Pfsense 2.0 transparent firewall / firewall bridge
There are several guides for this online, but none seem to actually apply to release version 2.0.
To setup pfsense as a transparent firewall / bridge with 2 interfaces, follow these steps from a fresh install:
1. Disable NAT (but not the firewall). See http://doc.pfsense.org/index.php/How_can_I_completely_disable_NAT%3F#Disable_NAT
2. VERY IMPORTANT: As mentioned at http://forum.pfsense.org/index.php?topic=30653.0, go to the 'System -> Advanced -> System Tunables' and set net.link.bridge.pfil_bridge from 'default' to '1'
3. Bridge WAN and LAN by going to 'Interfaces → Assign → Bridges'
4. Create OPT iface and assign the bridge to it by 'Interfaces → Assign → Network Port'
5. Add an IP address to the bridge interface; this IP is the one you will use to access the firewall long term
6. Add allow all rules to ALL firewall interfaces to avoid being locked out. Ifaces OPT, WAN, and LAN
7. Set WAN and LAN interface type to 'none'. (Under 'Interfaces' in GUI)
8. Disable DHCP server
9. The firewall should now be able to be accessed from all ifaces via the IP on the bridge from step 5
10. Carefully modify your firewall rules to be more restrictive. DNS, DHCP, etc.
chpalmer last edited by
hvar last edited by
Thank you ever so much for this guide! I have been struggeling with this for some time, and this was of great help!!
I did not however get all the way home:
I made a bridge with WAN+LAN+DMZ interfaces following your guide. I also assigned one additional interface for MGMT outside the bridge with a static IP.
I have made rules on all interfaces with "allow everything", but still cannot access the IP-adress I assigned to the bridge (no ping, no http(s) nothing. Neither from LAN nor WAN nor DMZ. What could be wrong? (I can only access the unit via the MGMT interface on the IP assigned to it.)
I want to have pfsense run a DCHP server on LAN interface only. Can this be done?
thevoice last edited by
I don't know if I'm blind or what, but can't figure out where is the step 4 : Interfaces → Assign → Network Port.
I have pfSense 2.0.1-RELEASE and this is not inside any menus. Have you screenshots of your steps? Would be helpful!
Also, is you setup almost the same for dual WAN if I want to get both WAN external IPs available on a optional interface example : DMZ?
thevoice last edited by
Sorry I found the Network Port… now following other steps!
hvar: I believe there are other guides that do show how to do a bridge setup with an additional interface for management; this is the "traditional" way to setup a firewall bridge. This guide is for those wishing to setup a firewall bridge using only 2 interfaces.
seanlee last edited by
For virtual environments (VMware), what does the switching look like on the ESX host? Which NICS go on which vSwitch ports etc? I know you have to enable promiscuous mode…
I have 2 VM's, one is a CentOS VM with an IPV4 address (One NIC), and the other is a pfSense fw setup to be transparent (Two NICs, followed steps above). On the ESX host, I have a WAN vSwitch and a LAN vSwitch. The CentOS VM is on the LAN vSwitch (the LAN vSwitch has no uplinks at all). The pfSense VM has one NIC on the LAN vSwitch, and one NIC on the WAN vSwitch. As of right now, my CentOS VM can communicate out, but nothing can communicate in.
seanlee last edited by
micano last edited by
I have tried this setup and it worked to some extend. However, the idea is to configure limiters per host/ip based on layer 7 and/or general conditions.
1. When I create a simple rule with In/Out limiters to TCP/UDP everything works fine and the traffic is limited as supposed to.
2. As soon as I create L7+In/Out+TCP/UDP rule the traffic assigned to L7 rule seems to be blocked as well as some other(???).
L7 rule is: protocol - httpvideo, structure - limiter and a precreated limiter is assigned.
3. Dhcp, dhs, file sharing work fine with or without L7 rules being setup. And traffic is nicely assigned to a limiter dependent on conditions (destinations or source)
Could L7 limiters be setup in a bridge config? Has someone configured anything similar?
This link states that net.link.bridge.pfil_member should be set to "0" http://doc.pfsense.org/index.php/Traffic_Shaping_Guide
To which interface a floating rule should be applied? In some cases it doubles the speed configured by the limiter.
Any info would help. Thank You.
I have also tried this config in Hyper-V and after step 7 lost connectivity to pfsense. ifconfig down/up for all interfaces did not help.
Unfortunately, I made this guide AFTER I placed the system into production. It is possible that I missed a crucial step in writing the guide.
However, I would guess that if you are having trouble connecting to the web interface after step 7, I would highly suggest that you take a close look at your firewall rules.
In my case, I actually did not add ANY rules to the interfaces; I simply started with a single "Allow All" rule in the "Floating" rules section (step 6). Later on (step 10), I added allow rules for crucial services (INCLUDING THE WEB GUI) and then removed the "Allow All" rule.
It just occurred to me: the order in which you set the interfaces to 'none' in step 7 might be important. I would set WAN first, then LAN.
btarrh last edited by
Give this a try. I wrote this a few months back and it's in its final revision.
Transparent Firewall-Filtering Bridge - pfSense 2.0.2
http://people.pharmacy.purdue.edu/~tarrh/Transparent Firewall-Filtering Bridge - pfSense 2.0.2 By William Tarrh.pdf