each interface. LAN and bridge0 will just need an allow all from any protocol/port. WAN will need the inbound rules to block/control traffic. opt2 (server mgmt) will need a wide open rule to start with and then, once it is all working, restrict it.
Bridges are somewhat complex. Either NAT or routed (which trumps all) is better. Why do the servers need live IPs?
-
Short explanation:
HP ProLiant DL360 server with vSphere 5 as OS.
Running 8 VMs with public IP addresses.
ISP----------WAN==pfsense2.0.1==LAN---------VSwitch
                                  |             |----server1(public ip)
                                  |             |----server2(public ip)
                                  |             |----server3(public ip)
                                  |
                                  |------VSwitch
                                         |
                                         |------ Switch where all my servers are connected (back end net, where I manage my VMware and so on)
                                         |------ Server/ Management (private IP)
Okay, I think I'm going to keep it simple... only a transparent/bridge firewall. I can still get in contact with my VMware and just open a console window to a Windows server to manage pfSense.
Can you show me an example of a rule DMZ to WAN?
-
Bridges are somewhat complex. Either NAT or routed (which trumps all) is better. Why do the servers need live IPs?
Yeah, I have noticed that.... :-) I started out believing that this would be the easiest way, but no... :-/
It is web, mail and DNS servers, so they need to run on public IP addresses.
-
I run my mail and web servers behind a NAT. It's just a matter of a correct configuration.
-
I would if possible, but it is not.
All server config is based on the NIC IP address and it pulls it from the NIC. I have tried to change it, but the IP is integrated in the hosting controller software more than is possible to change. Nonetheless it's way easier to manage it like this... with the real IPs already integrated in the system.
-
Then your choice is either a routed solution (preferred) or a bridge. There are several good write-ups on setting up a bridge.
As far as the rules, you just have to allow any to x.y.z.a on port xxxx, keep state, as a WAN rule and it should pass, with all others being open.
-
I have used this guide:
Go to Interfaces - Assign - Bridges... Create the bridge. Add two interfaces to the bridge: WAN and OPT2. Rename the interfaces before now if you're going to; it helps keep track.
Interfaces - Assign - Interface Assignments - create a new interface... Choose the bridge. Save.
Go to System Tunables and set net.link.bridge.pfil_bridge from 'default' to '1'.
Go to Interfaces - Bridge and set up your address here... DHCP, Static etc.
Go to Firewall - NAT - Outbound... Choose manual outbound rules. Make sure the only rules there are for LAN and 127.0.0.1/8 (should be there with 2.1 automatically... may also be in 2.0.1 but I don't remember).
Go to Interfaces - WAN and set it to none.
Go to Interfaces - Opt2 (or whatever you named it) and set it to none.
Set up your firewall rules as needed.
-
I cannot get it to work when adding an IP in the /28 subnet.
I made a clean install, gave the LAN port 192.168.1.100 for management.
Followed:
Created the bridge. Added two interfaces to the bridge: WAN and OPT1. Renamed the interfaces to bridge1.
Interfaces - Assign - Interface Assignments - create a new interface... Choose the bridge. Save, renamed DMZ.
Went to System Tunables and set net.link.bridge.pfil_bridge from 'default' to '1'.
Went to Interfaces - Bridge and set up the address here... 12.12.12.18...
Went to Firewall - NAT - Outbound... Chose manual outbound rules. Made sure the only rules there are for LAN and 127.0.0.1/8 (should be there with 2.1 automatically... may also be in 2.0.1 but I don't remember).
Went to Interfaces - WAN and set it to none.
Went to Interfaces - DMZ and set it to none.
Created an allow all from DMZ to any.
I can, with an allow all rule from DMZ to any, contact the pfSense but no internet.
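Added example, not from anyone in this thread: a small POSIX shell script that checks the three things the recipe above (and the attempt that followed it) depend on: both members are in the bridge, net.link.bridge.pfil_bridge is 1, and the member interfaces carry no IPv4 address. Interface names em0 (WAN), em1 (OPT1/OPT2) and bridge0 are assumptions; the ifconfig output it parses offline is constructed.

```shell
#!/bin/sh
# Added example, not from this thread: verify the bridge recipe described above.
# Assumptions: WAN is em0, OPT1/OPT2 is em1, the bridge is bridge0. Adjust to taste.
# Usage on the pfSense shell:  sh check_bridge.sh --live   (or --demo for the constructed sample)

# Constructed sample `ifconfig bridge0` output in FreeBSD format.
SAMPLE_BRIDGE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:aa:bb:cc:dd:00
        inet 12.12.12.18 netmask 0xfffffff0 broadcast 12.12.12.31
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'
# Constructed member outputs: em0 still carries an IP (wrong), em1 is set to "none" (right).
SAMPLE_MEMBER_BAD='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 12.12.12.20 netmask 0xfffffff0 broadcast 12.12.12.31'
SAMPLE_MEMBER_OK='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:aa:bb:cc:dd:01'

# Print the bridge's member interfaces from `ifconfig bridgeN` output, sorted, space separated.
bridge_members() {
    printf '%s\n' "$1" | awk '$1 == "member:" { print $2 }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Succeed when an interface's `ifconfig` output has no IPv4 address (the "none" setting in the recipe).
member_has_no_ip() {
    ! printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

# Succeed when net.link.bridge.pfil_bridge is 1, i.e. pf filters on the member interfaces.
pfil_bridge_enabled() {
    [ "$1" = "1" ]
}

# Combine the checks: expected members, bridge output, sysctl value, then one member output per extra arg.
check_bridge() {
    _want="$1"; _bridge="$2"; _sysctl="$3"; shift 3
    [ "$(bridge_members "$_bridge")" = "$_want" ] || { echo "members: want '$_want', got '$(bridge_members "$_bridge")'"; return 1; }
    pfil_bridge_enabled "$_sysctl" || { echo "net.link.bridge.pfil_bridge is '$_sysctl', must be 1"; return 1; }
    for _m in "$@"; do
        member_has_no_ip "$_m" || { echo "member still has an IPv4 address: ${_m%%:*}"; return 1; }
    done
    echo "bridge OK: members '$_want', filtering on members, no member IPs"
}

if [ "$1" = "--live" ]; then
    check_bridge "em0 em1" "$(ifconfig bridge0)" "$(sysctl -n net.link.bridge.pfil_bridge)" \
        "$(ifconfig em0)" "$(ifconfig em1)"
elif [ "$1" = "--demo" ]; then
    check_bridge "em0 em1" "$SAMPLE_BRIDGE" 1 "$SAMPLE_MEMBER_OK" "$SAMPLE_MEMBER_BAD"  # reports em0
fi
```

With --demo the script reports that em0 still has an address, which is exactly the "set WAN to none" step being missed.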
-
For now... set any protocol, any source, to any destination and any port on all interfaces till you know bridging is working correctly...
-
Done, no luck... :-(
Does there need to be any gateway on pfSense?
-
Only for local services and anything on the LAN.
-
So no GW for WAN or DMZ?
Only GW set on the server; if the pfSense is x.x.x.18 and the ISP GW is x.x.x.17, which do I set on the server?
-
If I
-
It would be x.x.x.17 as the gateway on the server in a bridge.