Clean Install with pfsense 2.0 using transparent firewall



  • I tried to set up pfsense 2.0-RC1 (i386)
    My configuration follows this:
    ISP(internet) --> Cisco router 3750 --> Cisco switch 2960 --> more than one pc
    ISP(internet) --> Cisco router 3750 --> pfsense 2.0-RC1 (i386) --> Cisco switch 2960 --> more than one pc
    Setup was OK.
    LAN card is xl0 and is connected to the Cisco switch through the network and has 10.169.92.30
    WAN card is sis0 and is in LINK DOWN state.
    I have set up the gateway at 10.169.92.1; my range is 10.169.92.1/22, meaning 10.169.92.xxx - 10.169.95.xxx
    DHCP is disabled since there is a DHCP server on the network.
    I tried to connect with the router with a normal UTP cable and with a crossover; nothing worked in both cases (no traffic from pfsense to the internet, nor from the pc to the internet).
    Firewall rules are left as is, nothing was added or removed.
    What am I doing wrong???
    If anyone can help me, please.

    ps. I am starting a new topic since "Cry Havok" wrote
    "Please don't post unrelated questions in somebody else's topic - start your own topic and it'll be easier to help you without confusion.
    When you do that, don't forget to give us more information. All you've said is that "nothing worked" - but not what you mean by that. Knowing all the IP ranges in use would be helpful too. "

    I said that the ip range is 10.169.92.1/22 my gateway is 10.169.92.1 my pfsense LAN card is 10.169.92.30, WAN card is 10.169.92.31.



  • Do you have the same subnet on both sides of pfsense? Do you have NAT turned on?



  • Yes, both interfaces share the same subnet. I don't know if this is correct, but I can't change either side.
    NAT is at the Outbound tab: "Automatic outbound NAT rule generation (IPsec passthrough included)"
    Everything else is blank.
    Thanks



  • Okay... I'm not sure how pfsense is going to behave, but what I've learned from the past (D-Link, etc.) is that this configuration isn't preferred if you have NAT on.
    Are you trying to run some rule filtering or a transparent proxy or what?



  • As I said, it was a clean install. So everything is at the default state.
    The only thing that I have set up is the two network cards, the IPs for them and the gateway, for which I created (or added, whichever term you prefer) a new gateway.
    NAT, firewall rules and packages are left as is from the setup procedure.
    So I think that the answer to the last question, "Are you trying to run some rule filtering or transparent proxy or what?", is No.
    Later on we need to do rule filtering and set up a proxy, e.g. squid, but for now we want it to act just as a firewall.
    Thanks for the reply



  • You can't put the same subnet on 2 interfaces and expect routing etc to work. Unless you really know what you're doing you must keep the subnets different.



  • It's a public network, so nothing can be changed.
    My gateway is 10.169.92.1; my DHCP range, given from the public network, is 10.169.92.1/22 and is handled by a DHCP server inside the company.
    I need to set up pfsense 2.0 with these settings. PLEASE can anybody provide any help? ??? ???
    LAN card is set to 10.169.92.30/22, as I already wrote.

    ps. with pfsense 1.3 it was working fine, but the machine broke and we have no support from this person.



  • If it worked before then either you weren't using your entire /22 on both interfaces or it was set up as a transparent firewall. You really need to find out how it used to be set up so that we can help you duplicate the configuration.



  • We were using the entire /22 on both interfaces; in fact both cards had the same IPs as they have now.
    But I think it was working as a transparent firewall.

    ps. on a quest for the truth I have found this: http://pfsense.trendchiller.com/transparent_firewall.pdf
    I followed all the steps, but now I can't connect pfsense to the network because it is working hours... so I can't test it now.



  • It does sound like it was set as a transparent firewall before, that's the only way that would have worked.

    Do please be aware that that guide you linked to is for a pre-release of V1.0 of pfSense. Things have changed significantly since and following it blindly may cause you major problems.



  • @Cry:

    It does sound like it was set as a transparent firewall before, that's the only way that would have worked.

    Do please be aware that that guide you linked to is for a pre-release of V1.0 of pfSense. Things have changed significantly since and following it blindly may cause you major problems.

    I found it at the support page. Yes, things have changed, but I can't find a newer one. I hope I did the settings correctly.



  • Is it possible to recover the configuration file from the system that broke?



  • :( Unfortunately no, because the system disk crashed.
    @Cry Havok, is there a practical guide for making the firewall transparent??? And where?



  • I assume you've already checked the pfSense documentation? I'd expect that the pfSense book covers it, but otherwise I don't know.



