Transparent Bridge Mode
-
Hi all,
I'm pretty much new here - I've used PFSENSE for a while now but never had to do this. I have searched the forums but I'm struggling a bit with finding a similar situation to mine and that explains how to go about it.
I have a Netgate 2100 device. I'm looking to setup a transparent bridge between WAN and LAN.
I have one public static IP given to me by the ISP.
I'm looking to use PFSENSE to take the WAN connection and public IP, effectively allow the device on the LAN use the same public IP address (via DHCP) and route all traffic through the PFSENSE box. To what I've read this looks like I need to setup a transparent bridge, but is that correct? If so, how do I go about doing this?
Thanks,
Red -
@redhammer999 said in Transparent Bridge Mode:
I have one public static IP given to me by the ISP.
I'm looking to use PFSENSE to take the WAN connection and public IP, effectively allow the device on the LAN use the same public IP address (via DHCP) and route all traffic through the PFSENSE box.

A single IP can only be used by one device. If you have only one IP you can either use it on pfSense or on a device behind it if you bridge the interface to WAN.
Why is forwarding certain ports not an option for you?
-
@viragomann
IDS/IPS software tends to be run as a transparent bridge, not a router, and pfSense is router software. -
@coxhaus
You can run pfSense in transparent mode as well. But you cannot share a single IP for multiple devices. The one has nothing to do with the other. -
@viragomann said in Transparent Bridge Mode:
@coxhaus
You can run pfSense in transparent mode as well. But you cannot share a single IP for multiple devices. The one has nothing to do with the other.

Sounds like a typical NAT router, what you are saying.
-
Thanks for such a quick reply. So, basically we're going to co-habit an office with another firm (save rent etc in today's climate).
Perhaps a diagram will help... I guess their device doesn't need to use the same IP perhaps but it needs to be routable on the public IP. The other company is using a Cisco Meraki MX67C-WW and is using DHCP (I have no access to it, they've asked for a DHCP public IP address). I believe they are running a site-to-site VPN, hence needing the public IP on their Meraki device.
So from reading I thought they could use the sole public IP address essentially if I configured the PFSENSE as transparent bridge between WAN and their LAN? The layout would look like the attached image (in my head).
-
@redhammer999
My guess is you are going to have to have multiple public IP addresses for what you want to do. Probably easier to have separate ISP connections. There would be a lot of liability sharing a public IP address and compromise.
-
In that setup nothing on LAN2 would be able to connect out. The only public IP would be on the Meraki so only that and devices behind it would be able to connect out.
They probably don't actually need a public IP directly, you could just forward traffic to them in pfSense. Though Meraki has some odd ideas about VPN.
If they insist though the only way to do it would be to have pfSense on a separate interface behind the Meraki. They would have to be involved setting that up of course.
-
Hi both, thanks very much for your input. Just so I'm a bit more in the know (to which I am now getting there, thank you very much indeed). I'm thinking to decommission our side of the network temporarily until new year to allow this company to move in.
Just so I'm clear then:
I could configure the PFSENSE so it would connect to the ISP using the static public IP given and (via transparent firewall mode) connect the Meraki with it still configured as DHCP on its WAN and would essentially from its point of view get a DHCP address? Are there any guides to this effect that would be best to use, do you know/recommend? Just because I haven't done the bridge mode configuration previously.
-
You could do that but what will happen if you do is that the Meraki will try to pull another public IP from the ISP. And that will only happen if the ISP allows more than one public IP.
If you only have one public IP one of either pfSense or the Meraki has to NAT that to the other one. Only one can actually have a public IP on it directly.
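To make the NAT point concrete, here is an added illustration (not from this thread, and not something pfSense has you type in by hand; pfSense generates its pf rules from the GUI) of the only layout that works with a single public IP: pfSense keeps the public IP on WAN, hands the Meraki a private DHCP address on LAN, and forwards the inbound traffic the Meraki needs. Interface names, addresses and the IPsec ports are assumed placeholders.

```pf
# Added illustration of the underlying pf rules pfSense would end up with.
# Interface names and addresses below are assumed, not taken from the thread.
ext_if  = "mvneta0"           # pfSense WAN, holds the single public IP (assumed name)
int_if  = "mvneta1"           # pfSense LAN, cabled to the Meraki WAN port (assumed name)
int_net = "192.168.50.0/24"   # private subnet pfSense DHCP hands out (constructed)
meraki  = "192.168.50.2"      # address the Meraki WAN pulls via DHCP (constructed)

# Outbound NAT: everything behind pfSense, the Meraki included, leaves the
# ISP link with the one public IP. The Meraki itself only ever sees 192.168.50.2,
# which is the double NAT the thread warns about.
nat on $ext_if from $int_net to any -> ($ext_if)

# "Forward traffic to them": inbound port forwards to the Meraki instead of
# giving it the public IP. IPsec (UDP 500/4500) is assumed here as the kind
# of traffic a site-to-site VPN endpoint behind NAT needs.
rdr pass on $ext_if proto udp from any to ($ext_if) port { 500, 4500 } -> $meraki

# Default deny on WAN, stateful pass for everything leaving, LAN allowed out.
block in on $ext_if
pass out on $ext_if keep state
pass in on $int_if from $int_net to any keep state
```

Anything not explicitly forwarded by an rdr rule never reaches the Meraki, so its VPN peer must tolerate NAT traversal rather than expecting the public IP on the Meraki itself.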
-
@redhammer999
I am not sure you are understanding differences between double NAT, static public IPs and DHCP public IPs. I don't think of what you are saying as a transparent bridge so I would say no. It is not a good idea to share an ISP connection, so I recommend against it.
-
No I do get the principle of not sharing the ISP - may have to do this in short term however.
You are correct in that I don't get the differences between transparent bridge, NAT etc. In regard to how we're going to implement this.
So... I think now the plan may be to speak with their IT (if they have still) and discuss what needs to be done. We may get a VLAN from them perhaps as a "guest" in the super short-term or something like that. Or just send our staff to WFH. They should AT LEAST be able to configure the Static IP on their Meraki WAN interface!?!
Many thanks again.
-
Yes they should be able to set that public IP on the Meraki WAN directly. And yes they could set up a VLAN or just a separate port to isolate a connection from pfSense and NAT it.