    Transparent Bridge Firewall - All Public IP Addresses

    Installation and Upgrades
      askWinters last edited by

      I have a LAN that runs on all public IP addresses. To enhance security and reduce exposure of the server hosts, I'd like to introduce a transparent bridge firewall using pfSense 2.x.

      The WAN and LAN interfaces of the pfSense will be given public IP addresses and the DHCP server will be disabled.
      I'd like to allow DHCP to be forwarded through the firewall so that each host will be given a public IP address from the ISP DHCP server.

      I found old documentation from TrendCHiller on how to configure the transparent firewall, but I have not found cohesive documentation on how to set it up with the latest version of pfSense: http://pfsense.trendchiller.com/transparent_firewall.pdf. I also saw a few of the other postings on this forum; however, I do not see any that are cohesive.

      Please let me know how, or if there is any detailed documentation available.

        wired-circuit last edited by

        I think I am trying to achieve a similar thing, only without the DHCP portion.  I have a new interface installed in my pfSense box (DIGI), which has a DrayTek router attached via its WAN interface.  I need to allocate the DrayTek the public IP.

        I am pretty sure that to do this I need to Bridge with the WAN and DIGI interfaces, but am unable to get it working and am a little unsure about the gateway addressing, I presume it would be the same as the WAN gateway address.

        Anyone help?

          wired-circuit last edited by

          Pretty sure I have all the public addresses correct now, gateway as well.  But I still cannot get traffic to pass.

          ![Picture 5.png](/public/imported_attachments/1/Picture 5.png)
          ![Picture 4.png](/public/imported_attachments/1/Picture 4.png)

            cmb last edited by

            You need firewall rules to pass traffic: on DIGI for outbound, WAN for inbound.

              wired-circuit last edited by

              Yer, I created an all-in, all-out rule for the purpose of testing.  I do see this in the log, a clue?? `php: : The command '/sbin/ifconfig bridge0 addm em0' returned exit code '1', the output was 'ifconfig: BRDGADD em0: File exists'`

                cmb last edited by

                That isn't relevant; it just means it tried to add the NIC to the bridge again and it was already there. Doesn't matter.

                what IP, mask, gateway, DNS config do you have on your host behind the bridge?

                  wired-circuit last edited by

                  I have stripped it back down to the interface (attached).

                  So starting again, because I think it would be a better approach, faster and more helpful to other readers in the future.

                  1. Go to Interfaces, Assign and select Bridges.
                  2. Click the plus sign to add a new bridge.
                  3. Use the Control key to select two interfaces, WAN and (in my case) DIGI, and click Save.
                  4. Go to Interfaces and select Assign. From the pull-down, select Bridge on your interface (again, in my case DIGI) and Save.

                  That should be it, right?  Effectively passing all traffic straight through to the device attached?

                  ![Picture 7.png](/public/imported_attachments/1/Picture 7.png)
                  ![Picture 8.png](/public/imported_attachments/1/Picture 8.png)

                    cmb last edited by

                    Your bridge is fine.

                    again:
                    @cmb:

                    what IP, mask, gateway, DNS config do you have on your host behind the bridge?

                      wired-circuit last edited by

                      Exactly as displayed on plus.net (the provider's) page.  I'll PM you with them.

                        wired-circuit last edited by

                        Really appreciate all your help on this, I am doing this work voluntarily for a local charity.

                          wired-circuit last edited by

                          I think I have figured out the problem, can't test till tomorrow but maybe you can confirm.  I am testing with a Windows machine, instead of the WAN interface on the Draytek.  Crossover cable? I should be using a crossover cable?!

                            cmb last edited by

                            If you're plugging a PC/server straight into the firewall, and neither of the involved NICs are auto MDI/MDI-X, then yes you need a crossover.

                              wired-circuit last edited by

                              Crossover cable in place….. and... nothing.. nowt.. nada.  Any more ideas anyone? Does this information help?

                              ```
                              ifconfig bridge0
                              bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                  ether 6a:7b:c0:c5:bc:37
                                  id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
                                  maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
                                  root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0

                              ifconfig rl2
                              rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                  options=8<VLAN_MTU>
                                  ether 00:0f:ea:39:4f:a0
                                  inet6 fe80::20f:eaff:fe39:4fa0%rl2 prefixlen 64 scopeid 0x5
                                  nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                                  media: Ethernet autoselect (100baseTX <full-duplex>)
                                  status: active

                              ifconfig em0
                              em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                  options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
                                  ether 90:e2:ba:0d:59:34
                                  media: Ethernet autoselect (1000baseT <full-duplex>)
                                  status: active
                              ```

                                wallabybob last edited by

                                The flags for em0 DO NOT include UP and RUNNING. Hence the hardware thinks em0 is disconnected. But it reports status active!

                                Why doesn't the bridge interface report its members? (It doesn't have any? You chopped it off?)

                                Why doesn't the em0 interface report inet6 and nd6? (You edited it out? The data comes from an older FreeBSD system, not from the same system reporting rl2? You messed up a copy and paste?)

                                  wired-circuit last edited by

                                  No, that's not edited; it didn't look right to me either.  Here is the complete ifconfig. WAN is rl2, DIGI (the interface I am trying to bridge) is em0.

                                  ```
                                  ifconfig
                                  rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                      options=8<VLAN_MTU>
                                      ether c8:3a:35:d4:0c:6d
                                      inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
                                      inet6 fe80::ca3a:35ff:fed4:c6d%rl0 prefixlen 64 scopeid 0x1
                                      nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                                      media: Ethernet autoselect (100baseTX <full-duplex>)
                                      status: active
                                  em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                      options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
                                      ether 90:e2:ba:0d:59:34
                                      media: Ethernet autoselect (1000baseT <full-duplex>)
                                      status: active
                                  em1: flags=108943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,IPFW_FILTER> metric 0 mtu 1500
                                      options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
                                      ether 90:e2:ba:0d:59:35
                                      inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
                                      inet6 fe80::92e2:baff:fe0d:5935%em1 prefixlen 64 scopeid 0x3
                                      nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                                      media: Ethernet autoselect (100baseTX <full-duplex>)
                                      status: active
                                  rl1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                      options=8<VLAN_MTU>
                                      ether c8:3a:35:d8:7a:22
                                      inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
                                      inet6 fe80::ca3a:35ff:fed8:7a22%rl1 prefixlen 64 scopeid 0x4
                                      nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                                      media: Ethernet autoselect (100baseTX <full-duplex>)
                                      status: active
                                  rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                      options=8<VLAN_MTU>
                                      ether 00:0f:ea:39:4f:a0
                                      inet6 fe80::20f:eaff:fe39:4fa0%rl2 prefixlen 64 scopeid 0x5
                                      nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                                      media: Ethernet autoselect (100baseTX <full-duplex>)
                                      status: active
                                  plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                  pflog0: flags=100<PROMISC> metric 0 mtu 33664
                                  pfsync0: flags=0<> metric 0 mtu 1460
                                      syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
                                  enc0: flags=0<> metric 0 mtu 1536
                                  lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
                                      options=3<RXCSUM,TXCSUM>
                                      inet 127.0.0.1 netmask 0xff000000
                                      inet6 ::1 prefixlen 128
                                      inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
                                      nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                                  pppoe0: flags=89d1<UP,POINTOPOINT,RUNNING,NOARP,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1492
                                      inet6 fe80::ca3a:35ff:fed4:c6d%pppoe0 prefixlen 64 scopeid 0xb
                                      inet IPADDRESSEDITED --> 195.166.128.47 netmask 0xffffffff
                                      nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                                  bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                      ether 6a:7b:c0:c5:bc:37
                                      id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
                                      maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
                                      root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
                                  ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
                                  ```

                                    wallabybob last edited by

                                    The bridge should have members, for example (extract from ifconfig output on my system):

                                    ```
                                    ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                        ether 00:19:e0:68:31:4b
                                        inet6 fe80::219:e0ff:fe68:314b%ath0_wlan0 prefixlen 64 scopeid 0xb
                                        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                                        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
                                        status: running
                                        ssid Rivendell channel 1 (2412 MHz 11g) bssid 00:19:e0:68:31:4b
                                        regdomain ROW country AU indoor ecm authmode WPA2/802.11i
                                        privacy MIXED deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit
                                        txpower 30 scanvalid 60 protmode OFF burst -apbridge dtimperiod 1 -dfs
                                    bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                        ether 9a:ae:96:8a:52:25
                                        inet 192.168.211.173 netmask 0xffffff80 broadcast 192.168.211.255
                                        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
                                        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
                                        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
                                        member: vr0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 3 priority 128 path cost 200000
                                        member: ath0_wlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 11 priority 128 path cost 370370
                                    $
                                    ```

                                    Also, I expect the em0 interface should have inet6 and nd6 options. Is pfSense interface DIGI enabled?
                                      wired-circuit last edited by

                                      Yes, all are enabled, although IP6 is not.  Screenshots attached.

                                      So, in short, this part is missing from my config (from your paste), obviously with my interfaces:

                                      ```
                                      member: vr0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 3 priority 128 path cost 200000
                                      member: ath0_wlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 11 priority 128 path cost 370370
                                      ```

                                      ![Picture 1.png](/public/imported_attachments/1/Picture 1.png)
                                      ![Picture 2.png](/public/imported_attachments/1/Picture 2.png)
                                      ![Picture 3.png](/public/imported_attachments/1/Picture 3.png)
                                      ![Picture 4.png](/public/imported_attachments/1/Picture 4.png)
                                      ![Picture 5.png](/public/imported_attachments/1/Picture 5.png)

                                        wired-circuit last edited by

                                        OK, so it looks like there is a bug in the GUI, because it doesn't work...

                                        I did this from the command line (Source: http://www.freebsd.org/doc/handbook/network-bridging.html) and the Bridge is UP UP UP!!!!!

                                        ```
                                        ifconfig bridge0 addm rl2 addm em0 up
                                        ifconfig em0 up
                                        ifconfig rl2 up
                                        ifconfig bridge0
                                        bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                            ether aa:fc:23:10:64:e9
                                            id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
                                            maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
                                            root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
                                            member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 2 priority 128 path cost 20000
                                            member: rl2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 5 priority 128 path cost 200000
                                        ```

                                        Thank you everyone for your help, nice to complete this post with a good answer... although I must apologise for hijacking the original post.

                                          cmb last edited by

                                          @wired-circuit:

                                          OK, so it looks like there is a bug in the GUI, because it doesn't work...

                                          No, the GUI works fine, but it can only do what you tell it to. Your manual setup is completely different from what you configured in the GUI from the screenshots: you don't even have em0 assigned, and it's not part of the bridge you set up. Which is also why your interface wasn't up until you manually upped it. It'll work fine if you configure it in the GUI so it does the back end the way you manually did it.

                                            wallabybob last edited by

                                            The GUI shows you attempting to bridge the PPP interface which is probably not a bridgeable interface. You also specified BRIDGE0 has a member DIGI which is the name assigned to BRIDGE0. A bridge probably can't have itself as a member :-)

                                            I suspect you need to click on the "+" button on the Interfaces -> (assign) page twice to get two new pfSense interface names allocated, assign rl2 and em0 to those interface names and then make those new interfaces members of bridge0.

                                              wired-circuit last edited by

                                              Would you care to expand on the procedure? Your response is contradictory to that of your colleague in the first part of the thread.  I have this morning had to add another interface for the next part of the project, and the bridge has gone.  So I need to put it back, and it would be nice to put it back using the GUI.

                                              Many many thanks for your help.

                                                stephenw10 Netgate Administrator last edited by

                                                If the WAN NIC is added and bridged will traffic on it be routed via the PPPoE connection? I think perhaps not.

                                                But agreed, you need to add an extra interface and assign em0 to it. Then replace DIGI in the bridge configuration with the new interface.

                                                Steve

                                                  wired-circuit last edited by

                                                  Now I'm getting extremely confused.  Let's go back to basics here (interfaces got changed due to a card addition):

                                                  I have a WAN interface (rl1) connected to our service provider.
                                                  I have another interface 'DIGI' (em0) connected to a DrayTek router which I want to expose directly to the internet, allowing the DrayTek to be allocated the public IP address.

                                                  As I understand it, I need to bridge the WAN (rl1) interface with the DIGI (em0) interface to make the DrayTek accessible from the Internet via the assigned public IP.

                                                  We have established that I am using the correct Public IP address, subnet, gateway and DNS Servers.

                                                  Is this all correct?
                                                  What is the procedure?

                                                    stephenw10 Netgate Administrator last edited by

                                                    OK. Assuming all previous screenshots etc are now redundant.

                                                    Create a bridge, bridge0, and add to it WAN(PPPoe0) and DIGI(em0).

                                                    Add a new interface and assign bridge0 to it.

                                                    As Wallabybob pointed out this is unusual, I'm not sure if a PPPoE interface can be part of a bridge but that's what I'd try first.

                                                    However in this configuration the PPPoE interface will always be given a public IP by Plusnet.
                                                    Do you have multiple public IPs?

                                                    Steve

                                                      wired-circuit last edited by

                                                      @stephenw10:

                                                      Create a bridge, bridge0, and add to it WAN(PPPoe0) and DIGI(em0).
                                                      Add a new interface and assign bridge0 to it.

                                                      OK, done that, and it doesn't work, so either I am real thick, the instructions are incorrect, or the GUI is not doing what I ask of it.

                                                      @stephenw10:

                                                      As Wallabybob pointed out this is unusual, I'm not sure if a PPPoE interface can be part of a bridge but that's what I'd try first.

                                                      Is my approach completely wrong? Is there a better one?

                                                      @stephenw10:

                                                      If the WAN NIC is added and bridged will traffic on it be routed via the PPPoE connection? I think perhaps not.

                                                      OK this looks to me like it is going to be a problem? So I cannot pass traffic out from the Draytek, but I can receive?

                                                      @stephenw10:

                                                      However in this configuration the PPPoE interface will always be given a public IP by Plusnet.
                                                      Do you have multiple public IPs?

                                                      I have a block of IP addresses, yes, so that's not a problem.


                                                      Again if I add the bridge via the command line it springs straight up and traffic passes to my test box.  As soon as I reboot the system though, the config is lost.  Not sure how to commit it.

                                                      With my requirements all laid out, comments responded to what should I be doing cos my head is going to explode, after I have finished pulling my hair out and crying.

                                                      Thank you all so much…

                                                        wallabybob last edited by

                                                        @wired-circuit:

                                                        I did this from the command line (Source: http://www.freebsd.org/doc/handbook/network-bridging.html) and the Bridge is UP UP UP!!!!!

                                                        I don't want to read too much into this statement - does it mean the configuration after executing the listed commands does everything you want it to do and nothing you don't want it to do?

                                                        @wired-circuit:

                                                        Would you care to expand on the procedure? Your response is contradictory to that of your colleague in the first part of the thread.

                                                        I'll expand on the procedure if you give specific identification (author and reply number) of the "colleague" and response you mean.

                                                        @wired-circuit:

                                                        Many many thanks for your help.

                                                        You're welcome.

                                                        @stephenw10:

                                                        If the WAN NIC is added and bridged will traffic on it be routed via the PPPoE connection? I think perhaps not.

                                                        Good point! I have no idea how bridging ppp and a lan interface will work. For example, what would ARP mean on a ppp interface?

                                                        @stephenw10:

                                                        As Wallabybob pointed out this is unusual, I'm not sure if a PPPoE interface can be part of a bridge but that's what I'd try first.

                                                        On my system:

                                                        ```
                                                        $ ifconfig bridge1 create
                                                        $ ifconfig bridge1 addm pppoe0
                                                        ifconfig: BRDGADD pppoe0: Invalid argument
                                                        $ ifconfig bridge1
                                                        bridge1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                                            ether de:86:fd:20:c4:7b
                                                            id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
                                                            maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
                                                            root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
                                                        $
                                                        ```
                                                        

                                                        Bridging PPP and lan is not allowed.

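The two faults diagnosed in this thread, a bridge0 that lists no members alongside a member NIC whose flags lack UP and RUNNING (wallabybob's reading of the em0 output), and a PPP interface that ifconfig refuses to add (the bridge1/pppoe0 test just above), can be checked mechanically rather than by eyeballing the dump. The script below is an added example, not code from the thread, from pfSense or from FreeBSD: it parses ifconfig text in the FreeBSD format shown above, the sample output embedded in it is constructed to mirror the dumps in this thread, and the function names (check_bridge, bridgeable, iface_flags, bridge_members, has_flag) are my own. The "bridgeable" test is a heuristic on interface flags (POINTOPOINT or LOOPBACK means no), which matches the refusal reproduced above but is not the kernel's own check.

```shell
#!/bin/sh
# Added example: sanity-check a FreeBSD/pfSense bridge from `ifconfig` text.
# Findings it reports (all three occurred in this thread):
#   MISSING <if>         expected member not listed under the bridge
#   DOWN <if> <flags>    member lacks UP and/or RUNNING (interface disabled or no link)
#   NOT_BRIDGEABLE <if>  point-to-point or loopback interface (e.g. pppoe0), which
#                        ifconfig rejected above with "BRDGADD pppoe0: Invalid argument"

# Constructed sample modelled on wired-circuit's dump: WAN rl2 is up, DIGI em0 is
# not UP/RUNNING, pppoe0 is the PPP link, and bridge0 has no member lines at all.
SAMPLE_BROKEN='rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:0f:ea:39:4f:a0
em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 90:e2:ba:0d:59:34
pppoe0: flags=89d1<UP,POINTOPOINT,RUNNING,NOARP,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1492
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 6a:7b:c0:c5:bc:37
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15'

# Constructed sample of the working state: both NICs up and listed as members.
SAMPLE_FIXED='rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 2 priority 128 path cost 20000
	member: rl2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 5 priority 128 path cost 200000'

# iface_flags TEXT IFNAME: print the comma-separated flag names from IFNAME's header line.
iface_flags() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == (want ":") && $2 ~ /^flags=/ {
            s = $2; sub(/^flags=[0-9a-f]*</, "", s); sub(/>$/, "", s); print s; exit
        }'
}

# bridge_members TEXT BRIDGE: print one member interface name per line.
bridge_members() {
    printf '%s\n' "$1" | awk -v br="$2" '
        $1 ~ /:$/ && $2 ~ /^flags=/ { cur = $1; sub(/:$/, "", cur); next }
        cur == br && $1 == "member:" { print $2 }'
}

# has_flag FLAGLIST FLAG: succeed if FLAG appears in the comma-separated list.
has_flag() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# bridgeable TEXT IFNAME: succeed only for an Ethernet-style port (BROADCAST set,
# neither POINTOPOINT nor LOOPBACK). An interface that is absent is not bridgeable.
bridgeable() {
    f=$(iface_flags "$1" "$2")
    [ -n "$f" ] || return 1
    if has_flag "$f" POINTOPOINT || has_flag "$f" LOOPBACK; then return 1; fi
    has_flag "$f" BROADCAST
}

# check_bridge TEXT BRIDGE MEMBER...: print findings; return 1 if any, 0 if clean.
check_bridge() {
    text=$1; br=$2; shift 2
    bad=0
    printf '%s\n' "$text" | grep -q "^$br: " || { echo "NO_BRIDGE $br"; return 1; }
    members=$(bridge_members "$text" "$br")
    for m in "$@"; do
        if ! bridgeable "$text" "$m"; then
            echo "NOT_BRIDGEABLE $m"; bad=1; continue
        fi
        f=$(iface_flags "$text" "$m")
        if ! has_flag "$f" UP || ! has_flag "$f" RUNNING; then
            echo "DOWN $m <$f>"; bad=1
        fi
        printf '%s\n' "$members" | grep -qx "$m" || { echo "MISSING $m"; bad=1; }
    done
    return $bad
}

# On a live box:  check_bridge "$(ifconfig)" bridge0 em0 rl2
echo "--- broken sample ---";    check_bridge "$SAMPLE_BROKEN" bridge0 em0 rl2  || echo "exit status $?"
echo "--- pppoe0 as member ---"; check_bridge "$SAMPLE_BROKEN" bridge0 pppoe0   || echo "exit status $?"
echo "--- fixed sample ---";     check_bridge "$SAMPLE_FIXED" bridge0 em0 rl2   && echo "bridge0 OK"
```

Against the broken sample it prints DOWN em0, MISSING em0 and MISSING rl2 and exits 1, which is exactly the state of the full dump earlier in the thread; against the fixed sample it is silent and exits 0. Running it after a reboot is a cheap way to notice that a bridge built only from the command line has not survived.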
                                                          stephenw10 Netgate Administrator last edited by

                                                          @wired-circuit:

                                                          If the WAN NIC is added and bridged will traffic on it be routed via the PPPoE connection? I think perhaps not.

                                                          OK this looks to me like it is going to be a problem? So I cannot pass traffic out from the Draytek, but I can receive?

                                                          Sorry, that's my fault, just confusing things.  :-[
                                                          Wallabybob suggested that it may not be possible to bridge the PPPoE connection and that you should use the WAN NIC instead. I was querying whether or not that would work. I still think it wouldn't.

                                                          Perhaps you should re-describe what you are trying to achieve as an end result overall. Reading back through the thread why do you need the Draytek router at all?

                                                          Steve

                                                          • W
                                                            wallabybob last edited by

                                                            @wired-circuit:

                                                            So all said, how do I allocate the draytek a public IP and pass traffic to it directly without getting another adsl connection?

Let's get a high level understanding of what you are trying to do so we can determine the general solution. Then we can look at the specifics.

                                                            You said earlier you have a pool of public IP addresses. Would it be sufficient to pass some (or all) traffic to a specific IP address from the pool to the Draytek? Are all your public IPs on the same subnet or do you have a single public address allocated by PPP and a pool in another subnet?

                                                            Do you want ALL traffic from the internet to go to the Draytek? If so, why have the pfSense box?

                                                            • W
                                                              wired-circuit last edited by

                                                              We have a pool of ip addresses and all thankfully on the same subnet.

                                                              We have a pretty normal network setup, with a WAN adsl connection to plus.net, Wired LAN, Wireless network with Captive portal setup, DMZ with a web and mail server.  Until now everything has been great, we NAT traffic if required for the standard mail and web stuff.

The new requirement is for a supplier that is housing equipment and setup in our building; their requirement is not negotiable.  They have equipment tucked in behind a Draytek router and firewall.  The WAN port needs exposure to the internet with a public IP address.

Hope that clarifies the requirement, and again thanks for your help guys.

                                                              • W
                                                                wired-circuit last edited by

                                                                For my research, and I don't know if I am 100% correct here.  Bridging the WAN Interface with my DIGIEXPOSED interface is called a half-bridge, and committing it via the GUI does not work.  (If I bridge two LAN interfaces it works fine).

                                                                It looks like the half-bridge will give incoming access not outgoing.  If the supplier is using the connection to VPN in to their Draytek router will that give them going access through the VPN tunnel?  Or am I being thick?

                                                                If I cannot commit a half-bridge through the GUI how do I commit the command line changes to the config so they become permanent?

ALSO I need access to the LAN side of the Draytek (10.x network) from a 192.x network; interfaces are in place.  What would be the best approach for that?

                                                                Again, thank you all SO SO SO Much for your help.

                                                                Stu

                                                                • stephenw10
                                                                  stephenw10 Netgate Administrator last edited by

                                                                  Hmm, this is an interesting problem.
                                                                  I can see why you might use the term 'half bridge', many router manufacturers seem to use it, but it has no meaning in FreeBSD (afaik). Though that is what you are trying to accomplish.
                                                                  The bridge function is only restricted by the type of interface you are trying to bridge. If your WAN interface was DHCP this would be no problem. If you have got something working via the command line you should be able to replicate that in the GUI.

                                                                  If all that is required is to have access to the Draytek router from the internet then I would do as Wallabybob suggested; setup a virtual IP on WAN with one of your public IPs and 1:1 NAT that with the Draytek.

                                                                  Do you have access to the Draytek configuration? What do you need to access on the 10.* network?

                                                                  Steve

                                                                  • W
                                                                    wallabybob last edited by

The pfSense book has a discussion of using additional public IPs in section 6.7. One example (figure 6.21) shows use of a single block of IP addresses with the OPT1 interface bridged to WAN and a system connected to OPT1 having a public IP address.

                                                                    That example assumes an internet connection from pfSense to the ISP router using IP over Ethernet. Your configuration uses IP over PPP over Ethernet and you can't bridge OPTx and WAN because WAN is a PPP interface.

                                                                    Does your modem (upstream of pfSense) have the capability of handling the PPP so you can talk to it from pfSense using IP over Ethernet - that is, can you "offload" the PPP to the "modem"? If so, you can then bridge WAN and OPTx as discussed in the pfSense book.

                                                                    Depending on the degree of NAT you are prepared to allow, you might be able to get by with the port forward configuration I hinted at earlier.

                                                                    Maybe your modem will also accept IP over Ethernet and forward to the Internet inside the appropriate protocol wrapper. If so, you could possibly bridge your OPTx interface and the physical interface on which the WAN interface operates.

                                                                    • W
                                                                      wired-circuit last edited by

"offload" the PPP to the "modem", I think you are right, that's where the problem is.  I will confirm on Sunday when I can get in and take everything offline.

                                                                      Thanks for your help

                                                                      • W
                                                                        wired-circuit last edited by

                                                                        1:1 NAT it is!  I have it up on the https port and can see the Draytek.

                                                                        One cable running from the PFSense DIGIEXP (exposed) interface into the WAN port of the DrayTek.  Just have to add the other rules so they can VPN into it.

                                                                        The next thing I need to do is allow access to the LAN side of the DrayTek (DIGIINT, 10.61.88.0/28) from the existing LAN (192.168.1.0/24).

                                                                        • stephenw10
                                                                          stephenw10 Netgate Administrator last edited by

                                                                          Good job!  :)

                                                                          @wired-circuit:

                                                                          The next thing I need to do is allow access to the LAN side of the DrayTek (DIGIINT, 10.61.88.0/28) from the existing LAN (192.168.1.0/24).

                                                                          I can't see how you are going to do this without adding some rules to the Draytek. Unless you bypass it completely with another connection - which could open up the possibility of horrible routing loops!
                                                                          VPN tunnel perhaps?

                                                                          Unless the Draytek router already allows access to the servers behind it (seems likely  ::)) in which case you just need to add a static route to pfSense so it knows where to send traffic for 10.61.88.0/28.

                                                                          Steve

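The setup the thread arrived at (a spare public IP as a virtual IP on WAN, 1:1 NAT from it to the Draytek's WAN port, explicit firewall rules for the few services the supplier needs, and a static route for the network behind the Draytek), written out as the pf rules a pfSense 2.x box ends up with. This is an added example, not code from the thread or from pfSense itself; pfSense generates rules of this shape from the GUI, but the interface names (pppoe0 for WAN, em0 for LAN, em2 for the DIGIEXP interface), the public VIP 203.0.113.10, the Draytek WAN address 192.0.2.2 and the VPN ports are all assumptions chosen for illustration. The two subnets 10.61.88.0/28 and 192.168.1.0/24 are the ones given in the thread.

```pf
# Added example (not from the thread or from pfSense): the pf rules behind a
# 1:1 NAT to a router sitting on an OPT interface. All names and addresses
# below are assumptions:
#   pppoe0       WAN (PPPoE), which is why it could not be a bridge member
#   em0          existing LAN, 192.168.1.0/24
#   em2          DIGIEXP, the OPT interface cabled to the Draytek WAN port
#   203.0.113.10 one spare address from the public pool, added as an IP Alias
#                virtual IP on WAN (documentation range used as a stand-in)
#   192.0.2.2    the address given to the Draytek WAN port on em2
wan_if      = "pppoe0"
lan_if      = "em0"
exp_if      = "em2"
draytek_pub = "203.0.113.10"
draytek_wan = "192.0.2.2"
lan_net     = "192.168.1.0/24"
draytek_lan = "10.61.88.0/28"

# 1:1 NAT: bidirectional translation between the public VIP and the Draytek.
# Translation happens before filtering, so the filter rules below match on
# the translated (inside) address, not on the VIP.
binat on $wan_if from $draytek_wan to any -> $draytek_pub

# Default deny inbound. A 1:1 mapping creates no pass rule of its own, so
# the Draytek is reachable only on the ports explicitly opened below.
block in log on $wan_if

# Management: HTTPS to the Draytek, the port the thread confirmed working.
pass in quick on $wan_if proto tcp from any to $draytek_wan port 443 \
    flags S/SA keep state

# VPN terminated on the Draytek. IPsec (IKE, NAT-T, ESP) is assumed here;
# replace with whatever the supplier's VPN actually uses and nothing more.
pass in quick on $wan_if proto udp from any to $draytek_wan port { 500, 4500 } keep state
pass in quick on $wan_if proto esp from any to $draytek_wan keep state

# Existing LAN reaching the network behind the Draytek. This only delivers
# packets to the Draytek's WAN port; it needs a static route on pfSense for
# $draytek_lan via $draytek_wan and a matching rule on the Draytek itself.
pass in quick on $lan_if proto { tcp, udp, icmp } from $lan_net to $draytek_lan keep state
```

Two things this makes visible that the GUI hides. First, the exposure difference between the two approaches discussed: bridging the Draytek onto WAN would have put its WAN port directly on the public subnet with every port reachable and the filtering left to the Draytek, whereas the 1:1 NAT keeps the public address on pfSense and only the listed ports pass. Second, the `block in log` line: with logging on the default deny, attempts against the other ports of the public VIP show up in the pfSense firewall log, which is where to look if the supplier reports something "not working" before any further port is opened. The static route is added under System > Routing in the GUI (the equivalent of `route add -net 10.61.88.0/28 192.0.2.2` on the box) and, as noted in the thread, does nothing useful until the Draytek is also configured to accept traffic for its LAN from that direction.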
                                                                          • W
                                                                            wired-circuit last edited by

                                                                            YEP I know, I know.  The requirements of this company are stupid, really really stupid.  Why they could not use our existing infrastructure is crazy.  And to expect it from a small charity….. well...

                                                                            Essentially the remote access via the 1:1 NAT on the first part of the project is to allow the company that installed to manage, they come into their DrayTek via the Public IP and VPN on the Draytek.

The second portion of the project, access to the LAN portion on the Draytek, is for usage of the product; they will not allow us to use the public side.. mental isn't it?

                                                                            • stephenw10
                                                                              stephenw10 Netgate Administrator last edited by

It would be interesting to know what they expect the network to look like.
Presumably they have done this many times before and have found this to be the best setup.

                                                                              I'd be interested in the opinion of someone with more experience on this.

                                                                              Steve