  • Even if your configuration is correct it is not going to be able to do much that is useful while
    @verylife78:

    WAN card is sis0 and is in LINK DOWN state.
    . . .
    I tried to connect with the router with a normal UTP cable and with a crossover; nothing worked in both cases (no traffic from pfsense to the internet, nor from the pc to the internet).

    Is your WAN link still down? Maybe the pfSense WAN interface or the corresponding Cisco interface or the cable between them is broken.

    @verylife78:

    It's a public network, so nothing can be changed.

    The 10.x.x.x addresses are PRIVATE addresses as far as the Internet is concerned. Maybe that makes a difference in respect to what can be changed.



  • @wallabybob
    You went way back... with the quote reply.
    The WAN card is not in DOWN state since I followed the instructions for the transparent firewall.
    I said public network; maybe I misused the word "public". I know these 10.xxx.xxx.xxx addresses are private, but we are using this range in the government (public) buildings.
    I have attached the start page in order to understand.
    Now the only cable that is connected is the one at the LAN card, but I have followed the instructions in order to set up the transparent firewall.
    I hope I made myself clear, and sorry for any language mistakes; my native language is Greek.
    Waiting for an answer.




  • @verylife78:

    I said public network; maybe I misused the word "public". I know these 10.xxx.xxx.xxx addresses are private, but we are using this range in the government (public) buildings.

    It is important to get public/private distinction clear when it comes to deciding how to set the per-interface settings of Block private networks (e.g. Interfaces -> LAN, scroll down to private networks). I presume you have it unchecked. But can you explain why the firewall is blocking the LAN traffic shown in the screen capture of the previous reply?

    @verylife78:

    I hope I made myself clear, and sorry for any language mistakes; my native language is Greek.

    Your English is way better than my Greek  :)


  • Netgate Administrator

    I assume it was this guide that you followed?
    http://pfsense.trendchiller.com/transparent_firewall.pdf

    Looking at your screen grab I see that your firewall is blocking traffic on LAN all of which is coming from a different subnet. If you have only the default LAN allow rule you will have to edit it or add more rules to allow traffic from a different subnet.

    What is working at the moment?

    Steve



  • At the moment, because we depend 100% on the web, I can't do any tests.
    But last night (now it's morning) when I plugged in the pfsense box, NOTHING passed through; all the internet activity was blocked. From my pc, when I ping the router (gateway) at 10.169.92.1 it replies back, but when I enter a URL in the browser, the page does not load. Also the network icon (Win7) has a yellow triangle: no internet connection.
    Probably some firewall rules block everything.
    First I need to allow everything in order to work, and then I could start blocking.
    When I check the logs, everything is blocked.
    The actions that triggered the block are
    1. @1 scrub in on xl0 all fragment reassemble
    2. @1 block drop in log all label "Default deny rule"
    Which is the default deny rule that always applies?
    I am attaching 2 images of the rules at the WAN and LAN cards. One I added myself from the logs.






  • Please try disabling the 2 blocking rules.



  • @Cry:

    Please try disabling the 2 blocking rules.

    Do those blocking rules come from enabling Block private networks on the corresponding interface?



  • @CryHavok, which 2 blocking rules do I have to disable?
    @wallabybob, block private networks is Disabled on both LAN and WAN interfaces, because my network is 10.xxx.xxx.xxx, but block bogon networks is Enabled.
    Thanks for the help, people. My organization, if the firewall works, will not spend 8.500 euro for a firewall appliance.



  • You only have 2 blocking rules - the ones with the red boxes next to them.



  • If you have a bogon network on both sides, isn't that against the block bogon rules, like Cry Havok is trying to say? ???



  • Recently I read news that all IPv4 addresses had been allocated to regional NICs. That would seem to mean that there are no bogon networks. This suggests that "block bogon networks" might be in untested territory. (I'm not familiar with the internals of the firewall. In a firewall rule "empty set" might have the same representation as "don't care" which, in the displayed rules, would end up blocking everything.)

    I suggest you also disable the Block bogon networks and see what happens to your firewall rules, traffic and firewall logs. You will probably also need to reset the firewall states to make sure the rule changes take effect.



  • The (as tracked by Team Cymru) bogon list still contains a number of IP ranges, so it isn't empty:

    0.0.0.0 255.0.0.0
    10.0.0.0 255.0.0.0
    127.0.0.0 255.0.0.0
    169.254.0.0 255.255.0.0
    172.16.0.0 255.240.0.0
    192.0.0.0 255.255.255.0
    192.0.2.0 255.255.255.0
    192.168.0.0 255.255.0.0
    198.18.0.0 255.254.0.0
    198.51.100.0 255.255.255.0
    203.0.113.0 255.255.255.0
    224.0.0.0 224.0.0.0



  • Interesting. It seems bogon is not well defined. Wikipedia says (in http://en.wikipedia.org/wiki/Bogon_filtering): "Bogons are not the same as reserved private address ranges, such as 10.x.x.x and 192.168.x.x, which are reserved for private networks."

