firewall without NAT
-
@kom
Hi Kom, I understand what you are saying. And indeed I'm not familiar with firewalls and NAT's.
In short, the situation: a lighting desk sends (a lot of) UDP on port 6454 (artnet, broadcast) and some other UDP on port 9000 (OSC). I would like to split up this traffic with 2 firewalls, so I have 2 UTP cables: one with only the UDP on port 6454 and another with only the UDP on port 9000. -
@olivier-demoustier What network is on WAN, and on LAN? How are these devices (I have no idea what a lighting desk is) connected to pfSense? IS this UDP traffic coming from one client or multiple clients? Why do you want to split that UDP traffic in the first place?
I have to leave until tomorrow so post your answers and maybe someone else can help you with this.
-
@kom
A lighting desk is a console that controls lights for TV/rock shows....
It broadcasts "ARTNET"; this is a UDP signal on port 6454. In large shows it reaches up to 80mb/sec. At the same time it receives other controls on port 9000 (called OSC). Sometimes the OSC gets lost in all the broadcast and/or the OSC needs to be wireless via WIFI. If we don't split the ARTNET from the OSC, all the artnet slows down the wifi.
In real life it is a bit more complicated and more different protocols are involved. But if the simple setup works, I can adjust further. -
@olivier-demoustier
Do all communication devices have fixed IPs, or do they use UPnP to connect to each other? -
@viragomann
All fixed IPs -
@olivier-demoustier
I can imagine that you get an asymmetric routing in this setup. If that's the case, it possibly helps to enable sloppy state handling.
You can do this in the firewall rules in the advanced options. -
@viragomann
For the moment, I don't get any UDP packet through the firewall. -
pfSense will route between the WAN and LAN interfaces. Traffic coming into the LAN will be routed out to the WAN as long as firewall rules pass it and a route exists. That could be the default route or between the WAN and LAN subnets directly.
However, you're talking about broadcast traffic that will not be routed. That always stays inside one subnet.
What subnets do you have on WAN and LAN?
What IPs are you testing between?
It sounds a lot like you might actually want a bridge here with both interfaces in the same subnet.
Steve
-
@olivier-demoustier if you are trying to isolate traffic by having 2 NICs in the lightbox, then you need to isolate those IP addresses and use direct IP address rules in your firewall, but you are possibly going to need to use NAT redirects for that.
I say this assuming you are trying to isolate one port's traffic through one NIC and the other via the second to stop overloads? -
Some people are still believing that NAT is evil. Just because some people don't like entering their home through a door instead of a wide gate. By default a door denies all inbound.
-
If it is broadcast, use only a managed switch with different VLANs; then you have 2 broadcast domains and no interaction between them.
One VLAN is used for WiFi and the other doesn't flood the WiFi anymore. If you now want to route between these VLANs, you need different IP subnets, and then you can use a firewall between them.
-
@sundarnet-0
Hi SundarNet, the lighting console has only 1 NIC. So all this broadcast (on port 6454 and 9000) passes in/out 1 NIC on that end. This means only 1 IP address. -
@stephenw10 IP range is 2.x.x.x subnet 255.0.0.0
-
@nocling
I do not think a VLAN will solve this. But I'm more than happy to learn how you would solve this with a VLAN. Can a VLAN read a packet and look if it comes from port 6454 and if so ignore this packet? -
@nocling
Sorry, everything needs to be in the same subnet (2.x.x.x /8).
We cannot change this. -
If I bridge WAN-LAN, all traffic passes, so the hardware is working. But whatever FIREWALL-rule I add, all traffic keeps on passing. I have set "net.link.bridge.pfil_bridge" to 1 and "net.link.bridge.pfil_member" to 1
Was hoping this would solve it... but :( no luck -
@olivier-demoustier said in firewall without NAT:
@nocling
Sorry, everything needs to be in the same subnet (2.x.x.x /8).
We cannot change this.
If both interfaces of pfSense have to be within a single subnet, you have to bridge them, as @stephenw10 already mentioned.
Doing this enables also broadcasts between the devices. Maybe this is what you need. -
Thank you, I tried this (look at my recent post), but then it just works as a 2-port switch. FIREWALL rules are not working.
-
@olivier-demoustier said in firewall without NAT:
But whatever FIREWALL-rule I add, all traffic keeps on passing. I have set "net.link.bridge.pfil_bridge" to 1 and "net.link.bridge.pfil_member" to 1
Was hoping this would solve it... but :( no luck
It should work with these settings. Maybe you have to kill existing states before testing.
-
At last, I found it. Don't know why, but in bridge mode you need to reboot the firewall after you change a rule.
Will test further. But for the moment I have 1 rule to enable or disable all traffic. If you change this rule, you need to reboot.
To everybody, thank you so much for all the help.
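The two replies above (viragomann's "kill existing states" and the reboot that finally made rule changes take effect) both come down to the same mechanism: pf checks the state table before it evaluates the rule set, so a UDP flow that already has a state keeps passing after its rule is changed, until the states are flushed. The model below is an added example written for this thread, not code from pfSense or from any poster. It models the bridge filtering sysctls named in the thread (net.link.bridge.pfil_bridge, net.link.bridge.pfil_member), first-match rules, and a state table, using constructed addresses in the thread's 2.x.x.x/8 range; the Packet, Rule and BridgeFilter names are assumptions of the example.

```python
"""Toy model of stateful filtering on a pfSense-style bridge (added example).

Not pfSense or pf code. Models two points from the thread:
  * with both bridge pfil sysctls at 0, packets bypass the filter entirely;
  * pf consults the state table before the rule set, so a flow with an
    existing state keeps passing after a rule change until states are flushed.
All addresses, ports and packets are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

ARTNET_PORT = 6454   # Art-Net, from the thread
OSC_PORT = 9000      # OSC, from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    dport: Optional[int]   # None means any destination port
    proto: str = "udp"

    def matches(self, p: Packet) -> bool:
        return p.proto == self.proto and (self.dport is None or self.dport == p.dport)


class BridgeFilter:
    """Bridge with an optional packet filter, a rule list and a state table."""

    def __init__(self, pfil_bridge: int = 0, pfil_member: int = 0) -> None:
        self.sysctl = {
            "net.link.bridge.pfil_bridge": pfil_bridge,
            "net.link.bridge.pfil_member": pfil_member,
        }
        self.rules: list[Rule] = []
        self.states: set[tuple] = set()

    def filtering_enabled(self) -> bool:
        # Filtering happens on the bridge interface and/or on member interfaces.
        return any(v == 1 for v in self.sysctl.values())

    def flush_states(self) -> None:
        # Equivalent of resetting the state table (pfctl -F states).
        self.states.clear()

    def evaluate(self, p: Packet) -> str:
        if not self.filtering_enabled():
            return "pass"  # bridge forwards frames like a plain switch
        key = (p.src, p.dst, p.dport, p.proto)
        if key in self.states:
            return "pass"  # state table wins; rules are not consulted
        for r in self.rules:  # first match wins (pfSense GUI rules are "quick")
            if r.matches(p):
                if r.action == "pass":
                    self.states.add(key)  # "keep state" is the default
                return r.action
        return "block"  # implicit default deny


def scenario() -> dict:
    """Walk through the situations described in the thread; return verdicts."""
    artnet = Packet("2.0.0.10", "2.255.255.255", ARTNET_PORT)  # constructed
    osc = Packet("2.0.0.20", "2.0.0.10", OSC_PORT)             # constructed
    out = {}

    # 1. Bridge with the pfil sysctls at 0: rules are never consulted.
    fw = BridgeFilter(pfil_bridge=0, pfil_member=0)
    fw.rules = [Rule("block", ARTNET_PORT)]
    out["sysctl_off"] = (fw.evaluate(artnet), fw.evaluate(osc))

    # 2. Filtering on, one allow-all rule: both flows create states.
    fw = BridgeFilter(pfil_bridge=1, pfil_member=1)
    fw.rules = [Rule("pass", None)]
    out["allow_all"] = (fw.evaluate(artnet), fw.evaluate(osc))

    # 3. Rule changed to block Art-Net, states not flushed: stale state still passes it.
    fw.rules = [Rule("block", ARTNET_PORT), Rule("pass", OSC_PORT)]
    out["after_rule_change"] = (fw.evaluate(artnet), fw.evaluate(osc))

    # 4. Flush states (what the reboot in the thread did as a side effect).
    fw.flush_states()
    out["after_state_flush"] = (fw.evaluate(artnet), fw.evaluate(osc))
    return out


if __name__ == "__main__":
    for stage, verdict in scenario().items():
        print(f"{stage:>18}: artnet={verdict[0]}, osc={verdict[1]}")
```

On a real pfSense box the state flush corresponds to Diagnostics > States > Reset States in the GUI, or `pfctl -F states` from the shell, which avoids the reboot the thread settled on. The model also shows why leaving both pfil sysctls at 0 makes the bridge behave like the "2-port switch" described above.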