Transparent NAT/Bridge/Routing only



  • Hi there,

    I am at a customer's site where they have pfSense on a server. I have to admit I am new to it and haven't used it before, but it looks like a clever piece of software.

    I am trying to get a transparent bridge set up between the LAN and the WAN port. Basically the connection looks like this: Network -> pfSense server -> 3rd party Firewall -> Internet. The 3rd party firewall I am using is a specific hardware device typical for the maritime industry. It has firewalling capability which can be turned on/off from an easy user interface. The problem I have at this customer's site is that they have the pfSense server between the network and this 3rd party firewall, which means that the 3rd party firewall is not working as it should. Since the pfSense server is NATing the connection, it only sees all the data coming from one IP address and can therefore not filter between the PCs on the network.

    I had a look at the pfSense web interface and saw that you can bridge the WAN and LAN connection. I have done this, so they are now on the same IP address range, but having a look at the log file on the third party firewall I can see that the traffic still appears to be coming from the pfSense server. The only way I managed to get each packet to still contain the source IP address is to disable the firewalling completely under System | Advanced. But if I do this then the Captive Portal stops working.

    Is there a way I can set up pfSense so that it keeps the original source IP address of each packet whilst still having the Captive Portal working?

    Thanks!



  • Hey,

    Got a workaround in the end. I turned the firewall and everything back to normal so the captive portal worked. I then set up a Virtual IP for my whole WAN range and then added a NAT 1:1 rule for each IP address. Since this can't include the WAN IP address I couldn't just do a /24 range. I therefore set up NAT 1:1 for a /25, /26, /27, /28, /29 and a /30 range so that I covered 192.168.0.4-255. Now if a PC on my LAN network with an IP address of 192.168.1.123 uses the internet the traffic appears to come from 192.168.0.123.

    There was probably a better way to do this but it worked for me.

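The block splitting the reply above did by hand, as an added Python example (not code from the post or from pfSense): it takes the WAN and LAN /24s, skips the low addresses that hold the WAN interface address (the post covers .4 to .255, so the first covered host offset is a parameter rather than a stated WAN address), emits the external/internal subnet pairs a pfSense 1:1 NAT rule needs (both sides must share a prefix length), and shows which public address a given LAN host would appear as. The 192.168.0.0/24 and 192.168.1.0/24 values are the ones from the post; the `first_offset` of 4 is an assumption matching the range the post says it covered.

```python
import ipaddress


def one_to_one_blocks(wan_net, lan_net, first_offset, last_offset=None):
    """Split host offsets [first_offset, last_offset] of wan_net into the
    fewest CIDR blocks and pair each with the block at the same offset in
    lan_net. Each pair is one 1:1 NAT rule: (external subnet, internal subnet)."""
    wan = ipaddress.ip_network(wan_net)
    lan = ipaddress.ip_network(lan_net)
    if wan.prefixlen != lan.prefixlen:
        raise ValueError("WAN and LAN networks must be the same size")
    if last_offset is None:
        last_offset = wan.num_addresses - 1  # up to the last address (.255)
    first = wan.network_address + first_offset
    last = wan.network_address + last_offset
    pairs = []
    # summarize_address_range yields the minimal CIDR cover: .4/30, .8/29, ...
    for ext in ipaddress.summarize_address_range(first, last):
        offset = int(ext.network_address) - int(wan.network_address)
        internal = ipaddress.ip_network(
            f"{lan.network_address + offset}/{ext.prefixlen}")
        pairs.append((ext, internal))
    return pairs


def translate(lan_ip, pairs):
    """Return the external address a LAN host shows up as under the 1:1 rules,
    or None if no rule covers it (it would then leave with the WAN interface
    address through ordinary outbound NAT, which is the problem in the thread)."""
    host = ipaddress.ip_address(lan_ip)
    for ext, internal in pairs:
        if host in internal:
            return ext.network_address + (int(host) - int(internal.network_address))
    return None


if __name__ == "__main__":
    # Constructed input: networks from the post, first_offset=4 assumed.
    rules = one_to_one_blocks("192.168.0.0/24", "192.168.1.0/24", 4)
    for ext, internal in rules:
        print(f"1:1 NAT  external {ext}  <->  internal {internal}")
    print("192.168.1.123 appears as", translate("192.168.1.123", rules))
    print("192.168.1.2 appears as", translate("192.168.1.2", rules))
```

Hosts below the first covered offset (here .1 to .3) stay uncovered, which is where the WAN interface address and the upstream gateway would sit.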
