Transparent Bridge Filtering with Public IPs on 2.0-RC1 [Resolved]



  • Hi everyone.

    Does anyone know the steps involved to turn pfSense in to a firewall for public IPs only with no NAT. There is a PDF guide out there but it was for the 1.2.3 version.

    This would be on 2.0-RC1

    Public IPs/Cisco Router -> pfsense -> Public IPs on LAN

    Basically, just need it to be able to firewall public IPs and use the limiter for bandwidth. Can't use NAT for this setup. Thank you for all of your help!



  • it's basically the same as v1.2.3, with the only exception being you create the bridge under Interfaces>assign, Bridges tab, and you should specify "none" for the LAN IP.



  • @cmb:

    it's basically the same as v1.2.3, with the only exception being you create the bridge under Interfaces>assign, Bridges tab, and you should specify "none" for the LAN IP.

    Hey Chris! Thank you for your help. I was not sure on that, the rest of it seams pretty straight forward. What about the setting in system tunables bridge_filtering, should that be set to 1? and should ftpproxy be disabled as well there?

    I think it may be wise for me to buy the pfsense book :-)



  • and another question, sorry!

    When using multiple public IPs on the WAN with a transparent firewall do we still need to use ARP such as CARP?



  • Ok, I got it working but something seams wrong.

    The only way I could ping the wan address from the lan side was to create a rule on the WAN side, the LAN side rule to allow ICMP to WAN address didnt work but when I added it on the WAN side it works. Any ideas?

    Same thing with the WebUI and SSH, I kept getting locked out unless I created a wan side rule, and my computer was on the LAN side.

    Problem is, the wan side shouldnt allow access to the WebUI, it almost seams like it's in reverse. Maybe with the bridge the LAN IP should be used and the WAN should be set to none? I have right now the WAN IP set and no LAN IP set.

    I also set pfil_bridge to 1 in system tunables

    Thanks guys, if I can understand this one a bit more it would be a huge help.



  • Ok, figured out the problem on why I was getting locked out.

    The default LAN rule is to allow the LAN subnet access to ANY, only problem is in a transparent bridge there is no LAN Subnet!   Just modify that rule to: ANY to ANY (*  *) on the LAN rules and you're in business.

    The 1 question remains, when using a transparent bridge and public IPs, do you still need to use ARP/CARP to allow other public IPs to pass thru?



  • Alright, problem solved. As it turns out you do not need CARP or any other form of ARP when using a transparent firewall. The public IPs are routed no problem. Not sure if this is the case for everyone, or if it has to do with me using a Cisco router that does broadcasts.

    Hopefully the posts here will help out others, enjoy!



  • You only need virtual IPs where the firewall must answer on layer 2 on those IPs, that's not the case when bridging (and VIPs will break bridging environments as it will create an IP conflict).



  • @cmb:

    You only need virtual IPs where the firewall must answer on layer 2 on those IPs, that's not the case when bridging (and VIPs will break bridging environments as it will create an IP conflict).

    Thank you Chris, enjoy your weekend!


Locked