Transparent firewall with VLANs



  • I'm having a bit of an issue figuring out how to configure pfSense to function the way I would like it to (not even 100% sure it can).  I'm setting up a firewall that will be dividing my department at a university from the rest of the university network (we're bypassing all of their equipment to get a "straight" connection to the world). The campus network will be passing us 3 VLANs, which we then have to manage on our side as well. The basic layout is going to look like this.

    So far I have set the LAN interface to be bridged with the WAN, but can't access anything from the WAN IP, as the LAN IP is still acting as the main access address.  I have also added VLANs on both the LAN and WAN so that they function correctly (no clue if this is right).

    I'm pretty much lost, I have never dealt with VLANs before, or a firewall in this amount of detail.  I will fill any holes of information that are missing as well.

    Thanks in advance for the help!



  • I cannot figure out what the purpose is of having a pfSense box that acts as a simple "repeater" of both traffic and IPs. I guess you must have different IPs between LANs/VLANs and WANs to make pfSense manage them through the firewall.



  • Yes - I agree….

    You will have to figure out what to use to separate your VLANs (a switch perhaps that supports 802.1q).

    Or you use one port from their side to your WAN side and then route to your inside subnet using your own DHCP, i.e., your inside will not resemble their outside addressing and will be different. Then pfSense can work like it should: separate VLANs and examine data flow through your inside/outside addressing.
    Does this help?

    H.



  • What would be more beneficial is bandwidth; how much ppm do you intend to push?  Bandwidth you're working with?  It may be better to load balance over the three connections.  Can you give a better description of what is/will be done with this firewall/network setup?



  • At the current time our department is behind all the networking equipment that the university has in place; in turn this is keeping the department from doing what we need to do.  There is a traffic shaper in place that actually made it to where it took a student 5 days to download a 1MB document; the university has a 1Gb internet connection.  After talking to the IT department they have agreed to let us bypass all their equipment; the only thing is we have to have our own firewall. If we didn't we would be wide open on the internet.  Every switch that is on campus supports 802.1q, and our firewall box supports it as well.

    The setup is going to be one VLAN for labs (100+ machines), one for staff (25+), and one for servers (60+).  Once again, if there is any more information that is needed I will post it.

    The point of using the relay is to be able to bypass all the shapers; we have to use VLANs because the networks have already been put in place in an area that can't be redone.



  • @hmeister:

    Yes - I agree….

    You will have to figure out what to use to separate your VLANs (a switch perhaps that supports 802.1q).

    Or you use one port from their side to your WAN side and then route to your inside subnet using your own DHCP, i.e., your inside will not resemble their outside addressing and will be different. Then pfSense can work like it should: separate VLANs and examine data flow through your inside/outside addressing.
    Does this help?

    H.

    We can't change the IP subnets on our LAN side; they have to stay in the same range.



  • Would you like to load-balance over the three connections they are giving you?  Do you have to remain a transparent firewall to them?  Are the clients static or DHCP?  Do you need more specific rules/blocking on the lab machines?  What does each of the tiers (staff, lab, servers) need access to?



  • Load balancing isn't an option; all 3 VLANs are coming in on one connection. All I know is that we can't use NAT.  Lab and staff machines are DHCP, servers are static.  But the DHCP server runs on a separate machine. Lab machines are normally nothing special, unless there's a special project going on that will require outside communication.  All the lab and staff need to talk to the servers and that's about it.



  • I have only worked with a transparent setup with one interface per side.  I haven't done it with 3 in and 3 out before.  Maybe someone else knows a bit more than I do on what can and cannot be done in regards to transparent firewalling on multiple VLANs.



  • Thanks!  So far the best luck I've had is treating each VLAN interface as a physical interface and setting it up as if I was the WAN and LAN for the transparent instructions.
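The per-VLAN pairing described in the last post, written out at the FreeBSD level underneath pfSense, as an added example that is not part of the thread: one tagged subinterface per VLAN on each NIC and one bridge per VLAN joining the WAN-side and LAN-side copies, with filtering kept on the member interfaces. The NIC names (em0/em1) and VLAN IDs (100/200/300) are constructed placeholders; the thread does not give them. The script only prints the plan so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example: plan for a transparent (bridged) firewall that joins each
# tagged VLAN on the campus-facing NIC to the same VLAN on the department
# NIC. Interface names and VLAN IDs are constructed placeholders.
WAN_NIC="${WAN_NIC:-em0}"   # port facing the campus trunk
LAN_NIC="${LAN_NIC:-em1}"   # port facing the department switch

# Print (do not execute) the ifconfig commands for one VLAN ID.
# Args: VLAN id, bridge index. Output: one command per line.
plan_vlan_bridge() {
    vid="$1"; idx="$2"
    wan_if="${WAN_NIC}.${vid}"   # FreeBSD 12+ parent.vid VLAN naming
    lan_if="${LAN_NIC}.${vid}"
    echo "ifconfig ${wan_if} create"
    echo "ifconfig ${lan_if} create"
    # The bridge carries no IP address of its own: it forwards frames,
    # pf filters them, and the campus addressing passes through unchanged.
    echo "ifconfig bridge${idx} create"
    echo "ifconfig bridge${idx} addm ${wan_if} addm ${lan_if} up"
    echo "ifconfig ${wan_if} up"
    echo "ifconfig ${lan_if} up"
}

# Emit the full plan for every VLAN ID given as an argument.
plan_all() {
    idx=0
    for vid in "$@"; do
        plan_vlan_bridge "$vid" "$idx"
        idx=$((idx + 1))
    done
    # Filter on member interfaces (where each VLAN gets its own rule set),
    # not on the bridge interface itself.
    echo "sysctl net.link.bridge.pfil_member=1"
    echo "sysctl net.link.bridge.pfil_bridge=0"
}

# Sanity check: how many bridges does the plan create?
count_bridges() {
    plan_all "$@" | grep -c 'bridge[0-9]* create'
}

# Usage (three VLAN IDs from the campus side, constructed here):
#   plan_all 100 200 300          # review the printed plan first
```

In pfSense the same result is reached through the GUI (Interfaces > Assignments > VLANs and Bridges, with the filtering sysctls under System > Advanced); note that with this layout no bridge member needs an address, which is why a LAN IP on the bridged interface was getting in the way earlier in the thread.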

