pfSense bridge mode

avihu

Hello everyone,
I'm trying to add an external firewall to my system (pfSense with snort IPS)
Right now when I define the firewall as a bridge ,I connected the modem to the pfsense INPUT port and the OUTPUT port to the Mikrotik Router.
The Mikrotik Router is responsible for dialing through eth13 and PPPoE Client.
The Trafic come from the modem to the pfsense and then come to the mikrotik, but pfsense failed to block.

I try to connect the same pfsense bridge to an internal network it works fine, my guess is because it's connected directly to the modem.
Is there a way to fix the situation?

DaddyGo

@avihu

Hi,

it might help:
https://docs.netgate.com/pfsense/en/latest/bridges/index.html
https://forum.netgate.com/topic/59689/snort-and-transparent-firewall

BTW:
forget this IN / OUT stuff, everything is called by its name

avihu

@daddygo
hi, thanks for the reply....
The problem is different as far as I understand,
The pfsense server sees the in/out addresses but fails to block them.
When I posted the issue in another forum, someone replied that it was related to PPPoE:

"IP over Ethernet (which the firewall can handle in bridge mode) is not the same as IP over PPP over Ethernet. It might be complicated to block some IP payload without breaking the PPP(oE) functionality."

DaddyGo

@avihu said in pfSense bridge mode:

When I posted the issue in another forum, someone replied that it was related to PPPoE:

Yes I see you on the MicroTik forum:
https://forum.mikrotik.com/viewtopic.php?f=2&t=171522&p=838736

I don’t know if there would be a problem with PPPoE with Snort now, but Bill is competent in this @bmeeks

in a couple of places, we are running PPPoE WAN + Snort and no problem so far
(but it is not transparent FW)

so look at this (PPPoE with Multi-Queue NICs):
https://docs.netgate.com/pfsense/en/latest/hardware/tune.html

avihu

@daddygo

now the dialer is on the mikrotik, I can move the dialer to pfsense box and get the IP from isp address on the other side?

DaddyGo

@avihu said in pfSense bridge mode:

I can move the dialer to pfsense box and get the IP from isp

Of course, I would have configured it this way anyway...

avihu

@daddygo
I leave the settings as they are and just configure the dialer in pfsense wan interface?
Maybe there is a guide?

DaddyGo

@avihu said in pfSense bridge mode:

I leave the settings as they are and just configure the dialer in pfsense wan interface?

Use the parameters provided by your ISP, connect to your modem and simply set up your pfSense WAN to PPPoE

avihu

@daddygo
Thanks, I did it already :)
Now the question is what do I define in the Mikrotik ether13 (dhcp client), before the change is was PPPoE Client with dialer.

DaddyGo

@avihu said in pfSense bridge mode:

I define in the Mikrotik ether13 (dhcp client),

following the description of Netgate, MikroTik can get IP from pfSense

avihu

tnx :)

NetMartin23

and thanks again from another "Newbie"

avihu

@daddygo
After almost 3 weeks I did not have time and left it looks like I got back to it again :)

I set the dialer on the pfsende wan side and it and it connected to the isp.
But the mikrotik does not get IP from the lan side, I try to define in the Mikrotik ether13 (dhcp client) But it still does not get an IP.
What I need to define in the connection type so the router get the external address?

stephenw10

How many public IPs do you have?

If it's just one then pfSense will have that and the Mikrotic will have an internal IP. It seems like you might be attempting to setup something that cannot be done.

If you need the public IP on the Mikrotic you might want to setup pfSense transparently on the other side of it, the internal network.

Steve

avihu

@stephenw10
Hi
Its good to see familiar face, The last time we talked here was when you explained to me how install pfsense with lcdproc on WatchGuard Firebox (its still works).

For now I just try to install transparent firewall bridge with PPPoE Client for snort IDS/IPS.

The WAN side is connected to ADSL modem.
and the LAN side connected to mikrotik or PC for now.

The wan with PPPoE client get ip address from the ISP but not pass it to the lan side.
Before I added the PPPoE client the bridge work fine

stephenw10

pfSense cannot bridge PPPoE to DHCP.

Snort cannot effectively see inside the PPPoE stream. Or at least the signatures are not intended to match that so it doesn't see the traffic as expected.

Your options here as I see it are either to not run pfSense transparently. Put the Mikrotik in a private subnet on it's WAN.
Or move the pfSense box behind the Mikrotik where it can be setup transparently and still see the traffic outside the PPPoE.
Or lose the Mikrotik entirely and using the pfSense as the PPPoE client and router/firewall/IPS etc.

Steve