Bridge + NAT



  • Hi guys.

    I'm a total newbie to pfSense, and I need some help.
    I had a Cisco ASA which died today and I'm trying to get online with pfSense.

    I need a setup like:

    ISP----------WAN==pfsense2.0.1==LAN---------VSwitch
                                     |              |----server1(public ip)
                                     |              |----server2(public ip)
                                     |              |----server3(public ip)
                                     |
                                     |------VSwitch
                                                |------ Server/ Management (NAT)

    I have read some threads and guides, and I'm a bit confused, so I'm hoping there is someone that can explain it for me from scratch.
    I have a /28 subnet of public IP addresses to use for my servers.



  • This may help in the case you would like to try bridging…

    http://forum.pfsense.org/index.php/topic,20917.0.html

    Or you could try the Virtual IP route.



  • Am I correct, Virtual IP is NAT/PAT???
    I need to run the firewall so that my servers can run on their public IPs.



  • Virtual IP is used as a start with NAT/PAT… You will not use this in a bridge or a routed subnet.



  • You don't need to NAT those public IPs.

    You can do this in pfSense, you need to switch to AON (Advanced Outbound NAT) to make rules for what should and shouldn't be NAT'd.



  • Okay, and how should that rule look?



  • You are not going to NAT on the servers crossing the bridge. Looks like you want to NAT server MGMT. Is this a computer or an iLO (or similar)? It will need to be something other than the server itself, as you cannot send traffic down 2 paths.
    The advanced outbound NAT rules will have 127.0.0.1/32 -> WAN IP. And the server MGMT will NAT the server mgmt net (i.e. 10.1.2.0/24) -> WAN IP (or VIP).

    So the WAN will have an IP, and LAN and bridge0 (opt1) will not have an IP. The OPT2 (server mgmt interface) will need a private IP.

    You are going to need to set up rules on each interface. LAN and bridge0 will just need an allow all from any protocol/port. WAN will need the inbound rules to block/control traffic. opt2 (server mgmt) will need a wide open rule to start with and then, once it is all working, restrict it.

    Bridges are somewhat complex. Either NAT or routed (which trumps all) is better. Why do the servers need live IPs?



  • Short explanation:

    HP ProLiant DL360 server with vSphere 5 as OS.

    Running 8 VMs with public IP addresses.
    ISP----------WAN==pfsense2.0.1==LAN---------VSwitch
                                     |              |----server1(public ip)
                                     |              |----server2(public ip)
                                     |              |----server3(public ip)
                                     |
                                     |------VSwitch
                                                |
                                                |------ Switch where all my servers are connected (back end net, where I manage my VMware and so on)
                                                |------ Server/ Management (private IP)

    Okay, I think I'm going to keep it simple... only a transparent/bridge firewall; I can still get in contact with my VMware and just open a console window to a Windows server to manage pfSense.

    Can you show me an example of a rule DMZ to WAN?



  • Bridges are somewhat complex. Either NAT or routed (which trumps all) is better. Why do the servers need live IPs?

    Yeah, I have noticed that… :-) I started out believing that this would be the easiest way, but no... :-/

    It is web, mail and DNS servers, so they need to run on public IP addresses.



  • I run my mail and web servers behind a NAT. It's just a matter of a correct configuration.



  • I would if possible, but it is not.
    All server config is based on the NIC IP address and it pulls it from the NIC; I have tried to change it, but the IP is integrated in the hosting controller software more than it is possible to change. Nonetheless, it's way easier to manage it like this, with the real IPs already integrated in the system.



  • Then your choice is either a routed solution (preferred) or a bridge. There are several good write-ups on setting up a bridge.
    As far as the rules, you just have to allow any to x.y.z.a on port xxxx, keep state, as a WAN rule and it should pass, with all others being open.



  • I have used this guide:
    Go to Interfaces- Assign- Bridges…  Create the bridge. Add two interfaces to the bridge: WAN and OPT2. Rename the interfaces before now if you're gonna. Helps keep track.

    Interfaces- Assign- Interface Assignments- create a new interface...  Choose the bridge.  Save.

    System Tunables, and set net.link.bridge.pfil_bridge from 'default' to '1'.

    Go to Interfaces- Bridge, set up your address here...  DHCP, static, etc.

    Go to Firewall- NAT- Outbound...  Choose manual outbound rules.  Make sure the only rules there are for LAN and 127.0.0.1/8 (should be there with 2.1 automatically...  may be also 2.0.1 but I don't remember.)

    Go to Interfaces- WAN- set for none.

    Go to Interfaces- Opt2 (or whatever you named it.) set for none.

    Set up your firewall rules as needed.



  • I cannot get it to work when adding an IP in the /28 subnet.

    I made a clean install, gave the LAN port 192.168.1.100 for management.
    Followed:
    Create the bridge. Add two interfaces to the bridge: WAN and OPT1. Rename the interfaces to bridge1.

    Interfaces- Assign- Interface Assignments- create a new interface…  Choose the bridge.  Save, renamed DMZ.

    System Tunables, and set net.link.bridge.pfil_bridge from 'default' to '1'.

    Go to Interfaces- Bridge, set up your address here...  12.12.12.18...

    Go to Firewall- NAT- Outbound...  Choose manual outbound rules.  Make sure the only rules there are for LAN and 127.0.0.1/8 (should be there with 2.1 automatically...  may be also 2.0.1 but I don't remember.)

    Go to Interfaces- WAN- set for none.

    Go to Interfaces- DMZ- set for none.

    Created an allow all from DMZ to any.

    I can, with an allow all rule from DMZ to any, contact the pfSense but no internet.



  • For now… set any protocol, any source, to any destination and any port on all interfaces till you know bridging is working correctly...



  • Done, no luck… :-(

    Does there need to be any gateway on pfSense?



  • Only for local services and anything on the LAN.



  • So no GW for WAN or DMZ?

    Only GW set on the server; if the pfSense is x.x.x.18 and the ISP GW is x.x.x.17, which do I set on the server?



  • If i



  • It would be x.x.x.17 as the gateway on the server in a bridge.



  • @Mrd12:

    If i

    You can, but don't expect an answer right away… I only have very small amounts of time each day to look at that type of stuff.



  • Of course, no problem.

    I sent you a PM already asking one thing, did you see that?



  • It looks like you are missing rules on OPT1 outbound. Have you created any WAN rules to allow certain ports inbound?



  • OPT1 is the DMZport (the 3rd NIC, added and renamed DMZport).
    DMZport is the NIC for the DMZ bridge.

    Do I need the same rules on DMZ and DMZport?



  • Screen dump



  • The rules



  • Funny thing… I can ping all public IPs on the pfSense box (x.x.x.18 WAN IP) (x.x.x.19 inside IP on the DMZ) but not the ISP GW x.x.x.17.



  • Sorry, in the XML you sent there are only the rules for LAN and opt2. This is why I asked. The rules you posted are correct. Did you trace yet with tcpdump at each interface to see where the traffic is getting? Did you change the gateway on the servers to x.x.x.17? You cannot ping because you are not making it across the bridge. Can you ping in the LAN?



  • Don't be.
    I think I sent you the wrong one, from an earlier state of the setup… my bad.

    No, I haven't done that yet, going to do that now.

    The test server on the inside (DMZ) was already using x.x.x.17 as GW.

    No, getting a reply from (server IP x.x.x.22) "Destination host unreachable" when pinging 192.168.1.100 (pfSense LAN IP).



    <pfsense>
      <version>8.0</version>
      <lastchange/>
      <theme>pfsense_ng</theme>
      <sysctl>
        <item><descr/><tunable>debug.pfftpproxy</tunable><value>default</value></item>
        <item><descr/><tunable>vfs.read_max</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet.ip.portrange.first</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet.tcp.blackhole</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet.udp.blackhole</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet.ip.random_id</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet.tcp.drop_synfin</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet.ip.redirect</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet6.ip6.redirect</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet.tcp.syncookies</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet.tcp.recvspace</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet.tcp.sendspace</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet.ip.fastforwarding</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet.tcp.delayed_ack</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet.udp.maxdgram</tunable><value>default</value></item>
        <item><descr/><tunable>net.link.bridge.pfil_onlyip</tunable><value>default</value></item>
        <item><descr/><tunable>net.link.bridge.pfil_member</tunable><value>default</value></item>
        <item><descr/><tunable>net.link.bridge.pfil_bridge</tunable><value>1</value></item>
        <item><descr/><tunable>net.link.tap.user_open</tunable><value>default</value></item>
        <item><descr/><tunable>kern.randompid</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet.ip.intr_queue_maxlen</tunable><value>default</value></item>
        <item><descr/><tunable>hw.syscons.kbd_reboot</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet.tcp.inflight.enable</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet.tcp.log_debug</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet.icmp.icmplim</tunable><value>default</value></item>
        <item><descr/><tunable>net.inet.tcp.tso</tunable><value>default</value></item>
        <item><descr/><tunable>kern.ipc.maxsockbuf</tunable><value>default</value></item>
      </sysctl>
      <system>
        <optimization>normal</optimization>
        <hostname>pfSense</hostname>
        <domain>localdomain</domain>
        <dnsserver>194.239.134.83</dnsserver>
        <dnsserver>194.255.56.78</dnsserver>
        <dnsallowoverride>on</dnsallowoverride>
        <group>
          <name>all</name>
          <description/>
          <scope>system</scope>
          <gid>1998</gid>
          <member>0</member>
        </group>
        <group>
          <name>admins</name>
          <description/>
          <scope>system</scope>
          <gid>1999</gid>
          <member>0</member>
          <priv>page-all</priv>
        </group>
        <user>
          <name>admin</name>
          <descr/>
          <scope>system</scope>
          <groupname>admins</groupname>
          <password>$1$fYQa/XXXXXXXXXXXXXXXXXXXXXX/0</password>
          <uid>0</uid>
          <priv>user-shell-access</priv>
          <md5-hash>XXXXXXXXXXXXXXXXXXXXXX</md5-hash>
          <nt-hash>XXXXXXXXXXXXXXXXXXXX</nt-hash>
        </user>
        <nextuid>2000</nextuid>
        <nextgid>2000</nextgid>
        <timezone>Europe/Copenhagen</timezone>
        <time-update-interval>300</time-update-interval>
        <timeservers>0.pfsense.pool.ntp.org</timeservers>
        <webgui>
          <protocol>http</protocol>
          <ssl-certref>503790c6435d6</ssl-certref>
        </webgui>
        <disablenatreflection>yes</disablenatreflection>
        <disablesegmentationoffloading/>
        <disablelargereceiveoffloading/>
      </system>
      <interfaces>
        <wan>
          <enable/>
          <if>em0</if>
          <blockpriv/>
          <blockbogons/>
          <descr/>
          <spoofmac/>
          <ipaddr>83.XX:XX.18</ipaddr>
          <subnet>28</subnet>
          <gateway>WANGW</gateway>
        </wan>
        <lan>
          <enable/>
          <if>em1</if>
          <ipaddr>192.168.1.100</ipaddr>
          <subnet>24</subnet>
          <media/>
          <mediaopt/>
          <descr/>
        </lan>
        <opt1>
          <descr/>
          <if>em2</if>
          <enable/>
          <spoofmac/>
        </opt1>
        <opt2>
          <descr/>
          <if>bridge0</if>
          <enable/>
          <ipaddr>83.XX:XX.19</ipaddr>
          <subnet>28</subnet>
          <spoofmac/>
        </opt2>
      </interfaces>
      <staticroutes/>
      <dhcpd>
        <lan>
          <range>
            <from>192.168.1.10</from>
            <to>192.168.1.245</to>
          </range>
        </lan>
      </dhcpd>
      <pptpd>
        <mode/>
        <redir/>
        <localip/>
      </pptpd>
      <dnsmasq>
        <enable/>
      </dnsmasq>
      <snmpd>
        <syslocation/>
        <syscontact/>
        <rocommunity>public</rocommunity>
      </snmpd>
      <diag>
        <ipv6nat>
          <ipaddr/>
        </ipv6nat>
      </diag>
      <bridge/>
      <syslog/>
      <nat>
        <ipsecpassthru>
          <enable/>
        </ipsecpassthru>
        <advancedoutbound>
          <rule>
            <source>
              <network>192.168.1.0/24</network>
            </source>
            <dstport>500</dstport>
            <descr/>
            <target/>
            <interface>wan</interface>
            <destination>
              <any/>
            </destination>
            <staticnatport/>
          </rule>
          <rule>
            <source>
              <network>192.168.1.0/24</network>
            </source>
            <sourceport/>
            <descr/>
            <target/>
            <interface>wan</interface>
            <destination>
              <any/>
            </destination>
            <natport/>
          </rule>
          <rule>
            <source>
              <network>127.0.0.0/8</network>
            </source>
            <dstport/>
            <descr/>
            <target/>
            <interface>wan</interface>
            <destination>
              <any/>
            </destination>
            <natport>1024:65535</natport>
          </rule>
          <enable/>
        </advancedoutbound>
      </nat>
      <filter>
        <rule>
          <id/>
          <type>pass</type>
          <interface>wan</interface>
          <tag/>
          <tagged/>
          <max/>
          <max-src-nodes/>
          <max-src-conn/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source>
            <any/>
          </source>
          <destination>
            <any/>
          </destination>
        </rule>
        <rule>
          <type>pass</type>
          <descr/>
          <interface>lan</interface>
          <source>
            <network>lan</network>
          </source>
          <destination>
            <any/>
          </destination>
        </rule>
        <rule>
          <id/>
          <type>pass</type>
          <interface>opt1</interface>
          <tag/>
          <tagged/>
          <max/>
          <max-src-nodes/>
          <max-src-conn/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source>
            <any/>
          </source>
          <destination>
            <any/>
          </destination>
        </rule>
        <rule>
          <id/>
          <type>pass</type>
          <interface>opt2</interface>
          <tag/>
          <tagged/>
          <max/>
          <max-src-nodes/>
          <max-src-conn/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source>
            <any/>
          </source>
          <destination>
            <any/>
          </destination>
        </rule>
      </filter>
      <shaper/>
      <ipsec>
        <preferoldsa/>
      </ipsec>
      <aliases/>
      <proxyarp/>
      <cron>
        <item>
          <minute>0</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 newsyslog</command>
        </item>
        <item>
          <minute>1,31</minute>
          <hour>0-5</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 adjkerntz -a</command>
        </item>
        <item>
          <minute>1</minute>
          <hour>3</hour>
          <mday>1</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
        </item>
        <item>
          <minute>*/60</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
        </item>
        <item>
          <minute>1</minute>
          <hour>1</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
        </item>
        <item>
          <minute>*/60</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
        </item>
        <item>
          <minute>30</minute>
          <hour>12</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /etc/rc.update_urltables</command>
        </item>
      </cron>
      <wol/>
      <rrd>
        <enable/>
      </rrd>
      <load_balancer>
        <monitor_type>
          <name>ICMP</name>
          <type>icmp</type>
          <descr/>
        </monitor_type>
        <monitor_type>
          <name>TCP</name>
          <type>tcp</type>
          <descr/>
        </monitor_type>
        <monitor_type>
          <name>HTTP</name>
          <type>http</type>
          <descr/>
          <options>
            <path>/</path>
            <host>200</host>
          </options>
        </monitor_type>
        <monitor_type>
          <name>HTTPS</name>
          <type>https</type>
          <descr/>
          <options>
            <path>/</path>
            <host>200</host>
          </options>
        </monitor_type>
        <monitor_type>
          <name>SMTP</name>
          <type>send</type>
          <descr/>
          <options>
            <send/>
            <expect>220 *</expect>
          </options>
        </monitor_type>
      </load_balancer>
      <widgets>
        <sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence>
      </widgets>
      <revision>
        <time>1345843007</time>
        <description/>
        <username>admin@192.168.1.101</username>
      </revision>
      <openvpn/>
      <l7shaper>
        <container/>
      </l7shaper>
      <dnshaper/>
      <cert>
        <refid>503790c6435d6</refid>
        <descr/>
        <crt><!-- certificate removed --></crt>
        <prv><!-- private key removed --></prv>
      </cert>
      <ppps/>
      <gateways>
        <gateway_item>
          <interface>wan</interface>
          <gateway>83.XX:XX.17</gateway>
          <name>WANGW</name>
          <weight>1</weight>
          <descr/>
          <defaultgw/>
        </gateway_item>
      </gateways>
      <bridges>
        <bridged>
          <members>wan,opt1</members>
          <descr/>
          <maxaddr/>
          <timeout/>
          <maxage/>
          <fwdelay/>
          <hellotime/>
          <priority/>
          <proto>rstp</proto>
          <holdcount/>
          <ifpriority/>
          <ifpathcost/>
          <bridgeif>bridge0</bridgeif>
        </bridged>
      </bridges>
      <wizardtemp>
        <system>
          <hostname>pfSense</hostname>
          <domain>localdomain</domain>
        </system>
        <wangateway>83.xx.xx.17</wangateway>
      </wizardtemp>
    </pfsense>
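    As an added example, not code from this thread or from the pfSense project, here is a small Python checker that reads a pfSense 2.x config.xml like the one posted above and tests it against the points the thread settles on: the bridge members carry no IP (the guide's "set for none" steps), pf actually filters bridged traffic (net.link.bridge.pfil_bridge or pfil_member set to 1), every interface that filters the bridge has a pass rule (the "missing rules on OPT1" question), and no manual outbound NAT rule would rewrite the public subnet (the AON advice earlier in the thread). It assumes pfSense's own defaults when a tunable reads "default" (pfil_member on, pfil_bridge off), and it runs on a constructed config that mirrors the posted one but uses the documentation prefix 203.0.113.16/28 instead of the poster's addresses. Run as-is, it reports the one thing the posted config gets wrong against the guide: WAN, a bridge member, still has an IP.

```python
"""Check a pfSense 2.x config.xml for a transparent (bridged) public subnet."""
import ipaddress
import xml.etree.ElementTree as ET

# Assumed pfSense defaults for the bridge filter tunables when the GUI shows
# "default": pf hooks the member interfaces, not bridge0 itself.
PFSENSE_TUNABLE_DEFAULTS = {
    "net.link.bridge.pfil_member": "1",
    "net.link.bridge.pfil_bridge": "0",
}

# Constructed sample config (not the poster's): WAN+OPT1 bridged as bridge0,
# bridge0 assigned as OPT2 "DMZ", public prefix 203.0.113.16/28.
SAMPLE_CONFIG = """<pfsense>
  <sysctl>
    <item><tunable>net.link.bridge.pfil_member</tunable><value>default</value></item>
    <item><tunable>net.link.bridge.pfil_bridge</tunable><value>1</value></item>
  </sysctl>
  <interfaces>
    <wan><if>em0</if><ipaddr>203.0.113.18</ipaddr><subnet>28</subnet><gateway>WANGW</gateway></wan>
    <lan><if>em1</if><ipaddr>192.168.1.100</ipaddr><subnet>24</subnet></lan>
    <opt1><descr>DMZport</descr><if>em2</if></opt1>
    <opt2><descr>DMZ</descr><if>bridge0</if><ipaddr>203.0.113.19</ipaddr><subnet>28</subnet></opt2>
  </interfaces>
  <nat><advancedoutbound>
    <enable/>
    <rule><source><network>192.168.1.0/24</network></source><interface>wan</interface></rule>
    <rule><source><network>127.0.0.0/8</network></source><interface>wan</interface></rule>
  </advancedoutbound></nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface></rule>
    <rule><type>pass</type><interface>lan</interface></rule>
    <rule><type>pass</type><interface>opt1</interface></rule>
    <rule><type>pass</type><interface>opt2</interface></rule>
  </filter>
  <bridges><bridged><members>wan,opt1</members><bridgeif>bridge0</bridgeif></bridged></bridges>
</pfsense>"""


def parse_config(xml_text):
    return ET.fromstring(xml_text)


def tunable(root, name):
    """Effective value of a sysctl tunable; 'default' resolves to the assumed pfSense default."""
    for item in root.iter("item"):
        if item.findtext("tunable") == name:
            value = item.findtext("value") or "default"
            return PFSENSE_TUNABLE_DEFAULTS[name] if value == "default" else value
    return PFSENSE_TUNABLE_DEFAULTS[name]


def config_name_for_device(root, device):
    """Map a kernel device name (bridge0) back to its config name (opt2)."""
    for iface in root.findall("interfaces/*"):
        if iface.findtext("if") == device:
            return iface.tag
    return None


def check_bridge_config(root, public_subnet):
    """Return a list of findings; an empty list means the config matches the guide."""
    public = ipaddress.ip_network(public_subnet)
    findings = []

    filter_on_member = tunable(root, "net.link.bridge.pfil_member") == "1"
    filter_on_bridge = tunable(root, "net.link.bridge.pfil_bridge") == "1"
    if not (filter_on_member or filter_on_bridge):
        findings.append("pfil_member and pfil_bridge are both 0: pf never sees bridged traffic")

    # Interfaces that already carry at least one pass rule.
    rules_on = {r.findtext("interface") for r in root.findall("filter/rule")
                if r.findtext("type") == "pass"}

    for bridge in root.findall("bridges/bridged"):
        needs_rules = []
        for member in bridge.findtext("members", "").split(","):
            iface = root.find(f"interfaces/{member}")
            if iface is None:
                findings.append(f"bridge member '{member}' is not an assigned interface")
                continue
            # Members are set to "none"; only the bridge interface gets the address.
            if iface.findtext("ipaddr"):
                findings.append(f"bridge member '{member}' ({iface.findtext('if')}) still has an IP; set it to none")
            if filter_on_member:
                needs_rules.append(member)
        if filter_on_bridge:
            bridge_name = config_name_for_device(root, bridge.findtext("bridgeif"))
            if bridge_name is None:
                findings.append(f"{bridge.findtext('bridgeif')} is not assigned, so it cannot carry rules")
            else:
                needs_rules.append(bridge_name)
        for name in needs_rules:
            if name not in rules_on:
                findings.append(f"no pass rule on '{name}', which filters bridged traffic")

    # Manual outbound NAT: the public servers must cross the bridge untranslated.
    aon = root.find("nat/advancedoutbound")
    if aon is not None and aon.find("enable") is not None:
        for rule in aon.findall("rule"):
            network = rule.findtext("source/network") or ""
            try:
                src = ipaddress.ip_network(network)
            except ValueError:
                src = None  # interface alias such as 'lan', or 'any'
            if network == "any" or (src is not None and src.overlaps(public)):
                findings.append(f"outbound NAT rule for source '{network}' would rewrite the public subnet {public}")
    return findings


if __name__ == "__main__":
    for finding in check_bridge_config(parse_config(SAMPLE_CONFIG), "203.0.113.16/28"):
        print("FINDING:", finding)
```

    To run it against a real box, replace SAMPLE_CONFIG with the contents of /conf/config.xml (or a backup from Diagnostics > Backup/Restore) and pass the real /28. The tunable defaults are the one place it guesses; if your pfSense build ships different defaults for pfil_member/pfil_bridge, set them explicitly in System Tunables so the config, and the checker, say the same thing.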



  • I see now that I have forgotten to write that the pfSense is on vSphere 5 (ESX).



  • Funny thing….
    If I move a server from DMZ to the WAN switch it all works, internet in and out, and if I move the same server back to WAN it works for 2-5 min, then it stops..



  • @Mrd12:

    I see now that I have forgotten to write that the pfSense is on vSphere 5 (ESX).

    Yeah, I don't know how a bridge in ESX will behave. It could work perfectly and there is a minor thing we are overlooking, or it is just not stable. I don't have much experience with bridges in ESX. Have you tried promiscuous mode on the WAN and OPT vSwitches? That is not ideal, but just to test should not hurt.



  • @podilarius:

    @Mrd12:

    I see now that I have forgotten to write that the pfSense is on vSphere 5 (ESX).

    Yeah, I don't know how a bridge in ESX will behave. It could work perfectly and there is a minor thing we are overlooking, or it is just not stable. I don't have much experience with bridges in ESX. Have you tried promiscuous mode on the WAN and OPT vSwitches? That is not ideal, but just to test should not hurt.

    I have NO trouble getting the servers to work when I put them on the WAN NIC, but as soon as they are put back on DMZ they stop having access to the internet. (sucks)

    A thousand thanks for your effort trying to help, it's very appreciated :-)



  • @podilarius:

    @Mrd12:

    I see now that I have forgotten to write that the pfSense is on vSphere 5 (ESX).

    Yeah, I don't know how a bridge in ESX will behave. It could work perfectly and there is a minor thing we are overlooking, or it is just not stable. I don't have much experience with bridges in ESX. Have you tried promiscuous mode on the WAN and OPT vSwitches? That is not ideal, but just to test should not hurt.

    Forgot: yes, I have tried every combination of promiscuous mode on the WAN and DMZ switch, even all set on at the same time.



  • Finally I got something to work.

    Reinstalled it with a 32-bit version (don't ask why that worked) and followed the guides mentioned earlier.
    And bam, internet from inside and out worked on some of the servers with public IP addresses….... but,
    for some reason it only works if the server with public IP uses the pfSense as gateway (xx.xx.xx.18) and not the ISP gateway (xx.xx.xx.17) ???

    Could that be some rules?
    Only made allow all from opt1 (DMZ with public IP) to all.



  • That is unusual; if it is a true bridge, you use the ISP gateway. What you are describing is a hybrid bridge/router. What does your traceroute look like from the server? I have been meaning to test bridging in ESX and 2.1, so I might give this a try in the lab. :)



  • Well, as written in the first post, there is a LAN interface for management and connecting to my backend net.
    ISP----------WAN==pfsense2.0.1==LAN---------VSwitch
                                     |              |----server1(public ip)
                                     |              |----server2(public ip)
                                     |              |----server3(public ip)
                                     |
                                     |------VSwitch
                                                |------ Server/ Management (NAT)



  • Yes, I read what I posted. Not what I meant on the LAN/WAN side. That is a NATed solution, not even a routed solution. I was referring to the WAN/OPT1 bridge. A bridge acts like a smart switch and you should not need an IP, much less using WAN / Bridge as a gateway.



  • Aaah, sorry, I misunderstood your first post today..

