Transparent Bridge & filtering problems…


  • Hi all,

    I'm trying to set up a simple transparent bridge and firewall for several servers with pfSense 1.2.
    I have 3 public IP addresses, say, 123.456.1.2, 123.456.1.3 and 123.456.1.4

    I assign 123.456.1.2 /24 IP address to pfSense's WAN interface, set up the gateway & DNS to resolve properly, bridge the LAN to WAN, use the 123.456.1.2 /24 IP address in the LAN IP address as well (which I believe I'm supposed to do..?)
    Then I enable System->Advanced -> Filtering Bridge and finally I reboot.
    Then I log back in and determine that the pfsense box can access the internet properly.

    Now I assign 123.456.1.3 to server1, and set it's gateway to be 123.456.1.2 (and proper DNS, etc)
    From that server, I can now access the internet due to the pfsense box's default LAN -> any firewall rule.

    But, it also appears to be allowing all traffic back into the 123.456.1.3 IP address–ignoring the fact that I have no WAN rules set up to allow access for it...

    I can sort of restrict it's access by limiting what is allowed to go out from the LAN firewall rules, but that seems a backward way of doing things.. (not to mention less fine control (or at least messier control..))

    So, my question is this:  is pfSense acting as it is supposed to, or am I missing something or have I messed up something?

    TIA!


  • Is this the right area to post it in (since it's not really NATing..)?


  • I don't bridge the LAN to the WAN in my installation, but I have an OPT/DMZ interface that is bridged to the WAN.  All traffic is filtered correctly in my install so it does work correctly in that configuration.  By the way, the LAN won't have an IP address if it is bridged to the WAN.  The interfaces are tied together and share the single IP address, but you shouldn't have to enter it.

    And your gateway should be the gateway in front of the pfSense box as the pfSense firewall isn't routing if you have it bridging so it shouldn't be your gateway (it is just another device on your subnet that just happens to sit inline with all traffic).

    Make sure you have the Filtering Bridge setting turned on in the advanced setup configuration page.

    Ron


  • Hello Ron,

    Thank you for writing back!

    Hmm, I suppose I could in theory install another card into the machine & do DMZ onto that, but it seems kind of a silly long way around the problem..
    The LAN interface does require that an IP address is listed there, so I can't just take it out.

    If I understand correctly what you're saying, on the servers, I should enter a gateway address of 123.456.1.1 (rather than the pfsense's IP of 123.456.1.2 ?)
    If that's the case, shouldn't all traffic simply bypass the pfsense box entirely (since they are all on the same network) and be completely not filtered?  My testing seems to confirm this.

    I do have the filtering bridge enabled on the Advanced page, but the system doesn't act any differently (eg, with it un-checked, I can still block by blocking the destination on the LAN side, but not by blocking the source on the WAN side)

    Is pfsense not meant to do this WAN-LAN bridging?

    thanks again!


  • The idea of a filtering brigde is, that everything is on the same subnet.
    But as you write it, it sounds a bit as if your next hop (123.456.1.1) is on the same physical subnet as your LAN?

    the pfSense filtering bridge has the be between your LAN and your next hop.

    clients
              |
              |
              |
          pfSense
              |
              |
              |
          routerX

    Your clients have as gateway routerX.
    They should not even be aware that the pfSense box is there.


  • Yes, they are on the same physical network (as well as the same subnet).

    It sounds like you agree with Ron that I need to set the gateways to 123.455.1.1 for all the servers & then physically separate the servers from the .1.1 gateway?  (and they will just find a way to go through the pfsense transparent filewall?)

    I just assumed that they would have to set it as their gateway..yikes!  (sorry, first time setting up a transparent bridge this way..)

    If that is indeed the case, I will schedule a time to go & set it up that way!


  • As the name of the transparent firewall says: it's transparent –> nobody knows it's there.
    The IP you have on the pfSense is only to manage it.


  • @GruensFroeschli:

    As the name of the transparent firewall says: it's transparent…

    Yeah, I've been thinking about that and it's been making a lot more sense..
    Sorry about the confusion!


  • So, I changed physical networks over, and things didn't seem to go as smoothly as I had hoped.

    when I physically separated the servers from the real .1.1 gateway, things appeared to work.
    I had set up individual firewall rules for each server to pass all packets in the WAN & out the LAN, and I could ping them from the rest of the world.
    However, they could not ping out. (or pass any traffic out)

    However, if I change their gateways to be the pfsense box (.1.2) then they can pass packets out & things appear to be properly filtered coming in.

    am I just crazy? :-)

    Thank you!