Transparent firewall



  • Hi,

    i'm new to pfSense. I successed with pfSense to install it as a "standard" firewall with NAT, etc…

    Now, I need to install it as a transparent firewall. I know I have to configure it as a bridge but I have only 2 NIC and didn't find any information how to configure a bridge between LAN and WAN.

    Therefore I'm a bit lost :(

    My NIC are 3c905 & nForce2 and should be able to do promicious mode.

    Thanks for any advice.



  • Just bridge LAN to WAN and be sure to have rules to allow access to the webgui in place. You'll have to access it from the LAN-Interface side by it's WAN IP. Don't enter a LAN IP for the bridged interface. A pfSense-Bridge by default acts as filtering bridge (not like m0n0 were you have to enable this), so just create the rules you need for traffic to pass at WAN and LAN interface.

    You might need to shut down NAT. I don't think so but I'm not sure right now. If the above steps don't work got to Firewall>NAT, outbound and enable advanced outbound nat. Then delete all outbound nat-rules that are present after that.



  • I will try that right now and I come back with feedback. Thanks for the tips ;)



  • I might misunderstood the step about the LAN IP :
    in Interfaces > LAN, If i let the IP empty , i get :
    The following input errors were detected:
        * The field 'IP address' is required.

    Do I have to put the same IP on wan and lan ?



  • Use a dummy adress there. it just needs to have an IP for some reason.



  • Ok, I think I worked to much today  ???

    So, lets resume,

    on WAN, i select my dummy address (ie: 0.0.0.0/32) and gateway (the ip of the real gw)
    on LAN, i select the IP I wish for the bridge and I bridge it to WAN

    Then I don't see … Maybe I should sleep and re read manual :/



  • Nope:

    1. Set a real IP on WAN and gateway (as this interface is the one the other gets bridged to). You will access your webgui by that IP from LAN-side. (If your WAN-IP-Range is inside a private range uncheck "block private IP range")
    2. select bridge at your LAN interface  and give THAT ONE a dummy IP (like 10.10.10.10/32).
    3. Access your webgui by the WAN IP coming from your LAN-side and set up your rules.

    Good night  ;D



  • I slept well . Now I can work again on it :p



  • @fnemo:

    I slept well . Now I can work again on it :p

    So tell us, did it work, huh? did it work? ;D
    If you get that to work you could make us a nice tutorial with wink, what do you say?
    Cheers



  • In fact it fails. Since I'm using a Shuttle XPC as the firewall, I order a double interfaced network card so I'll have 3 NIC and configure WAN, LAN and OPT.
    WAN <-> OPT as a bridge on a certain IP
    LAN as control interface.

    Once I succeed I'll try to write some kind of tutorial . but for now, I just gave up about a bridge with pfSence on a 2 NIC setup.



  • Sorry, we had a bridge bug in the latest version. Please try again with the upcoming version (ETA some minutes/hours).



  • Will check that then ;)



  • I justed DL the 96.2 iso … and it seems buggy . I DL twice on different computers, burned the same ...
    When I boot on the disc, I get weird sound from the CD (no problem with another CD) and when it read the acd0 informations, several error occurs.

    I'll retry tomorrow, some other work to do today ...



  • This error report is of no use.  Next time write down the errors.



  • Ok, I downloaded and burned a new ISO 96.2 from today on one of the mirrors. Installed. Configured.

    Then, I created my bridge, deactivated NAT reflections … AND THERE IT WAS !

    I rebooted to check something in the BIOS (didn't change anything though) ... and on reboot, configuration was there ... but no more bridge working. I don't have time to double check today so i'll do it tomorrow but that's quite annoying :/



  • OK, i'm build new bridge configuration
    One moment - Lan mask (must be 32) take many my time.
    My bridge dont work along i not memory this mask settings.

    Second moment - if i set any dummy address in Lan (not WAN address) - filter reload progress give error in [].. - what this i don't understand. But only i setup In LAN address IP= WAN address or mask=32 - all filter reload update normally

    Please set in GUI avtomatic update LAN IP = WAN IP but only mask=32. This must leave many errors.
    May be disable IP setting edit field LAN ip for BRIDGE mode?
    And other any Bridged internal interfaces (OPT and etc)?



  • on wan set a real ip adress this is the interface you will conect to

    on lan set a ipadress it don't make out wat
    it wil be ignord when you bridge it with youre wan

    make sure youre on beta4 with the updates



  • list of interfaces for bridging

    wan - lan    wan ipadress
    lan  - opt1  lan ipadress
    opt1 - opt2  opt1 ipadress
    wan - opt1    wanipadress
    opt1 - wan - lan    wanipadress
    etc

    list of interface weight
    wan-lan-opt1-opt2 etc
    interface with most weight is the ipadress that will work after the bridged melting



  • Beta 4 updated, Bridge mode ON
    If i set Lan any other address - i can ping them ( 2 address of firewall present!)
    And - periodical error update rules + shaper problem

    Now i Begining test what i setup new (with prevous my post)
    7 filtersupdate processes pass without errors (i dont change eny rule - only Edit-Save-Apply)
    And shaper perhaps work too - this needs more testing.



  • The shaper won't work in a bridging configuration.



  • This conceptual? Or in future shaping bridge possoble?

    ps. I wanted use bridge(Or equivalence) + shapping + proxy in one system :(



  • It's a limitation. Not sure if there is a way to work around it.  However, it won't be included in 1.0 and there is no promise that it will be in 1.1.



  • OK
    If this can be in future - i very glad.
    Thks.


Log in to reply