Transparent Firewall - Setup



  • Hi

    Very new to this and am trying to set up a transparent firewall within our subnet to have certain hosts sit behind it so that traffic can be filtered inbound and outbound to those hosts behind the bridge.

    Currently we have a single /25 subnet 172.29.243.128 255.255.255.128
    Gateway is 172.29.243.254

    All our internal PC/servers obviously route internet traffic out through the gateway fine.

    We are looking at PCI requirements and I want to put a transparent firewall/bridge in place so I don't have to change any addressing and can filter traffic to/from the DB servers that will eventually sit behind it.

    I have set pfSense up as per the doc I found and can get to the GUI on 172.29.243.205 (WAN interface). I set the LAN interface to 172.29.243.206. I've got a test PC sitting on the LAN interface at the moment; it can get a DHCP address from our LAN server (on the WAN interface) fine, it is able to ping all existing PCs and servers, and it can also browse out to the internet via the network gateway on 172.29.243.254.

    Problem is I cannot get any traffic from our normal network back through the pfSense WAN interface to the test PC sitting on the LAN interface. I have rules set as any - any on both interfaces.

    Any help very much appreciated.



  • I'm not understanding what you are trying to do - can you clarify? Also, it's a bad idea to put an IP on both the LAN and WAN interfaces, especially in the same subnet. If it is really to be a transparent firewall, just put an IP on the LAN?



  • Simply trying to have a couple of servers in the subnet sit behind a transparent firewall so that traffic to/from the servers can be controlled via rules. Don't want to change any IP addressing and simply have everything remain in the same subnet.

    FYI the setup doc I followed for this (trendchiller) showed IP addresses for both LAN and WAN on same subnet



  • You shouldn't have both interfaces in the same subnet, though.



  • FYI the setup doc I followed for this (trendchiller) showed IP addresses for both LAN and WAN on same subnet. It says the LAN IP is ignored when you enter bridged mode so it doesn't matter what you put in.



  • Well, I suppose if they are bridged it is okay. Why do you need two IPs, though?



  • I don't need two IPs.

    I simply want a management IP to get to pfSense.



  • So put one on the LAN and none on the WAN. That said, what I was asking for before was a clarification as to what your problem is. It is not very understandable as phrased, e.g. what you are trying to do, what is working and what is not.



  • Following the doc I can get things set up so that the server behind pfSense can get to the rest of the subnet fine. The server is on the LAN interface and the rest of the network is on the WAN interface. Problem is I cannot get traffic back the other way, i.e. none of the rest of the network can get back through pfSense to the server even though there is an Any - Any rule set up on BOTH the LAN and WAN interfaces.



  • Ah, OK, now I understand, sorry for being dense. I am wondering - the WAN has the default "block RFC1918 addresses" deal - is that still checked? I note you have a private range, and I think those checkboxes set rules that you don't normally see, and I think they might come first before your allow-all. If so, try unchecking that?

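The reply above hinges on rule ordering: pf evaluates a ruleset top to bottom with last-match-wins semantics, except that a rule carrying `quick` ends evaluation immediately. Below is an added example, not from the original thread or from pfSense, that models that evaluation over a small hand-written ruleset in the style of `/tmp/rules.debug`. The interface names `em0` (WAN) and `em1` (LAN), the test addresses, and the assumption that pfSense emits its "block private networks" rules with `quick` ahead of the user's rules are all constructed for illustration; the point it demonstrates is that a hidden `block ... quick` for 172.16.0.0/12 swallows any 172.29.x.x packet arriving on WAN before a later `pass in on em0 from any to any` is ever considered, which matches the one-way symptom in the thread.

```python
import ipaddress

# Constructed ruleset modelled on what pfSense writes when "Block private
# networks" is ticked on WAN (assumption: those rules are emitted with "quick"
# and placed ahead of the user-defined any/any rules). em0 = WAN, em1 = LAN.
RULES_WITH_RFC1918_BLOCK = """
block in log quick on em0 from 10.0.0.0/8 to any
block in log quick on em0 from 172.16.0.0/12 to any
block in log quick on em0 from 192.168.0.0/16 to any
pass in on em0 from any to any
pass in on em1 from any to any
"""

# Same ruleset with the checkbox cleared: only the user's any/any rules remain.
RULES_RFC1918_UNCHECKED = """
pass in on em0 from any to any
pass in on em1 from any to any
"""

# Constructed contrast case: the same block rule WITHOUT "quick". Under pf's
# last-match-wins rule the later pass-all overrides it.
RULES_NON_QUICK_BLOCK = """
block in log on em0 from 172.16.0.0/12 to any
pass in on em0 from any to any
"""


def parse_rule(line):
    """Parse the simplified pf grammar used in the constructed rulesets above:
    <block|pass> <in|out> [log] [quick] on <iface> from <src> to <dst>."""
    toks = line.split()
    return {
        "action": toks[0],
        "dir": toks[1],
        "quick": "quick" in toks,
        "iface": toks[toks.index("on") + 1],
        "src": toks[toks.index("from") + 1],
        "dst": toks[toks.index("to") + 1],
    }


def _addr_matches(spec, addr):
    """'any' matches everything; otherwise treat spec as an IPv4/IPv6 prefix."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(ruleset, iface, direction, src, dst):
    """Return (verdict, index_of_winning_rule) using pf semantics:
    every matching rule overrides the previous verdict (last match wins),
    unless a matching rule is 'quick', which stops evaluation at once.
    With no matching rule pf's default is to pass."""
    verdict, winner = "pass", None
    lines = [l for l in ruleset.strip().splitlines() if l.strip() and not l.startswith("#")]
    for i, line in enumerate(lines):
        r = parse_rule(line)
        if r["iface"] != iface or r["dir"] != direction:
            continue
        if not (_addr_matches(r["src"], src) and _addr_matches(r["dst"], dst)):
            continue
        verdict, winner = r["action"], i
        if r["quick"]:
            break
    return verdict, winner


# Constructed hosts from the thread's /25: a PC on the WAN side of the bridge
# and the test PC sitting behind the LAN interface.
WAN_SIDE_PC = "172.29.243.10"
LAN_SIDE_PC = "172.29.243.200"


def lan_to_wan_verdict(ruleset):
    """Test PC behind the bridge talking out to the rest of the subnet."""
    return evaluate(ruleset, "em1", "in", LAN_SIDE_PC, WAN_SIDE_PC)


def wan_to_lan_verdict(ruleset):
    """Rest of the subnet trying to reach the test PC through the WAN interface."""
    return evaluate(ruleset, "em0", "in", WAN_SIDE_PC, LAN_SIDE_PC)


if __name__ == "__main__":
    for name, rs in (("RFC1918 block on", RULES_WITH_RFC1918_BLOCK),
                     ("RFC1918 block off", RULES_RFC1918_UNCHECKED),
                     ("non-quick block", RULES_NON_QUICK_BLOCK)):
        print(name, "LAN->WAN:", lan_to_wan_verdict(rs), "WAN->LAN:", wan_to_lan_verdict(rs))
```

Running it shows the asymmetry from the thread: LAN-to-WAN passes on the em1 rule in every case, while WAN-to-LAN is blocked by the 172.16.0.0/12 `quick` rule (index 1) until that rule is removed. The non-quick variant is included to make the mechanism explicit: the same block rule without `quick` loses to the later pass-all, so the hidden rules only matter because pfSense marks them `quick`.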


  • No, I unchecked these as per the setup doc.

    http://pfsense.trendchiller.com/transparent_firewall.pdf

    Based on the date of the doc it seems that it was created for a much earlier version of pfSense. I wonder if there are other changes that need to happen with the v1.2.3 I'm using.



  • Can you post /tmp/rules.debug?

