Transparent / Bridge mode with filtering

ttanemori3

Hello. I searched the forum to understand how to enable transparent firewall. I have a couple of servers which need global static IP.

I gathered the information, and is it all OK? This is to explain to make a bridge between WAN and LAN.

1. Fresh Install
    WAN:  Add your IP address, subnet and gateway. (To access WebGUI)
    LAN:  Set IP Address to "None" (You're only using this as a bridge member interface)
2. Interface –> Assign --> Bridges
  - Create a new bridge
      BRIDGE0 (LAN,WAN)
3. Interface --> Assign
    - Create a new interface and assign the bridge
    New Interface --> Bridge (BRIDGE0)
4. Enable and set IP to Bridge New interface
5. Create a rule on BRIDGE and LAN [ UDP 0.0.0.0 68 255.255.255.255 67 ]
6. Create a rule on LAN [Any LAN Subnet *  * *]
7. Set IP Address of WAN to "NONE"
8. Set under System->Advanced->Tunables
    net.link.bridge.pfil_member = 0
    net.link.bridge.pfil_bridge = 1

Basically, WAN and LAN should not have IP address, but on Bridge interface, correct?

Honestly speaking, I do not understand step #5 and #6. Are they necessary like that?

My server has more LAN interfaces and one DMZ. If I perform above, will it affect any existing configuration?

I think documentation of transparent firewall is important. For example, I use WHM/cPanel as a web server, which does not work under NAT.

Can anybody verify my information above?

Thank you very much.

marcelloc

Option 5 is for dhcp client requests.

I saw some network issues when using a firewall with transparent and non transparent interfaces.

You must test to see if it works on your setup.

Some times is better having two pfsense boxes for better setup.

ttanemori3

I see. Thank you very much!