IPs matter on transparent bridge?



  • When I configured an OpenBSD transparently bridged packet filtering firewall a few years ago, as I recall there was no IP address assigned to the WAN or LAN interfaces.  I liked this because presumably if the firewall has no IP it must be nearly impossible for anyone to hack into it.

    pfSense seems to require IPs to be specified.   I'm trying to bridge WAN>OPT.  LAN will be used for the webConfigurator and only to admin pfSense.

    That being the case… if I give WAN an IP of 10.1.1.1 and OPT an IP of 10.1.1.2 and I have no network setup for 10.1.1.x, that should not be a problem, correct?  In other words, the IPs are mostly bogus and not really used, correct?

    What about a crossover cable?  I have a cable modem that has 5 or 6 ports.  I have 1 cat5 plugged into the cable modem and the other end of the cat5 went into my WAN connection on the pfSense ALIX server.  Then I have a cat 5 from OPT on the ALIX server going into a switch that my other servers are connected to.  I should not need a crossover anywhere, correct?  I believe the nics on the ALIX are not gigabit nics.



  • I'll see if I can locate the documentation or a post or two but…

    Basically you assign your interfaces to your desired NICs...

    You assign your intended interfaces to a bridge (Interfaces- Assign- Bridges...)

    You enable your bridged interfaces and set them as "none".

    You enable your bridged interface and give it the credentials...

    I've set up a "Maint" interface and routed it to the "bridge" on my test box...   all works as it should.




  • This post helped me the most…  http://forum.pfsense.org/index.php/topic,38042.0.html



  • If your port lights "light up" when you plug your ethernet in, you should be golden.

    Sounds like your cablemodem is a router also.



  • You need an IP somewhere to manage the system, so it can sync its time, maybe syslog to another system, etc. Whether it should be on a dedicated NIC, the bridge interface itself, or one of its members, depends on what you're doing. Probably a dedicated NIC from the sounds of it, and just set all the bridged interfaces to type "none" so they have no IPs.



  • Thanks to everyone who offered suggestions.  I still don't have it working but I think I'm really close.

    I've done a lot of reading/searching on the topic and I believe this discussion was the only mention of needing to assign the bridge as an interface.  All other documentation simply said to bridge the two existing interfaces.  So the screen shots and the tip about adding the bridge as a defined interface was most helpful!

    Here is what I have for "interfaces > assign" :

    OPT        type=none (no IP)
    WAN        type=none (no IP)
    BRIDGE     type=none (no IP)
    LAN_ADMIN  type=static, IP 192.168.0.100

    OPT and WAN are bridged.

    LAN_ADMIN is for accessing the pfSense webGUI and it's working fine.

    I have no gateway defined.

    I also have rules set to pass everything on WAN and OPT.  I'll set restrictive rules after I get this working.

    In "firewall > NAT > Outbound" I selected the  Manual Outbound NAT rule generation  (AON - Advanced Outbound NAT) radio button.  I then created a rule with "Do not NAT" selected.  The rule is assigned to the WAN interface:

    WAN    any  *  *  *  *  *  NO Disable NAT

    I don't know if the rule was necessary but it appeared it might be the only way to shut NAT off.

    This is similar to how I've configured transparently bridged OpenBSD firewalls in the past.  The two interfaces and the bridge didn't need IPs.

    I'm a little confused on the, "You enable your bridged interface and give it the credentials".

    In openBSD, this is essentially what I've done before:

    # bring both bridge members up with no address
    echo up > /etc/hostname.xl0
    echo up > /etc/hostname.xl1
    # create bridge0 with xl0 and xl1 as members
    echo add xl0 add xl1 up > /etc/bridgename.bridge0
    # enable port forwarding (persist it in /etc/sysctl.conf)
    sysctl net.inet.ip.forwarding=1

    Enabling port forwarding is supposed to pass traffic from one interface to the other.  If I go into "firewall > NAT > Port Forward" it seems that it wants you to create a rule with specific destination IPs.  Haven't quite figured out here what my rule should look like to forward everything.
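    As an added example (not code from this thread, from pfSense, or from any poster), here is a small Python check that reads a pfSense config.xml backup and verifies the layout described in the post above: the bridge members and the assigned bridge carry no IP, the management IP sits on a non-bridged interface, and a manual "Do not NAT" outbound rule covers a bridge member. The element names (interfaces, bridges/bridged/members, nat/outbound/mode, nonat) follow the config.xml layout as I understand it and are an assumption; the XML below is a constructed sample, not a real backup.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the "interfaces > assign" list above (not a real backup).
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>vr0</if><enable/><ipaddr>none</ipaddr><descr>WAN</descr></wan>
    <opt1><if>vr1</if><enable/><ipaddr>none</ipaddr><descr>OPT</descr></opt1>
    <opt2><if>bridge0</if><enable/><ipaddr>none</ipaddr><descr>BRIDGE</descr></opt2>
    <lan><if>vr2</if><enable/><ipaddr>192.168.0.100</ipaddr><subnet>24</subnet>
         <descr>LAN_ADMIN</descr></lan>
  </interfaces>
  <bridges><bridged><members>wan,opt1</members><bridgeif>bridge0</bridgeif></bridged></bridges>
  <nat><outbound><mode>advancedoutbound</mode>
    <rule><interface>wan</interface><nonat/><source><any/></source>
          <destination><any/></destination></rule>
  </outbound></nat>
</pfsense>"""


def audit_bridge_config(xml_text):
    """Return a list of findings; an empty list means the layout matches the one above."""
    root = ET.fromstring(xml_text)
    findings = []
    # config tag -> (physical device, configured address); "none" is the no-IP type
    ifaces = {n.tag: (n.findtext("if", ""), n.findtext("ipaddr", "none"))
              for n in root.find("interfaces")}
    bridged = set()  # config tags of every bridge member plus the assigned bridge itself
    for br in root.iterfind("bridges/bridged"):
        members = [m for m in br.findtext("members", "").split(",") if m]
        bridged.update(members)
        bridgeif = br.findtext("bridgeif", "")
        bridged.update(t for t, (dev, _) in ifaces.items() if dev == bridgeif)
        # a "Do not NAT" rule bound to a member shows outbound NAT was switched off manually
        nonat_ifaces = {r.findtext("interface") for r in root.iterfind("nat/outbound/rule")
                        if r.find("nonat") is not None}
        if (root.findtext("nat/outbound/mode") != "advancedoutbound"
                or not nonat_ifaces & set(members)):
            findings.append("no manual 'Do not NAT' rule covers bridge members " + ",".join(members))
    for tag in sorted(bridged):
        if ifaces.get(tag, ("", "none"))[1] != "none":
            findings.append("bridged interface %s carries IP %s" % (tag, ifaces[tag][1]))
    # management must still have an address somewhere, but on a non-bridged interface
    mgmt = [t for t, (_, ip) in ifaces.items() if t not in bridged and ip != "none"]
    if not mgmt:
        findings.append("no non-bridged interface has an IP for management")
    return findings
```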



  • You enable your bridged interface and give it the credentials

    Sorry I was punchy last night…  Lack of sleep thing.

    You give it your IP address, subnet, gateway etc...    Only so the firewall can do what it needs as CMB posted.

    I'll post some screenshots of my config later...



  • Been there, done that (the punchy thing).  :)

    Thanks,



  • There's no need to assign the bridge itself when you aren't giving it an IP. If you're bridging multiple internal NICs, then you usually want to assign the bridge and put your IP there, in this case there isn't any reason to do so (though not really any reason not to either, assigning it's not doing anything).



  • @cmb:

    There's no need to assign the bridge itself when you aren't giving it an IP. If you're bridging multiple internal NICs, then you usually want to assign the bridge and put your IP there, in this case there isn't any reason to do so (though not really any reason not to either, assigning it's not doing anything).

    Okay, thanks.  Any idea why it's not working?  This should be pretty simple to do but it doesn't pass any traffic across the bridge.



  • Never mind.  I got it working.  :)



  • What did you do to get it working?

    I have a transparent bridge with IPs on the interfaces and want to remove the IPs for security. What trickery do I need to get it to work smoothly?

    Thanks.

