Clean Install with pfsense 2.0 using transparent firewall
-
I tried to setup pfsense 2.0-RC1 (i386)
my configuration follow this
ISP(internet) –> Cisco router 3750 --> Cisco switch 2960 --> more than one pc
ISP(internet) --> Cisco router 3750 --> pfsense 2.0-RC1 (i386) --> Cisco switch 2960 --> more than one pc
Setup was ok
Lan card is xl0 and is connected to the cisco switch through network and has 10.169.92.30
Wan card is sis0 and is LINK DONW state.
I have setup the gateway at 10.169.92.1 my range is 10.169.92.1/22 meaning 10.169.92.xxx - 10.169.95.xxx
DHCP is disable since there is a DHCP server on the network
I tried to connect with the router with normal UTP cable and with an crossover, nothing worked on both cases. (no trafic from pfsense to internet, neither from pc to internet).
Firewall rules are left as is, nothing was to add or remove.
What am I doing wrong???
If anyone can help me pleaseps. I am staring new topic since "Cry Havok" wrote
"Please don't post unrelated questions in somebody else's topic - start your own topic and it'll be easier to help you without confusion.
When you do that, don't forget to give us more information. All you've said is that "nothing worked" - but not what you mean by that. Knowing all the IP ranges in use would be helpful too. "I said that the ip range is 10.169.92.1/22 my gateway is 10.169.92.1 my pfsense LAN card is 10.169.92.30, WAN card is 10.169.92.31.
-
you're having same subnet both sides of pfsense? Do you have nat turned on?
-
yes both interfaces share the same subnet? Don't know if this is correct but I can't change either side
Nat is at Outbound tab "Automatic outbound NAT rule generation(IPsec passthrough included)"
erything else is blank
thanks -
Okay.. I'm not sure how pfsense is going to behave but, what i've learn from the past(d-link, etc) that this configuration isn't preferred if you're having nat on.
Are you trying to run some rule filtering or transparent proxy or what? -
As I said, it was a clean install. So everything is at the default state.
The only thing that I have set up, is the two network cards, the IP's for them and the gateway, which I created(or add which ever term you prefer) a new gateway.
Nat, firewall rules and packages are left as is, from the setup procedure.
So I think that the answer to the last question "Are you trying to run some rule filtering or transparent proxy or what?" is No.
Later on we need to do rule filtering and set up a proxy eg squid, but now we want to act just as firewall.
thanks for the reply -
You can't put the same subnet on 2 interfaces and expect routing etc to work. Unless you really know what you're doing you must keep the subnets different.
-
It's a public network so nothing can be change.
My gateway is 10.169.92.1 my DHCP range given from the public network is 10.169.92.1/22 and is executed by an DHCP server inside the company.
I need to setup pfsense 2.0 with these settings. PLEASE can anybody provide any help? ??? ???
Lan card is set to 10.169.92.30/22 as already wrote.ps with pfsense 1.3 was working fine but the machine broke and we have no support from this person
-
If it worked before then either you weren't using your entire /22 on both interfaces or it was set up as a transparent firewall. You really need to find out how it used to be set up so that we can help you duplicate the configuration.
-
we were using the entire /22 on both interfaces, infact both cards had the same IP's as they have now.
but I think it was working as transparent firewallps. on a quest for the truth I have found this http://pfsense.trendchiller.com/transparent_firewall.pdf
Followed all the steps but no I can't connect pfsense to network because is working hour…so I can't test it now -
It does sound like it was set as a transparent firewall before, that's the only way that would have worked.
Do please be aware that that guide you linked to is for a pre-release of V1.0 of pfSense. Things have changed significantly since and following it blindly may cause you major problems.
-
@Cry:
It does sound like it was set as a transparent firewall before, that's the only way that would have worked.
Do please be aware that that guide you linked to is for a pre-release of V1.0 of pfSense. Things have changed significantly since and following it blindly may cause you major problems.
I found it at the support page, yes things have change but I can't find a newer one. Hope I did the settings correct.
-
Is it possible to recover the configuration file from the system that broke?
-
:( unfortunately no because the system disk crashed
@Cry Havok is there a practical guide in order to do the firewall transparent??? and where ? -
I assume you've already checked the pfSense documentation? I'd expect that the pfSense book covers it, but otherwise I don't know.
-
Even if your configuration is correct it is not going to be able to do much that is useful while
@verylife78:Wan card is sis0 and is LINK DONW state.
. . .
I tried to connect with the router with normal UTP cable and with an crossover, nothing worked on both cases. (no trafic from pfsense to internet, neither from pc to internet).Is your WAN link still down? Maybe the pfSense WAN interface or the corresponding Cisco interface or the cable between them is broken.
It's a public network so nothing can be change.
The 10.x.x.x addresses are PRIVATE addresses as far as the Internet is concerned. Maybe that makes a difference in respect to what can be changed.
-
@wallabybob
You went way back…. with the quote reply
WAN card is not at DOWN state since I follow the instructions for the transparent firewall
I said public network, maybe I misused the word "public". I know this address 10.xxx.xxx.xxx are private, but we are using this range in the government (public) buildings
I have attached the start page in order to understand.
Now the only cable that is connected is the one at LAN card, but I have followed the instructions in order to setup the transparent firewall.
Hope I made my self clear and sorry for any language mistakes, my native language is Greek.
Waiting for an answer.
-
I said public network, maybe I misused the word "public". I know this address 10.xxx.xxx.xxx are private, but we are using this range in the government (public) buildings
It is important to get public/private distinction clear when it comes to deciding how to set the per-interface settings of Block private networks (e.g. Interfaces -> LAN, scroll down to private networks). I presume you have it unchecked. But can you explain why the firewall is blocking the LAN traffic shown in the screen capture of the previous reply?
Hope I made my self clear and sorry for any language mistakes, my native language is Greek.
Your english is way better than my Greek :)
-
I assume it was this guide that you followed?
http://pfsense.trendchiller.com/transparent_firewall.pdfLooking at your screen grab I see that your firewall is blocking traffic on LAN all of which is coming from a different subnet. If you have only the default LAN allow rule you will have to edit it or add more rules to allow traffic from a different subnet.
What is working at the moment?
Steve
-
at the moment because we are depending 100% from the web I can't do any tests
But last night (now it's morning time) when I plugin the pfsense box, NOTHING pass through, all the internet activity was blocked. But from my pc when I ping the router(gateway) at 10.169.92.1 it reply back, but when I enter a url address at the browser, the page is not loading. Also the network icon (Win7) it has a yellow triangle, no internet connection.
Probably some firewall rules block everything.
First I need to allow everything in order to work, and then I could start blocking.
When I check at the logs everything is blocked.
The action that triggered the block action is
1. @1 scrub in on xl0 all fragment reassemble
2. @1 block drop in log all label "Default deny rule"
Which is the default deny rule that applies always?
I am attaching 2 images from the rules at WAN and LAN card. One I added my self from the logs
-
Please try disabling the 2 blocking rules.
