firewall without NAT
-
If it is broadcast, use only a managed switch with different VLANs, then you got 2 broadcast domains and no interaction betwen this.
One VLAN is used for WiFi and the other dont flod the WiFi anymore. You want now to route betwen this VLANs, you neet different IP Subnets and then you can use an Firewall between.
-
@sundarnet-0
Hi SundarNet, The lighting console has only 1 nic. So all this broadcast ( on port 6454 and 9000) passes in/out 1 nic on that end. This meaning , only 1 IP adress. -
@stephenw10 IP range is 2.x.x.x subnet 255.0.0.0
-
@nocling
I do not think a VLAN will solve this. But I'm more than happy to learn how you would solve this with a VLAN. Can a VLAN read a packet and look if it comes from port 6454 and if so ignore this packet? -
@nocling
Sorry, everything needs to be in the same subnet. (2.x.x.x. /8)
We cannot change this. -
If I bridge WAN-LAN, all traffic passes, so the hardware is working. But whatever FIREWALL-rule I add, all traffic keeps on passing. I have set "net.link.bridge.pfil_bridge" to 1 and "net.link.bridge.pfil_member" to 1
Was hoping this would solve it... but :( no luck -
@olivier-demoustier said in firewall without NAT:
@nocling
Sorry, everything needs to be in the same subnet. (2.x.x.x. /8)
We cannot change this.If both interfaces of pfSense have to be within a single subnet you have to bridge them, as @stephenw10 already mentioned.
Doing this enables also broadcasts between the devices. Maybe this is what you need. -
Thank you, I tried this, (look at my recent post) but then it just works as a 2port switch. FIREWALL-rules are not working
-
@olivier-demoustier said in firewall without NAT:
But whatever FIREWALL-rule I add, all traffic keeps on passing. I have set "net.link.bridge.pfil_bridge" to 1 and "net.link.bridge.pfil_member" to 1
Was hoping this would solve it... but :( no luckIt should work with these settings. Maybe you have zo kill existing states before testing.
-
At last, I found it. Don't know why, but in bridge mode you need to reboot the firewall after you change a rule.
Will test further. But for the moment I have 1 rule to enable or disable all traffic. If You change this rule, you need to reboot.
To everybody, thank you so much for all the help. -
@olivier-demoustier said in firewall without NAT:
At last, I found it. Don't know why, but in bridge mode you need to reboot the firewall after you change a rule.
Will test further. But for the moment I have 1 rule to enable or disable all traffic. If You change this rule, you need to reboot.
To everybody, thank you so much for all the help.Happy for you. Don't forget to enable the auto start for all vlan bridges.
-
@akegec
mmm, don't know what you are saying. I don't use any VLANs. Or is a bridge some kind of VLAN? -
You need to set the filtering sysctls before you create the bridge. So if you change them afterwards you need to re-create the bridge. A reboot does that.
Steve
-
@stephenw10
Thanks Steve. Was not sure if I was doing wrong. This explains it. -
@olivier-demoustier Lastly, existing firewall states are not affected by a rule addition or change. Those states need to be cleared via Diagnostics - States in order for the new/modified rule to take effect. This trips a lot of people up when they make a rule and it doesn't seem to do anything. Rebooting the firewall does the same thing as resetting states but in a brute-force way. Glad to hear you got it working.
-
@kom
Thank you for explaining. But would be nice if the software would do this automatically when you hit 'apply". Or at least a pop up saying that you need to do that......? -
@olivier-demoustier I hear you. After applying the rule, it should be possible to go through the state table and nuke any states that match a firewall rule. An option could be added to the rule list page to reset existing states on Apply after add/edit. There is likely a technical reason I'm ignorant of as to why this isn't done. Perhaps for performance reasons like having to wait another 5-10s more (depending on your CPU) than you already have to wait every time you modify the rules. Perhaps the dynamic nature of the table and how it works makes this difficult or impossible. I don't know. But I do know that this is fairly obvious and smarter people than I have been working on this for a long time so there must be a reason.
-
@kom
Or just add a second apply button. One without and one with the extra actions needed.... -
@olivier-demoustier how do you get different paths ie wifi and LAN into the lightbox sorta indicates having wifi and LAN NICS? therefore it should have 2 IP addresses how is it specificially set up lightbox connected to ? via a switch or ? as you are trying to isolate 2 different port ranges in one path or channel eg only one NIC, sorta pointless as that traffic needs to pass through a NIC to get to the light box and different ports if you are trying to isolate traffic need to travel through separate NICs to not conflict or congest said NIC, my thought to do this would be a NAT redirect for one port to go via one NIC and the other port to be redirected to the 2nd NIC but you have not been clear with your actual config, I could be wrong but its how I would do it 2 NIC in light box 2 IP addresses with a separate NAT redirect for each needed port or port range
-
@olivier-demoustier it was late and my eyes were half closed, sorry for confusion. Steve explained what I was trying to say. @stephenw10 thanks man.
