Transparent Bridge Setup for DMZ/Network Setup?



  • I have a /27 subnet from my ISP and am running 2 pfSense 2.0 boxes within this subnet. Each box has a DMZ setup in bridge mode for transparent filtering and an OpenVPN setup allowing access to a management network for hosts in the DMZ. The problem I am running into is that some traffic seems to get tagged on the wrong interface sometimes. The gateways on the DMZ hosts are set to the WAN addresses of their respective pfSense boxes so that VPN traffic gets routed back to the client. In the past I have just used the gateway upstream of the pfSense box but cannot in this case since VPN traffic won't get routed back.

    Inbound traffic works fine.

    Outbound traffic after some period of time starts to get blocked by the firewall. The firewall is blocking packets because they are coming in on the WAN interface even though the source is within the DMZ zone. If I restart the interface on the DMZ host, outbound traffic works for a limited time and the firewall shows that the same traffic is now on the DMZ interface.

    Current Rules

    PF1
    WAN-
    206.174.19.3 - 80,443
    206.174.19.4 - 80,443
    206.174.19.5 - 80,443

    DMZ-
    Any - Any

    OpenVPN-
    Any - Any

    PF2
    WAN-
    206.174.19.11 - 80,443
    206.174.19.12 - 80,443
    206.174.19.13 - 80,443

    DMZ-
    Any - Any

    OpenVPN-
    Any - Any

    Open to suggestions / better ideas. I would like to stay with transparent filtering though as it is beneficial to me to have public IPs on DMZ hosts.

    Thank you



  • @mrbnet:

    The problem I am running into is that some traffic seems to get tagged on the wrong interface sometimes.

    This is unlikely. Please provide some firewall log entries.

    Is there any possibility of (for example) host 6 attempting to access host 1?


  • Rebel Alliance Developer Netgate

    Multi-Homing every server in that way is likely to be your problem.

    Most things will just respond by whatever is closest. So if a machine talks from a public IP to 192.168.10.x, it will reply from 192.168.10.x and cause asymmetric routing, and probably not pass back properly through the firewall.

    There are likely to be more problems than just that, but it isn't something that can be regulated at the firewall if the machines behind have IPs on every subnet.

    Barring something on the host itself using something like pf's reply-to mechanism, it will always take the most direct/shortest path back to the source.
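    The asymmetric-routing point above, worked through as an added illustration (not code from the thread or from pfSense): a DMZ host multi-homed on the public /27 and on a management subnet picks its reply interface and source address by longest-prefix match, so a request that arrived via the management interface is answered out of the public interface and never passes back through the bridge the same way. The 192.168.10.0/24 management subnet, the interface names and the pfSense WAN gateway address are assumptions.

```python
import ipaddress

# Constructed routing table for one DMZ host, multi-homed as in the thread:
# public address in the ISP's 206.174.19.0/27 on em0, management address in
# the assumed 192.168.10.0/24 on em1, default route via the pfSense WAN
# address (assumed to be 206.174.19.2).
# (destination prefix, next hop or None if directly connected, interface, source)
ROUTES = [
    ("206.174.19.0/27", None, "em0", "206.174.19.3"),
    ("192.168.10.0/24", None, "em1", "192.168.10.3"),
    ("0.0.0.0/0", "206.174.19.2", "em0", "206.174.19.3"),
]


def select_route(dst):
    """Longest-prefix match: how a host picks the interface and source for a reply."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, iface, src in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best["net"].prefixlen):
            best = {"net": net, "via": nexthop, "iface": iface, "src": src}
    return best


def reply_is_symmetric(request_src, ingress_iface):
    """True only if the reply leaves on the interface the request arrived on.

    When this is False the return traffic takes a different path than the
    request did, which is exactly what lets a stateful firewall see one half
    of the conversation on the 'wrong' interface and drop it.
    """
    return select_route(request_src)["iface"] == ingress_iface


if __name__ == "__main__":
    # An Internet client reaches the public address through the bridge on em0:
    # the reply goes back out em0 via the default gateway, so the path is symmetric.
    print(select_route("198.51.100.7"), reply_is_symmetric("198.51.100.7", "em0"))
    # A peer with a public IP talks to the host's 192.168.10.x address (arriving on
    # em1). The host answers from its public address out em0: asymmetric, and the
    # reply even carries a different source address than the request was sent to.
    print(select_route("206.174.19.11"), reply_is_symmetric("206.174.19.11", "em1"))
```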



  • Are there any suggestions for making this setup work properly? Would setting a rule to disable any internet based traffic through the private network help? I would still like to maintain a private network management and traffic amongst the DMZ boxes. I would also like the boxes to be assigned Internet IPs.


  • Rebel Alliance Developer Netgate

    Have the clients and servers in separate subnets and not sharing addresses in each. Make them talk through the routers via a single gateway, and things will work properly.

    Multi-homing your clients and servers in several subnets that they all share is rarely a good idea.



  • I'm looking to set something up not far from what you've done, mrbnet.

    But my internal network will have a gateway which is a pfsense box and using NAT rather than going back via a transparent box.

    GE



  • Right then, I've tried setting up the above and here but to no avail.

    Should I be rebooting at any time or anything? I'm obviously missing something somewhere.

    The setup works with NAT enabled but not without.

    GE



  • Hi GE,

    My original setup was in VMware. What gave me issues was splitting the subnet between 2 DMZs. Are you having issues getting your DMZ working?
