Netgate Discussion Forum

    Features disabled during bridge mode?

Firewalling | 12 Posts | 6 Posters | 2.0k Views
JKnott

^^^^
You don't use NAT on IPv6, so this is a perfectly normal situation. Separate bridging firewalls are often used in business applications. They just filter traffic, without providing a routing or NAT function.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
johnpoz (LAYER 8 Global Moderator)

Where did the OP say anything about IPv6???

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
JKnott

^^^^
I was referring not so much to IPv6, but to the fact that a) NAT is often not used and b) firewalls are often used in bridge mode. Without knowing the context, we don't know enough about what he's doing.

Incidentally, I talk with a lot of people about networks. Many have their minds poisoned with the idea that NAT is always used. They've long since forgotten or never knew that its purpose was to get around the IPv4 address shortage and now think it's normal for all networking.

Bottom line, never assume NAT will be used, even on IPv4. As the world moves to IPv6, we can eventually get rid of that hack.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
johnpoz (LAYER 8 Global Moderator)

Agreed.. Clearly this user from the context is not an advanced user ;) Sorry, no offense OP..

And while I am with you 100 percent that NAT is a hack that I'd love to see go away, you are more than likely going to route.. So that is not bridging either, even with IPv6.. While agreed, we're missing quite a bit of information about what the OP is wanting to actually accomplish..

I've been in the field a lot of years, supporting a lot of different companies' networks. Transparent firewall not seen so much to be honest.. IDS/IPS sure.

Seems more to me this user heard some new buzz word, transparent firewall, and has questions. And without some more info, kind of hard to pick a direction to discuss.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
newbie16

OP here. Yes, I have no experience with pfSense, only with basic home routers.

I plan to buy/build a pfSense HW box. The goal is to insert it into my network for learning and dabbling without having to reconfigure other devices on my network. I understand I could consider double NAT, which would accomplish the same thing.

Before=
  Comcast cable-modem (bridge mode) -- wifi-router (NAT) -- multiple PCs

After1=
  Comcast cable-modem (bridge mode) -- wifi-router (NAT) -- pfSense HW (bridge mode) -- one PC (under inspection / or test environment)

After2=
  Comcast cable-modem (bridge mode) -- pfSense HW (bridge mode) -- wifi-router (NAT) -- multiple PCs

I plan to keep After2 up for about 30 days; maybe I will take it down if I set it up unstable. I want to use the pfSense HW as more of a diagnostic or inspection tool which can be inserted into the home network at will and removed at will without needing to reconfigure other devices.
kpa

If you can make After3 like After2 but with a few modifications it would be the optimal solution:

Comcast cable-modem (bridge mode) -- pfSense HW (routing mode+NAT) -- wifi-router (AP mode, no routing, no NAT) -- multiple PCs
newbie16

Hi kpa,

In reference to After3, I prefer to keep the configuration of the wifi-router unaltered, as routing mode, not AP. The After3 solution has been offered multiple times, but it doesn't offer seamless testing/filtering on the network after the cable-modem.

If all valid options are to set the wifi-router to AP mode, I think I would be better served by using a managed switch in place of the pfSense HW in After2, then use a mirror port of the traffic passing in/out to the wifi-router (in routing mode).
gcu_greyarea

I run 2 pfSense boxes in bridge mode. As far as I know traffic shaping won't work when bridging. There are also issues with transparent proxy.
You'll also have to explicitly set up a rule to allow DHCP traffic over the bridge.

The reason I use a bridge or transparent firewall is that I'm unable to replace the ISP provided router.

I have also worked with Cisco ASA previously. ASAs can be configured in 'routed' and 'transparent' mode, too. Here the "routed" mode works for the essentials and gets you online with an ISP, but functions such as DHCP reservations or DDNS updates won't work…

My personal experience is that pfSense has some limitations in bridge mode, or more precisely some packages have limitations.

Cisco ASAs have limitations in routed mode.

I ended up with pfSense (2220, 2440 & 4860) because even in bridged mode I could achieve most of what I needed.
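The "explicit rule to allow DHCP over the bridge" mentioned above is easiest to see at the pf level. The following is an added example ruleset, not code from this thread or from the pfSense project, showing why it is needed: a transparent firewall still has a default-deny policy, and the DHCP exchange (client broadcasts from UDP 68 to 67, server answers from 67 to 68) does not match a normal stateful pass rule because the client sends from 0.0.0.0 to 255.255.255.255. The interface names (em1, em2, bridge0) and the 192.168.1.0/24 LAN subnet are assumptions. It also assumes filtering is attached to the bridge interface itself via the FreeBSD tunables net.link.bridge.pfil_bridge=1 and net.link.bridge.pfil_member=0; pfSense's default is the reverse (filter on the member interfaces), in which case the same rules go on the member interface rules tab instead.

```pf
# Added example: minimal pf ruleset for a transparent (bridge) firewall.
# Assumed layout: em1 and em2 are bridge members, bridge0 is the bridge.
# Assumed tunables (System > Advanced > System Tunables on pfSense):
#   net.link.bridge.pfil_bridge=1   (filter on bridge0)
#   net.link.bridge.pfil_member=0   (do not filter again on em1/em2)

lan_net = "192.168.1.0/24"   # assumed LAN subnet behind the wifi-router

set skip on lo0

# Default deny: this is what silently drops DHCP without the rules below.
block log all

# DHCP is stateless here on purpose. The client's DISCOVER comes from
# 0.0.0.0:68 to 255.255.255.255:67, and the server's OFFER goes back
# 67 -> 68 to a broadcast address, so no state entry would match the reply.
pass quick on bridge0 inet proto udp from any port 68 to any port 67 no state
pass quick on bridge0 inet proto udp from any port 67 to any port 68 no state

# Everything else: stateful pass for traffic that originates on the LAN side.
# Return traffic is matched by the state entry, so no mirror rule is needed.
pass in quick on bridge0 inet from $lan_net to any keep state
```

Check the result with `pfctl -sr` (rules) and `pfctl -ss` (states) while a client renews its lease: the DHCP packets should hit the two stateless rules and create no state, while a TCP connection from the LAN shows up as a single state entry on bridge0. The `block log all` line is what lets `pflog0` show you which packets the bridge is dropping, which is the diagnostic use the OP described.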
Harvy66

I have no knowledge on the subject, but I would find it strange that you can't shape in bridge mode. This would make sense if stateful firewalling was disabled, because you NEED states to track which queue a packet belongs to, but you can still do firewalling while in bridge mode.
gcu_greyarea

Traffic shaping doesn't work when applied to a bridge interface:

https://redmine.pfsense.org/issues/4405
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.