Transparent Firewall
-
Hello,
I seem to be unable to get my pfSense box to successfully act as a transparent firewall. I use a system called UniFi by Ubiquiti Networks; I have their security gateway installed, which acts as our main router. I am trying to set up a VirtualBox pfSense install to run as a firewall with schedules while leaving DHCP and the deep packet inspection working on the UniFi box. I bridge directly to physical interfaces on the server and I can make it function fully as a second router, but as soon as I bridge the WAN and LAN interface there is no internet access on the LAN side. However, the pfSense dashboard is still able to scan for updates. It looks like DHCP is being blocked, but on every interface I have an allow-all rule.
I have tried the following guides with no success, plus I found a few others like these that also failed.
http://users.ox.ac.uk/~clas0415/assets/Setting-up-pfSense-as-a-Stateful-Bridging-Firewall-with-commodity-hardware.pdf
https://forum.pfsense.org/index.php?topic=50711.0
Anyone able to assist? The setup I require is as follows:
---> Modem to WWW ---> UniFi Gateway ---> pfSense ---> UniFi Switch ---> AP's/Client PC's
                      | DHCP, DPI, ETC |  |Firewall|
I know it may not seem clear what I am asking, but please ask me any questions and I will provide any other information. We need this up and running as soon as possible.
Thanks in advance
-
Okay, update: I have tried all the following with no success. I know some of them are not 100% relevant, but they were worth a try. Please help me.
http://pfsense.trendchiller.com/transparent_firewall.pdf
https://forum.pfsense.org/index.php?topic=50711.0
http://people.pharmacy.purdue.edu/~tarrh/Transparent%20Firewall-Filtering%20Bridge%20-%20pfSense%202.0.2%20By%20William%20Tarrh.pdf
http://blog.davidvassallo.me/2012/10/23/traffic-shaping-pfsense/
https://forum.pfsense.org/index.php/topic,20917.0.html
http://glua.ua.pt/mirrors/distro/pfsense/tutorials/transparent_firewall/transparent_firewall.pdf
http://blog.magiksys.net/pfsense-firewall-default-gateway-different-subnet
https://forum.pfsense.org/index.php?topic=76138.0
http://magiksys.blogspot.co.uk/2012/12/pfsense-bridge-gateway-vmware-ovh-ip.html
https://forum.pfsense.org/index.php?topic=75545.0
-
Can you confirm these advanced system tunables:
net.link.bridge.pfil_member 0
net.link.bridge.pfil_bridge 1
Remove all FW rules on the bridge members and set up your FW on the Bridge IF.
For testing put an Allow-Any-Any rule on the Bridge IF.
I ran a pfSense Bridge under ESXi. From memory I had to put the Port Groups or vSwitch into promiscuous mode.
Also disable the DHCP servers on all pfSense Interfaces.
Once your bridge is working you can implement more restrictive FW rules. E.g. For DHCP to work you have to:
Allow UDP any-any ports 67-68
-
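The reply above is effectively a checklist: the two bridge tunables, no rules on the member NICs, filtering on the bridge interface, and a UDP 67-68 pass so DHCP can cross the bridge. The script below is an added example (not code from the thread or from pfSense) that audits that checklist against a captured `sysctl net.link.bridge` dump and a rule export. The sysctl text, the rule list and the interface names em0/em1/bridge0 are constructed sample data; the pf rule it prints is my rendering of "Allow UDP any-any ports 67-68" in pf syntax, not a rule generated by the pfSense GUI.

```python
import re

# Constructed sample of `sysctl net.link.bridge` output on a box that still has
# the pfSense defaults: filtering on the member NICs, not on the bridge itself.
SYSCTL_SAMPLE = """\
net.link.bridge.pfil_onlyip: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.inherit_mac: 0
"""

# Values from the reply: filter once, on the bridge interface only.
EXPECTED_TUNABLES = {
    "net.link.bridge.pfil_member": 0,
    "net.link.bridge.pfil_bridge": 1,
}

# Constructed interface names: two bridge members and the bridge they form.
BRIDGE_IF = "bridge0"
MEMBERS = {"em0", "em1"}
DHCP_PORTS = (67, 68)

# Constructed rule export: "iface" is the interface the rule is attached to,
# "ports" is an inclusive (low, high) destination range or None for any port.
RULES_SAMPLE = [
    {"iface": "em0", "action": "pass", "proto": "any", "ports": None},          # WAN member
    {"iface": "em1", "action": "pass", "proto": "any", "ports": None},          # LAN member
    {"iface": "bridge0", "action": "pass", "proto": "tcp", "ports": (443, 443)},
]


def parse_sysctl(text):
    """Turn 'key: value' lines into a dict; numeric values become ints."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+):\s*(.*)$", line)
        if not m:
            continue
        key, raw = m.groups()
        raw = raw.strip()
        values[key] = int(raw) if raw.lstrip("-").isdigit() else raw
    return values


def check_tunables(values):
    """Report every tunable that differs from the filtering-bridge setting."""
    findings = []
    for key, want in EXPECTED_TUNABLES.items():
        got = values.get(key)
        if got != want:
            findings.append(f"{key} is {got}, expected {want}")
    return findings


def covers_dhcp(rule):
    """True if this is a pass rule on the bridge that lets UDP 67-68 through."""
    if rule["iface"] != BRIDGE_IF or rule["action"] != "pass":
        return False
    if rule["proto"] not in ("udp", "any"):
        return False
    if rule["ports"] is None:          # any port, so DHCP is included
        return True
    low, high = rule["ports"]
    return low <= DHCP_PORTS[0] and high >= DHCP_PORTS[1]


def check_rules(rules):
    """Flag rules still on member NICs and a bridge with no DHCP pass rule."""
    findings = []
    for rule in rules:
        if rule["iface"] in MEMBERS:
            findings.append(f"rule on member {rule['iface']} should move to {BRIDGE_IF}")
    if not any(covers_dhcp(r) for r in rules):
        findings.append(f"no rule on {BRIDGE_IF} passes UDP {DHCP_PORTS[0]}-{DHCP_PORTS[1]} (DHCP)")
    return findings


def dhcp_pass_rule(bridge_if=BRIDGE_IF):
    """'Allow UDP any-any ports 67-68' written as a pf rule (my rendering)."""
    lo, hi = DHCP_PORTS
    return f"pass quick on {bridge_if} proto udp from any to any port {lo}:{hi}"


def audit(sysctl_text, rules):
    """Full checklist: tunables first, then rule placement and the DHCP pass."""
    return check_tunables(parse_sysctl(sysctl_text)) + check_rules(rules)


if __name__ == "__main__":
    for finding in audit(SYSCTL_SAMPLE, RULES_SAMPLE):
        print("FINDING:", finding)
    print("suggested rule:", dhcp_pass_rule())
```

Run against the constructed sample it reports five findings: both tunables at their defaults, two rules still sitting on em0/em1, and no DHCP pass on bridge0. Once the tunables match and the only rules live on the bridge interface (including a UDP 67-68 pass), the audit returns an empty list. The DHCP server check from the reply is not modelled here since it is a per-interface service setting rather than a rule or tunable.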
Hello,
I have today managed to get this working. I will put together a step-by-step guide on what I did as I set up a test run. I believe the main challenge I encountered was more to do with VirtualBox: the Host Only interface was not disabling its settings and allowing data to pass over. I tested it by setting up a virtual network and creating a VM Ubuntu desktop install; this seemed to work. I will be setting this up over the weekend to fully test before implementing in production.
Thank you for your reply, but I had indeed set up all of these rules and settings; this is what was so frustrating.
-
Hello,
Did you ever finish your step-by-step guide? I am wanting to build a transparent firewall to use at my house, but all the documentation that I have found is rather old.
Thanks!
Jon
-
I as well am looking for a guide on how to set up pfSense as a completely transparent firewall between my modem and router ideally (or router and switch, less ideally).
The guides listed above don't agree on some things, like which interfaces to bridge.