How to set up WAN to LAN bridging for a transparent firewall between servers on an internal network?
Scenario...
Internet feed --> [FW] --> Internal network --> [FW] --> My network --> ESXi Server --> pfSense --> Server group 1
                                                                                                \--> Server group 2
Server group 1 is not allowed to contact server group 2 and vice versa.
Server groups 1 & 2 use shared network infra (AD & DNS) hosted on other ESXi VMs.
I have no control over anything before My Network (above).
Current solution:
Each server group is on its own LAN subnet.
pfSense provides 1:1 NAT.
Issues:
- DNS does not work as expected (local hosts on the subnet are not resolving) --> server group members now have hosts file entries.
- AD works but is very slow (presumably due to a local DNS server timeout before getting the AD servers' IP).
- This is not scalable for my use case, as I could quite easily have 50+ VMs I need to provide 1:1 NAT setups for.
I am stuck with a /25 internally routable subnet and no access to the DNS servers controlling the full /24. The /24 DNS server admins will not change their configs, for good reasons.
In order to simplify the setup (which could have 10+ server groups over 2+ ESXi hosts), I would like to flatten the networks and remove the 1:1 NAT & subnet requirement and its attached admin requirement.
To this end I am looking at creating a WAN to LAN / OPT1 (server group 1 / 2) bridge and putting FW rules on the interfaces (not the bridge) to enable LAN / OPT1 segregation.
I have configured a bridge with 3 members (WAN, LAN & OPT1). I have assigned the bridge as an interface. I have set pass-everything rules on the firewall for all three interfaces (to get it up and running) and have then moved the WAN IP to the bridge. After a reboot the console shows the bridge with the old WAN IP address and no IP addresses on any of the other interfaces.
I now cannot access the management interface on the old WAN IP. A test VM on the LAN interface also cannot get DHCP / DNS comms from the WAN servers.
Moving the IP back to the WAN interface gets the management interface back, but the machine on the LAN side still cannot get DNS / DHCP comms.
Whilst the pfSense manual provides some details on bridging and has a specific section for LAN to LAN, there is no specific section for WAN to LAN, so I am not sure if this config will work in my case.
Any constructive suggestions most appreciated.
Thanks

@RimBlock Could you please explain the structure of your network in more detail than you already have?

Some pics might make it clearer hopefully.
Again, I have no control over anything in the Internet or green 'Prod' areas on the diagrams.
Base environment
Current setup (1:1 NAT) - AD slow, DNS not working, high maintenance.
Preferred setup (bridge / flat network).
Getting the bridge to pass traffic between the 'LAN' ports and the 'WAN' port seems to be problematic (it is not working).
Test pfSense setup
A couple of questions after drawing all this out...
What interface should the bridge be assigned to?
Should the IP stay on the WAN (vmx0) or on the bridge if I am filtering on the interfaces rather than the bridge?
Hope this is a bit clearer.
Thanks
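As an added example (not from the thread and not pfSense's own code), here is the FreeBSD/pf shape of what the two posts are asking about: one bridge with the three interfaces as members, the address on the bridge only (members carry no IP), and the ruleset attached to the member interfaces rather than to the bridge. Filtering on members is what pfSense does by default (net.link.bridge.pfil_member=1, net.link.bridge.pfil_bridge=0), and in the pfSense GUI the equivalent is: assign the bridge as its own interface, give it the address, set the members' IPv4 type to none, put rules on the WAN/LAN/OPT1 tabs and leave the bridge's own tab empty. The interface names (vmx0 = WAN, vmx1 = LAN, vmx2 = OPT1), the management address and the host addresses in the tables are assumptions; by default the script only prints the commands and rules for review.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: the FreeBSD/pf
# equivalent of the setup under discussion. One bridge, the IP on the bridge
# only, filtering on the member interfaces rather than on the bridge.
# Assumed (hypothetical) names: vmx0 = WAN, vmx1 = LAN (server group 1),
# vmx2 = OPT1 (server group 2). The management address and the host addresses
# in the pf tables are constructed sample values.
# Nothing is applied unless APPLY=1; by default the functions only emit the
# commands and rules so they can be reviewed first.

WAN=vmx0
LAN=vmx1
OPT1=vmx2
BRIDGE=bridge0
MGMT_IP=${MGMT_IP:-10.0.0.250/25}   # constructed; use a free address in your /25

# Commands that build the bridge. pfil_member=1 / pfil_bridge=0 means pf sees
# each frame on the member interface it enters and leaves, never on bridge0;
# this is the FreeBSD default and what pfSense relies on for per-interface rules.
bridge_cmds() {
    cat <<EOF
sysctl net.link.bridge.pfil_member=1
sysctl net.link.bridge.pfil_bridge=0
ifconfig $BRIDGE create
ifconfig $BRIDGE addm $WAN
ifconfig $BRIDGE addm $LAN
ifconfig $BRIDGE addm $OPT1
ifconfig $WAN up
ifconfig $LAN up
ifconfig $OPT1 up
ifconfig $BRIDGE inet $MGMT_IP up
EOF
}

# Ruleset for the members. On a flat segment there is no subnet to match, so
# group membership is expressed as tables of host addresses. DHCP discovers
# are broadcasts (0.0.0.0:68 -> 255.255.255.255:67) and need an explicit pass
# once the rules are no longer "pass everything".
pf_rules() {
    cat <<EOF
table <grp1> { 10.0.0.10 10.0.0.11 }
table <grp2> { 10.0.0.20 10.0.0.21 }
set skip on $BRIDGE
block in quick on $LAN  from <grp1> to <grp2>
block in quick on $OPT1 from <grp2> to <grp1>
pass in quick on $LAN  inet proto udp from any port 68 to 255.255.255.255 port 67
pass in quick on $OPT1 inet proto udp from any port 68 to 255.255.255.255 port 67
pass in on $LAN  from <grp1>
pass in on $OPT1 from <grp2>
pass in on $WAN
EOF
}

# Review by default; apply only when explicitly asked, on the firewall itself.
apply_or_show() {
    if [ "${APPLY:-0}" = "1" ]; then
        bridge_cmds | sh -e
        pf_rules > /tmp/bridge.pf && pfctl -f /tmp/bridge.pf
    else
        bridge_cmds
        printf '\n'
        pf_rules
    fi
}

apply_or_show
```

Two checks worth making when even pass-all rules fail on a bridge like this: the WAN interface's "Block private networks and loopback addresses" option is on by default in pfSense and, with filtering on members, drops any RFC1918 source that enters on the WAN member, which on a bridged /25 is all of the traffic; and once the rules are tightened, DHCP broadcasts need their own pass rule on each member as above. The caveat with this design is that segregation on a flat layer-2 segment is by IP address only: the rules trust the address a host uses, so a host in group 1 that adopts a group 2 address is not stopped by them.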