OPT1 as Management/Internet interface, LAN/WAN as transparent packet filter

  • I'm new to pfSense, and seem to be having issues setting up my box with 3 NICs to act as a transparent firewall/packet filter, using the 3rd NIC to allow it access to the internet and allow me to manage it via https…

    My current configuration is:

    General Setup

    DNS servers

    Advanced Settings:

    Enable filtering bridge

    Disable NAT reflections


    IP Address
    Disable Userland FTP Proxy application
    Block bogon networks


    Bridge with WAN
    IP Address
    Disable Userland FTP Proxy application

    OPT1 Management

    IP Address
    Disable Userland FTP Proxy application

    Firewall rules


    *  LAN net  *  *  *  *


    Block all (for now, just working on getting the rest working first lol)


    *  *  *  *  *  *

    I'm logging all traffic on the OPT1 rule, and if I ping the management interface from the network it's plugged into ( network) I won't get a reply, yet the firewall logs show passing ICMP traffic to that interface.

    If I disable all firewall rules under advanced settings and ping, I get a reply trying to ping the OPT1 interface on the network it's connected to…

    Also, I cannot access the internet (i.e. pull package updates) with the firewall turned on. Again, my goal is for the OPT1 interface to be its path to the internet and the gateway (another physical box).

    Here's a layout of what I'm doing
                                                                        --OPT1 pfSense( gui / inet -----------------
                                                                        |                                                                                            |
    Cable modem ---- WAN pfSense( pfSense( ISA( network

    I would also like to utilize snort to watch traffic coming in, I'm assuming I'd drop it on the WAN adapter?

    Any help is greatly appreciated.

    Thank you.

  • I don't quite get what you say, Palmore.

    The WAN gateway is not in the WAN subnet

    Your diagram (if I get it right) shows ISA plugged into LAN, but it has an address in the OPT1 subnet.

    I have my setup so that I can remote access 1 box on my internal network (with very secure access) and I run a remote console on that which can then see other things on my internal network, including access to pfsense.

    You also seem to have pfSense providing a direct route to your internal network, and also another route that goes pfSense - ISA - internal network.  This is going to cause some confusion I think  ::)

    One of the reasons I use pfSense is that I can run it in 64Mb with small CPU, whereas for ISA I need 512Mb and a big CPU, and a brain the size of a planet.

  • Pootle,

    I'm just trying to have a management port on pfSense. The way I had pfSense configured before was just 2 NICs, LAN/WAN bridged (following the same doc Hoba pasted).
    It worked, but to manage it I had to configure an additional adapter on ISA using the subnet so I could manage pfSense on my internal network, but pfSense still had no route to the internet…

    I tried using my ISP's gateway, but the internet did not work. Unsure if it was a DNS issue at first, I tried using both DNS servers from my ISP, still no name resolution. Then I tried my internal DNS servers, but since pfSense had to come in through ISA and back out to pfSense... it never worked, even with some dorking around on ISA; it would always pick it up as an attempted hack because the traffic was "internal" traffic coming in through the WAN interface on ISA.

    Basically I'm looking for a way to just bridge 2 ports so I can have a basic firewall with snort, then use the third NIC for remote management of pfSense and as its path to the internet for rule updates etc.

    Keep in mind ISA throws in a wrench, and is the main reason I'm looking to have a management nic on pfSense. Is this just a bad idea? I don't plan on shaking ISA anytime soon, I use it extensively on my network for routing and hosting.

    But again, I'm still a newbie and still learning.

    Thank you.

  • I have a similar setup with an ISA, though I don't use a bridge. The pfSense has one NIC going to the ISA (OPT1) and the LAN going directly to the real LAN behind the ISA. I'm using pfSense for VPN access there. Not sure why the bridging config doesn't work for you though.

  • Yeah, it's weird. If I disable the firewall, I can ping the OPT1 interface and access the web GUI like I should; if I enable the firewall, I can't access anything via OPT1.  Yet I have a * * * * * *  firewall rule on OPT1. I turn logging on and I can see the requests coming in and passing, i.e. ICMP pings and HTTP connection attempts, but I never get a ping response etc...

  • Since I want the NIC I use for management, to also be the internet access interface…

    Should I set up WAN as and plug that into my internal network... then bridge LAN/OPT1 and convert that into my firewall/PF? Would this make any difference, help out my situation, or cause more problems?

    I guess I'm confused, as it would seem this would be pretty straightforward... bridge 2 NICs, enable filtering bridge, then add a 3rd NIC, give it allow rules and that's it... but for some reason, that just doesn't work.

  • Well…

    I've managed to get it working. Here's how.

    1. rebuilt from scratch.
    2. upgraded to 1.0.1-SNAPSHOT-02-27-2007
    3. configured WAN-OPT1 Bridge
    4. enabled filtering bridge
    5. setup up pass rule for OPT1

    'Bypass firewall rules for traffic on the same interface'

    I have my cable modem running to a hub, then it splits to pfSense, WiFi router in my "dmz" and a 3rd box (I get 3 external IPs, may as well use them lol… may end up routing them all through pfSense some day soon though)

    Once I enabled Static route filtering, performance increased drastically, and my box is functioning as wanted. Wouldn't mind making a tutorial if you guys wanted.

  • Interesting that static route filtering option plays in the mix here. Are you still able to block traffic on the bridge with static route filtering enabled?

  • You know, I have yet to try, I was just happy it's working =) I did notice that traffic is being blocked in the firewall logs, so I would assume yes, but I'll have to hop on my WiFi network and try a few attempts myself.

    For shits and giggles, I'll disable the static route filtering and see if I lose performance. Like I said, I did it because the WAN NIC is plugged into a hub that shares traffic with my WiFi router and a 3rd external-facing NIC; being the noob I am, I figured "hmmm, could it be trying to monitor ALL traffic going through that hub, that doesn't really pass through the bridge?"

    Let me do some tinkering today, and I'll let you know.

  • Well, Static Route Filtering is off now, and it's running smooth, she is now functioning as I would like.

    Though I'm not sure snort is loading or running correctly. Is there any other way other than running top from a shell?

    I look at the services listing under the webgui and it says it's running, I can see in the logs where it starts…

    Mar 6 12:49:37 SnortStartup[726]: Ram free BEFORE starting Snort: 574M – Ram free AFTER starting Snort: 586M -- Mode lowmem -- Snort memory usage:

    Yet I have ac-sparsebands mode enabled lol... I've removed and reinstalled a few times during my woes, so I dunno; maybe now that I have a working config, I'll do a clean build and go from there.

    It is nice seeing a lot less traffic on my ISA box; now everything gets stopped at pfSense, and the rest is left for ISA to handle.

  • After a quick rebuild I've got a clean copy of my config to share if you would like to try it out in your network.

    Here's the setup

    WAN <-bridge-> OPT1
    LAN -> Internal/Management

    WAN IP / 24

    OPT1 Bridge with WAN

    LAN IP / 24

    Firewall rules

    *  LAN net  *  *  *  *

    TCP  *  *  *  80 (HTTP)  *  HTTP  ( and others…no need to list them all)

    BLOCK -  *  LAN net  *  *  *  *
    PASS  -  *  *  *  *  *  *  *

    Not sure why it didn't work with WAN/LAN bridge and OPT1 for management…

    Also, I still seem to be having issues with Snort on 1.0.1-SNAPSHOT-02-27-2007

    Anyway, here is the config, feel free to try it, change the IP settings to match your network and let me know its shortcomings lol


    The login and password are the defaults admin:pfsense
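
The topology in the final post (two NICs bridged as a transparent filter, a third NIC with an address for management and the box's own internet access) maps directly onto a plain FreeBSD pf setup. The fragment below is an added illustration, not the poster's shared config and not pfSense's generated ruleset; it assumes interface names em0 (WAN), em1 (OPT1, bridged with WAN) and em2 (LAN/management), and uses RFC 5737 documentation addresses that you would replace with your own.

```pf
# --- /etc/rc.conf (constructed example) ---
# Bridge WAN and OPT1; neither member carries an address, so the filter is transparent.
#   cloned_interfaces="bridge0"
#   ifconfig_bridge0="addm em0 addm em1 up"
#   ifconfig_em0="up"
#   ifconfig_em1="up"
#   ifconfig_em2="inet 192.0.2.10 netmask 255.255.255.0"   # management NIC
#   defaultrouter="192.0.2.1"                               # gateway on the management net
#   pf_enable="YES"
#
# --- /etc/sysctl.conf (constructed example) ---
# Filter once, on the member NICs, rather than again on bridge0 itself.
#   net.link.bridge.pfil_member=1
#   net.link.bridge.pfil_bridge=0

# --- /etc/pf.conf (constructed example) ---
wan   = "em0"
opt1  = "em1"
mgmt  = "em2"
mgmt_net    = "192.0.2.0/24"
admin_hosts = "{ 192.0.2.50 }"          # assumed admin workstation

set skip on lo0
block log all                            # default deny, logged, both directions

# Management NIC: answer ping from its own subnet and accept HTTPS to the GUI
# only from the admin hosts (the equivalent of the OPT1 "pass" rule, narrowed).
pass in quick on $mgmt inet proto icmp from $mgmt_net to ($mgmt) icmp-type echoreq
pass in quick on $mgmt proto tcp from $admin_hosts to ($mgmt) port 443 \
    flags S/SA keep state

# The firewall's own outbound traffic (package and rule updates) leaves via the
# management NIC, which carries the default route.
pass out quick on $mgmt proto { tcp udp } from ($mgmt) to any keep state

# Transparent bridge: flows initiated from the inside (OPT1 side) are allowed
# and their replies matched by floating state on the WAN member; only web
# traffic is accepted unsolicited from the WAN side.
pass in quick on $opt1 from any to any keep state
pass in quick on $wan proto tcp from any to any port 80 flags S/SA keep state
```

The two sysctls are the part worth checking on any bridge setup: with `pfil_member=1` and `pfil_bridge=0` each packet is evaluated once on the physical NIC it entered or left, so a rule written "on em1" behaves as expected; leaving both at 1 evaluates every packet twice, once on the member and once on bridge0, and a `block all` with rules written only for the members will then drop everything on the second pass. Because pf states float across interfaces by default, the single `pass in ... keep state` on the OPT1 member is enough for the matching reply to pass back in on WAN without a separate out rule there.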