Netgate Discussion Forum

Need help creating a transparent firewall

  • M
    mh2112
    last edited by Jun 19, 2020, 12:12 AM

    I've used pfSense for years as a NAT firewall. It's wonderful. Our security policy has changed, and now I need to get rid of NAT. I think pfSense as a "transparent firewall" is what I need.

    I found instructions in a PDF by William Tarrh about how to create a transparent firewall. If you Google for "william tarrh pdf" you'll find them. I tried posting the link here, but the forum software blocked it. Are those instructions still accurate for pfSense version 2.4.5? I ask because I found different instructions here: https://support.adamnet.works/t/running-on-a-transparent-pfsense-bridge/79.

    I don't see detailed instructions in the pfSense docs.

    Anyhow, I followed William Tarrh's PDF. I'm confused about creating the firewall rules and don't have them working. Do I create the inbound rules on the WAN or on OPT1 (the bridge)? For example, how can I enable basic things like DNS, DHCP, and ICMP ping?

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Jun 19, 2020, 2:22 PM

      You may have some terminology confused. A "transparent firewall" does not mean only that it does not NAT.

      If you have a routable subnet and public addresses behind the firewall, you may only need to configure the addresses and disable outbound NAT.

      The only time you need to bridge is if you have to join the WAN and LAN L2 into a single shared network, which is rarely required, often a headache, and almost never the optimal solution.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!
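      As an added illustration of the routed, no-NAT design jimp describes (and of the DNS, DHCP and ICMP rules asked about earlier), here is a hand-written ruleset in the pf syntax that pfSense's packet filter uses. It is not from this thread and not pfSense-generated output; interface names, the documentation-range subnet and the scanner address are placeholders.

      ```pf
      # Constructed example: routed (non-bridged) firewall with no NAT.
      # Interface names and addresses are placeholders, not from this thread.
      wan_if  = "em0"
      lan_if  = "em1"
      lan_net = "203.0.113.0/28"   # routable subnet assigned behind the firewall
      scanner = "198.51.100.10"    # IT's vulnerability scanner (placeholder)

      set skip on lo0

      # Deliberately no "nat on $wan_if ..." line: internal hosts keep their
      # public addresses, so the firewall only filters and routes.

      # Default deny in both directions, logged so blocked probes show up.
      block log all

      # ICMP echo and "unreachable" (PMTU discovery) to the routed subnet.
      pass in on $wan_if inet proto icmp from any to $lan_net icmp-type { echoreq, unreach }

      # The scanner alone gets unrestricted TCP/UDP access to the subnet.
      pass in quick on $wan_if proto { tcp, udp } from $scanner to $lan_net

      # Internal hosts out to the world, stateful (replies return by state).
      pass in  on $lan_if  from $lan_net to any keep state
      pass out on $wan_if  from $lan_net to any keep state

      # DNS resolver on the firewall's own LAN address for internal hosts.
      pass in on $lan_if proto { tcp, udp } from $lan_net to ($lan_if) port 53

      # DHCP: clients send from 0.0.0.0:68 to broadcast:67 before they have
      # an address, so this rule must not restrict the source address.
      pass in on $lan_if proto udp from any port 68 to any port 67
      ```

      If a bridge really were needed, whether rules are evaluated on the member interfaces (WAN/LAN) or on the bridge itself is governed by the FreeBSD tunables net.link.bridge.pfil_member and net.link.bridge.pfil_bridge, set in pfSense under System > Advanced > System Tunables.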

      • M
        mh2112
        last edited by Jun 19, 2020, 2:34 PM

        Thanks for the thoughts, @jimp. Indeed, I am confused.

        In the short term, my WAN and LAN will both be on the same subnet. This means bridging is required, right?

        Long term, I can request another routable subnet for use behind the firewall. Then the WAN and LAN ports will be on different subnets. However, that won't happen quickly since it requires IT approval.

        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Jun 19, 2020, 2:36 PM

          You would be better off waiting until you get the new subnet, otherwise you're going to go through all this pain only to have to rip it out and redo it properly and reassign addresses on all the internal hosts as well.

          What is your goal for having both on the same network? Perhaps there is an alternate solution.


          • M
            mh2112 @jimp
            last edited by Jun 19, 2020, 2:47 PM

            @jimp said in Need help creating a transparent firewall:

            What is your goal for having both on the same network? Perhaps there is an alternate solution.

            I'm no longer allowed to have NAT since it doesn't work with our IT team's security scanning tool (Nessus). I need to provide full access to all formerly NAT'ed hosts.

            Alternatively, I can put a Nessus relay box on my LAN and give IT access through NAT. They can then scan my LAN. However, IT in general is discouraging me from using NAT.

            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Jun 19, 2020, 2:50 PM

              Sounds like they should fast track giving you the new subnet since it's the real solution there. If IT is pressuring you to get rid of NAT, tell them to get rid of NAT you need a routable subnet.


              • M
                mh2112 @jimp
                last edited by Jun 19, 2020, 3:54 PM

                @jimp said in Need help creating a transparent firewall:

                Sounds like they should fast track giving you the new subnet since it's the real solution there. If IT is pressuring you to get rid of NAT, tell them to get rid of NAT you need a routable subnet.

                OK, thanks. That's what I'll do.

                • J
                  jimp Rebel Alliance Developer Netgate
                  last edited by Jun 19, 2020, 3:56 PM

                  You will save yourself hours and hours of wasted time (plus the frustration of dealing with bridges), plus it's more secure since you won't be leaking local L2/broadcast/multicast stuff to the upstream segment.

                  More secure, saves the company/org time and money. :-)


                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by johnpoz Jun 19, 2020, 4:33 PM

                    So they don't want you to NAT, but you can still have a firewall, which you could just block all their scans with anyway ;) Be it transparent or not.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.