Bridge WAN VIP to Interface Guidance



  • Hi, I would appreciate some guidance before going down the rabbit hole :)

    I need to set up a Cisco router in my network. The router needs to be:
    a) plugged into one of my pfsense appliance NIC ports, b) allocated one of my WAN VIPs and c) be filtered by my firewall.

    My network comprises a dedicated pfsense appliance acting as the gateway, NAT, router, VLANs, OVPN server, firewall etc. Until now I have not needed another router, just some chunky edge switches.

    My internet connection WAN connection comprises a main IP and several VIPs. My pfs firewall appliance has 6 physical NIC ports of which 3 are used (WAN, LAN and DMZ, each allocated an interface). I also have several VLANs with their own allocated interface.

    My objective now is to add a Cisco router behind the pfs firewall but allocate it one of the VIPs, i.e. no NAT. I also wish this interface to be subject to its own pfs firewall rules. The router will be used for an entirely new subnet without impacting the existing subnets/VLANs, VIPs etc.

    Based on my research so far, I am guessing the solution is to use a bridge as follows:

    1. Create a new interface ('Cisco') in pfs and allocate one of the unused physical NIC ports - connect this to Cisco Router.
    2. In pfs, create a new bridge interface comprising the WAN + Cisco interfaces, as part of the bridge.
    3. Edit the new bridge interface, and in particular, add the applicable VIP as the static IP4 address.
    4. Edit the tunables (net.link.bridge.pfil_bridge) to allow packet filtering of the bridge interfaces.
    5. Open the firewall as required.

    Have I missed something?
    Will adding the WAN to the bridge affect my other traffic (e.g. my other VIPs etc.)?
    I presume editing the 'tunables' is what gives me the firewall tab to apply rules to the bridge? Or do I just edit the Cisco and/or WAN rules as per normal?

    Thanks for your assistance!



  • OK, some progress but mostly not. The main issue seems to be how to deal with the virtual IP.

    If the applicable VIP is added to pfsense list of VIPs, I get two duplicate hosts in the ARP table, one with the WAN's MAC address, and one with the Cisco router. If I remove the VIP from pfs, I lose both hosts in the ARP table.


  • LAYER 8 Netgate

    There is no VIP. The address should only exist on the Cisco.

    My internet connection WAN connection comprises a main IP and several VIPs.

    Are the VIPs routed to you or are they just more addresses on the WAN interface network?



  • The IPs (1+4 for 5 in total) are all provisioned by the ISP. This is how it was communicated to me (actual IP obscured):

    Yes. The Subnet Mask is as follows:
    Gateway: 203.59.a.bcd = / 255.255.255.255
    IP Range: 203.59.e.fgh/255.255.255.252

    If I allocate the second group as VIPs in pfs, they all show up with the same MAC address (per ARP table on pfs). The Cisco router also suddenly provisions one of the same VIPs (x1) in duplicate with its own MAC addresses. It (Cisco box) then spits out a warning that two duplicate IPs are on the subnet.

    It appears that pfs blocks these other IPs unless they are listed as VIPs. This seems odd as the WAN is bridged with the Cisco box so I had presumed it (Cisco) would see the broadcasts, but it appears that they are not unless the VIP is listed in pfs. I am wondering whether I need to add another gateway for this Cisco VIP?


  • LAYER 8 Netgate

    A 255.255.255.252 netmask is only a /30.

    Please send the actual addresses in a chat. That makes zero sense and it's impossible to help you without knowing what they actually are.

