Features disabled during bridge mode?



  • I am interested in running pfsense in bridge mode (I think it is also known as a transparent firewall).  What pfsense features will not work or cannot be enabled?

    I understand this is a broad question, since I am still learning about firewalls.  I see a typical NAT router/firewall as a known MITM to the LAN clients.  As for bridge mode, the transparent firewall tries to be invisible to the LAN clients, which limits its abilities. Thank you.

    Should this question be in the firewall category or general?


  • Rebel Alliance Global Moderator

    "I see a typical NAT router/firewall as a known MITM to the LAN clients."

    Huh?? So what is going to be doing your NAT?  Or are all your devices going to have public IPs?



  • ^^^^
    You don't use NAT on IPv6, so this is a perfectly normal situation.  Separate bridging firewalls are often used in business applications.  They just filter traffic, without providing a routing or NAT function.


  • Rebel Alliance Global Moderator

    Where did the OP say anything about IPv6???



  • ^^^^
    I was referring not so much to IPv6, but to the fact that a) NAT is often not used and b) firewalls are often used in bridge mode.  Without knowing the context, we don't know enough about what he's doing.

    Incidentally, I talk with a lot of people about networks.  Many have their minds poisoned with the idea that NAT is always used.  They've long since forgotten or never knew that its purpose was to get around the IPv4 address shortage and now think it's normal for all networking.

    Bottom line, never assume NAT will be used, even on IPv4.  As the world moves to IPv6, we can eventually get rid of that hack.


  • Rebel Alliance Global Moderator

    Agreed.. Clearly this user from the context is not an advanced user ;)  Sorry, no offense OP..

    And while I am with you 100 percent that NAT is a hack that I'd love to see go away, you are more than likely going to route.. So that is not bridging either - even with IPv6..  While agreed, we're missing quite a bit of information for what the OP is wanting to actually accomplish..

    I've been in the field a lot of years, supporting a lot of different companies' networks.  Transparent firewalls are not seen so much, to be honest.. IDS/IPS sure.

    Seems more to me this user heard some new buzzword, transparent firewall, and has questions.  And without some more info, it's kind of hard to pick a direction to discuss.



  • OP here.  Yes, I have no experience with pfSense, only with basic home routers.

    I plan to buy/build a pfsense HW box.  The goal is to insert it into my network for learning and dabbling without having to reconfigure other devices on my network.  I understand that double NAT would accomplish the same thing.

    Before=
      Comcast cable-modem (bridge mode) -- wifi-router (NAT) -- multiple PCs

    After1=
      Comcast cable-modem (bridge mode) -- wifi-router (NAT) -- pfSense HW (bridge mode) -- one PC (under inspection / or test environment)

    After2=
      Comcast cable-modem (bridge mode) -- pfSense HW (bridge mode) -- wifi-router (NAT) -- multiple PCs

    I plan to keep After2 up for about 30 days; maybe I will take it down if it turns out unstable.  I want to use the pfSense HW more as a diagnostic or inspection tool which can be inserted into the home network at will and removed at will without needing to reconfigure other devices.



  • If you can make After3 like After2 but with a few modifications it would be the optimal solution:

    Comcast cable-modem (bridge mode) -- pfSense HW (routing mode+NAT) -- wifi-router (AP mode, no routing, no NAT) -- multiple PCs



  • Hi kpa,

    In reference to After3, I prefer to keep the wifi-router's configuration unaltered, in routing mode, not AP mode.  The After3 solution has been offered multiple times, but it doesn't offer seamless testing/filtering on the network after the cable-modem.

    If all valid options require setting the wifi-router to AP mode, I think I would be better served by using a managed switch in place of the pfSense HW in After2, then using a mirror port of the traffic passing in/out of the wifi-router (in routing mode).



  • I run 2 pfsense boxes in bridge mode. As far as I know traffic shaping won't work when bridging. There are also issues with transparent proxy.
    You'll also have to explicitly set up a rule to allow DHCP traffic over the bridge.

    The reason I use a bridge or transparent firewall is that I'm unable to replace the ISP provided router.

    I have also worked with Cisco ASA previously. ASAs can be configured in 'routed' and 'transparent' mode, too. Here the "routed" mode works for the essentials and gets you online with an ISP, but functions such as DHCP reservations or DDNS updates won't work…

    My personal experience is that pfSense has some limitations in bridge-mode - or more precisely some packages have limitations.

    Cisco ASA's have limitations in routed mode.

    I ended up with pfSense (2220, 2440 & 4860) because even in bridged mode I could achieve most of what I needed..
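    To make the DHCP point above concrete, here is a constructed FreeBSD pf.conf fragment for a two-port transparent bridge. It is an added example, not the poster's setup or pfSense's generated ruleset, and the interface names, LAN subnet and sysctl settings are assumptions.

```pf
# Constructed pf.conf fragment for a two-port transparent bridge (added example,
# not the poster's or pfSense's own configuration). Assumed layout: em0 faces
# the ISP router, em1 faces the LAN, both are members of bridge0, and FreeBSD
# filters on the member ports rather than on the bridge pseudo-interface:
#   sysctl net.link.bridge.pfil_member=1
#   sysctl net.link.bridge.pfil_bridge=0
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"   # assumed LAN subnet on the far side of the bridge

set skip on bridge0          # no rules evaluated on the bridge interface itself
block log all                # default deny on both member ports, both directions

# pf inspects each member port separately, so a frame entering on em1 and leaving
# on em0 is evaluated twice. Control traffic where it enters a port; let it out.
pass out quick on { $ext_if $int_if } keep state

# DHCP is the classic bridge gotcha: a client's DISCOVER is sent from 0.0.0.0:68
# to 255.255.255.255:67, so a "from $lan_net" rule never matches it, and the
# OFFER returns from port 67 to port 68 (often still to the broadcast address),
# so it matches no existing state either. Pass both legs explicitly, stateless.
pass in quick on $int_if proto udp from any port 68 to any port 67 no state
pass in quick on $ext_if proto udp from any port 67 to any port 68 no state

# Everything else from the LAN passes statefully; the replies coming back in on
# em0 match the states created on the way out, so they need no rule here.
pass in quick on $int_if inet from $lan_net to any keep state

# Unsolicited traffic arriving from the router side stays blocked by the default
# deny, except what is allowed explicitly, e.g. ping for diagnostics.
pass in quick on $ext_if inet proto icmp icmp-type echoreq
```

    The same two settings appear in pfSense under System > Advanced > System Tunables, and the equivalent rules are entered on each member interface's tab rather than on the bridge.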



  • I have no knowledge on the subject, but I would find it strange that you can't shape in bridge mode. This would make sense if stateful-firewalling was disabled, because you NEED states to track to which queue a packet belongs, but you can still do firewalling while in bridge mode.



  • Traffic shaping doesn't work when applied to a bridge interface

    https://redmine.pfsense.org/issues/4405