Netgate Discussion Forum

    WAN\DMZ Bridging ARP Issue

    Firewalling
    5 Posts 3 Posters 1.8k Views
    edinburgh1874

      Hi All,
      We've taken over a network with a very old Linux installation running on some even older hardware, and I'm looking to migrate it to PFSense.

      The network setup is rather strange; it's configured as per the attached diagram:

      ETH0 - WAN - public IP a.a.a.1/32 -> Cisco Router a.a.a.2/24
      ETH1 - DMZ - public IP a.a.a.1/24 -> Servers with a.a.a.a/24 public addresses
      ETH2 - LAN 192.168.0.0/23

      This allows LAN access to WAN and DMZ addresses, and internet clients access to the DMZ servers.

      PFSense will not allow you to have the same IP address on multiple NICs, so we configured a bridge with WAN/DMZ (a.a.a.1/24).

      This works temporarily; however, after a few minutes the DMZ servers' ARP cache will start showing the WAN as the default gateway (a.a.a.1) instead of the DMZ ARP entry.

      Setting a static ARP entry on the servers fixes this, but this will be troublesome to set up on 100+ servers.

      Can anyone think of a way of getting round this? I'm also confused as to how the /32 address works on the WAN interface, but that's a different matter!

      [Attachment: network.JPG (network diagram)]

      kpa

        If you bridge the WAN and the DMZ interfaces, you're supposed to use the default gateway of the WAN network as the default gateway on the DMZ hosts. Also, do not assign any address on the DMZ interface; it's not needed and might even be harmful.

        You need to think of the bridge as a switch that just happens to do IP-level packet inspection and filtering as well.

        edinburgh1874

          Apologies, the diagram shows the existing iptables setup - both eth0/1 have the same address but different subnet masks.

          On creating the bridge in PFSense, we haven't assigned an IP address to the DMZ NIC.

          We are using the WAN address as the DMZ hosts' default gateway.

          Edit: Maybe I should set the DMZ hosts' default gw to the Cisco box; let me try this.

          edinburgh1874

            Hmm... that doesn't work for us, as the DMZ clients aren't able to access the LAN hosts (due to no route back on the Cisco).

            I suppose this isn't a "real" DMZ, but hosts with a public address, filtered by the firewall; there are also dependencies like AD servers/DNS on the LAN.

            Can anyone think of a way to stop the hosts getting the ARP address of the WAN interface, apart from a static ARP entry on each host?

            I realise this isn't really best practice, but the network has been built up this way over 10 years and I can't change all of the hosts due to external dependencies.

            atran
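One way to at least catch the symptom described in this thread on the DMZ hosts themselves, as an added example that is not from the thread or from pfSense: the script below parses neighbour-table snapshots in Linux `ip neigh show` format and flags a gateway whose entry has been seen with more than one MAC (the bridge's two member interfaces). The gateway address, interface name and MAC addresses are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: detect a DMZ host's ARP entry for its default gateway
# alternating between two MACs, the behaviour described in this thread.
# Input is text in `ip neigh show` format; the snapshots below are constructed
# (documentation range 203.0.113.0/24, placeholder MACs) so this runs offline.

# Print the distinct MAC addresses that the neighbour-table lines in $2 record
# for gateway IP $1. FAILED/INCOMPLETE entries carry no "lladdr" and are skipped.
gateway_macs() {
    gw="$1"
    printf '%s\n' "$2" | awk -v gw="$gw" '
        $1 == gw { for (i = 1; i <= NF; i++) if ($i == "lladdr") print $(i + 1) }
    ' | sort -u
}

# Succeed (exit 0) when gateway $1 has been seen with more than one MAC across
# the snapshots in $2, i.e. the entry is flapping between bridge members.
arp_flapping() {
    n=$(gateway_macs "$1" "$2" | awk 'END { print NR }')
    [ "$n" -gt 1 ]
}

# Constructed snapshots, as a periodic job polling `ip neigh show` would collect.
POLL_1='203.0.113.1 dev eth0 lladdr 00:00:5e:00:53:aa REACHABLE
203.0.113.20 dev eth0 lladdr 00:00:5e:00:53:20 STALE'
POLL_2='203.0.113.1 dev eth0 lladdr 00:00:5e:00:53:bb REACHABLE
203.0.113.20 dev eth0 lladdr 00:00:5e:00:53:20 STALE'
POLL_3='203.0.113.1 dev eth0 FAILED'

GW=203.0.113.1
ALL_POLLS="$POLL_1
$POLL_2
$POLL_3"

if arp_flapping "$GW" "$ALL_POLLS"; then
    echo "WARNING: $GW seen with MACs: $(gateway_macs "$GW" "$ALL_POLLS" | tr '\n' ' ')"
else
    echo "OK: $GW stable at $(gateway_macs "$GW" "$ALL_POLLS")"
fi
```

On a real host, replace the constructed snapshots with the accumulated output of `ip neigh show` and run the check from cron; a warning means the host is still learning the gateway from both bridge members.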

              I thought it was fixed...

              https://redmine.pfsense.org/issues/729
              (if_bridge unpredictable filter interface selection)

              But I'm running 2.2.1 now and the problem is still NOT fixed in pf_bridge?!

              We also have to use the WAN IP as the gateway for DMZ hosts;
              does anyone have a solution for this?

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.