Netgate Discussion Forum
    pfSense bridge mode

    General pfSense Questions
    16 Posts 4 Posters 2.7k Views
    • avihu

      Hello everyone,
      I'm trying to add an external firewall to my system (pfSense with Snort IPS).
      Right now, when I define the firewall as a bridge, I connect the modem to the pfSense INPUT port and the OUTPUT port to the MikroTik router.
      The MikroTik router is responsible for dialing through eth13 and a PPPoE client.
      The traffic comes from the modem to the pfSense and then to the MikroTik, but pfSense fails to block.

      I tried connecting the same pfSense bridge to an internal network and it works fine; my guess is that this is because it's connected directly to the modem.
      Is there a way to fix the situation?
    • DaddyGo @avihu

      @avihu

      Hi,

      it might help:
      https://docs.netgate.com/pfsense/en/latest/bridges/index.html
      https://forum.netgate.com/topic/59689/snort-and-transparent-firewall

      BTW:
      forget this IN / OUT stuff, everything is called by its name 😉

      Cats bury it so they can't see it!
      (You know what I mean if you have a cat)
    • avihu @DaddyGo

      @daddygo
      Hi, thanks for the reply...
      The problem is different as far as I understand.
      The pfSense server sees the in/out addresses but fails to block them.
      When I posted the issue in another forum, someone replied that it was related to PPPoE:

      "IP over Ethernet (which the firewall can handle in bridge mode) is not the same as IP over PPP over Ethernet. It might be complicated to block some IP payload without breaking the PPP(oE) functionality."
    • DaddyGo @avihu

      @avihu said in pfSense bridge mode:

      When I posted the issue in another forum, someone replied that it was related to PPPoE:

      Yes, I see you on the MikroTik forum:
      https://forum.mikrotik.com/viewtopic.php?f=2&t=171522&p=838736

      I don't know if there would be a problem with PPPoE with Snort now, but Bill is competent in this @bmeeks

      In a couple of places we are running PPPoE WAN + Snort and no problem so far
      (but it is not a transparent FW).

      So look at this (PPPoE with Multi-Queue NICs):
      https://docs.netgate.com/pfsense/en/latest/hardware/tune.html
    • avihu @DaddyGo

      @daddygo

      Now the dialer is on the MikroTik; can I move the dialer to the pfSense box and get the IP address from the ISP on the other side?
    • DaddyGo @avihu

      @avihu said in pfSense bridge mode:

      I can move the dialer to pfsense box and get the IP from isp

      Of course, I would have configured it this way anyway...
    • avihu @DaddyGo

      @daddygo
      Do I leave the settings as they are and just configure the dialer on the pfSense WAN interface?
      Maybe there is a guide?
    • DaddyGo @avihu

      @avihu said in pfSense bridge mode:

      I leave the settings as they are and just configure the dialer in pfsense wan interface?

      Use the parameters provided by your ISP, connect to your modem and simply set up your pfSense WAN to PPPoE.

      [attached image]
    • avihu @DaddyGo

      @daddygo
      Thanks, I did it already :)
      Now the question is what I define on the MikroTik ether13 (DHCP client); before the change it was a PPPoE client with dialer.
    • DaddyGo @avihu

      @avihu said in pfSense bridge mode:

      I define in the Mikrotik ether13 (dhcp client),

      Following the description from Netgate, the MikroTik can get an IP from pfSense 😉

      [attached image]
    • avihu

      Thanks :)
    • NetMartin23

      And thanks again from another "Newbie"
    • avihu @DaddyGo

      @daddygo
      After almost 3 weeks (I did not have time and left it), it looks like I got back to it again :)

      I set the dialer on the pfSense WAN side and it connected to the ISP.
      But the MikroTik does not get an IP from the LAN side; I tried defining the MikroTik ether13 as a DHCP client, but it still does not get an IP.
      What do I need to define as the connection type so the router gets the external address?
    • stephenw10 (Netgate Administrator)

      How many public IPs do you have?

      If it's just one, then pfSense will have that and the MikroTik will have an internal IP. It seems like you might be attempting to set up something that cannot be done.

      If you need the public IP on the MikroTik, you might want to set up pfSense transparently on the other side of it, on the internal network.

      Steve
    • avihu @stephenw10

      @stephenw10
      Hi,
      It's good to see a familiar face. The last time we talked here was when you explained to me how to install pfSense with lcdproc on a WatchGuard Firebox (it still works).

      For now I'm just trying to install a transparent firewall bridge with a PPPoE client for Snort IDS/IPS.

      The WAN side is connected to an ADSL modem,
      and the LAN side is connected to the MikroTik or a PC for now.

      The WAN with the PPPoE client gets an IP address from the ISP but does not pass it to the LAN side.
      Before I added the PPPoE client the bridge worked fine.
    • stephenw10 (Netgate Administrator)

      pfSense cannot bridge PPPoE to DHCP.

      Snort cannot effectively see inside the PPPoE stream. Or at least the signatures are not intended to match that, so it doesn't see the traffic as expected.

      Your options here as I see it are either to not run pfSense transparently and put the MikroTik in a private subnet on its WAN,
      or move the pfSense box behind the MikroTik, where it can be set up transparently and still see the traffic outside the PPPoE,
      or lose the MikroTik entirely and use the pfSense as the PPPoE client and router/firewall/IPS etc.

      Steve
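The point behind Steve's answer (and the quote avihu relayed earlier) is that a bridge-mode IP filter or IDS matches Ethernet frames of EtherType 0x0800, while the dialer's traffic crosses the bridge as EtherType 0x8864 (PPPoE session) with a PPP header in front of the IP packet. The following Python example is added here and is not from the thread, pfSense or Snort: it builds the same IP packet both ways from constructed addresses and MACs, and shows that an Ethernet-level IP check sees only the plain frame, while a PPPoE-aware unwrap reaches the inner addresses.

```python
import struct
import ipaddress

ETHERTYPE_IPV4 = 0x0800           # plain IP over Ethernet
ETHERTYPE_PPPOE_SESSION = 0x8864  # PPPoE session stage (RFC 2516)
PPP_PROTO_IPV4 = 0x0021           # IPv4 carried inside PPP (RFC 1332)

def ipv4_packet(src, dst, payload=b""):
    """Constructed minimal IPv4 header (no options, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def ethernet_frame(ethertype, payload):
    """Constructed Ethernet II frame with placeholder MAC addresses."""
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ethertype) + payload

def pppoe_session_frame(session_id, ip):
    """Wrap an IPv4 packet as IP over PPP over Ethernet (what a PPPoE dialer emits)."""
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip
    pppoe_hdr = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp))
    return ethernet_frame(ETHERTYPE_PPPOE_SESSION, pppoe_hdr + ppp)

def addresses(ip):
    """Source and destination of an IPv4 header as dotted strings."""
    return (str(ipaddress.ip_address(ip[12:16])), str(ipaddress.ip_address(ip[16:20])))

def naive_ip_addresses(frame):
    """What an Ethernet-level IP filter sees: only EtherType 0x0800 is IP."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None  # PPPoE frames fall through unmatched, so IP rules never fire
    return addresses(frame[14:])

def pppoe_aware_ip_addresses(frame):
    """Same check, but unwraps PPPoE session + PPP headers to reach the IP header."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV4:
        return addresses(frame[14:])
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        return None
    ver_type, code, _sid, length = struct.unpack("!BBHH", frame[14:20])
    ppp = frame[20:20 + length]
    if ver_type != 0x11 or code != 0x00 or struct.unpack("!H", ppp[:2])[0] != PPP_PROTO_IPV4:
        return None  # not a session-stage data frame, or not IPv4 inside PPP
    return addresses(ppp[2:])

# Constructed sample: the same IP packet once as plain IP, once inside a PPPoE session
SAMPLE_IP = ipv4_packet("192.0.2.10", "198.51.100.20", b"payload")
PLAIN_FRAME = ethernet_frame(ETHERTYPE_IPV4, SAMPLE_IP)
PPPOE_FRAME = pppoe_session_frame(0x0001, SAMPLE_IP)
```

Running `naive_ip_addresses` on both frames shows why a transparent bridge in front of the dialer cannot act on the PPPoE-wrapped traffic, and why moving the IDS behind the PPPoE endpoint (or making pfSense the endpoint) puts plain IP frames back in front of it.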
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.