Best practices for bridging firewall?

  • I originally wanted to do a bridging firewall when I got started with pfsense-1.2.x, but could never make it work (wan<->opt1, with management on lan).

    I did some testing yesterday with 2.0-rc3 and found it was pretty easy to get working, but I was left a little puzzled about what the best practices would be for dealing with firewall rules and possibly NAT (if I wanted a semi-transparent bridging firewall setup, ie, bridge WAN-OPT1, NAT LAN->WAN at the same time).

    I initially set up the bridging between WAN<->OPT1 and found that a floating firewall rule allowing all traffic between OPT1 and WAN was enough to make my test client get to the internet.

    Going back later, I noticed I could add a new interface, BRIDGE1.  Is creating and/or using this interface necessary, or merely a convenience for some firewall rules you may want deployed to bridged traffic regardless of the direction of the traffic?  I seem to remember just paying close attention to IN/OUT or interface when I used a bridged firewall setup with FreeBSD (it's been a few years!).

    What about making the setup semi-transparent (opaque?)?  I assigned a static and a dynamic (from the cable modem) address to the WAN interface and I didn't notice any issues with the test system on the bridge interface, but I didn't have the resources to add another client to the LAN side and see if the bridging setup added any NAT issues.

    I love that this works so well; I'm already planning on merging a couple of firewall setups and deploying a couple more bridge-only setups elsewhere, where traffic filtering is difficult.

  • How did you properly enable bridging? I want to set up a pfsense box as a filtering bridge using only 2 NICs (WAN – LAN) to filter traffic passing through a wireless link we have, without messing with NAT. Can you post some info about it?

    Thank you

  • @josueharos:

    How did you properly enable bridging? I want to set up a pfsense box as a filtering bridge using only 2 NICs (WAN – LAN) to filter traffic passing through a wireless link we have, without messing with NAT. Can you post some info about it?

    Thank you

    You should consider a third interface for management.
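To make the two questions in this thread concrete (filtering on the bridge members versus on the bridge interface, and keeping management off the bridged path, as the last reply recommends), here is an added example of the plain FreeBSD/pf configuration underneath a two-NIC filtering bridge with a third management NIC. It is not pfSense's own code and not something posted in the thread: the interface names (em0/em1/em2), the management subnet 192.0.2.0/24 and the admin ports 22/443 are constructed assumptions, and the `net.link.bridge.*` values are the same tunables pfSense exposes under System Tunables.

```shell
#!/bin/sh
# Added example (not pfSense's own code): FreeBSD/pf equivalent of a two-NIC
# filtering bridge with a separate management NIC. Interface names, the
# management subnet and the admin ports are constructed assumptions; override
# them through the environment.
WAN_IF=${WAN_IF:-em0}      # upstream side of the bridge (pfSense "WAN")
OPT1_IF=${OPT1_IF:-em1}    # filtered segment side of the bridge (pfSense "OPT1")
MGMT_IF=${MGMT_IF:-em2}    # third NIC, never a bridge member, admin traffic only
MGMT_NET=${MGMT_NET:-192.0.2.0/24}   # constructed admin subnet (RFC 5737 TEST-NET-1)

# Tell the kernel where pf sees bridged frames: on the member NICs, so
# "in on em1" / "out on em0" and interface-bound rules behave as on a routed
# firewall, and NOT again on the bridge0 pseudo-interface, which would
# evaluate every frame a second time.
bridge_sysctls() {
    printf '%s\n' \
        'net.link.bridge.pfil_member=1' \
        'net.link.bridge.pfil_bridge=0'
}

# Build the bridge from the two forwarding NICs only; the management NIC stays outside it.
bridge_cmds() {
    printf '%s\n' \
        "ifconfig bridge0 create" \
        "ifconfig bridge0 addm $WAN_IF addm $OPT1_IF up" \
        "ifconfig $WAN_IF up" \
        "ifconfig $OPT1_IF up"
}

# pf ruleset: lock the admin NIC to the admin subnet, then filter the bridged
# path statefully on the OPT1 member so replies arriving on WAN match by state.
pf_rules() {
    cat <<EOF
set skip on lo0
# management NIC: admin access only from $MGMT_NET, everything else dropped
pass in quick on $MGMT_IF proto tcp from $MGMT_NET to ($MGMT_IF) port { 22 443 } keep state
block in quick on $MGMT_IF all
# bridged path: default deny with logging, allow sessions initiated from the OPT1 side
block log all
pass in quick on $OPT1_IF inet proto { tcp udp icmp } from any to any keep state
EOF
}

# Apply for real (needs root); pfctl -n parses the ruleset before it is loaded.
# pf itself must already be enabled (pfctl -e) for the rules to take effect.
apply_config() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_config: run as root" >&2; return 1; }
    cfg=/etc/pf.conf.bridge
    bridge_sysctls | while read -r kv; do sysctl "$kv"; done
    bridge_cmds | sh
    pf_rules > "$cfg"
    pfctl -nf "$cfg" && pfctl -f "$cfg"
}

# Default action only prints what would be configured; "apply" changes the system.
case "${1:-show}" in
    apply) apply_config ;;
    *) bridge_sysctls; bridge_cmds; pf_rules ;;
esac
```

Run it with no arguments to review the generated sysctls, ifconfig commands and pf.conf; run it as root with `apply` to configure the box. The design point is that with `pfil_member=1` and `pfil_bridge=0` the bridge interface itself needs no rules at all: direction and member interface are what the rules key on, which is the behaviour the first post remembers from a classic FreeBSD bridge.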