Public IP behind pfsense via bridge



  • Hi,
    I am using pfsense 2.4 with a simple setup with one WAN interface and a public /28 subnet.
    Various internal services within this subnet are accessible via Virtual IPs and Port Forwarding to internal IPs.
    Now I got a VPN box from a customer which needs to be assigned a public IP directly without NAT.
    I thought about realizing this via bridging as described in this scenario:
    https://docs.netgate.com/pfsense/en/latest/book/firewall/methods-of-using-additional-public-ip-addresses.html#single-ip-subnet-on-wan
    pfsense itself has IP a.b.c.2, my public gateway has a.b.c.1, which is configured as the default gateway on pfsense.
    I attached the box to a new interface OPT1 of my pfsense, giving it the IP a.b.c.3.
    I set up a bridge with the member ports WAN and OPT1.
    OPT1 has no own IP config.
    I allowed every traffic on interface OPT1.
    I allowed every traffic to a.b.c.3 on WAN.

    I assumed that now I could access a.b.c.3 from "the internet".
    That does not work.
    Doing a packet capture on OPT1 I see ARP requests for a.b.c.3 coming from the gateway a.b.c.1 without answer.
    Doing a packet capture on the VPN box there are no ARP requests.

    I assigned a new interface called BRIDGE with the network port bridge0 (it's my only bridge).
    I changed the system tunable net.link.bridge.pfil_bridge to 1.
    I allowed every traffic on interface BRIDGE.
    This does not work either.
    I see ARP requests from the gateway on the interface BRIDGE (and the interface OPT1) asking for a.b.c.3, but these are not answered and are not getting through to the VPN box.

    Is there anything I forgot?
    Maybe someone has a hint where I can start to analyze where the problem is?

    Best Regards
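    The capture-based diagnosis in this post (ARP who-has for the bridged address seen on WAN and OPT1, never answered, never seen on the VPN box) can be made mechanical. The following is an added example, not the poster's code or a pfSense tool: it parses `tcpdump -ni <iface> arp` style lines captured on each hop and reports, per interface, which targets were asked for but never answered and how far along the bridge path a request got. The sample lines are constructed; 203.0.113.0/28 stands in for the poster's a.b.c.0/28.

```python
import re
from collections import defaultdict

# Constructed sample: what `tcpdump -ni <iface> arp` prints on pfSense/FreeBSD.
# 203.0.113.1 = upstream gateway, .2 = pfSense WAN address, .3 = bridged VPN box.
# Three captures, taken on WAN, on the OPT1 bridge member, and on the VPN box itself.
SAMPLE_CAPTURE = {
    "wan": """\
10:00:00.000100 ARP, Request who-has 203.0.113.3 tell 203.0.113.1, length 46
10:00:00.000200 ARP, Request who-has 203.0.113.2 tell 203.0.113.1, length 46
10:00:00.000300 ARP, Reply 203.0.113.2 is-at 00:00:5e:00:53:02, length 28
10:00:01.000100 ARP, Request who-has 203.0.113.3 tell 203.0.113.1, length 46
""",
    "opt1": """\
10:00:00.000150 ARP, Request who-has 203.0.113.3 tell 203.0.113.1, length 46
10:00:01.000150 ARP, Request who-has 203.0.113.3 tell 203.0.113.1, length 46
""",
    "vpnbox": "",  # nothing arrives at the box, as the poster observed
}

REQUEST_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at (\S+)")

def arp_summary(capture_text):
    """Count who-has requests and is-at replies per target IP in one capture."""
    requests, replies = defaultdict(int), defaultdict(int)
    for line in capture_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            requests[m.group(1)] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            replies[m.group(1)] += 1
    return dict(requests), dict(replies)

def unanswered_targets(captures):
    """{iface: [ip, ...]} for IPs that were asked for but never replied to on that iface."""
    result = {}
    for iface, text in captures.items():
        requests, replies = arp_summary(text)
        result[iface] = sorted(ip for ip in requests if replies.get(ip, 0) == 0)
    return result

def request_reach(captures, target):
    """Split interfaces (in capture order) into those that saw a who-has for target and those that did not."""
    seen, not_seen = [], []
    for iface, text in captures.items():
        requests, _ = arp_summary(text)
        (seen if requests.get(target, 0) else not_seen).append(iface)
    return seen, not_seen
```

    The interface where `request_reach` switches from seen to not seen is the hop to inspect first; here that is the bridge member OPT1 to the VPN box.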



  • I came to this forum with almost exactly this question, although I haven't tried it, just been thinking about it.
    The only thing I can think of that's missing in your config is this: have you added the a.b.c.3 address as a virtual IP on the WAN interface?

    gr.
    tinus



  • If you already have NAT configured for the others, did you look into 1:1 NAT (https://docs.netgate.com/pfsense/en/latest/book/nat/1-1-nat.html) which forwards all traffic for the public IP to that private IP? Or does the VPN device actually require a public IP address in it?

