Netgate Discussion Forum

    I have more interfaces than actual hardware ports

    General pfSense Questions
    34 Posts 4 Posters 6.8k Views
    • Derelict LAYER 8 Netgate

      Is the modem giving you good public IPs to both the sonicwall and pfSense and not doing NAT?  If yes then you're good to go.

      As has been said, just forget about bridging on pfSense.  Get a switch.  Let your router route.  Let your switches switch.  You will be happier and your network will perform better and every time you post people won't be saying, "What are you doing bridging?  Just get a switch!"  Classic case where "just because you can doesn't mean you should" applies.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • altiris

        @Derelict:

        Is the modem giving you good public IPs to both the sonicwall and pfSense and not doing NAT?  If yes then you're good to go.

        As has been said, just forget about bridging on pfSense.  Get a switch.  Let your router route.  Let your switches switch.  You will be happier and your network will perform better and every time you post people won't be saying, "What are you doing bridging?  Just get a switch!"  Classic case where "just because you can doesn't mean you should" applies.

        Well we have 5 IPs to choose from, really 3 as two other IPs are being used by computers. On the SonicWall we assign one IP and then on pfSense we assign another. Yeah I am finally agreeing with you and getting a switch for one interface and connecting everything to the switch. Currently I do not have a switch but will try buying one today or tomorrow. Could I use the router that is set in bridge mode (currently it's connected to the modem as in the diagram) in the meantime to replace what a switch would be doing until I buy a switch? Also, does a bridge add another "layer" to the network in any way (by layer I mean like having one router connected to another or something)?

        • stephenw10 Netgate Administrator

          What hardware are you running pfSense on?
          Whilst it is possible to bridge your interfaces and have them behave like a switch it's usually a bad idea for the reasons already given.
          If however you end up with unused ports that you want to add to a bridge I did write some instructions a while ago:
          https://forum.pfsense.org/index.php/topic,48947.msg269592.html#msg269592

          To answer your original question, you can easily end up with more interfaces than you have ports because some interface types are 'virtual'. This includes VLAN interfaces, PPPoE interfaces and bridge interfaces.

          Steve

          • Derelict LAYER 8 Netgate

            A bridge is a layer 2 device.  It might have an IP address for management purposes but it doesn't appear as an IP "hop" in traceroutes and the like.

            I don't know if the router you have between the firewalls and the modem is necessary to what you're doing.  It really sounds like you need switches on the outside (for your modem, public IPs, and firewall WAN ports) and the inside networks (for your workstations, access points, etc.)

            • altiris

              @Derelict:

              A bridge is a layer 2 device.  It might have an IP address for management purposes but it doesn't appear as an IP "hop" in traceroutes and the like.

              I don't know if the router you have between the firewalls and the modem is necessary to what you're doing.  It really sounds like you need switches on the outside (for your modem, public IPs, and firewall WAN ports) and the inside networks (for your workstations, access points, etc.)

              Yes I need switches but the way I have everything set up is temporary and has been that way for a while as I've been looking for a replacement to my TZ 210 as it has been giving me problems; however my father wants his stuff behind the TZ 210. I have the router configured in bridge mode so I could say it's acting LIKE a switch. I'm going to try to buy one today or tomorrow. Ultimately when I buy my switch it will just be modem > pfSense box > switch in one interface and then either the SonicWall will be on its own interface with a different subnet, separated, or connected to the switch, OR eliminated entirely as it's just acting really crappy.

              • altiris

                @stephenw10:

                What hardware are you running pfSense on?
                Whilst it is possible to bridge your interfaces and have them behave like a switch it's usually a bad idea for the reasons already given.
                If however you end up with unused ports that you want to add to a bridge I did write some instructions a while ago:
                https://forum.pfsense.org/index.php/topic,48947.msg269592.html#msg269592

                To answer your original question, you can easily end up with more interfaces than you have ports because some interface types are 'virtual'. This includes VLAN interfaces, PPPoE interfaces and bridge interfaces.

                Steve

                It's running on a standard desktop PC I built: Core i3 4150, 8GB DDR3 1600MHz, Asus Z78 Pro mobo, and two HP NC364T which use the Intel 8751 chipset or something. I've seen your instructions actually a little while ago ha ha. I've read it again and I notice you say one procedure can be done if I don't need to worry about adding rules on the interfaces, however I need to add some ports. Then at the end you say no rules will need to be added on the interfaces as it will inherit the rules from LAN, so would I just add the rules on LAN?

                I still want to go for a switch but this is interesting now and I'd like to know if you could answer that one question I have so I would know for future cases in case I ever wanted or somehow had to bridge interfaces.

                • stephenw10 Netgate Administrator

                  Just run 'ifconfig' at the console and it will show you all the interfaces in the box whether or not they are assigned or enabled. Paste it here if you have any more questions about it.

                  Steve

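Steve's advice to read the raw `ifconfig` listing is the quickest way to see where the "extra" interfaces come from. The script below is an added example, not pfSense code: it parses a constructed FreeBSD-style `ifconfig` dump (the interface names and addresses are made up) and sorts each interface into a physical port or one of the virtual kinds he names, VLAN, PPPoE and bridge, plus the loopback and pf pseudo-interfaces (`enc0`, `pflog0`) that pfSense creates on its own. The VLAN parent and bridge members are pulled from the same output, so you can see which physical port each virtual interface actually rides on.

```python
"""Sort the interfaces shown by FreeBSD/pfSense `ifconfig` into physical ports
and virtual interfaces, to see why a box lists more interfaces than it has NICs.
Added example, not part of pfSense; the sample output below is constructed."""
import re
import sys

# Constructed sample: three NICs (em0-em2), a VLAN on em1, a PPPoE session,
# a bridge containing em2, and the loopback/pf pseudo-devices pfSense creates.
# Real ifconfig indents continuation lines with a tab; any whitespace is accepted.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:1b:21:aa:bb:01
        inet 203.0.113.5 netmask 0xffffff00 broadcast 203.0.113.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:1b:21:aa:bb:02
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
em2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:1b:21:aa:bb:03
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
enc0: flags=0<> metric 0 mtu 1536
pflog0: flags=100<PROMISC> metric 0 mtu 33160
em1.10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:1b:21:aa:bb:02
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
        vlan: 10 vlanpcp: 0 parent interface: em1
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1492
        inet 198.51.100.7 --> 198.51.100.1 netmask 0xffffffff
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:aa:bb:cc:dd:00
        member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
"""

HEADER = re.compile(r"^(\S+): flags=[0-9a-fx]+<([^>]*)>")
# Name prefixes of interfaces that never correspond to a physical port.
VIRTUAL_PREFIXES = ("lo", "enc", "pflog", "pfsync", "bridge", "pppoe", "vlan",
                    "ovpn", "gif", "gre", "tun", "tap", "lagg", "ipsec")

def parse_ifconfig(text):
    """Return {name: {flags, inet, parent, members}} for every interface block."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"flags": set(filter(None, m.group(2).split(","))),
                   "inet": [], "parent": None, "members": []}
            ifaces[m.group(1)] = cur
        elif cur is not None and line[:1].isspace():
            body = line.split()
            if body[0] == "inet":
                cur["inet"].append(body[1])
            elif body[0] == "vlan:":
                pm = re.search(r"parent interface: (\S+)", line)
                cur["parent"] = pm.group(1) if pm else None
            elif body[0] == "member:":
                cur["members"].append(body[1])
    return ifaces

def classify(name, info):
    """Label one interface; anything not recognisably virtual is a physical port."""
    if info["parent"] or "." in name:          # em1.10-style VLAN child
        return "vlan"
    if info["members"] or name.startswith("bridge"):
        return "bridge"
    if name.startswith("pppoe"):
        return "pppoe"
    if name.startswith(VIRTUAL_PREFIXES):
        return "virtual"
    return "physical"

def summarize(text):
    ifaces = parse_ifconfig(text)
    kinds = {n: classify(n, i) for n, i in ifaces.items()}
    return {
        "total": len(ifaces),
        "physical": [n for n, k in kinds.items() if k == "physical"],
        "kinds": kinds,
        "up": [n for n, i in ifaces.items() if "UP" in i["flags"]],
    }

if __name__ == "__main__":
    # Assumed usage on the pfSense console: ifconfig | python3 this_script.py
    text = SAMPLE_IFCONFIG if sys.stdin.isatty() else sys.stdin.read()
    s = summarize(text)
    print(f"{s['total']} interfaces, {len(s['physical'])} physical: {s['physical']}")
    for name, kind in s["kinds"].items():
        print(f"  {name:<8} {kind:<9} {'UP' if name in s['up'] else 'down'}")
```

On the constructed sample this reports 9 interfaces but only 3 physical ports, with `em1.10` tied to `em1` and `bridge0` containing `em2`; an interface that is physically present but not yet assigned in the web GUI (like `em2` here) still appears, just without the UP flag.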
                  • altiris

                    Alright so I have hooked up a router configured in bridge mode (that's all I have to act as a switch atm) to the LAN interface and now since I have dhcp enabled on the lan interface, anything plugged into that switch that is configured to automatically get an IP will in fact get one right?

                    Also, will pfSense still be able to monitor what devices are connected (since everything is going from the switch and then to lan)?

                    • stephenw10 Netgate Administrator

                      Yes, as long as the router really is only switching.
                      pfSense will know which devices have which IP addresses and hence what is connecting to outside addresses. It will not have any knowledge of traffic between devices on the switch.

                      Steve

                      • altiris

                        @stephenw10:

                        Yes, as long as the router really is only switching.
                        pfSense will know which devices have which IP addresses and hence what is connecting to outside addresses. It will not have any knowledge of traffic between devices on the switch.

                        Steve

                        Alright, sounds good. Don't know if you can give me a hand with this but I have hooked up a server/computer I have to the switch (remember the switch is connected to the LAN interface) and I want to establish a link with the internal IP and external IP, so I will have to do a 1:1 NAT. I did one and I also made a rule on the firewall on the WAN interface to allow traffic from port 443 (testing purposes) on my internal IP but when I type my external IP into the address bar from another computer nothing will load. I will post a screenshot in a few seconds.

                        Attachments: Firewall.jpg, NAT.jpg

                        • Derelict LAYER 8 Netgate

                          Why did you put a destination in your 1:1?  Did you read the text?

                          Attachment: Screen Shot 2014-12-28 at 6.30.28 PM.png

                          • stephenw10 Netgate Administrator

                            Do you need all ports NAT'd to the server? You should probably use a single port forward, for testing at least, instead.
                            However if you do want 1:1 NAT it should be on the WAN interface and the 'destination' should be left as 'any'.
                            Since your pfSense box is behind the SonicWall device, is its WAN address a private IP? If so you need to uncheck 'block private networks' in the WAN interface setup.
                            Lastly you will need to test your port forward from a device on the WAN side of the pfSense box.

                            Steve

                            • altiris

                              @Derelict:

                              Why did you put a destination in your 1:1?  Did you read the text?

                              I got confused when reading this lol https://doc.pfsense.org/index.php/Why_does_enabling_NAT_Reflection_break_web_surfing

                              EDIT: Actually, if I leave the destination with a * then I am unable to surf the web on that machine. I have to set an IP for the destination if I want to be able to browse the web with 1:1 NAT.

                              • altiris

                                @stephenw10:

                                Do you need all ports NAT'd to the server? You should probably use a single port forward, for testing at least, instead.
                                However if you do want 1:1 NAT it should be on the WAN interface and the 'destination' should be left as 'any'.
                                Since your pfSense box is behind the SonicWall device, is its WAN address a private IP? If so you need to uncheck 'block private networks' in the WAN interface setup.
                                Lastly you will need to test your port forward from a device on the WAN side of the pfSense box.

                                Steve

                                I selected LAN instead of WAN by accident lol but I don't know whether I should do Port Forward or just 1:1 NAT. I do not want all ports to be opened and the way I am doing it is 1:1 NAT which forwards/allows everything from the external IP to the internal IP or something like that right? However because pfSense has a firewall, it is preventing all ports from being accessible to LAN right? So essentially either Port Forward or One-to-one NAT will do the same thing???

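Steve's distinction between a single port forward and 1:1 NAT, and the question above of whether the two amount to the same thing, can be made concrete with a small model. The code below is an added example, not pfSense or pf code: it mimics the order pf uses on an inbound packet, translation first (a port forward is a pf `rdr`, 1:1 NAT a pf `binat`), then the WAN filter rules, which match on the already-translated packet. That ordering is why the rule pfSense associates with a port forward names the internal host as its destination, and why 1:1 NAT, which rewrites every port in both directions, still needs its own WAN rules to let anything in. The addresses are constructed from documentation ranges, the rule set is the editor's, and state tracking, NAT reflection and the SonicWall in front of the box are deliberately left out.

```python
"""Toy model of NAT-then-filter on a pf-based firewall such as pfSense.
Added example, not pfSense code; all addresses are constructed (RFC 5737)."""
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class PortForward:            # Firewall > NAT > Port Forward (pf 'rdr')
    ext_addr: str             # "WAN address" or a virtual IP
    proto: str
    ext_port: int
    int_addr: str
    int_port: int

@dataclass(frozen=True)
class OneToOne:               # Firewall > NAT > 1:1 (pf 'binat'): all ports, both ways
    ext_addr: str
    int_addr: str

@dataclass(frozen=True)
class Rule:                   # WAN filter rule; "any" is a wildcard, dport None = any
    action: str               # "pass" or "block"
    proto: str
    dst: str
    dport: Optional[int] = None

def translate_inbound(pkt, forwards, one_to_ones):
    """First matching translation wins. A port forward matches exactly one
    (address, proto, port); a 1:1 mapping matches every packet to its address."""
    for fw in forwards:
        if (pkt.dst, pkt.proto, pkt.dport) == (fw.ext_addr, fw.proto, fw.ext_port):
            return replace(pkt, dst=fw.int_addr, dport=fw.int_port), "port-forward"
    for b in one_to_ones:
        if pkt.dst == b.ext_addr:
            return replace(pkt, dst=b.int_addr), "1:1"
    return pkt, None

def translate_outbound(pkt, one_to_ones, wan_addr):
    """1:1 NAT also rewrites the internal host's outbound source to its external
    address; other hosts leave through the WAN address (plain outbound NAT)."""
    for b in one_to_ones:
        if pkt.src == b.int_addr:
            return replace(pkt, src=b.ext_addr)
    return replace(pkt, src=wan_addr)

def filter_wan(pkt, rules):
    """pfSense tags user rules 'quick', so the first match wins, and the WAN
    interface ends in an implicit default deny."""
    for r in rules:
        if (r.proto in ("any", pkt.proto) and r.dst in ("any", pkt.dst)
                and r.dport in (None, pkt.dport)):
            return r.action
    return "block"

def inbound_verdict(pkt, forwards, one_to_ones, rules):
    """(translation used, filter verdict, where the packet would be delivered)."""
    t, how = translate_inbound(pkt, forwards, one_to_ones)
    return how, filter_wan(t, rules), f"{t.dst}:{t.dport}"

# Constructed setup: one host behind a port forward, one behind 1:1 NAT.
WAN_ADDR = "203.0.113.5"
VIP_WEB, WEB_SERVER = "203.0.113.10", "192.168.1.20"
VIP_MAIL, MAIL_SERVER = "203.0.113.11", "192.168.1.30"
FORWARDS = [PortForward(VIP_WEB, "tcp", 80, WEB_SERVER, 80)]
ONE_TO_ONES = [OneToOne(VIP_MAIL, MAIL_SERVER)]
WAN_RULES = [
    Rule("pass", "tcp", WEB_SERVER, 80),    # the rule a port forward's association creates
    Rule("pass", "tcp", MAIL_SERVER, 443),  # hand-written rule for the 1:1 host
]

def demo():
    client = "198.51.100.50"
    cases = {
        "web80":   Packet("tcp", client, 40000, VIP_WEB, 80),
        "web22":   Packet("tcp", client, 40001, VIP_WEB, 22),
        "mail443": Packet("tcp", client, 40002, VIP_MAIL, 443),
        "mail22":  Packet("tcp", client, 40003, VIP_MAIL, 22),
    }
    return {k: inbound_verdict(p, FORWARDS, ONE_TO_ONES, WAN_RULES) for k, p in cases.items()}

def outbound_demo():
    out = Packet("tcp", MAIL_SERVER, 5000, "192.0.2.1", 443)
    plain = Packet("tcp", WEB_SERVER, 5001, "192.0.2.1", 443)
    return {"mail": translate_outbound(out, ONE_TO_ONES, WAN_ADDR).src,
            "web": translate_outbound(plain, ONE_TO_ONES, WAN_ADDR).src}

if __name__ == "__main__":
    for name, (how, verdict, target) in demo().items():
        print(f"{name:<8} translation={how!s:<13} verdict={verdict:<5} -> {target}")
    print("outbound sources:", outbound_demo())
```

The two cases against the 1:1 host are the point: `mail443` and `mail22` are both translated to the internal server, and only the WAN rule decides which one gets through. A port forward never translates `web22` at all, so there is nothing for a rule to pass. The outbound check shows the other half of 1:1 NAT: the mapped host's own traffic leaves from its external address rather than the WAN address.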
                                • altiris

                                  Ugh so I thought I got it working but I didn't. I am trying to port forward instead of just doing 1:1 NAT. I can't seem to get it working. Do I need to add a rule to the firewall? And I saw in a video someone making a virtual IP alias in pfSense, do I need one? I'll try and post a screenshot.

                                  • Derelict LAYER 8 Netgate

                                    This is a sample rule forwarding Minecraft on TCP:25565 (minecraft_server port alias set to 25565) to my os_x_server (host alias defined as 192.168.223.17).  Note that I let the NAT configuration create the firewall rule so I don't have to, using the filter rule association.

                                    If I wanted the incoming connections to be addressed to anything other than "WAN address" I would have to create a VIP.  In this case I don't.

                                    Attachment: port-forward.png

                                    • altiris

                                      @Derelict:

                                      This is a sample rule forwarding Minecraft on TCP:25565 (minecraft_server port alias set to 25565) to my os_x_server (host alias defined as 192.168.223.17).  Note that I let the NAT configuration create the firewall rule so I don't have to, using the filter rule association.

                                      If I wanted the incoming connections to be addressed to anything other than "WAN address" I would have to create a VIP.  In this case I don't.

                                      I tried following your steps but it doesn't work. I noticed how you said if you wanted incoming connections to be anything other than the WAN address of pfSense you would have to create a virtual IP. So, since the WAN address of my server and pfSense box are different (I want incoming connections for a certain IP and port 80 to go to the internal IP). Only thing I don't get like you do is the NAT association rule.

                                      I've blocked out my WAN IP in the images for privacy reasons… but I hope it's still enough that you can have an idea of what I am doing incorrectly.

                                      Attachments: Screenshot-1.png, Screenshot.png

                                      • Derelict LAYER 8 Netgate

                                        Looks like it should work to me.

                                        Is the proper Firewall rule on Firewall > Rules > WAN??

                                        Everything configured right on the web server and it has its default gateway set to pfSense?

                                        No software firewall on the web server blocking access from foreign networks?

                                        Web server is actually running and listening on tcp/80?

                                        Not much else to it.

                                        • altiris

                                          @Derelict:

                                          Looks like it should work to me.

                                          Is the proper Firewall rule on Firewall > Rules > WAN??

                                          Everything configured right on the web server and it has its default gateway set to pfSense?

                                          No software firewall on the web server blocking access from foreign networks?

                                          Web server is actually running and listening on tcp/80?

                                          Not much else to it.

                                          Well to go back, when I create a Virtual IP (one that will be used to assign to my server) if I type in that IP I am brought to a pfSense page, which isn't what I want. I want to be brought to my web server's page. So I guess I have to remove the virtual IP? As for proper firewall rules, the rule that gets created from making the NAT port forwarding is in the WAN interface. Everything on the server side is correct yet when I try to access the web server with the external IP nothing loads.

                                          • Derelict LAYER 8 Netgate

                                            Try changing the type of virtual IP to Proxy ARP.  That will absolutely prevent any services on the firewall node from binding to it.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.