pfSense bridge mode
-
Hello everyone,
I'm trying to add an external firewall to my system (pfSense with snort IPS)
Right now when I define the firewall as a bridge ,I connected the modem to the pfsense INPUT port and the OUTPUT port to the Mikrotik Router.
The Mikrotik Router is responsible for dialing through eth13 and PPPoE Client.
The Trafic come from the modem to the pfsense and then come to the mikrotik, but pfsense failed to block.I try to connect the same pfsense bridge to an internal network it works fine, my guess is because it's connected directly to the modem.
Is there a way to fix the situation? -
Hi,
it might help:
https://docs.netgate.com/pfsense/en/latest/bridges/index.html
https://forum.netgate.com/topic/59689/snort-and-transparent-firewallBTW:
forget this IN / OUT stuff, everything is called by its name
-
@daddygo
hi, thanks for the reply....
The problem is different as far as I understand,
The pfsense server sees the in/out addresses but fails to block them.
When I posted the issue in another forum, someone replied that it was related to PPPoE:"IP over Ethernet (which the firewall can handle in bridge mode) is not the same as IP over PPP over Ethernet. It might be complicated to block some IP payload without breaking the PPP(oE) functionality."
-
@avihu said in pfSense bridge mode:
When I posted the issue in another forum, someone replied that it was related to PPPoE:
Yes I see you on the MicroTik forum:
https://forum.mikrotik.com/viewtopic.php?f=2&t=171522&p=838736I don’t know if there would be a problem with PPPoE with Snort now, but Bill is competent in this @bmeeks
in a couple of places, we are running PPPoE WAN + Snort and no problem so far
(but it is not transparent FW)so look at this (PPPoE with Multi-Queue NICs):
https://docs.netgate.com/pfsense/en/latest/hardware/tune.html -
now the dialer is on the mikrotik, I can move the dialer to pfsense box and get the IP from isp address on the other side?
-
@avihu said in pfSense bridge mode:
I can move the dialer to pfsense box and get the IP from isp
Of course, I would have configured it this way anyway...
-
@daddygo
I leave the settings as they are and just configure the dialer in pfsense wan interface?
Maybe there is a guide? -
@avihu said in pfSense bridge mode:
I leave the settings as they are and just configure the dialer in pfsense wan interface?
Use the parameters provided by your ISP, connect to your modem and simply set up your pfSense WAN to PPPoE
-
@daddygo
Thanks, I did it already :)
Now the question is what do I define in the Mikrotik ether13 (dhcp client), before the change is was PPPoE Client with dialer. -
@avihu said in pfSense bridge mode:
I define in the Mikrotik ether13 (dhcp client),
following the description of Netgate, MikroTik can get IP from pfSense
-
tnx :)
-
and thanks again from another "Newbie"
