Beginner questions regarding transparent firewall



  • Topology of my network looked like this:

    inet <---> router <---> switch <---> lan

    Now I would like to add firewall. The topology would change to something like this:

    inet <---> router <---> pfsense <---> switch <---> lan

    In order not to change anything in the LAN setup on the host machines, I'm going to use a transparent firewall. pfsense has 4 NICs: WAN, LAN, OPT1 and OPT2.

    I would like to make the transparent firewall on those OPT NICs. Do I have to set both OPT interfaces to bridge with one another?

    OPT1                          OPT2
    enable                        enable
    type: static                  type: static
    bridge with: OPT2             bridge with: none

    versus

    OPT1                          OPT2
    enable                        enable
    type: static                  type: static
    bridge with: OPT2             bridge with: OPT1

    Is there a big difference between these two settings?

    More questions to come :-)



  • leave one interface static and bridge the other one to it:

    opt1 static
    opt2 bridge to opt1

    I think the other setting won't work at all. Don't forget to set "filtering bridge" at system>advanced in the webgui and create appropriate rules.



  • OK, but in that case I have to put an IP address on one interface, and that is what I don't want to do, because the hosts have their GW set to the IP on the router interface. I tried it with the bridge set up on both OPT interfaces and it works. With this configuration all traffic just flows through the pfsense box as if it weren't there (because of the rules set to pass everything).



  • Why do you ask something when you already set up something and tested it then?  :P



  • @eduke:

    Topology of my network looked like this:
    inet <---> router <---> switch <---> lan

    OK, a real basic, often-used setup.

    Now I would like to add firewall. The topology would change to something like this:
    inet <---> router <---> pfsense <---> switch <---> lan

    I can assure you that this works when you set up pfSense out of the box.
    Configure the WAN access (ISP) stuff - give it a static LAN IP (your 'new' gateway) - and up you are.

    In order not to change anything in LAN setup on host machines I'm going to use transparent firewall. pfsense has 4 NICs. WAN, LAN, OPT1 and OPT2.

    Things DO change here: are you using the pfSense box as a simple switch between LAN-OPT1-OPT2? Why not use a real 'simple' switch? They are really good at switching  ;)

    But you should be able to do so - bridge them all together. Give the LAN an IP (this will be the gateway) - and bridge OPT1-OPT2 to it. (So no IPs are needed here.) I never did so, but I tend to say that a firewall rule like 'all to all = ok' on all interfaces (only OPT1-OPT2?) is needed.

    And why still use the initial router (or is it a modem as well?)? Send it on holiday (remove the routing activity) - this makes your setup simpler to administer. pfSense handles the routing very well (at least the last time I checked  ;D).



  • @hoba:

    Why do you ask something when you already set up something and tested it then?  :P

    I tried it after I had asked and you had replied. And then I posted a message that it is working, so anyone will know that it is possible.



  • @Gertjan:

    And why still use the initial router (or is it a modem as well?)? Send it on holiday (remove the routing activity) - this makes your setup simpler to administer. pfSense handles the routing very well (at least the last time I checked  ;D).

    I can't remove the router because it does more things than I showed here. I want to use pfSense just as a firewall. I don't need its router and other features.
