Simple transparent bridge between WAN and LAN, how?
-
My pfSense firewall machine has only two ethernet ports, one WAN and one LAN. The WAN side is connected to a Comcast routing modem with an internal DHCP server that serves IPs in 10.1.10.0/24, which in turn is connected to the public Internet. I have installed the basic routing pfSense configuration, which is working, and have enabled administrative (web configurator) access from the WAN side. Currently the WAN side gets its IP via DHCP from the Comcast router, and I would prefer to keep that and not assign one of my limited pool of static IPs (only 5 available) to the firewall.
I need to configure the firewall as a bridge so that hosts with static IPs on the LAN side (web / reflector server, Bugzilla server) are visible on the WAN side, subject to the firewall filtering rules.
I have spent a few days searching the Internet for answers. Everything I have seen describes configuring multiple LAN ports as a bridge to build a LAN switch, which isn't what I need. The only real thing I need is that the hosts on the LAN side with static IPs are visible on the WAN side subject to the firewall filtering rules. I have followed all the instructions for creating a bridge with LAN and WAN members, configuring, and enabling it. I have been unable to get those LAN-side static IPs to be visible on the WAN side.
I would expect that workstations on the LAN side that get their IPs via DHCP would reach through the firewall and get their IPs from the Comcast router, but even that isn't necessary; if the workstations get their IPs from pfSense that's OK too. I just need those static IPs to be visible.
Can anyone provide some pointers to some documentation that describes how to do that, that I haven't been able to find? As I said everything I've seen so far describes building a switch out of multiple LAN ports which isn't what I need.
Thanks...
-
A lot to unpack here.
It seems unusual that you've got public IPs from Comcast but they're not routing them to you and instead you have this NATing router. You don't want it doing NAT -- you want the modem bridged to your WAN.
I need to configure the firewall as a bridge so that hosts with static IPs on the LAN side (web / reflector server, Bugzilla server) are visible on the WAN side, subject to the firewall filtering rules.
Is there a specific reason you want it this way? Usually, people will add the static IPs as Virtual IP - IP Aliases, and then port-forward the IP alias to the LAN server.
I'm sure you've seen the Netgate bridging document, but it doesn't have anything specific to your issue.
https://docs.netgate.com/pfsense/en/latest/book/bridging/index.html
-
@KOM said in Simple transparent bridge between WAN and LAN, how?:
It seems unusual that you've got public IPs from Comcast but they're not routing them to you and instead you have this NATing router.
Comcast provides both. They provide me with 5 static IPs and also a NAT connection capability in 10.1.10.0/24, all through the same router and the same physical ethernet connection. The web/reflector/Bugzilla servers use static IPs and everything else on the LAN uses DHCP.
I need to configure the firewall as a bridge so that hosts with static IPs on the LAN side (web / reflector server, Bugzilla server) are visible on the WAN side, subject to the firewall filtering rules.
Is there a specific reason you want it this way? Usually, people will add the static IPs as Virtual IP - IP Aliases, and then port-forward the IP alias to the LAN server.
Hmmm... OK, that would be fine. All I need is for someone in the Great Out There to plug "www.my_awesome_website.org" into their browser and connect to my static-IP'd web server on the LAN side of my firewall. However that can be made to happen is fine by me.
I'll start googling "virtual IP" and "IP aliases" but if you can offer a pointer to a good place to start reading that would be much appreciated.
Thanks...
-
https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-address-feature-comparison.html
https://docs.netgate.com/pfsense/en/latest/nat/forwarding-ports-with-pfsense.html
https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html
-
Thanks, KOM. I am thoroughly confused and lost. I read through those links and everything else I could find in the Netgate documentation and elsewhere. I might have port forwarding sort of more or less figured out (except for ranges of ports which aren't being accepted), and there is much information about what virtual IPs and IP aliases are and what they're capable of doing, but so far nothing on how to set them up in pfSense.
If there are any tutorials for us beginners I'm hoping they might yield some guidance.
-
You will find Virtual IPs under the Firewall menu. Add one of type IP Alias and configure like this:
Interface: WAN
Address type: Single address
Address(es): One of your public IP addresses
That's it. Leave everything else at defaults. Now you can create a NAT port-forward. For Destination, pick the Virtual IP you just created. Specify the LAN IP to be redirected to via Redirect target IP.
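As an added illustration (not from this thread and not pfSense's own generated rules.debug), here is roughly what the two GUI steps above, an IP Alias VIP on WAN plus a port forward to a LAN host, amount to in pf terms. The interface names em0/em1, the public address 203.0.113.10 and the forwarded ports are assumptions; 192.168.200.10 is a placeholder for the LAN server.

```pf
# Hand-written pf sketch of the VIP + port-forward setup (assumed values).
ext_if = "em0"              # WAN, gets its own address by DHCP from the Comcast router
int_if = "em1"              # LAN
vip    = "203.0.113.10"     # Virtual IP of type "IP Alias" bound to WAN (assumed)
web    = "192.168.200.10"   # LAN server the traffic is redirected to
ports  = "{ 22, 80, 443 }"  # only the services that must be reachable

# The IP Alias VIP makes the firewall answer for the public address on the
# WAN segment (equivalent of: ifconfig em0 alias 203.0.113.10 netmask 255.255.255.255).

# Port forward: rewrite the destination of inbound connections to the LAN host.
# Without an explicit "port" after "->" the original destination port is kept.
rdr on $ext_if inet proto tcp from any to $vip port $ports -> $web

# Filter rules are evaluated after translation, so the associated pass rule
# must permit traffic to the *redirected* LAN address, not to the VIP itself.
pass in quick on $ext_if inet proto tcp from any to $web port $ports keep state

# Everything else arriving on WAN stays blocked (pfSense's default), so only
# the forwarded ports are exposed; logging helps when troubleshooting the forward.
block in log on $ext_if
```

Because the pass rule is checked against the post-translation address, a forward that "does not work" with the VIP as the rule destination is a common symptom; in the pfSense GUI the associated filter rule is created for you when the port forward is added.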
-
Thanks, KOM. I have had some success and am able to access a machine on the LAN side of the firewall from the WAN side using the static IP.
My test machine (the workstation on the LAN side that runs a test web server) is a VirtualBox virtual machine running CentOS 7.6 that I installed fresh for this purpose. It gets its IP from the pfSense DHCP server as 192.168.200.10, which is aliased to one of my available static IPs as you describe. I have ports 80, 443, and 22 forwarded, and they all work.
There is one thing I learned after several hours of beating my head against the wall, which might help any other newbies trying to get this to work...
DON'T FORGET TO TURN OFF THE #%$%$& FIREWALL ON THE LINUX WORKSTATION ON YOUR LAN!!! or the equivalent (Windows firewalls?) on whatever else you're using as a workstation on your LAN. :-(
CentOS 7.6 (and I suspect most Linux distros) installs iptables or firewalld by default, and turns it on with a default set of rules. If you installed it as a workstation rather than a server, the default rules block server stuff. So, all my attempts were getting through the pfSense firewall just fine, only to be blocked by the Linux firewall in the workstation VM on the LAN. I went in there and said "sudo service firewalld stop" and by magic, everything started to work.
Yeah, I know, this should be obvious. It totally got past me. :-(
So for now I think I'm all set, until the next roadblock :-). Thanks for all your help.