Best practices for bridging firewall?
-
I originally wanted to do a bridging firewall when I got started with pfsense-1.2.x, but could never make it work (wan<->opt1, with management on lan).
I did some testing yesterday with 2.0-rc3 and found it was pretty easy to get working, but I was left a little puzzled about what the best practices would be for dealing with firewall rules and possibly NAT (if I wanted a semi-transparent bridging firewall setup, i.e., bridge WAN-OPT1 and NAT LAN->WAN at the same time).
I initially set up the bridging between WAN<->OPT1 and found that this, plus a floating firewall rule allowing all between OPT1 and WAN, was enough to make my test client get to the internet.
Going back later, I noticed I could add a new interface, BRIDGE1. Is creating and/or using this interface necessary, or merely a convenience for some firewall rules you may want deployed to bridged traffic regardless of the direction of the traffic? I seem to remember just paying close attention to IN/OUT or interface when I used a bridged firewall setup with FreeBSD (it's been a few years!).
What about making the setup semi-transparent (opaque?)? I assigned a static and a dynamic (from the cable modem) address to the WAN interface and I didn't notice any issues with the test system on the bridge interface, but I didn't have the resources to add another client to the LAN side and see if the bridging setup added any NAT issues.
I love that this works so well, I'm already planning on merging a couple of firewall setups and deploying a couple more bridge-only setups elsewhere where traffic filtering is difficult.
-
How did you properly enable bridging? I want to set up a pfsense box as a filtering bridge using only 2 NICs (WAN – LAN) to filter traffic passing through a wireless link we have, without messing with NAT. Can you post some info about it?
Thank you
-
You should consider a third interface for management.
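For reference, here is what the setup discussed in this thread looks like at the FreeBSD layer that pfSense drives underneath the GUI (an added example, not from the posts above and not pfSense's own generated configuration; the interface names em0/em1/em2 and the 192.168.10.0/24 management subnet are assumed). The two net.link.bridge sysctls are what answer the BRIDGE1 question: with pfil_member=1 and pfil_bridge=0, rules are evaluated on the member interfaces (WAN/OPT1) and the bridge interface itself never sees a rule; flipping them puts the rules on the bridge interface instead. Enabling both evaluates every bridged packet twice.

```conf
# /etc/rc.conf -- transparent WAN<->OPT1 bridge, management on a third NIC
cloned_interfaces="bridge0"
ifconfig_em0="up"                          # WAN, bridge member, no address
ifconfig_em2="up"                          # OPT1, bridge member, no address
ifconfig_bridge0="addm em0 addm em2 up"    # no IP on the bridge itself
ifconfig_em1="inet 192.168.10.1/24"        # LAN: management (and NATed clients)
pf_enable="YES"

# /etc/sysctl.conf -- where pf sees bridged frames
net.link.bridge.pfil_member=1              # filter on em0/em2 (rules per direction)
net.link.bridge.pfil_bridge=0              # do not also filter on bridge0

# /etc/pf.conf
wan="em0"
opt1="em2"
mgmt="em1"
mgmt_net="192.168.10.0/24"

set skip on lo0

# Semi-transparent variant: NAT only the LAN subnet. Scoping the source is
# what keeps bridged OPT1 traffic leaving em0 from being translated too.
nat on $wan inet from $mgmt_net to any -> ($wan)

block log all

# Bridged segment: hosts behind OPT1 may initiate to the internet; replies
# return through the state entry (default floating state-policy), so no
# separate "pass out on $wan" rule is needed for them.
pass in quick on $opt1 inet proto { tcp udp icmp } from any to any keep state

# Management: only the LAN subnet reaches the firewall's own admin ports.
pass in quick on $mgmt proto tcp from $mgmt_net to ($mgmt) port { 22 443 } keep state

# LAN clients out to the internet via the routed/NATed path
pass in quick on $mgmt inet from $mgmt_net to any keep state
pass out quick on $wan inet from ($wan) to any keep state
```

Inbound-from-WAN rules for the bridged segment are deliberately absent, so nothing unsolicited reaches the OPT1 hosts; add narrowly scoped `pass in on $wan` rules per service if that segment must be reachable.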