Transparent Bridge Firewall - All Public IP Addresses
-
your bridge is fine.
again:
@cmb: what IP, mask, gateway, DNS config do you have on your host behind the bridge?
-
Exactly as displayed on plus.net (the providers) page. I'll PM you with them.
-
Really appreciate all your help on this, I am doing this work voluntarily for a local charity.
-
I think I have figured out the problem, can't test till tomorrow but maybe you can confirm. I am testing with a Windows machine, instead of the WAN interface on the Draytek. Crossover cable? I should be using a crossover cable?!
-
If you're plugging a PC/server straight into the firewall, and neither of the involved NICs are auto MDI/MDI-X, then yes you need a crossover.
-
Crossover cable in place….. and... nothing.. nowt.. nada. Any more ideas anyone? Does this information help?
ifconfig bridge0
bridge0: flags=8843 <up,broadcast,running,simplex,multicast> metric 0 mtu 1500
ether 6a:7b:c0:c5:bc:37
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0

ifconfig rl2
rl2: flags=8843 <up,broadcast,running,simplex,multicast> metric 0 mtu 1500
options=8 <vlan_mtu>
ether 00:0f:ea:39:4f:a0
inet6 fe80::20f:eaff:fe39:4fa0%rl2 prefixlen 64 scopeid 0x5
nd6 options=3 <performnud,accept_rtadv>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active

ifconfig em0
em0: flags=8802 <broadcast,simplex,multicast> metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>
ether 90:e2:ba:0d:59:34
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
-
The flags for em0 DO NOT include UP and RUNNING. Hence the hardware thinks em0 is disconnected. But it reports status active!
Why doesn't the bridge interface report its members? (It doesn't have any? You chopped it off?)
Why doesn't the em0 interface report inet6 and nd6? (You edited it out? The data comes from an older FreeBSD system, not from the same system reporting rl2? You messed up a copy and paste?)
-
No, that's not edited; it didn't look right to me either. Here is the complete ifconfig. WAN is rl2, DIGI (the interface I am trying to bridge) is em0.
ifconfig
rl0: flags=8843 <up,broadcast,running,simplex,multicast> metric 0 mtu 1500
options=8 <vlan_mtu>
ether c8:3a:35:d4:0c:6d
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::ca3a:35ff:fed4:c6d%rl0 prefixlen 64 scopeid 0x1
nd6 options=3 <performnud,accept_rtadv>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
em0: flags=8802 <broadcast,simplex,multicast> metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>
ether 90:e2:ba:0d:59:34
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=108943 <up,broadcast,running,promisc,simplex,multicast,ipfw_filter> metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>
ether 90:e2:ba:0d:59:35
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
inet6 fe80::92e2:baff:fe0d:5935%em1 prefixlen 64 scopeid 0x3
nd6 options=3 <performnud,accept_rtadv>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl1: flags=8943 <up,broadcast,running,promisc,simplex,multicast> metric 0 mtu 1500
options=8 <vlan_mtu>
ether c8:3a:35:d8:7a:22
inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
inet6 fe80::ca3a:35ff:fed8:7a22%rl1 prefixlen 64 scopeid 0x4
nd6 options=3 <performnud,accept_rtadv>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl2: flags=8843 <up,broadcast,running,simplex,multicast> metric 0 mtu 1500
options=8 <vlan_mtu>
ether 00:0f:ea:39:4f:a0
inet6 fe80::20f:eaff:fe39:4fa0%rl2 prefixlen 64 scopeid 0x5
nd6 options=3 <performnud,accept_rtadv>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=8810 <pointopoint,simplex,multicast> metric 0 mtu 1500
pflog0: flags=100 <promisc> metric 0 mtu 33664
pfsync0: flags=0<> metric 0 mtu 1460
syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
enc0: flags=0<> metric 0 mtu 1536
lo0: flags=8049 <up,loopback,running,multicast> metric 0 mtu 16384
options=3 <rxcsum,txcsum>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
nd6 options=3 <performnud,accept_rtadv>
pppoe0: flags=89d1 <up,pointopoint,running,noarp,promisc,simplex,multicast> metric 0 mtu 1492
inet6 fe80::ca3a:35ff:fed4:c6d%pppoe0 prefixlen 64 scopeid 0xb
inet IPADDRESSEDITED –> 195.166.128.47 netmask 0xffffffff
nd6 options=3 <performnud,accept_rtadv>
bridge0: flags=8843 <up,broadcast,running,simplex,multicast> metric 0 mtu 1500
ether 6a:7b:c0:c5:bc:37
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
ipfw0: flags=8801 <up,simplex,multicast> metric 0 mtu 65536
-
The bridge should have members, for example (extract from ifconfig output on my system):
ath0_wlan0: flags=8943 <up,broadcast,running,promisc,simplex,multicast> metric 0 mtu 1500
ether 00:19:e0:68:31:4b
inet6 fe80::219:e0ff:fe68:314b%ath0_wlan0 prefixlen 64 scopeid 0xb
nd6 options=3 <performnud,accept_rtadv>
media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
status: running
ssid Rivendell channel 1 (2412 MHz 11g) bssid 00:19:e0:68:31:4b
regdomain ROW country AU indoor ecm authmode WPA2/802.11i privacy MIXED deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 30 scanvalid 60 protmode OFF burst -apbridge dtimperiod 1 -dfs
bridge0: flags=8843 <up,broadcast,running,simplex,multicast> metric 0 mtu 1500
ether 9a:ae:96:8a:52:25
inet 192.168.211.173 netmask 0xffffff80 broadcast 192.168.211.255
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: vr0 flags=143 <learning,discover,autoedge,autoptp>
ifmaxaddr 0 port 3 priority 128 path cost 200000
member: ath0_wlan0 flags=143 <learning,discover,autoedge,autoptp>
ifmaxaddr 0 port 11 priority 128 path cost 370370
$
Also, I expect the em0 interface should have inet6 and nd6 options. Is pfSense interface DIGI enabled?
-
Yes all are enabled, although IP6 is not. Screenshots attached.
So in short this part is missing from my config (from your paste) (obviously with my interfaces):
member: vr0 flags=143 <learning,discover,autoedge,autoptp> ifmaxaddr 0 port 3 priority 128 path cost 200000
member: ath0_wlan0 flags=143 <learning,discover,autoedge,autoptp> ifmaxaddr 0 port 11 priority 128 path cost 370370
-
OK so it looks like there is a bug in the GUI, because it doesn't work…
I did this from the command line (Source: http://www.freebsd.org/doc/handbook/network-bridging.html) and the Bridge is UP UP UP!!!!!
ifconfig bridge0 addm rl2 addm em0 up
ifconfig em0 up
ifconfig rl2 up
ifconfig bridge0
bridge0: flags=8843 <up,broadcast,running,simplex,multicast> metric 0 mtu 1500
ether aa:fc:23:10:64:e9
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: em0 flags=143 <learning,discover,autoedge,autoptp> ifmaxaddr 0 port 2 priority 128 path cost 20000
member: rl2 flags=143 <learning,discover,autoedge,autoptp> ifmaxaddr 0 port 5 priority 128 path cost 200000
Thank you everyone for your help, nice to complete this post with a good answer… although I must apologise for hijacking the original post.
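The two faults the thread has diagnosed so far (a bridge stanza with no `member:` lines, and a would-be member whose flags lack UP and RUNNING) are easy to miss by eye in a long ifconfig listing. The script below is an added example written for this page, not code from pfSense, FreeBSD or any poster: it reads FreeBSD-style `ifconfig` output on stdin and, given the bridge name and the members it is supposed to have, reports every member that is absent, down, or not actually enslaved to the bridge. It assumes the stanza layout shown in the posts above (interface name in column 0 followed by `flags=NNNN<...>`, indented `member: xxx` lines under a bridge). The two sample inputs are constructed to match the "before" and "after" outputs posted in this thread.

```shell
#!/bin/sh
# check_bridge.sh - sanity-check FreeBSD/pfSense `ifconfig` output for a
# transparent bridge: is the bridge UP/RUNNING, is every intended member
# present and UP/RUNNING, and is each one really listed as a member?
#
# usage: ifconfig | sh check_bridge.sh bridge0 em0 rl2
#        sh check_bridge.sh --demo     # run against the built-in samples
#
# check_bridge BRIDGE MEMBER... prints one finding per line and returns 1
# if there were any findings, 0 if the bridge looks healthy.
check_bridge() {
    bridge=$1; shift
    awk -v bridge="$bridge" -v want="$*" '
    # An interface stanza starts in column 0 as "name: flags=NNNN<A,B,C>".
    # Keep the flag list lower-cased and comma-wrapped so /,up,/ is exact.
    /^[A-Za-z0-9_.]+: flags=/ {
        cur = $1; sub(/:$/, "", cur)
        f = tolower($0); sub(/.*flags=[0-9a-f]* ?</, "", f); sub(/>.*/, "", f)
        raw[cur] = f; flags[cur] = "," f ","
        next
    }
    # Indented "member: xxx flags=..." lines belong to the bridge stanza above.
    /^[ \t]*member: / { members[cur] = members[cur] " " $2 }
    function state(i) {
        if (!(i in flags)) return "missing"
        return (flags[i] ~ /,up,/ && flags[i] ~ /,running,/) ? "ok" : "down"
    }
    END {
        bad = 0
        s = state(bridge)
        if (s == "missing") { print bridge ": not present in ifconfig output"; bad++ }
        else if (s == "down") { print bridge ": not UP/RUNNING (flags=" raw[bridge] ")"; bad++ }
        n = split(want, w, " ")
        for (j = 1; j <= n; j++) {
            s = state(w[j])
            if (s == "missing") { print w[j] ": not present in ifconfig output"; bad++ }
            else if (s == "down") { print w[j] ": not UP/RUNNING (flags=" raw[w[j]] ")"; bad++ }
            if (index(members[bridge] " ", " " w[j] " ") == 0) {
                print bridge ": " w[j] " is not a member"; bad++
            }
        }
        exit (bad > 0)
    }'
}

# Constructed sample modelled on the first ifconfig posted in this thread:
# em0 is down and bridge0 has no members.
BROKEN_SAMPLE='em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 90:e2:ba:0d:59:34
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0f:ea:39:4f:a0
        status: active
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 6a:7b:c0:c5:bc:37
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0'

# Constructed sample modelled on the output after
# "ifconfig bridge0 addm rl2 addm em0 up; ifconfig em0 up".
FIXED_SAMPLE='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 90:e2:ba:0d:59:34
        status: active
rl2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0f:ea:39:4f:a0
        status: active
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether aa:fc:23:10:64:e9
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        member: rl2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 200000'

if [ "${1:-}" = "--demo" ]; then
    echo "== before (as first posted) =="
    printf '%s\n' "$BROKEN_SAMPLE" | check_bridge bridge0 em0 rl2 || echo "-> bridge is not working"
    echo "== after the manual ifconfig commands =="
    printf '%s\n' "$FIXED_SAMPLE" | check_bridge bridge0 em0 rl2 && echo "-> no findings"
fi
```

Run against the "before" sample it reports that em0 is not UP/RUNNING and that neither em0 nor rl2 is a member of bridge0, which is exactly what the replies above spotted by hand; against the "after" sample it is silent. On a stock FreeBSD box the handbook page cited in the post keeps such a bridge across reboots with `cloned_interfaces="bridge0"` and `ifconfig_bridge0="addm rl2 addm em0 up"` in /etc/rc.conf; pfSense regenerates its interface setup from config.xml at boot, so a bridge built by hand at the shell does not persist there and has to be defined through the GUI.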
-
OK so it looks like there is a bug in the GUI, because it doesn't work…
No, the GUI works fine, but it can only do what you tell it to. Your manual setup is completely different from what you configured in the GUI from the screenshots; you don't even have em0 assigned and it's not part of the bridge you set up. Which is also why your interface wasn't up until you manually upped it. It'll work fine if you configure it in the GUI so it does the back end the way you manually did it.
-
The GUI shows you attempting to bridge the PPP interface which is probably not a bridgeable interface. You also specified BRIDGE0 has a member DIGI which is the name assigned to BRIDGE0. A bridge probably can't have itself as a member :-)
I suspect you need to click on the "+" button on the Interfaces -> (assign) page twice to get two new pfSense interface names allocated, assign rl2 and em0 to those interface names and then make those new interfaces members of bridge0.
-
Would you care to expand on the procedure? Your response is contradictory to that of your colleague in the first part of the thread. I have this morning had to add another interface for the next part of the project and the bridge has gone. So I need to put it back, and it would be nice to put it back using the GUI.
Many many thanks for your help.
-
If the WAN NIC is added and bridged will traffic on it be routed via the PPPoE connection? I think perhaps not.
But agreed, you need to add an extra interface and assign em0 to it. Then replace DIGI in the bridge configuration with the new interface.
Steve
-
Now I'm getting extremely confused. Let's go back to basics here (interfaces got changed due to a card addition):
I have a WAN interface (rl1) connected to our service provider.
I have another interface 'DIGI' (em0) connected to a DrayTek router which I want to expose directly to the internet, allowing the DrayTek to be allocated the public IP address.
As I understand it I need to bridge the WAN (rl1) interface with the DIGI (em0) interface to make the DrayTek accessible from the Internet via the assigned public IP.
We have established that I am using the correct public IP address, subnet, gateway and DNS servers.
Is this all correct?
What is the procedure?
-
OK. Assuming all previous screenshots etc. are now redundant.
Create a bridge, bridge0, and add to it WAN (pppoe0) and DIGI (em0).
Add a new interface and assign bridge0 to it.
As Wallabybob pointed out this is unusual, I'm not sure if a PPPoE interface can be part of a bridge but that's what I'd try first.
However in this configuration the PPPoE interface will always be given a public IP by Plusnet.
Do you have multiple public IPs?
Steve
-
Create a bridge, bridge0, and add to it WAN (pppoe0) and DIGI (em0).
Add a new interface and assign bridge0 to it.
OK, done that, and it doesn't work, so either I am real thick, the instructions are incorrect, or the GUI is not doing what I ask of it.
As Wallabybob pointed out this is unusual, I'm not sure if a PPPoE interface can be part of a bridge but that's what I'd try first.
Is my approach completely wrong? Is there a better one?
If the WAN NIC is added and bridged will traffic on it be routed via the PPPoE connection? I think perhaps not.
OK, this looks to me like it is going to be a problem? So I cannot pass traffic out from the Draytek, but I can receive?
However in this configuration the PPPoE interface will always be given a public IP by Plusnet.
Do you have multiple public IPs?
I have a block of IP addresses, yes, so that's not a problem.
Again, if I add the bridge via the command line it springs straight up and traffic passes to my test box. As soon as I reboot the system, though, the config is lost. Not sure how to commit it.
With my requirements all laid out and comments responded to, what should I be doing? 'Cos my head is going to explode, after I have finished pulling my hair out and crying.
Thank you all so much…
-
I did this from the command line (Source: http://www.freebsd.org/doc/handbook/network-bridging.html) and the Bridge is UP UP UP!!!!!
I don't want to read too much into this statement - does it mean the configuration after executing the listed commands does everything you want it to do and nothing you don't want it to do?
Would you care to expand on the procedure, your response is contridicatary to that of your colleague in the first part of the thread.
I'll expand on the procedure if you give specific identification (author and reply number) of the "colleague" and response you mean.
Many many thanks for your help.
You're welcome.
If the WAN NIC is added and bridged will traffic on it be routed via the PPPoE connection? I think perhaps not.
Good point! I have no idea how bridging ppp and a lan interface will work. For example, what would ARP mean on a ppp interface?
As Wallabybob pointed out this is unusual, I'm not sure if a PPPoE interface can be part of a bridge but that' what I'd try first.
On my system:
$ ifconfig bridge1 create
$ ifconfig bridge1 addm pppoe0
ifconfig: BRDGADD pppoe0: Invalid argument
$ ifconfig bridge1
bridge1: flags=8802 <broadcast,simplex,multicast> metric 0 mtu 1500
ether de:86:fd:20:c4:7b
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
$
Bridging PPP and lan is not allowed.
-
If the WAN NIC is added and bridged will traffic on it be routed via the PPPoE connection? I think perhaps not.
OK this looks to me like it is going to be a problem? So I cannot pass traffic out from the Draytek, but I can receive?
Sorry that's my fault just confusing things. :-[
Wallabybob suggested that it may not be possible to bridge the PPPoE connection and that you should use the WAN NIC instead. I was querying whether or not that would work. I still think it wouldn't.
Perhaps you should re-describe what you are trying to achieve as an end result overall. Reading back through the thread, why do you need the Draytek router at all?
Steve