Need help creating a transparent firewall

mh2112 · Jun 19, 2020, 12:12 AM

I've used pfSense for years as a NAT firewall. It's wonderful. Our security policy has changed, and now I need to get rid of NAT. I think pfSense as a "transparent firewall" is what I need.

I found [instructions in a PDF by William Tarrh about how to create a transparent firewall. If you Google for "william tarrh pdf" you'll find them. I tried posting the link here, but the forum software blocked it. Are those instructions still accurate for pfSense version 2.4.5? I ask because I found different instructions here: https://support.adamnet.works/t/running-on-a-transparent-pfsense-bridge/79.

I don't see detailed instructions in the pfSense docs.

Anyhow, I followed William Tarrh's PDF. I'm confused about creating the firewall rules and don't have them working. Do I create the inbound rules on the WAN or on OPT1 (the bridge)? For example, how can I enable basic things like DNS, DHCP, and ICMP ping?

jimp · Jun 19, 2020, 2:22 PM

You may have some terminology confused. A "transparent firewall" does not mean only that it does not NAT.

If you have a routable subnet and public addresses behind the firewall, you may only need to configure the addresses and disable outbound NAT.

The only time you need to bridge is if you have to join the WAN and LAN L2 into a single shared network, which is rarely required, often a headache, and almost never the optimal solution.

mh2112 · Jun 19, 2020, 2:34 PM

Thanks for the thoughts, @jimp. Indeed, I am confused.

In the short term, my WAN and LAN will both be on the same subnet. This means bridging is required, right?

Long term, I can request another routable subnet for use behind the firewall. Then the WAN and LAN ports will be on different subnets. However, that won't happen quickly since it requires IT approval.

jimp · Jun 19, 2020, 2:36 PM

You would be better off waiting until you get the new subnet, otherwise you're going to go through all this pain only to have to rip it out and redo it properly and reassign addresses on all the internal hosts as well.

What is your goal for having both on the same network? Perhaps there is an alternate solution.

mh2112 · Jun 19, 2020, 2:47 PM

@jimp said in Need help creating a transparent firewall:

What is your goal for having both on the same network? Perhaps there is an alternate solution.

I'm no longer allowed to have NAT since it doesn't work with our IT team's security scanning tool (Nessus). I need to provide full access to all formerly NAT'ed hosts.

Alternatively, I can put a Nessus relay box on my LAN and give IT access through NAT. They can then scan my LAN. However, IT in general is discouraging me from using NAT.

jimp · Jun 19, 2020, 2:50 PM

Sounds like they should fast track giving you the new subnet since it's the real solution there. If IT is pressuring you to get rid of NAT, tell them to get rid of NAT you need a routable subnet.

mh2112 · Jun 19, 2020, 3:54 PM

@jimp said in Need help creating a transparent firewall:

Sounds like they should fast track giving you the new subnet since it's the real solution there. If IT is pressuring you to get rid of NAT, tell them to get rid of NAT you need a routable subnet.

OK, thanks. That's what I'll do.

jimp · Jun 19, 2020, 3:56 PM

You will save yourself hours and hours of wasted time (plus the frustration of dealing with bridges), plus it's more secure since you won't be leaking local L2/broadcast/multicast stuff to the upstream segment.

More secure, saves the company/org time and money. :-)

johnpoz · Jun 19, 2020, 4:33 PM

So they don't want you to nat, but you can still have a firewall.. Which you could just block all their scans with anyway ;) Be it transparent or not.