transparent bridge firewall with seperate management-port

  • Hello everybody,

    I'm currently trying to secure some servers in a small server room from the rest of the LAN with pfSense via a transparent firewall. The firewall itself should have an extra MGMT port, which is connected to the switch "behind" the firewall and is secured by itself:

    Bild Text

    The IP network in front of and behind the firewall is the same. The firewall WAN and LAN ports have been configured as a bridge, both have no IP assigned.
    The MGMT port of the firewall has an IP of the local LAN.

    First question is if this configuration is possible at all?
    I think the switch behind the firewall does not like the constellation. Unfortunately, I have no access to the management of the switch and can not control anything, but I would currently suspect that there is a loop between the bridge-LAN-port and the MGMT port.

    Thank you very much for your help!

  • What device are you running pfsense on?

    "The firewall itself should have an extra MGMT port, which is connected to the switch "behind" the firewall and is secured by itself" - I don't understand this part. How is it connected?

  • Unless you can get management rights to the switch and the switch is VLAN capable I don't see how you could achieve what you want.

    I would just dedicate a NIC (what you now have as default LAN would be a good choice, move your bridge to be between WAN and OPT1) to the MGMT network and leave it unconnected anywhere in your systems, plug in a laptop or whatever when you need to administer your pfSense.

  • Rebel Alliance Developer Netgate

    The best solution is for your management address to be on a different network than anything touching the bridge (different L2, different subnet).

    If you must have it the way you describe, then your LAN, WAN, and MGMT interfaces would all be part of the bridge and MGMT should actually be the bridge0 interface and not a separate physical port. There is no need for a separate port if it's on the same network as the bridge, and you'd actually be making an L2 loop of sorts by doing so.

  • Hi,
    thx for your replies so far!
    @gboone the Firewall will probably run on an one U server with a Xeon E5-2637 and 16 GB of RAM;

    @kpa a special VLAN or similar for the MGMT interface is unfortunately not possible; furthermore should the MGMT be accessible all the time from the Offie-LAN;

    @jimp sadly I think I did produce the L2 loop which caused a lot of trouble with my network admin :/

    the goal should be a complete transparent firewall between the Office- and the Server-Room-LAN with filtering rules;
    furthermore should the firewall be manageable from the Office-LAN all the time;
    I don`t need the MGMT-Interface necessarily wether I anyway can manage the firewall from the Office-LAN
    I think the main problem is that on both sides of the firewall I have the same VLAN and IP-Network which I'm not able to change...

  • pfSense might be able to do what you're asking... but IMHO, the real solution is to buy a managed switch and apply ACL to each port connected to the server closet. I don't think it's possible to do what you're asking unless you can manage the server closet switch.

    If you're willing to put all the server room machines into a different IP subnet, a large number of options will open up to solving your problem.

  • If I wanted to realize a transparent firewall with pfSense, what is the "regular" way to do this? Without the MGMT-Port in the example above.

    I "merge" the WAN- and LAN-Port without any IP-Adresses into a bridge-port and set up the firewall-rules for this bridge.
    So the two networks with the same IP-Subnets should be separated and access should be filtered by the firewall-rules.
    But how do I connect to the management section of the firewall in this szenario?