pfsense disabling firewall for one specific ip



  • I need to configure one machine so it doesnt use my FIREWALL , and instead of assigning 192.168.1.x to my machine can I define public ip address to that machine, if yes then how you think i can setup pfsense to allow access so it doesn't use any firewall, just open traffic



  • Get a switch.
    Plug the WAN cable into it instead of pfSense.
    Connect pfSense and the specific machine to the switch.



  • Thanks but I was hoping to see if that's doable within pfsense to just simply bypass all firewall even with 192.168.1.x ip



  • Yes, it's also possible to allow anything. But if you want to use a public IP on that machine which is part of a the WAN's subnet, you cannot connect that machine to your LAN.
    You may connect it to a separate interface and bridge it to WAN. This way you are still able to control access if you want.



  • Could you please guide me how I can use that virtual IP so it can bypass the firewall completely any incoming and outgoing traffic must on that machine must bypass firewall.



  • If you want to keep it behind pfSense why don't you want to go with NAT?
    If the machine should get a public IP and bypass the firewall, why don't you connect it to WAN?

    Do you have multiple public IPs or a public subnet?



  • I am using vmware, and my concern is if I setup dedicated machine to go on with WAN, it's another hardware I've to worry about, instead just use vmware and setup the VM to just bypass the firewall, as I dont like firewall on VOIP, it will work fine one day next day there's some voice issue or some other crap.



  • And your pfSense is also a VM or is it dedicated?



  • pfsense is dedicated machine, as I dont like vm firewall just my thing



  • You're making life difficult for yourself with some of your choices. If you had pfSense virtualized, this would be simple.

    As far as I know, you can enable or disable pf entirely, but not selectively.



  • So you want to make an internal machine accessible from the internet and bypassing all firewall rules?
    Consider that this is a potentially security risk.

    A bit more secure is to set up vLAN between pfSense and ESXi and connect that VM exclusively to that vLAN. However, I don't know, how to set this up in ESXi. I had it already done on Linux with KVM, that's working fine.


  • LAYER 8 Global Moderator

    @viragomann said in pfsense disabling firewall for one specific ip:

    Do you have multiple public IPs or a public subnet?

    You have not answered the most important question asked!! If you do not have more than 1 public IP what your asking is just not possible.

    If you want to to expose some box to the internet, then just use 1:1 nat and there you go - done!



  • At this point, we're not even clear on what problem he's really trying to solve. No big picture.


  • LAYER 8 Global Moderator

    I doubt he even knows what he is trying to do - make no sense.. and is utterly pointless in the big picture. Unless some public netblock is routed to you. trying to expose box A to the public internet with a public IP.

    Exposing any host in any situation to the public internet is a mistake anyway. Atleast if "routed" you could still firewall it behind pfsense, etc. 1:1 nat you can firewall it as well..

    But unless he can explain the reasoning behind this - just put it on a rfc1918 address and port forward the traffic you need = DONE!



  • @johnpoz I've a block of 50



  • OK good. That's a start. Now what are you trying to accomplish that requires what you are describing?


  • LAYER 8 Global Moderator

    You have a block of 50 IPs?? so part of a /26? Seems ODD number to give someone... And with such an odd number its not actually routed to you... So your just attached.

    If that is the case then the solution of a switch and putting the box in front of pfsense is your best solution.

    I would just use the IPs you want out of your 50 as VIPs and do 1:1 NAT to boxes behind that you want all traffic to go to.



  • @johnpoz I've multiple public IP's, I just need one local ip which I setup as ONE TO ONE NAT to bypass my firewall, I appreciate all your quick responses but it seems like it's a joke to some people, I am switching from FortiGate 900D



  • It's not a joke but we can't figure out why you insist on doing it that way, and you refuse to explain what you're trying to do despite several requests.


  • LAYER 8 Global Moderator

    @sbwcws said in pfsense disabling firewall for one specific ip:

    ONE TO ONE NAT to bypass my firewall,

    Then create an any any firewall rule - its that simple.. there will be nothing blocked.. Just natted.

    If you don't want it natted at all - then connect the device in front of your pfsense and give it your public IP..

    But I am with KOM here - you have not provide any info at all to why anyone would want/need to do such a thing. So to be honest it doesn't even peak my interest enough to think through how could be possible, if at all.. You could always get support direct from netgate/pfsense - with such a large deployment and moving away from fortigate sounds like enterprise level shit, have to assume you have a support contract with netgate ;)

    You might be able to do some hackery shit with a bridge, etc. But yeah it would be messy!



  • Thanks consider this resolved.



  • 20 replies later and we still don't know what the original problem was, nor the solution used.



  • @KOM You might need to scroll up..



  • @johnpoz said in pfsense disabling firewall for one specific ip:

    @sbwcws said in pfsense disabling firewall for one specific ip:

    ONE TO ONE NAT to bypass my firewall,

    Then create an any any firewall rule - its that simple.. there will be nothing blocked.. Just natted.

    If you don't want it natted at all - then connect the device in front of your pfsense and give it your public IP..

    But I am with KOM here - you have not provide any info at all to why anyone would want/need to do such a thing. So to be honest it doesn't even peak my interest enough to think through how could be possible, if at all.. You could always get support direct from netgate/pfsense - with such a large deployment and moving away from fortigate sounds like enterprise level shit, have to assume you have a support contract with netgate ;)

    You might be able to do some hackery shit with a bridge, etc. But yeah it would be messy!

    Thanks



  • @viragomann said in pfsense disabling firewall for one specific ip:

    If you want to keep it behind pfSense why don't you want to go with NAT?
    If the machine should get a public IP and bypass the firewall, why don't you connect it to WAN?

    Do you have multiple public IPs or a public subnet?

    Thanks


Log in to reply