OPT WAN interface bridged with other OPT interface

  • Hi

    I have some problems setting up the following with pfSense and you guys (or girls) might be able to help me:

    WAN1 (WAN) ------ pfSense --- LAN
    WAN2 (Transit) --/       \--- DMZ

    WAN1 is on the WAN interface with a dynamic IP; this is the main connection to the Internet since it is faster than WAN2.
    WAN2 is on an OPT interface; Transit's gateway is on 82.x.0.1 and they give out 82.x.x.1-254 addresses through DHCP.
    LAN is on the LAN interface
    DMZ is on an OPT interface

    I want WAN & LAN functioning like a "normal" WAN+LAN setup, with firewall and NAT. This was no problem setting up and everything works fine.

    The tricky part is (at least for me) that I want Transit and DMZ to be bridged (and filtered). From Transit I can get several external IPs from their DHCP server and I want the computers inside DMZ to each get an external IP from Transit's DHCP server so I don't have to use NAT.

    I have tried to bridge DMZ with Transit but I do not get an external IP from Transit with a computer inside DMZ. I followed the tutorial "setting up pfsense as transparent firewall" (http://pfsense.trendchiller.com/transparent_firewall.pdf) and used Transit as WAN and DMZ as LAN but it did not work.
    I tried to set the IPs static on the DMZ computer but it doesn't work either. I have tried setting the gateway for the DMZ computer to both pfSense's IP (on the DMZ interface).

    Is this even possible to do?

    (I also don't want WAN2 or DMZ to touch the LAN net, but I guess that's taken care of with the default block rule.)

    If you don't understand what I want to accomplish or if some information is missing don't hesitate to ask (it is very late here, so I might have missed something ;)).

    I have not been able to find a solution for this on any of the support mediums, but I have a faint memory of seeing something like this a while back but I can't seem to find it again.

  • I guess what I am really asking is: is this http://pfsense.trendchiller.com/transparent_firewall.pdf possible between two OPT interfaces (one connected to a second WAN) while being parallel to a "normal" WAN->LAN setup? And if so, how?

  • In general this should work, however nobody has tested it in that configuration I guess. Please describe how you configured the transit and the dmz interface in the webgui.

  • @hoba:

    Please describe how you configured the transit and the dmz interface in the webgui.

    Transit (connected to ISP#2):
    Static IP 82.x.0.113/22 with 82.x.0.1 as gateway.
    Not bridged.

    DMZ (connected to the DMZ local network):
    Bridged with Transit interface and gateway set to 82.x.0.1.

    I've tried to set a static IP configuration on the client (connected to the DMZ network) without getting it to work.
    The settings I used were:
    IP: 82.x.0.112
    Netmask: (=/22)
    Gateway 82.x.0.1 (I also tried gateway = 82.x.0.113 with no luck, but it is supposed to be .0.1 right?).

    I temporarily disabled the "Filtering bridge" option on pfSense so all traffic should flow freely without any rules in place.

    I have tried this with a separate pfSense, using the WAN and LAN interfaces as indicated in the filtering bridge tutorial and that works fine. But I don't want to use two firewalls/computers, I want all the magic done in one box.

    • Daniel

  • I think there is something wrong with your config. Please try this:

    Transit Interface: this interface seems to be ok

    DMZ: bridge with Transit, don't assign a gateway, don't assign an IP (the IP gets greyed out on setting bridge mode; we might turn off the gateway too).

    At system>advanced enable filtering bridge.

    At firewall>rules, DMZ, create an any-protocol, any-source, any-destination rule.

    At the DMZ hosts you have to use the gateway of the transit interface, not the transit interface IP.

    Now try if you can access the internet from a host behind the dmz interface.
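    The two points above that usually break a bridged DMZ (the host's gateway must be the ISP gateway, not the firewall's Transit IP, and the host must sit in the Transit subnet) can be checked before touching the box. This is an added example, not code from pfSense or from this thread; the 10.82.0.0/22 addresses are constructed stand-ins for the redacted 82.x values, and the LAN subnet is assumed.

```python
"""Sanity checks for a static host behind a bridged (transparent) DMZ interface."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed sample values mirroring the thread's layout (real 82.x values are redacted)
TRANSIT_IF = IPv4Interface("10.82.0.113/22")   # firewall's own IP on the Transit (OPT) interface
TRANSIT_GW = IPv4Address("10.82.0.1")          # ISP#2 router, the gateway of the Transit interface
LAN_NET = IPv4Network("192.168.1.0/24")        # assumed private LAN behind the firewall


def check_dmz_host(host_ip: str, host_prefix: int, host_gw: str,
                   transit_if: IPv4Interface = TRANSIT_IF,
                   transit_gw: IPv4Address = TRANSIT_GW,
                   lan_net: IPv4Network = LAN_NET) -> list[str]:
    """Return the problems found with a DMZ host's static config; an empty list means OK."""
    problems = []
    host = IPv4Interface(f"{host_ip}/{host_prefix}")
    gw = IPv4Address(host_gw)
    transit_net = transit_if.network

    # A bridged host lives in the ISP's subnet, so its prefix and network must match Transit's
    if host.network != transit_net:
        problems.append(f"host subnet {host.network} does not match transit subnet {transit_net}")

    # The default gateway is the ISP router; the firewall's Transit address is not a router here
    if gw == transit_if.ip:
        problems.append("gateway is the firewall's Transit IP; use the ISP gateway instead")
    elif gw != transit_gw:
        problems.append(f"gateway {gw} is not the ISP gateway {transit_gw}")

    # The host must not reuse the firewall's or the ISP router's address
    if host.ip in (transit_if.ip, transit_gw):
        problems.append(f"host IP {host.ip} collides with the firewall or the ISP gateway")

    # Public DMZ addressing must never overlap the private LAN, or routing gets ambiguous
    if lan_net.overlaps(transit_net):
        problems.append(f"LAN {lan_net} overlaps transit subnet {transit_net}")
    return problems


if __name__ == "__main__":
    # The two attempts from the thread: ISP gateway (expected to pass) and firewall IP as gateway
    for attempt in [("10.82.0.112", 22, "10.82.0.1"), ("10.82.0.112", 22, "10.82.0.113")]:
        print(attempt, "->", check_dmz_host(*attempt) or "OK")
```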

  • @hoba:

    Now try if you can access the internet from a host behind the dmz interface.

    Nope, no go.

    I'm beginning to wonder if it might be the network cards themselves; one is an old ISA card (but it works when I connect a computer and ping it). Unfortunately I don't have another PCI slot in the pfSense computer, but I'm gonna try the same thing in another computer if I can find a suitable patient :).
    I'll report back how it goes.

    Thanks for the help so far, and keep up the good work!

    • Daniel

  • You might consider getting a multi-port PCI card; however, as your machine still has ISA slots I consider it quite old and maybe you should replace it anyway then ;)
