Netgate Discussion Forum
    Transparent bridge (as firewall) are not working

    Category: Problems Installing or Upgrading pfSense Software
    2 Posts 1 Posters 422 Views
    darwick (last edited by darwick)

      Hello,

      I'm a bit stuck; it would be great if somebody could help me. So my setup is: an ESXi server, where I have a vswitch0 for the external network (public IP addresses) and a vswitch1 for the segmented network (also with the same public IP addresses, but the packets go through pfSense). The purpose is to filter some packets from the external network to the segmented one (acting as a transparent firewall).
      So, the pfSense VM has 3 interfaces: vmx0 (WAN from vswitch0), vmx1 (LAN from vswitch1) and vmx2 (local IP address for management purposes).

      I have done the following:

      • Set WAN and LAN IP addresses to 'none' in Interfaces
      • Created a bridge with WAN and LAN and renamed it to BRIDGE in interfaces
      • Enabled the BRIDGE interface and gave an external IP, then gave a gateway and made it default (it is the router's IP of course) in Interfaces.
      • Disabled outbound NAT completely in Firewall > NAT
      • Set net.link.bridge.pfil_bridge to 1 and net.link.bridge.pfil_member to 0
      • Created a pass rule any any on wan, lan, bridge, mgmt
      • Completely disabled the firewall for testing (in the shell, pfctl -d)

      The problem is that the bridge's IP address can't be pinged or accessed in any way. In the firewall logs I don't see anything special (but because I disabled it for testing purposes, I won't see any), and if I make a packet capture on bridge0 I just see some ARP requests, nothing more.

      I can also access my router's ARP table and I don't see pfSense's external IP in there. Also, in pfSense the default gateway is unreachable, but for some reason I can see the router's IP and MAC in its ARP table.

      My pfSense version is 2.4.5-RELEASE-p1.

      Could anyone please help me figure out what I am doing wrong?

      As far as I can remember, older versions of pfSense worked great with the same setup.

      darwick

        Okay, I found the problem. Actually, it was because the vSwitch has some reject policies by default. On a Standard/Distributed vSwitch's port groups (which you would like to bridge), set "MAC address changes" and "Forged transmits" to Accept in the security settings. Then the bridge interface will work.
        This should be a reminder for anyone who has the same problem in a VMware environment.

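An added example (not from the thread) that audits and scopes the fix darwick describes: a PowerCLI snippet listing port groups whose security policy would drop the bridge's frames, then relaxing it only for the port groups the pfSense WAN/LAN vNICs attach to. It assumes an open Connect-VIServer session, the VMware.VimAutomation.Core and .Vds modules, and the two placeholder port-group names in $BridgedPortGroups. Reject for "MAC address changes" and "Forged transmits" is the vSwitch's guard against source-MAC spoofing, so every other port group is deliberately left as it is.

```powershell
# Placeholder names: replace with the port groups your pfSense WAN/LAN vNICs use.
$BridgedPortGroups = @('PG-External-Placeholder', 'PG-Segmented-Placeholder')

function Get-PortGroupSecurityReport {
    # Standard vSwitch port groups: effective policy (inherited from the vSwitch unless overridden)
    $std = Get-VirtualPortGroup -Standard | ForEach-Object {
        $p = Get-SecurityPolicy -VirtualPortGroup $_
        [pscustomobject]@{
            Type             = 'Standard'
            PortGroup        = $_.Name
            MacChanges       = $p.MacChanges
            ForgedTransmits  = $p.ForgedTransmits
            AllowPromiscuous = $p.AllowPromiscuous
        }
    }
    # Distributed vSwitch port groups
    $dvs = Get-VDPortgroup | ForEach-Object {
        $p = Get-VDSecurityPolicy -VDPortgroup $_
        [pscustomobject]@{
            Type             = 'Distributed'
            PortGroup        = $_.Name
            MacChanges       = $p.MacChanges
            ForgedTransmits  = $p.ForgedTransmits
            AllowPromiscuous = $p.AllowPromiscuous
        }
    }
    @($std) + @($dvs)
}

$report = Get-PortGroupSecurityReport

# Bridged port groups whose policy still rejects the frames a bridging VM emits
$broken = $report | Where-Object {
    ($BridgedPortGroups -contains $_.PortGroup) -and
    (-not $_.MacChanges -or -not $_.ForgedTransmits)
}
$broken | Format-Table -AutoSize

# Relax the two settings only on the bridged port groups; everything else keeps Reject.
foreach ($b in $broken) {
    if ($b.Type -eq 'Standard') {
        Get-VirtualPortGroup -Standard -Name $b.PortGroup | Get-SecurityPolicy |
            Set-SecurityPolicy -MacChanges $true -ForgedTransmits $true | Out-Null
    } else {
        Get-VDPortgroup -Name $b.PortGroup | Get-VDSecurityPolicy |
            Set-VDSecurityPolicy -MacChanges $true -ForgedTransmits $true | Out-Null
    }
}
```

Run the audit part alone first; the AllowPromiscuous column is reported only so the full policy is visible, and the script does not change it.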
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.