Netgate Discussion Forum

    Bridge WAN VIP to Interface Guidance

    HA/CARP/VIPs
    mgbolts

      Hi, I would appreciate some guidance before going down the rabbit hole :)

      I need to set up a Cisco router in my network. The router needs to be:
      a) plugged into one of my pfsense appliance NIC ports, b) allocated one of my WAN VIPs and c) be filtered by my firewall.

      My network comprises a dedicated pfsense appliance acting as the gateway, NAT, router, VLANs, OVPN server, firewall etc. Until now I have not needed another router, just some chunky edge switches.

      My internet WAN connection comprises a main IP and several VIPs. My pfs firewall appliance has 6 physical NIC ports of which 3 are used (WAN, LAN and DMZ, each allocated an interface). I also have several VLANs with their own allocated interface.

      My objective now is to add a Cisco router behind the pfs firewall but allocate it one of the VIPs, i.e. no NAT. I also wish this interface to be subject to its own pfs firewall rules. The router will be used for an entirely new subnet without impacting the existing subnets/VLANs, VIPs etc.

      Based on my research so far, I am guessing the solution is to use a bridge as follows:

      1. Create a new interface ('Cisco') in pfs and allocate one of the unused physical NIC ports - connect this to Cisco Router.
      2. In pfs, create a new bridge interface comprising the WAN + Cisco interfaces, as part of the bridge.
      3. Edit the new bridge interface, and in particular, add the applicable VIP as the static IP4 address.
      4. Edit the tunables (net.link.bridge.pfil_bridge) to allow packet filtering of the bridge interfaces.
      5. Open the firewall as required.

      Have I missed something?
      Will adding the WAN to the bridge affect my other traffic (e.g. my other VIPs etc.)?
      I presume editing the 'tunables' is what gives me the firewall tab to apply rules to the bridge? Or do I just edit the Cisco and or WAN rules as per normal?

      Thanks for your assistance!

      mgbolts

        OK, some progress but mostly not. The main issue seems to be how to deal with the virtual IP.

        If the applicable VIP is added to pfsense list of VIPs, I get two duplicate hosts in the ARP table, one with the WAN's MAC address, and one with the Cisco router. If I remove the VIP from pfs, I lose both hosts in the ARP table.

        Derelict (Netgate)

          There is no VIP. The address should only exist on the Cisco.

          > My internet WAN connection comprises a main IP and several VIPs.

          Are the VIPs routed to you or are they just more addresses on the WAN interface network?

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          mgbolts

            The IPs (1+4 for 5 in total) are all provisioned by the ISP. This is how it was communicated to me (actual IP obscured):

            Yes. The Subnet Mask is as follows:
            Gateway: 203.59.a.bcd = / 255.255.255.255
            IP Range: 203.59.e.fgh/255.255.255.252

            If I allocate the second group as VIPs in pfs, they all show up with the same MAC address (per ARP table on pfs). The Cisco router also suddenly provisions one of the same VIPs (x1) in duplicate with its own MAC address. It (Cisco box) then spits out a warning that two duplicate IPs are on the subnet.

            It appears that pfs blocks these other IPs unless they are listed as VIPs. This seems odd as the WAN is bridged with the Cisco box, so I had presumed it (Cisco) would see the broadcasts, but it appears that it does not unless the VIP is listed in pfs. I am wondering whether I need to add another gateway for this Cisco VIP?

            Derelict (Netgate)
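            The two posts above both describe the same symptom: one address appearing in the pfSense ARP table with two different MAC addresses (the WAN NIC's and the Cisco's), which is exactly the duplicate-IP condition the Cisco warns about. The script below is an added example, not code from this thread or from pfSense; it parses the FreeBSD `arp -an` output that pfSense produces, reports any IP that is bound to more than one MAC, and separately lists which IPs share a MAC (VIPs on one NIC legitimately do). The sample ARP lines, the 203.0.113.0/24 documentation addresses, the em0/em3 interface names and the 00:00:5e:00:53:xx MACs are all constructed for the example.

```python
"""Spot duplicate IP-to-MAC bindings in a FreeBSD/pfSense `arp -an` dump.

Added example: the parser assumes the FreeBSD `arp -an` line layout, e.g.
  ? (203.0.113.10) at 00:00:5e:00:53:aa on em0 expires in 1180 seconds [ethernet]
All addresses, MACs and interface names below are constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict

# One `arp -an` entry: hostname (or "?"), IP in parentheses, MAC or
# "(incomplete)", then the interface the entry was learned on.
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}|\(incomplete\)) on (?P<iface>\S+)",
    re.IGNORECASE,
)

# Constructed sample: 203.0.113.10 is answered by two different MACs on two
# interfaces, which is the duplicate-host condition described in the thread.
SAMPLE_ARP = """\
? (203.0.113.1) at 00:00:5e:00:53:01 on em0 expires in 1190 seconds [ethernet]
? (203.0.113.10) at 00:00:5e:00:53:aa on em0 permanent [ethernet]
? (203.0.113.10) at 00:00:5e:00:53:bb on em3 expires in 1100 seconds [ethernet]
? (203.0.113.11) at 00:00:5e:00:53:aa on em0 permanent [ethernet]
? (203.0.113.12) at (incomplete) on em0 expired [ethernet]
"""


def parse_arp(text):
    """Return a list of (ip, mac, iface) tuples; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["iface"]))
    return entries


def find_conflicts(entries):
    """Map each IP that resolves to more than one MAC to its sorted (mac, iface) pairs."""
    macs_by_ip = defaultdict(set)
    for ip, mac, iface in entries:
        if mac != "(incomplete)":  # unresolved entries carry no MAC to compare
            macs_by_ip[ip].add((mac, iface))
    return {ip: sorted(pairs) for ip, pairs in macs_by_ip.items() if len(pairs) > 1}


def group_by_mac(entries):
    """Map each MAC to the sorted list of IPs it answers for (VIPs on one NIC share a MAC)."""
    ips_by_mac = defaultdict(set)
    for ip, mac, _iface in entries:
        if mac != "(incomplete)":
            ips_by_mac[mac].add(ip)
    return {mac: sorted(ips, key=ipaddress.ip_address) for mac, ips in ips_by_mac.items()}


if __name__ == "__main__":
    table = parse_arp(SAMPLE_ARP)
    for ip, pairs in find_conflicts(table).items():
        print(f"CONFLICT {ip}: " + ", ".join(f"{mac} on {iface}" for mac, iface in pairs))
    for mac, ips in group_by_mac(table).items():
        print(f"{mac} answers for {', '.join(ips)}")
```

            On a live box the input would come from `arp -an` (or the Diagnostics > ARP Table page) rather than the embedded sample. A conflict for the Cisco's address confirms the point made later in the thread: the same IP must not be configured both as a pfSense VIP and on the router, otherwise both hosts answer ARP for it.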

              A 255.255.255.252 netmask is only a /30.

              Please send the actual addresses in a chat. That makes zero sense and it's impossible to help you without knowing what they actually are.