    How does pfSense define bogons?



  • I disabled all the bogon options and decided to do a reboot.  :P
    The system rebooted and I see the logon screen, but I can't connect to the pfsense machine, nor can I ping the router or any other IP on my network from the pfsense machine.
    Any ideas??

    ps. I did all the obvious checks: the cable, whether the port is OK, whether the switch port is OK, whether the switch is OK; the LAN card has both lights, amber is on and green is flashing.



  • Have you acted on this observation:
    @stephenw10:

    Looking at your screen grab I see that your firewall is blocking traffic on LAN all of which is coming from a different subnet. If you have only the default LAN allow rule you will have to edit it or add more rules to allow traffic from a different subnet.

    Start with the simplest configuration: can you connect to the web GUI from a machine on the same subnet as your LAN interface? If not, how are you trying to connect? (ssh?, http? ping? etc) What response do you get? (timeout? no route to host? etc) Can you connect (by ssh, ping, telnet etc) from the pfSense console to a machine on the same subnet as your LAN interface?

    Does it make a difference if you specify the target of the connect attempt by IP address rather than name (or name rather than IP address)?

    In short, a bit more information about what you are trying to do and where you are trying to do it would help those attempting to help you solve the problem. The information about cables and NIC lights was useful.



  • The problem is that when I define a static IP at the WAN interface, after I reboot I can't access the web GUI, nor ssh. From the machine I can't ping anything.
    BUT when I change the static WAN IP to dynamic, everything is OK.
    I still haven't moved the machine to its place, so it is not connected to the router.



  • If this is a transparent firewall, why are you assigning IP addresses to the LAN and WAN interfaces? A transparent firewall doesn't have IP addresses on its LAN or WAN.



  • @Cry:

    If this is a transparent firewall, why are you assigning IP addresses to the LAN and WAN interfaces? A transparent firewall doesn't have IP addresses on its LAN or WAN.

    Yes, this is going to work as a transparent firewall...
    Do you mean that I don't have to set up an IP on LAN or WAN? And then how am I going to access the web GUI?



  • Traditionally through a third interface.



  • Am I going to assign a DHCP type of connection at both LAN and WAN?
    Can you be more specific about what needs to be done?



  • The traditional method of managing a transparent firewall is to have 3 interfaces. Two are used for the transparent firewall, neither have IP addresses. The third is used for management and has an IP address.

    I haven't done this with 2.0 so can't say for certain that this is how you have to manage 2.0 in transparent mode.

    It would probably be sensible at this point for you to complete your testing using a virtual environment. Then you don't have to keep interrupting the network traffic to find out if your latest change has worked.


  • Netgate Administrator

    Something like this? http://doc.m0n0.ch/handbook/examples-filtered-bridge.html

    I'd have to experiment with the bridging in 2.0 to try and setup something like that.

    Steve

    Edit: Actually reading through that m0n0wall guide it's almost identical to the pfSense transparent firewall guide.



  • I think something like this.
    But I am not sure if transparent firewall has the same meaning as filtered bridge. At the beginning it explains that it is usually used as a DMZ, but more frequently it is used for protecting servers where there are no LAN hosts.

    I attached an image.
    Now the WAN and OPT interfaces are bridged and the web GUI is accessible through the LAN interface at 10.169.92.30/22. Is that correct? If I set an IP at the OPT interface I can't access pfsense; that's why WAN and OPT don't have an IP and LAN has.
    I need to set the firewall rules so that all the traffic that comes from WAN is guided to the OPT interface.



  • A filtering bridge is another phrase for a transparent firewall.

    The 2 bridged interfaces shouldn't have IP addresses and only the management interface (which isn't used to route traffic) should have an IP.



  • But both guides, for m0n0wall and pfsense, say that the interfaces have an IP address, whereas you advised me that both interfaces should not have an IP, except the LAN that is used for management. Finally, which is correct?
    And if I connect the WAN interface to the router and the OPT1 interface to my network, and I control pfsense through the LAN interface, is this correct, or can pfsense understand that the traffic should be guided from WAN to LAN and vice versa?
    Please answer me, thanks



  • Anybody? ???? People... please!

