bridging
-
Bridging
I have a LAN network with devices with all the same all ip address range ( same subnet) going to be attached to the pfsense firewall how can i configure pfsense to route traffic to the outside world . There is no wan interface with a different subnet.THus you need bridging as all IP addresses are on the same subnet.
How is this done as seen in the diagram below
-
how can i configure pfsense to route traffic to the outside world
You can't. In that scenario, WAN and LAN in the same subnet, pfSense does not route it simply passes at layer 2.
You can bridge the interfaces to make a transparent firewall.
https://docs.netgate.com/pfsense/en/latest/book/bridging/index.html#internal-external-bridgesYou should avoid that though if you can. Far better to pass your public IP to the pfSense WAN and route the traffic there.
Steve
-
stephen,
thanks for your email
where do i start from here
Can you explain the procedures involved - Please can you elaborate
"You should avoid that though if you can. Far better to pass your public IP to the pfSense WAN and route the traffic there."
Do you mean Create a Lan or Wan interface with the ip address of the switch and network subnet as network
I dont understand this internal /external bridge thing -
Instead of inserting pfSense into the connection as you show in the diagram what you should be doing is replacing the Ziggo router with pfSense.
However that may not be possible directly if that device is also your modem?
In that case the next best thing is to put the Ziggo into modem mode or bridge mode so it just passes a public IP to pfSense directly.
Steve
-
steve
Thanks for your quick reply
This is my first time with pfsense (beginner)
Please can you explain the steps involved if i have to establish bridging on the firewall for the ip to pass through we don,t have management of the router we can only connect to it -
Are the servers on your LAN externally accessible?
If not you could just double NAT and a different subnet on WAN and LAN. It means pfSense doesn't see most of the incoming external traffic and you are still limited by the existing router but it's much easier to configure.
What subnet are you using internally currently?
Steve
-
hello
Thanks for your email
we have a 213.124.x.x subnet
My question is that if i replace the Ziggo router with an ISP router connected to my firewall which is also connected to my switch what do i need to do
Do i first set up a LAN interface with this internal address and then later use bridging to bridge it
Please just be a bit elaborate if possible point to the menu in the firewall -
So you have a public subnet on your servers directly?
-
This is just like us connecting to a datacenter which gives you all the same subnet with all the ip addresses in that subnet.
The questions how do we connect to the internet or outside world thru our firewall with a bunch of Ip address in the same subnet
Yes that is the subnet from the router which we don't have admin access to
Do we create a LAN interface with a LAN network and create a bridge .
I would be grateful if you can explain the steps in PFsenseThanks
-
You should be able to get that subnet routed to your firewall via some other IP to set this up correctly.
But otherwise you need to create a bridge containing the internal and external interfaces. I would then assign the the bridge interface itself and put an IP on that. You can only have an IP on one of the interfaces in the bridge.
You will probably want some out of band access via a different interface when you set this up as it's very easy to end up shut out of the firewall configuring a bridge from one of the interfaces in it.Steve
-
what do you mean by this
"You should be able to get that subnet routed to your firewall via some other IP to set this up correctly." how do i set this up correctly (new to pfsense)
Also "But otherwise you need to create a bridge containing the internal and external interfaces. * we dont have an external interface here as it is the ziggo router from the Telephone provider which we do not have access to
"I would then assign the the bridge interface itself and put an IP on that. You can only have an IP on one of the interfaces in the bridge."
does this mean one ip address for the internal interface of the bridge
"You will probably want some out of band access via a different interface when you set this up as it's very easy to end up shut out of the firewall configuring a bridge from one of the interfaces in it." How do i set this up -
i saw this does this ring a bell to you
https://community.adamnet.works/hc/en-us/articles/115002725594-Running-on-a-Transparent-pfSense-Bridge
-
Any more ideas i have not heared from you for a while
-
The steps in that guide will work OK. I would not move filtering to the bridge I prefer to see the rules on the incoming interfaces.
I would still want some out of band access though to avoid getting locked out of the device while you configure it. It will almost inevitably happen!
Steve
-
@stephenw10 said in bridging:
I would still want some out of band access though to avoid getting locked out of the device while you configure it. It will almost inevitably happen!
hello
Can you explain by out of bound access and also which device the firewall or switch
-
https://en.wikipedia.org/wiki/Out-of-band_management
When you configure the firewall if you are accessing it across one the two interfaces you are trying to bridge you will almost certainly get locked out of it during the process. You should have some other way of accessing it like using the console directly or a 3rd NIC connected for management.
Steve
-
Thanks a lot i now understand it probably thru the console
I also discovered in the link https://community.adamnet.works/hc/en-us/articles/115002725594-Running-on-a-Transparent-pfSense-Bridge
It uses the mac address of both the WAN and LAN interface rather than ip address when assigning the LAN and WAN interface to the BRidge
This has to be tested before knowing if it works
