Setup Guide: Transparent Filtering Bridge (Public IPs on LAN) on 2.0-RC1

  • Transparent Filtering Bridge
    If you would like to route public IP addresses on to your LAN with no NAT while filtering traffic, this is a guide in it's simplest form with just 2 interfaces we will use for example, WAN and LAN.

    For ALL of these steps, after changing the settings DO NOT APPLY SETTINGS or you may get locked out during the process. After it's done you can reboot.

    It's recommended that you upgrade to the newest snapshot.

    1) WAN interface: add your IP address, subnet and gateway.

    2) LAN interface: Set IP Address to "None" (You're only using this as a bridge member interface)

    3) LAN Rules: Change the default ["LAN Subnet" to "ANY"] rule to ["ANY" "ANY"].
    Because there is no IP address on the LAN and thus no LAN subnet you would otherwise get locked out of pfSense. This is very important.

    4) NAT -> Advanced Outbound NAT
      - Change the mode to "Manual Outbound NAT rule generation".
      - Delete the default rule so you have no rules listed, then apply changes.

    5) You need to create a WAN rule to allow SSH and HTTPS to the WAN address.
    If you cannot access pfSense from the LAN, you can at least recover access from the WAN. This step is not needed but recommended. Once everything is running don't forget to delete these WAN rules.

    6) Reboot, you're done!

    NOTE to WatchGuard X-Core Users: I have found that unless you set the duplex to a fixed speed on the Watchguard, packet loss does occur. On the current image available from the mirror, there is no duplex setting, this is part of a newer snapshot so make sure to update. Otherwise you will be stuck looking for the source of the packet loss. Very important, also set the duplex to match pfSense on the connected devices, if this is a switch and a router, change both to reflect the settings in pfsense. They all should match each other. This is a good general rule for ANY network equipment. There are too many issues with autosensing. Of course not all equipment offers this option, many consumer grade routers and switches do not.

    I will continue to expand on this topic. Thanks to cmb for help and many clarifications!

  • Hi,
    Thanks very much for starting this guide.

    I was wondering about the rules for the Wan do they need to be as well Any?
    So for both Wan and Lan all rules are set to Any?

    Another question I have is do I need to set the Gataway as well in the rules (under advanced features) because it shows now * ???


  • Hi Nicklas:
      Once the firewall is setup you can remove the any rule on the WAN, that was just in place if you accidentally applied a setting before completing the setup, it would allow you to login to the WebUI using the WAN interface. It was only a temporary anti-lockout rule. Remove it when you're done.

    Just use the WAN rules as you would with any firewall, allow traffic to the IPs/ports you want, it's auto deny so unless you add a rule it will automatically block traffic.

    As for gateway, no leave that * on the WAN rule. Any traffic coming in is already on that interface/gateway.

  • Thanks very much, one more question if you don't know because I still struggle a bit with this, i don't know if this is a difference with v123 and v2, but because Transparent/Bridge is layer2, we do need to turn off the NAT, in V123 I did that under Firewal:NAT:Outbond, tick Manual and then edit the (autocreated) rule, and TICK the option No NAT (NOT) to stop NATing!

    Just wondering why you delete this rule because then we don't turn off the NAT, unless this is moved?


  • Netgate Administrator

    I'm assuming that you have tested this and it works. I would otherwise have thought it wouldn't work.
    The confusing part for me is that to act as a layer 2 device you should have WAN and LAN bridged in some way, otherwise you are routing. In that case there seem to be many situations where pfSense wouldn't know where to route packets if it has no ip address.

    I would have thought it better to setup as suggested by JimP:

    Traditionally they do not (have an IP address), but it's acceptable to have an IP on the WAN side and bridge the LAN to WAN, leaving LAN without an IP address.

    On 2.0 you'd actually want to have WAN and LAN without an IP, and have the bridge interface assigned and have your "WAN" IP be assigned directly to the bridge interface.

    However since you've tried it and I haven't I'm open to your thoughts!  ::)


  • Hi Steve,

    I have created the bridge with the Wan and Lan, I work only with wan and lan and not as suggested with an opt, this because i have put my 4 nics in a bond (lagg)  You def. need ip on Wan, how else would you access the webgui? i am just a beginner and not a tech, but since it should work as layer 2 so yes routing only, you need to use the option filter on the bridge (system,advanced) and maybe turn filtering off on wan and and ( but that last bit i haven't tested :-)) don't want to lose control yet over the webgui….

    ![Bridge Lan with Wan.jpg](/public/imported_attachments/1/Bridge Lan with Wan.jpg)
    ![Bridge Lan with Wan.jpg_thumb](/public/imported_attachments/1/Bridge Lan with Wan.jpg_thumb)
    ![Bonding - LAGGs with the nics.jpg](/public/imported_attachments/1/Bonding - LAGGs with the nics.jpg)
    ![Bonding - LAGGs with the nics.jpg_thumb](/public/imported_attachments/1/Bonding - LAGGs with the nics.jpg_thumb)

  • Netgate Administrator


    You def. need ip on Wan, how else would you access the webgui?

    Like JimP says above, you can assign an IP to the bridge interface itself and access the web GUI through that.

    I can't imagine it makes much difference though and if your setup is working I'd stick with it.

    Reading the first post in this thread it seems there should be an extra line something like:

    2.5) Create a bridge interface and add WAN and LAN to it.  :-\


  • Yes, i agree with you that the create a bridge was missing, but i am working hard to put up my document soon so others can reply/advice to it, I just wish there was a separate forum for this called : Transparent / Bridge mode with filtering enabled…    ;-)

  • Dear Nicklas,

    I really look forward when your document is ready. Last night I am trying to upgrade from 1.2.3 rc 3 to 2.0 rc3 and ran in a lot of problems. I got the traffic in and out through the firewall but I can only access the Gui from the Lan side (it was a problem that I cannot access the firewall remotely). Also the firewall has DNS issues itself which cannot ping external or dns look up. But the servers behind the firewall can access SSH, WHOIS, DNS, FTP, WWW..pop…etc are all good.

    So, I am now restart the whole setup from scratch instead of upgrading it and import the configuration file.

    May I ask a question: On the Wan side rules, the "Lan net" is replaced to "any" ? is that how you did on yours?