    Netgate Discussion Forum
    IPs matter on transparent bridge?

    Firewalling
    motodude:

      When I configured an OpenBSD transparently bridged packet filtering firewall a few years ago, as I recall there was no IP address assigned to the WAN or LAN interfaces.  I liked this because presumably if the firewall has no IP it must be nearly impossible for anyone to hack into it.

      pfSense seems to require IPs to be specified.   I'm trying to bridge WAN>OPT.  LAN will be used for the webConfigurator and only to admin pfSense.

      That being the case... if I give WAN an IP of 10.1.1.1 and OPT an IP of 10.1.1.2 and I have no network set up for 10.1.1.x, that should not be a problem, correct?  In other words, the IPs are mostly bogus and not really used, correct?

      What about a crossover cable?  I have a cable modem that has 5 or 6 ports.  I have 1 cat5 plugged into the cable modem and the other end of the cat5 went into my WAN connection on the pfSense ALIX server.  Then I have a cat5 from OPT on the ALIX server going into a switch that my other servers are connected to.  I should not need a crossover anywhere, correct?  I believe the NICs on the ALIX are not gigabit NICs.

      chpalmer:

        I'll see if I can locate the documentation or a post or two but…

        Basically you assign your interfaces to your desired NICs...

        You assign your intended interfaces to a bridge (Interfaces- Assign- Bridges...)

        You enable your bridged interfaces and set them as "none".

        You enable your bridged interface and give it the credentials...

        I've set up a "Maint" interface and routed it to the "bridge" on my test box...   all works as it should.


        Triggering snowflakes one by one..

        chpalmer:

          This post helped me the most…  http://forum.pfsense.org/index.php/topic,38042.0.html

          Triggering snowflakes one by one..

          chpalmer:

            If your port lights "light up" when you plug your ethernet in, you should be golden.

            Sounds like your cable modem is a router also.

            Triggering snowflakes one by one..

            cmb:

              You need an IP somewhere to manage the system, so it can sync its time, maybe syslog to another system, etc. Whether it should be on a dedicated NIC, the bridge interface itself, or one of its members, depends on what you're doing. Probably a dedicated NIC from the sounds of it, and just set all the bridged interfaces to type "none" so they have no IPs.

              motodude:

                Thanks to everyone who offered suggestions.  I still don't have it working but I think I'm really close.

                I've done a lot of reading/searching on the topic and I believe this discussion was the only mention of needing to assign the bridge as an interface.  All other documentation simply said to bridge the two existing interfaces.  So the screen shots and the tip about adding the bridge as a defined interface was most helpful!

                Here is what I have for "interfaces > assign" :

                OPT          type=none (no IP)
                WAN          type=none (no IP)
                BRIDGE      type=none (no IP)
                LAN_ADMIN type=static.  IP 192.168.0.100

                OPT and WAN are bridged.

                LAN_ADMIN is for accessing the pfSense webGUI and it's working fine.

                I have no gateway defined.

                I also have rules set to pass everything on WAN and OPT.  I'll set restrictive rules after I get this working.

                In "firewall > NAT > Outbound" I selected the "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)" radio button.  I then created a rule with "Do not NAT" selected.  The rule is assigned to the WAN interface:

                WAN    any  *  *  *  *  *  NO Disable NAT

                I don't know if the rule was necessary but it appeared it might be the only way to shut NAT off.

                This is similar to how I've configured transparently bridged OpenBSD firewalls in the past.  The two interfaces and the bridge didn't need IPs.

                I'm a little confused on the, "You enable your bridged interface and give it the credentials".

                In OpenBSD, this is essentially what I've done before:

                echo up > /etc/hostname.xl0
                echo up > /etc/hostname.xl1
                echo add xl0 add xl1 up > /etc/bridgename.bridge0
                Enable port forwarding: net.inet.ip.forwarding=1

                Enabling port forwarding is supposed to pass traffic from one interface to the other.  If I go into "firewall > NAT > Port Forward" it seems that it wants you to create a rule with specific destination IPs.  Haven't quite figured out here what my rule should look like to forward everything.

                chpalmer:

                  You enable your bridged interface and give it the credentials

                  Sorry I was punchy last night…  Lack of sleep thing.

                  You give it your IP address, subnet, gateway etc...    Only so the firewall can do what it needs as CMB posted.

                  I'll post some screenshots of my config later...

                  Triggering snowflakes one by one..

                  motodude:

                    Been there, done that (the punchy thing).  :)

                    Thanks,

                    cmb:

                      There's no need to assign the bridge itself when you aren't giving it an IP. If you're bridging multiple internal NICs, then you usually want to assign the bridge and put your IP there, in this case there isn't any reason to do so (though not really any reason not to either, assigning it's not doing anything).

                      motodude:

                        @cmb:

                        There's no need to assign the bridge itself when you aren't giving it an IP. If you're bridging multiple internal NICs, then you usually want to assign the bridge and put your IP there, in this case there isn't any reason to do so (though not really any reason not to either, assigning it's not doing anything).

                        Okay, thanks.  Any idea why it's not working?  This should be pretty simple to do but it doesn't pass any traffic across the bridge.

                        motodude:

                          Never mind.  I got it working.  :)

                          cr_hyland:

                            What did you do to get it working?

                            I have a transparent bridge with IPs on the interfaces and want to remove the IPs for security. What trickery do I need to get it to work smoothly?

                            Thanks.

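Added example, not code from this thread or from pfSense/Netgate: a POSIX sh check that covers both motodude's "interfaces > assign" layout (bridged WAN and OPT set to type none, one management NIC with a static address) and cr_hyland's question about stripping the IPs off the bridge members. It reads a saved `ifconfig -a` dump from the pfSense shell, lists which NICs are members of the bridge, and reports any member that still carries an IPv4 address, which is the state cmb describes as the one to avoid. The interface names vr0/vr1/vr2 (ALIX-style) and every address in the sample are constructed; the `ifconfig` output layout is FreeBSD's, which pfSense runs on. On a real box you pipe live `ifconfig -a` output into the functions instead of the sample.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from pfSense itself.
# Audits a FreeBSD/pfSense `ifconfig -a` dump: lists every bridge member that
# still has an IPv4 address. In a transparent bridge the members should be
# type "none" (no address); only the dedicated management NIC should answer.

# Constructed sample output. Interface names vr0/vr1/vr2 and all addresses
# are made up. vr1 deliberately keeps a leftover 10.1.1.2 so the finding is
# visible; vr2 plays the LAN_ADMIN management NIC with 192.168.0.100.
SAMPLE_IFCONFIG='vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0d:b9:00:00:01
        media: Ethernet autoselect (100baseTX <full-duplex>)
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0d:b9:00:00:02
        inet 10.1.1.2 netmask 0xffffff00 broadcast 10.1.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0d:b9:00:00:03
        inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:0d:b9:00:00:00
        member: vr1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        member: vr0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000'

# bridge_members: read ifconfig text on stdin, print the bridge member names
# sorted on one line (e.g. "vr0 vr1"). Use it to confirm both WAN and OPT
# NICs actually landed in the bridge.
bridge_members() {
    awk '$1 == "member:" { print $2 }' | sort | xargs
}

# audit_bridge_members: read ifconfig text on stdin, print "<member> <ipv4>"
# for each bridge member that still has an inet (IPv4) address, sorted.
# Returns 0 when every member is address-free, 1 when a finding was printed.
audit_bridge_members() {
    found=$(awk '
        # An interface block starts in column 0 as "name: flags=..."; remember it.
        /^[A-Za-z]/ { split($1, parts, ":"); cur = parts[1] }
        # Indented "inet A.B.C.D ..." lines belong to the current interface.
        cur != "" && $1 == "inet" { addr[cur] = $2 }
        # "member: vrN ..." lines under a bridge name the bridged ports.
        $1 == "member:" { member[$2] = 1 }
        END {
            for (m in member) if (m in addr) print m, addr[m]
        }' | sort)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Stand-alone demo against the constructed sample. On a real pfSense box:
#   ifconfig -a | audit_bridge_members
echo "bridge members: $(printf '%s\n' "$SAMPLE_IFCONFIG" | bridge_members)"
if printf '%s\n' "$SAMPLE_IFCONFIG" | audit_bridge_members; then
    echo "OK: no bridge member carries an IPv4 address"
else
    echo "FINDING: the member(s) above still have an IPv4 address; set them to type none"
fi
```

Run against the sample it prints "bridge members: vr0 vr1" and flags "vr1 10.1.1.2"; against a box configured the way cmb and motodude describe it prints nothing from the audit and exits 0, which is the quick way to confirm that only the management NIC is reachable by IP after the members are switched to type none.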