    Clean Install with pfsense 2.0 using transparent firewall

    Problems Installing or Upgrading pfSense Software
    44 Posts 7 Posters 22.8k Views
      verylife78

      I tried to set up pfsense 2.0-RC1 (i386)
      my configuration follows this
      ISP(internet) --> Cisco router 3750 --> Cisco switch 2960 --> more than one pc
      ISP(internet) --> Cisco router 3750 --> pfsense 2.0-RC1 (i386) --> Cisco switch 2960 --> more than one pc
      Setup was ok
      LAN card is xl0 and is connected to the Cisco switch through the network and has 10.169.92.30
      WAN card is sis0 and is in LINK DOWN state.
      I have set up the gateway at 10.169.92.1; my range is 10.169.92.1/22, meaning 10.169.92.xxx - 10.169.95.xxx
      DHCP is disabled since there is a DHCP server on the network
      I tried to connect to the router with a normal UTP cable and with a crossover; nothing worked in both cases (no traffic from pfsense to the internet, nor from the pc to the internet).
      Firewall rules are left as is, there was nothing to add or remove.
      What am I doing wrong???
      If anyone can help me please

      ps. I am starting a new topic since "Cry Havok" wrote
      "Please don't post unrelated questions in somebody else's topic - start your own topic and it'll be easier to help you without confusion.
      When you do that, don't forget to give us more information. All you've said is that "nothing worked" - but not what you mean by that. Knowing all the IP ranges in use would be helpful too."

      I said that the ip range is 10.169.92.1/22, my gateway is 10.169.92.1, my pfsense LAN card is 10.169.92.30, WAN card is 10.169.92.31.

        Metu69salemi

        You're having the same subnet on both sides of pfsense? Do you have NAT turned on?

          verylife78

          Yes, both interfaces share the same subnet. Don't know if this is correct but I can't change either side.
          NAT is at the Outbound tab: "Automatic outbound NAT rule generation (IPsec passthrough included)"
          Everything else is blank
          thanks

            Metu69salemi

            Okay.. I'm not sure how pfsense is going to behave, but what I've learned from the past (D-Link, etc.) is that this configuration isn't preferred if you have NAT on.
            Are you trying to run some rule filtering or a transparent proxy or what?

              verylife78

              As I said, it was a clean install. So everything is at the default state.
              The only things that I have set up are the two network cards, the IPs for them and the gateway, for which I created (or added, whichever term you prefer) a new gateway.
              NAT, firewall rules and packages are left as is, from the setup procedure.
              So I think that the answer to the last question "Are you trying to run some rule filtering or transparent proxy or what?" is No.
              Later on we need to do rule filtering and set up a proxy, e.g. squid, but for now we want it to act just as a firewall.
              thanks for the reply

                Cry Havok

                You can't put the same subnet on 2 interfaces and expect routing etc to work. Unless you really know what you're doing you must keep the subnets different.

                  verylife78

                  It's a public network so nothing can be changed.
                  My gateway is 10.169.92.1, my DHCP range given from the public network is 10.169.92.1/22 and it is served by a DHCP server inside the company.
                  I need to set up pfsense 2.0 with these settings. PLEASE can anybody provide any help?
                  LAN card is set to 10.169.92.30/22 as already written.

                  ps. with pfsense 1.3 it was working fine, but the machine broke and we have no support from that person

                    Cry Havok

                    If it worked before then either you weren't using your entire /22 on both interfaces or it was set up as a transparent firewall. You really need to find out how it used to be set up so that we can help you duplicate the configuration.

                      verylife78

                      We were using the entire /22 on both interfaces; in fact both cards had the same IPs as they have now.
                      But I think it was working as a transparent firewall.

                      ps. on a quest for the truth I have found this http://pfsense.trendchiller.com/transparent_firewall.pdf
                      Followed all the steps, but now I can't connect pfsense to the network because it is working hours… so I can't test it now

                        Cry Havok

                        It does sound like it was set as a transparent firewall before, that's the only way that would have worked.

                        Do please be aware that that guide you linked to is for a pre-release of V1.0 of pfSense. Things have changed significantly since and following it blindly may cause you major problems.

                          verylife78

                          @Cry:

                          It does sound like it was set as a transparent firewall before, that's the only way that would have worked.

                          Do please be aware that that guide you linked to is for a pre-release of V1.0 of pfSense. Things have changed significantly since and following it blindly may cause you major problems.

                          I found it at the support page; yes, things have changed, but I can't find a newer one. Hope I did the settings correctly.

                            wallabybob

                            Is it possible to recover the configuration file from the system that broke?

                              verylife78

                              :( unfortunately no, because the system disk crashed
                              @Cry Havok is there a practical guide on how to make the firewall transparent, and where?

                                Cry Havok

                                I assume you've already checked the pfSense documentation? I'd expect that the pfSense book covers it, but otherwise I don't know.

                                  wallabybob

                                  Even if your configuration is correct it is not going to be able to do much that is useful while
                                  @verylife78:

                                  WAN card is sis0 and is in LINK DOWN state.
                                  . . .
                                  I tried to connect to the router with a normal UTP cable and with a crossover; nothing worked in both cases (no traffic from pfsense to the internet, nor from the pc to the internet).

                                  Is your WAN link still down? Maybe the pfSense WAN interface or the corresponding Cisco interface or the cable between them is broken.

                                  @verylife78:

                                  It's a public network so nothing can be changed.

                                  The 10.x.x.x addresses are PRIVATE addresses as far as the Internet is concerned. Maybe that makes a difference in respect to what can be changed.

                                    verylife78

                                    @wallabybob
                                    You went way back… with the quote reply.
                                    The WAN card is not in DOWN state any more, since I followed the instructions for the transparent firewall.
                                    I said public network, maybe I misused the word "public". I know these 10.xxx.xxx.xxx addresses are private, but we are using this range in the government (public) buildings.
                                    I have attached the start page in order to understand.
                                    Now the only cable that is connected is the one at the LAN card, but I have followed the instructions in order to set up the transparent firewall.
                                    Hope I made myself clear and sorry for any language mistakes, my native language is Greek.
                                    Waiting for an answer.

                                    pfsense_start_page.jpg

                                      wallabybob

                                      @verylife78:

                                      I said public network, maybe I misused the word "public". I know these 10.xxx.xxx.xxx addresses are private, but we are using this range in the government (public) buildings.

                                      It is important to get public/private distinction clear when it comes to deciding how to set the per-interface settings of Block private networks (e.g. Interfaces -> LAN, scroll down to private networks). I presume you have it unchecked. But can you explain why the firewall is blocking the LAN traffic shown in the screen capture of the previous reply?

                                      @verylife78:

                                      Hope I made myself clear and sorry for any language mistakes, my native language is Greek.

                                      Your English is way better than my Greek :)

                                        stephenw10 Netgate Administrator

                                        I assume it was this guide that you followed?
                                        http://pfsense.trendchiller.com/transparent_firewall.pdf

                                        Looking at your screen grab I see that your firewall is blocking traffic on LAN all of which is coming from a different subnet. If you have only the default LAN allow rule you will have to edit it or add more rules to allow traffic from a different subnet.

                                        What is working at the moment?

                                        Steve

                                          verylife78
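The point Steve makes above (the default LAN rule only passes traffic whose source is in "LAN net", so hosts from another subnet fall through to the "Default deny rule" seen in the log), and Cry Havok's earlier warning about putting one subnet on two interfaces, modelled as an added example that is not code from the thread or from pfSense itself. The rule set, interface name and sample source addresses are constructed here from the thread's details; pfSense's real rule evaluation is in pf, not this script.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network

# Constructed from the thread: the LAN interface xl0 is 10.169.92.30/22,
# so "LAN net" is 10.169.92.0/22 (10.169.92.0 - 10.169.95.255).
LAN_NET = ip_network("10.169.92.30/22", strict=False)

@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    iface: str         # interface the rule is bound to, "any" for all
    src: IPv4Network   # source network the rule matches
    label: str

# Modelled on a default pfSense LAN: one "LAN net -> any" pass rule, then
# the implicit catch-all that produced the log line quoted in the thread.
DEFAULT_RULES = [
    Rule("pass", "xl0", LAN_NET, "Default allow LAN to any rule"),
    Rule("block", "any", ip_network("0.0.0.0/0"), "Default deny rule"),
]

def evaluate(rules, iface, src):
    """Return (action, label) of the first rule matching a packet entering
    `iface` from `src`; pfSense rules are first-match, so the first hit wins."""
    addr = ip_address(src)
    for rule in rules:
        if rule.iface not in ("any", iface):
            continue
        if addr in rule.src:
            return rule.action, rule.label
    raise RuntimeError("rule set has no catch-all")

def same_subnet(a: str, b: str) -> bool:
    """True when two interface addresses (CIDR) lie in one network,
    the setup Cry Havok warned will not route correctly."""
    return ip_network(a, strict=False) == ip_network(b, strict=False)

if __name__ == "__main__":
    print(LAN_NET, "spans", LAN_NET[0], "to", LAN_NET[-1])
    for src in ("10.169.93.5", "192.168.1.10"):
        print(src, "->", evaluate(DEFAULT_RULES, "xl0", src))
    # A pass-any rule placed ahead of the deny, as Steve suggests, lets the
    # foreign-subnet traffic through.
    opened = [Rule("pass", "xl0", ip_network("0.0.0.0/0"), "Allow any on LAN")] + DEFAULT_RULES
    print("192.168.1.10 with extra rule ->", evaluate(opened, "xl0", "192.168.1.10"))
    print("LAN and WAN in one subnet:", same_subnet("10.169.92.30/22", "10.169.92.31/22"))
```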

                                          At the moment, because we depend 100% on the web, I can't do any tests.
                                          But last night (now it's morning time) when I plugged in the pfsense box, NOTHING passed through, all the internet activity was blocked. But from my pc when I ping the router (gateway) at 10.169.92.1 it replies back, but when I enter a url in the browser, the page does not load. Also the network icon (Win7) has a yellow triangle, no internet connection.
                                          Probably some firewall rules are blocking everything.
                                          First I need to allow everything in order for it to work, and then I could start blocking.
                                          When I check the logs everything is blocked.
                                          The actions that triggered the block are
                                          1. @1 scrub in on xl0 all fragment reassemble
                                          2. @1 block drop in log all label "Default deny rule"
                                          Which is the default deny rule that always applies?
                                          I am attaching 2 images of the rules at the WAN and LAN card. One I added myself from the logs.

                                          pfsense_lan.jpg
                                          pfsense_wan.jpg

                                            Cry Havok

                                            Please try disabling the 2 blocking rules.
