firewall without NAT
-
@olivier-demoustier
Does all communication devices have fix IPs or do they use UPnP to connect to the other? -
@viragomann
All fixed IP's -
@olivier-demoustier
I can imagine that you get an asymmetric routing in this setup. If that's the case, it possibly helps to enable sloppy state handling.
You can do this in the firewall rules in the advanced options. -
@viragomann
For the moment, I don't get any UDP packet true the firewall. -
pfSense will route between the WAN and LAN interfaces. Traffic coming into the LAN will be routed out to the WAN as long as firewall rules pass it and a route exists. That could be the default route or between the WAN and LAN subnets directly.
However, you're taking about broadcast traffic that will not be routed. That is always inside one subnet.
What subnets do you have on WAN and LAN?
What IPs are you testing between?
It sounds a lot like you might actually want a bridge here with both interfaces in the same subnet.
Steve
-
@olivier-demoustier if you are trying to isolate traffic by having 2 nics in the lightbox then you need to isolate those IP addresses and use direct IP address rules in your firewall but possibly going to need to use NAT redirects for that
I say this assuming you are trying to isolate one ports traffic through one NIC and the other via the second to stop overloads? -
Some people are still believing that NAT is evil. Just because some people don't like entering their home through a door instead a wide gate. By default a door denies all inbound.
-
If it is broadcast, use only a managed switch with different VLANs, then you got 2 broadcast domains and no interaction betwen this.
One VLAN is used for WiFi and the other dont flod the WiFi anymore. You want now to route betwen this VLANs, you neet different IP Subnets and then you can use an Firewall between.
-
@sundarnet-0
Hi SundarNet, The lighting console has only 1 nic. So all this broadcast ( on port 6454 and 9000) passes in/out 1 nic on that end. This meaning , only 1 IP adress. -
@stephenw10 IP range is 2.x.x.x subnet 255.0.0.0
-
@nocling
I do not think a VLAN will solve this. But I'm more than happy to learn how you would solve this with a VLAN. Can a VLAN read a packet and look if it comes from port 6454 and if so ignore this packet? -
@nocling
Sorry, everything needs to be in the same subnet. (2.x.x.x. /8)
We cannot change this. -
If I bridge WAN-LAN, all traffic passes, so the hardware is working. But whatever FIREWALL-rule I add, all traffic keeps on passing. I have set "net.link.bridge.pfil_bridge" to 1 and "net.link.bridge.pfil_member" to 1
Was hoping this would solve it... but :( no luck -
@olivier-demoustier said in firewall without NAT:
@nocling
Sorry, everything needs to be in the same subnet. (2.x.x.x. /8)
We cannot change this.If both interfaces of pfSense have to be within a single subnet you have to bridge them, as @stephenw10 already mentioned.
Doing this enables also broadcasts between the devices. Maybe this is what you need. -
Thank you, I tried this, (look at my recent post) but then it just works as a 2port switch. FIREWALL-rules are not working
-
@olivier-demoustier said in firewall without NAT:
But whatever FIREWALL-rule I add, all traffic keeps on passing. I have set "net.link.bridge.pfil_bridge" to 1 and "net.link.bridge.pfil_member" to 1
Was hoping this would solve it... but :( no luckIt should work with these settings. Maybe you have zo kill existing states before testing.
-
At last, I found it. Don't know why, but in bridge mode you need to reboot the firewall after you change a rule.
Will test further. But for the moment I have 1 rule to enable or disable all traffic. If You change this rule, you need to reboot.
To everybody, thank you so much for all the help. -
@olivier-demoustier said in firewall without NAT:
At last, I found it. Don't know why, but in bridge mode you need to reboot the firewall after you change a rule.
Will test further. But for the moment I have 1 rule to enable or disable all traffic. If You change this rule, you need to reboot.
To everybody, thank you so much for all the help.Happy for you. Don't forget to enable the auto start for all vlan bridges.
-
@akegec
mmm, don't know what you are saying. I don't use any VLANs. Or is a bridge some kind of VLAN? -
You need to set the filtering sysctls before you create the bridge. So if you change them afterwards you need to re-create the bridge. A reboot does that.
Steve
