Bridge + NAT
-
Funny thing….
If I move a server from DMZ to the WAN switch it all works, inet in and out, and if I move the same server back to WAN it works for 2-5 min then it stops..
-
I see now that I forgot to write that the pfSense is on vSphere 5 (ESX).
Yeah, I don't know how a bridge in ESX will behave. It could work perfectly and there is a minor thing we are overlooking, or it is just not stable. I don't have much experience with bridges in ESX. Have you tried promiscuous mode on the WAN and OPT vswitches? That is not ideal, but just to test it should not hurt.
-
I have NO trouble getting the servers to work when I put them on the WAN NIC, but as soon as they are put back on DMZ they stop having access to the internet. (sucks)
A 1000 thanks for your effort trying to help, it's very appreciated :-)
-
Forgot: yes, I have tried every combination of promiscuous mode on the WAN and DMZ switches, even all set on at the same time.
-
Finally I got something to work.
Reinstalled it with a 32 bit version (don't ask why that worked) and followed the guides mentioned earlier.
And bam, internet from inside and out worked on some of the servers with public IP address…... but,
For some reason it only works if the server with public IP uses the pfSense as gateway (xx.xx.xx.18) and not the ISP gateway (xx.xx.xx.17)??? Could that be some rules?
Only made allow all from opt1 (DMZ with Public IP) to all.
-
That is unusual; if it is a true bridge, you use the ISP gateway. What you are describing is a hybrid bridge/router. What does your traceroute look like from the server? I have been meaning to test bridging in ESX and 2.1, so I might give this a try in the lab. :)
-
Well, as written in the first post, there is a LAN interface for management and connecting to my backend net.
ISP–---------WAN==pfsense2.0.1==LAN---------VSwitch
| |----server1(public ip)
| |----server2(public ip)
| |----server3(public ip)
|
|------VSwitch
|------ Server/Management (NAT)
-
Yes, I read what I posted. Not what I meant on the LAN/WAN side. That is a NATed solution, not even a routed solution. I was referring to the WAN/OPT1 bridge. A bridge acts like a smart switch and you should not need an IP, much less use WAN / Bridge as a gateway.
-
Aaah, sorry, I misunderstood your first post today..
-
I set this up and I cannot get it to work either. I really don't understand why at the moment.
-
Then you have it the same way as me… confused, but at a higher level... :-)
-
What version are you running?
-
I have tried version 1.2.3, same outcome…
-
Some things are crossing the bridge, network traffic is not. Like I can see ARP requests (who-has) coming across the bridge, but no traffic. I have my system WIDE OPEN (LAB network). I don't have a clue what is going on, so I will continue to dig. If anyone else has a solution, my lab network is ready to try it.
-
Okay... I have mine working as expected.
Public network (WAN on pfSense)… set to promiscuous mode on (tied to a physical interface).
Private network (LAN on pfSense)... set promiscuous mode off (VLAN 42 on the same physical interface as WAN; could put it on another vswitch with a NIC, but since it is on a different VLAN I didn't worry about it).
DMZ network (opt1 on pfSense)... set promiscuous mode on (VLAN 13 on its own vswitch with no physical NICs assigned, but I suppose if it is not the same as WAN or LAN, it would work). The bridge is on opt2 (DMZ) and both DMZ and opt1 have their rules WIDE open.
I did all my filtering rules on the WAN interface.
LAN -> Internet --- Pass
LAN -> DMZ --- Pass
DMZ -> Internet --- Pass
DMZ -> LAN --- Blocked
Tested and working. I did this with 2.1 (i386); need to try with x64, but I have a feeling that it will do the same thing.
-
What guidelines did you follow from clean install?
Like this?
Create the bridge. Add two interfaces to the bridge: WAN and OPT1. Rename the interfaces to bridge1.
Interfaces - Assign - Interface Assignments - create a new interface… Choose the bridge. Save, renamed DMZ.
System - Tunables, and set net.link.bridge.pfil_bridge from 'default' to '1'.
Go to Interfaces - Bridge and set up your address here... 12.12.12.18...
Go to Firewall - NAT - Outbound... Choose manual outbound rules. Make sure the only rules there are for LAN and 127.0.0.1/8 (should be there with 2.1 automatically... may be also 2.0.1 but I don't remember).
Go to Interfaces - WAN - set for none.
Go to Interfaces - DMZ - set for none.
Created an allow all from DMZ to any.
-
I didn't use a guideline per se. Before I forget, 64bit worked as well.
Okay, from a clean install. I only have one interface in this ESX machine, so I only set up WAN to start with so that I could manage it. I started by creating 2 anti-lockout rules for port 80 and 443 to the WAN address. (You probably won't have to do this if you have access from LAN.) WAN was still set up for DHCP since it was a LAB setup. You can also use static.
Once that was set up, I went and set up LAN (assigned and enabled with static address) and DHCP on the LAN address. I made sure that this was working properly and the machine I put with it could get to the internet.
Then I assigned and enabled opt1 with no IP address. I created an allow all rule for IPv4 and 6.
I created a new bridge and assigned WAN and OPT1 to it.
I assigned bridge0 to OPT2.
I enabled it with no IP address. I also went and created the same allow all rules as opt1.
I then went and set up those advanced options per several other posts.
I went to outbound NAT and switched to manual and it created just the rules for LAN (and this is all I needed) to use the WAN address. If you are going to use the bridge IP, then you are going to have to change these rules to make sure they say DMZ and not WAN.
I have a webserver running on the test machine in the DMZ, so I created a rule to allow port 80 to that IP address. (I verified no access prior to the rule addition on WAN.)
For the machine behind the LAN (NATed solution), pfSense was its gateway.
For the machine behind the DMZ, my gateway was my default gateway for the rest of my production LAN (which is another pfSense machine btw).
At first I didn't get access and all the traffic didn't pass. I even set up an allow all rule on WAN to see what was happening. This is when I started messing with promiscuous modes. I also found other posts on the web about setting up a bridge with other BSD and Linux FWs that said you needed promiscuous mode on for the interfaces that are a part of the bridge. Personally I don't like setting up vswitches to be in promiscuous mode as it turns them from a switch to a hub. I see how you would need to do that for a bridge also.
Once you have it passing traffic, then you can go about setting rules and NAT rules on the interfaces you like.
Hope this helps.
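A way to verify the two bridge steps that both walkthroughs above depend on (the net.link.bridge.pfil_bridge tunable, and the bridge with WAN and OPT1 as members) from the pfSense shell. This is an added example, not code from this thread or from pfSense; it assumes the bridge is bridge0 and that the WAN and OPT1 NICs are em0 and em1 (invented names), and it parses the output formats of FreeBSD's sysctl(8) and ifconfig(8). The sample output embedded in the script is constructed so the checks run offline.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the bridge settings
# discussed above. On a live pfSense box the two parsers are fed the real
# sysctl/ifconfig output; here they take that output as a string argument so
# the constructed samples below can exercise them.

# bridge_members IFCONFIG_OUTPUT BRIDGE -> prints the member interfaces of BRIDGE
bridge_members() {
    printf '%s\n' "$1" | awk -v br="$2:" '
        $1 == br                 { inblk = 1; next }   # "bridge0: flags=..." header
        /^[^[:space:]]/          { inblk = 0 }         # a different interface block starts
        inblk && $1 == "member:" { print $2 }'         # indented "member: em1 flags=..."
}

# bridge_filtering SYSCTL_OUTPUT -> prints "both", "bridge", "member" or "none"
# depending on which of the two pf-on-bridge tunables is set to 1.
# pfil_bridge filters on the bridge interface itself (the OPT2/DMZ assignment in
# the thread); pfil_member filters on the member NICs (WAN and OPT1).
bridge_filtering() {
    b=$(printf '%s\n' "$1" | awk -F': ' '$1 == "net.link.bridge.pfil_bridge" { print $2 }')
    m=$(printf '%s\n' "$1" | awk -F': ' '$1 == "net.link.bridge.pfil_member" { print $2 }')
    case "${b:-0}${m:-0}" in
        11) echo both ;;
        10) echo bridge ;;
        01) echo member ;;
        *)  echo none ;;
    esac
}

# check_bridge SYSCTL_OUTPUT IFCONFIG_OUTPUT BRIDGE WAN OPT
# Returns 0 when WAN and OPT are both members of BRIDGE and pf filters on the
# bridge interface; otherwise prints each problem and returns 1.
check_bridge() {
    members=$(bridge_members "$2" "$3")
    rc=0
    for want in "$4" "$5"; do
        if ! printf '%s\n' "$members" | grep -qx "$want"; then
            echo "missing member: $want is not part of $3"
            rc=1
        fi
    done
    case "$(bridge_filtering "$1")" in
        both|bridge) ;;
        *) echo "net.link.bridge.pfil_bridge is not 1: rules assigned to the bridge interface are not evaluated"
           rc=1 ;;
    esac
    return $rc
}

# Constructed sample output in the format sysctl(8) and ifconfig(8) print on
# FreeBSD. Interface names and MAC addresses are made up.
SAMPLE_SYSCTL='net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 1'

SAMPLE_IFCONFIG='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0c:29:11:22:33
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0c:29:44:55:66
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:0c:29:00:00:01
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000'

# Demo run against the samples; on pfSense replace the two strings with
#   "$(sysctl net.link.bridge)" and "$(ifconfig bridge0)".
if check_bridge "$SAMPLE_SYSCTL" "$SAMPLE_IFCONFIG" bridge0 em0 em1; then
    echo "bridge0: members and filtering look right"
else
    echo "bridge0: fix the items above before adding rules"
fi
```

The check only covers what is visible from inside the guest; whether the ESX vswitches carrying WAN and OPT1 are in promiscuous mode, which the thread found necessary, has to be confirmed on the vSphere side.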
-
Hi.
I'm surely on the right way, but I think I have a system overload (in my head).
Could you please show me how to set up this: "I created an allow all rule for IPv4 and 6" and: "I have a webserver running on the test machine in the DMZ so I created a rule to allow port 80 to that IP address"?
Regarding promiscuous mode, is that set on both vswitches and/or NIC?
-
What does your rule look like and on what interface?
I have promiscuous mode set on the vswitches that are a part of the pfsense bridge. I didn't change any NIC port settings.