Transparent Bridge mode in Data center with two public subnets
vertico last edited by vertico
I recently tried to set up a Netgate SG-1100 with the latest pfSense in transparent bridge mode.
I followed this guide:
This is a rack in a data center with the data center router assigning my cabinet two public IP subnets 162.244.XX.XXX/26 and 192.30.XXX.XXX/26
I bridged WAN to OPT1 and left the LAN port as a local management port.
Per the guide I referenced I assigned the bridge interface a public IP address from the 162.244.XX.XXX/26 subnet so that I can manage the device externally.
I disabled NAT, changed "net.link.bridge.pfil_bridge" to a value of 1, and also changed "net.link.bridge.pfil_member" to a value of 0.
For initial setup, I set a rule on the bridge interface to pass all traffic.
All of my servers in my rack have public IPs from one of these two subnets, and the problem I am running into is that the servers that are on 192.30.XXX.XXX/26 are unable to send traffic outbound. Servers that are on the 162.244.XX.XXX/26 (which is the same subnet assigned to the bridge interface) are communicating without issue.
I was wondering if I should have assigned the public IP for pfSense to the WAN interface instead of to the bridge, and whether that would correct the issue?
I'll also add my goal here is to simply be able to monitor traffic and apply manual filters to certain IPs. Most of my internal servers belong to my customers so I need to pass 95% of traffic to the open internet.
Please let me know what you think, thank you in advance.
dotdash last edited by
I set up a similar system years ago, which is still running. That one only has a single subnet passing through it, but here are some notes on the config.
Tunables set the same as yours. I eliminated the LAN and bridged all ports. Physical interfaces are set to enabled with no config. Bridge has a public IP and no gateway set. No rules on any interface except for the bridge. OB NAT set to manual with all rules deleted. Scrub is disabled, but that may have been when troubleshooting an issue. Box is placed physically between the ISP handoff and the hosted systems. Configuration on the hosted systems was unchanged: they point to the IP of the ISP's device.
Do you see any blocked traffic?
Make sure your rules do not reference, for example, WANnet which no longer exists.
Do you see traffic for 192.30 arriving at the WAN if you run a pcap there and ping it externally?
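As an added example (not from either post, and not pfSense's own tooling), here is a small Python script that audits a pfSense config.xml backup for the points raised in both posts above: the two net.link.bridge tunables, outbound NAT disabled, bridge members carrying no address of their own (dotdash's layout), and leftover rules that still reference "WAN net" or "WAN address", which expand to nothing once WAN is an unaddressed bridge member. The config.xml element names (`<sysctl><item><tunable>`, `<nat><outbound><mode>`, `<bridges><bridged><members>`, `<source><network>wan</network>`) are assumed from pfSense's export format; the embedded sample config is constructed, uses RFC 5737 test addresses in place of the poster's masked subnets, and has made-up device names.

```python
"""Audit a pfSense config.xml for the transparent-bridge settings discussed in the thread."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample config.xml (not a real export). Only the elements the audit
# reads are present; 198.51.100.0/26 stands in for the poster's masked bridge subnet.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <sysctl>
    <item><tunable>net.link.bridge.pfil_bridge</tunable><value>1</value></item>
    <item><tunable>net.link.bridge.pfil_member</tunable><value>0</value></item>
  </sysctl>
  <interfaces>
    <wan><if>mvneta0</if><enable></enable></wan>
    <opt1><if>mvneta2</if><enable></enable></opt1>
    <opt2><if>bridge0</if><enable></enable><ipaddr>198.51.100.10</ipaddr><subnet>26</subnet></opt2>
  </interfaces>
  <bridges>
    <bridged><bridgeif>bridge0</bridgeif><members>wan,opt1</members></bridged>
  </bridges>
  <nat><outbound><mode>disabled</mode></outbound></nat>
  <filter>
    <rule><type>pass</type><interface>opt2</interface>
      <source><any></any></source><destination><any></any></destination>
      <descr>Bridge: pass everything for initial setup</descr></rule>
    <rule><type>block</type><interface>opt2</interface>
      <source><network>wan</network></source><destination><any></any></destination>
      <descr>Leftover rule that still references WAN net</descr></rule>
  </filter>
</pfsense>
"""

# Values the thread uses: filter on bridge0 itself, not on each member interface.
EXPECTED_TUNABLES = {"net.link.bridge.pfil_bridge": "1", "net.link.bridge.pfil_member": "0"}


def load(xml_text):
    return ET.fromstring(xml_text)


def bridge_tunables(root):
    """Return {tunable: value} for every net.link.bridge.* entry under <sysctl>."""
    found = {}
    for item in root.findall("./sysctl/item"):
        name = item.findtext("tunable", "").strip()
        if name.startswith("net.link.bridge."):
            found[name] = item.findtext("value", "").strip()
    return found


def bridge_members(root):
    """Return {bridge interface: [member interface names]} from <bridges>."""
    out = {}
    for br in root.findall("./bridges/bridged"):
        members = [m.strip() for m in br.findtext("members", "").split(",") if m.strip()]
        out[br.findtext("bridgeif", "").strip()] = members
    return out


def members_with_addresses(root):
    """Bridge members that still carry their own IP address (the reference setup leaves them unaddressed)."""
    hits = []
    for br, members in bridge_members(root).items():
        for m in members:
            ip = root.findtext(f"./interfaces/{m}/ipaddr", "").strip()
            if ip:
                hits.append((br, m, ip))
    return hits


def rules_referencing_wan_net(root):
    """Rules whose source or destination is 'WAN net' (network=wan) or 'WAN address' (network=wanip)."""
    hits = []
    for rule in root.findall("./filter/rule"):
        for side in ("source", "destination"):
            net = rule.findtext(f"{side}/network", "").strip()
            if net in ("wan", "wanip"):
                hits.append((rule.findtext("interface", ""), side, net, rule.findtext("descr", "")))
    return hits


def outbound_nat_mode(root):
    # pfSense defaults to automatic outbound NAT when the element is absent.
    return root.findtext("./nat/outbound/mode", "automatic").strip()


def audit(xml_text):
    """Return a list of findings; an empty list means the config matches the thread's bridge setup."""
    root = load(xml_text)
    findings = []
    tunables = bridge_tunables(root)
    for name, want in EXPECTED_TUNABLES.items():
        if tunables.get(name) != want:
            findings.append(f"{name} is {tunables.get(name)!r}, expected {want!r}")
    if outbound_nat_mode(root) != "disabled":
        findings.append(f"outbound NAT mode is {outbound_nat_mode(root)!r}; a transparent bridge should not NAT")
    for br, member, ip in members_with_addresses(root):
        findings.append(f"{member} (member of {br}) still has address {ip}; only the bridge should be addressed")
    for iface, side, net, descr in rules_referencing_wan_net(root):
        findings.append(f"rule on {iface} ({descr!r}) uses {net!r} as {side}; WAN has no address once bridged")
    return findings


if __name__ == "__main__":
    # Usage: python3 bridge_audit.py config.xml   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for line in audit(text) or ["no findings"]:
        print(line)
```

Run it against a backup taken from Diagnostics > Backup & Restore; in the constructed sample the only finding is the leftover block rule whose source is still "WAN net".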