Netgate Discussion Forum

Bridge + NAT

Category: Firewalling
53 Posts, 4 Posters, 13.5k Views
Mrd12:

Hi Guys.

I'm totally new to pfSense, and I need some help.
I had a Cisco ASA which died today and I'm trying to get online with pfSense.

I need a setup like:

ISP ---------- WAN == pfSense 2.0.1 == LAN ---------- vSwitch
                                       |                 |---- server1 (public IP)
                                       |                 |---- server2 (public IP)
                                       |                 |---- server3 (public IP)
                                       |
                                       |------ vSwitch
                                                 |------ Server / Management (NAT)

I have read some threads and guides, and I'm a bit confused, so I'm hoping there is someone who can explain it for me from scratch.
I have a /28 subnet of public IP addresses to use for my servers.

Deviant:

This may help in case you would like to try bridging…

http://forum.pfsense.org/index.php/topic,20917.0.html

Or you could try the Virtual IP route.

Mrd12:

Am I correct, Virtual IP is NAT/PAT???
I need to run the firewall so that my servers can run on their public IPs.

podilarius:

Virtual IP is used as a start with NAT/PAT … You will not use this in a bridge or a routed subnet.

SeventhSon:

You don't need to NAT those public IPs.

You can do this in pfSense; you need to switch to AON (Advanced Outbound NAT) to make rules for what should and shouldn't be NAT'd.

Mrd12:

Okay, and how should that rule look?

podilarius:

You are not going to NAT on the servers crossing the bridge. It looks like you want to NAT server MGMT. Is this a computer or an iLO (or similar)? It will need to be something other than the server itself, as you cannot send traffic down 2 paths.
The advanced outbound NAT rules will have 127.0.0.1/32 -> WAN IP. And the server MGMT will NAT the server mgmt net (i.e. 10.1.2.0/24) -> WAN IP (or VIP).

So the WAN will have an IP, and LAN and bridge0 (opt1) will not have an IP. The OPT2 (server mgmt interface) will need a private IP.

You are going to need to set up rules on each interface. LAN and bridge0 will just need an allow all from any protocol/port. WAN will need the inbound rules to block/control traffic. opt2 (server mgmt) will need a wide open rule to start with and then, once it is all working, restrict it.

Bridges are somewhat complex. Either NAT or routed (which trumps all) is better. Why do the servers need live IPs?

Mrd12:

Short explanation:

HP ProLiant DL360 server with vSphere 5 as OS.

Running 8 VMs with public IP addresses.

ISP ---------- WAN == pfSense 2.0.1 == LAN ---------- vSwitch
                                       |                 |---- server1 (public IP)
                                       |                 |---- server2 (public IP)
                                       |                 |---- server3 (public IP)
                                       |
                                       |------ vSwitch
                                                 |
                                                 |------ Switch where all my servers are connected (back-end net, where I manage my VMware and so on)
                                                 |------ Server / Management (private IP)

Okay, I think I'm going to keep it simple... only a transparent/bridge firewall; I can still get in contact with my VMware and just open a console window to a Windows server to manage pfSense.

Can you show me an example of a rule from DMZ to WAN?

Mrd12:

Quote: "bridges are somewhat complex. either NAT or routed (which trumps all) is better. why do the servers need live IPs?"

Yeah, I have noticed that… :-) I started out believing that this would be the easiest way, but no... :-/

They are web, mail and DNS servers, so they need to run on public IP addresses.

podilarius:

I run my mail and web servers behind a NAT. It's just a matter of a correct configuration.

Mrd12:

I would if possible, but it is not.
All server config is based on the NIC IP address and it pulls it from the NIC; I have tried to change it, but the IP is integrated into the hosting controller software more than it is possible to change. Nonetheless, it's way easier to manage it like this, with the real IPs already integrated into the system.

podilarius:

Then your choice is either a routed solution (preferred) or a bridge. There are several good write-ups on setting up a bridge.
As far as the rules, you just have to allow any to x.y.z.a on port xxxx, keep state, as a WAN rule and it should pass, with all others being open.

Mrd12:

I have used this guide:
Go to Interfaces - Assign - Bridges… Create the bridge. Add two interfaces to the bridge: WAN and OPT2. Rename the interfaces before now if you're going to. Helps keep track.

Interfaces - Assign - Interface Assignments - create a new interface... Choose the bridge. Save.

System - Tunables: set net.link.bridge.pfil_bridge from 'default' to '1'.

Go to Interfaces - Bridge; set up your address here... DHCP, Static, etc.

Go to Firewall - NAT - Outbound... Choose manual outbound rules. Make sure the only rules there are for LAN and 127.0.0.1/8 (should be there with 2.1 automatically... may also be in 2.0.1, but I don't remember.)

Go to Interfaces - WAN; set to none.

Go to Interfaces - Opt2 (or whatever you named it); set to none.

Set up your firewall rules as needed.

Mrd12:

I cannot get it to work when adding an IP in the /28 subnet.

I made a clean install, gave the LAN port 192.168.1.100 for management.
Followed:
Create the bridge. Add two interfaces to the bridge: WAN and OPT1. Renamed the interface to bridge1.

Interfaces - Assign - Interface Assignments - create a new interface… Choose the bridge. Save; renamed it DMZ.

System - Tunables: set net.link.bridge.pfil_bridge from 'default' to '1'.

Go to Interfaces - Bridge; set up your address here... 12.12.12.18...

Go to Firewall - NAT - Outbound... Choose manual outbound rules. Make sure the only rules there are for LAN and 127.0.0.1/8 (should be there with 2.1 automatically... may also be in 2.0.1, but I don't remember.)

Go to Interfaces - WAN; set to none.

Go to Interfaces - DMZ; set to none.

Created an allow all from DMZ to any.

With an allow all rule from DMZ to any I can contact the pfSense, but no internet.

podilarius:

For now … set an any protocol, any source, to any destination and any port rule on all interfaces till you know bridging is working correctly ...

Mrd12:

Done, no luck… :-(

Does there need to be any gateway on pfSense?

podilarius:

Only for local services and anything on the LAN.

Mrd12:

So no GW for WAN or DMZ?

Only a GW set on the server; if the pfSense is x.x.x.18 and the ISP GW is x.x.x.17, which do I set on the server?

Mrd12:

If I

podilarius:

It would be x.x.x.17 as the gateway on the server in a bridge.

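Added example (not part of the thread, and not pfSense's own code): a short Python script that works out the addressing the thread arrives at for a bridged /28 and renders the matching rules, so the two answers above (no gateway on the bridge, the ISP router as the servers' gateway, and "allow any to x.y.z.a on port xxxx, keep state" on WAN with manual outbound NAT only for LAN and loopback) can be checked against a concrete block. It assumes the ISP block is 12.12.12.16/28, so that the ISP router is 12.12.12.17 (first usable host) and pfSense keeps 12.12.12.18 for management only, as in the posts; the rule strings are hand-written pf(4) syntax standing in for the GUI rules, not what pfSense itself generates, and $wan is a pf macro placeholder for the WAN interface.

```python
"""Address plan and rule rendering for a transparent-bridge pfSense in front of a /28.

Added example, not from the forum thread and not pfSense code.  Assumptions:
  - ISP block 12.12.12.16/28 (the thread only gives x.x.x.17 for the ISP router
    and 12.12.12.18 for pfSense, which implies this block);
  - rules are plain pf(4) syntax used as an illustration of the GUI rules, with
    $wan as a macro placeholder for the WAN interface name.
"""
import ipaddress


def plan_bridged_block(cidr):
    """Split a public block the way a transparent bridge uses it.

    The bridge carries no address of its own; the ISP router keeps the first
    usable host, pfSense takes the next one purely for management, and every
    remaining host is free for a server behind the bridge.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    if len(hosts) < 3:
        raise ValueError(f"{cidr} is too small for gateway + pfSense + a server")
    return {
        "network": net,
        "isp_gateway": hosts[0],
        "pfsense_mgmt_ip": hosts[1],
        "server_ips": hosts[2:],
        "broadcast": net.broadcast_address,
    }


def server_gateway(plan, server_ip):
    """Return the default gateway a bridged server must use.

    Frames are switched through pfSense at layer 2, so the gateway is the ISP
    router, never pfSense's management address.  Rejects anything that is not
    a usable server address in the block (network, broadcast, the two reserved
    hosts, or an address outside the /28).
    """
    ip = ipaddress.ip_address(server_ip)
    if ip not in plan["server_ips"]:
        raise ValueError(f"{ip} is not a usable server address in {plan['network']}")
    return plan["isp_gateway"]


def wan_rules(plan, services, wan_if="$wan"):
    """Render inbound WAN rules: deny by default, then one pass per published service.

    services is a list of (server_ip, proto, port).  Each server address is
    validated against the plan so a typo outside the /28 fails here instead of
    silently producing a rule that can never match.
    """
    rules = [f"block in on {wan_if} all"]
    for ip, proto, port in services:
        server_gateway(plan, ip)  # validation only; raises on a bad address
        rules.append(
            f"pass in on {wan_if} proto {proto} from any to {ip} port {port} keep state"
        )
    return rules


def outbound_nat(plan, lan_cidr, wan_if="$wan"):
    """Manual outbound NAT with only the LAN and loopback entries the thread keeps.

    Nothing from the public block is translated; a LAN range that overlaps the
    bridged block is refused, because NATing the servers' own public addresses
    is exactly what the thread is steering away from.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    if lan.overlaps(plan["network"]):
        raise ValueError("LAN must not overlap the bridged public block")
    return [
        f"nat on {wan_if} from {lan} to any -> ({wan_if})",
        f"nat on {wan_if} from 127.0.0.0/8 to any -> ({wan_if})",
    ]


if __name__ == "__main__":
    plan = plan_bridged_block("12.12.12.16/28")  # assumed block, see module docstring
    print("ISP gateway    :", plan["isp_gateway"])
    print("pfSense mgmt IP:", plan["pfsense_mgmt_ip"])
    print("server range   :", plan["server_ips"][0], "-", plan["server_ips"][-1])
    print("server1 gateway:", server_gateway(plan, "12.12.12.19"))
    for rule in wan_rules(plan, [("12.12.12.19", "tcp", 80), ("12.12.12.20", "tcp", 25)]):
        print(rule)
    for rule in outbound_nat(plan, "192.168.1.0/24"):
        print(rule)
```

Run it as-is to print the plan. The points it pins down are that server_gateway() always hands back the ISP router and never pfSense's own address, that a server address outside the /28 (or colliding with the two reserved hosts) is rejected before any rule is written, and that the outbound NAT list never contains the public block.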
Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.