Netgate Discussion Forum

    Bridging public IP subnet for WAN and OPT1

    General pfSense Questions
    6 Posts 3 Posters 4.2k Views
    • Atomjax

      I am trying to do a transparent firewall with one public IP subnet. The idea being that I bridge the WAN with the OPT1 and they are able to process traffic using the same subnet. I have a server attached to a switch connected to the OPT1 port and I can ping the IP address on the WAN interface. I just can't ping anything else beyond the WAN. What do I need to do for it to work? Is this even possible?

      Thanks

      J

      • Atomjax

        I can't be the first person to have wanted to do this. I have done a lot of searching and I have it configured as it should be. Technically it's "bridged" but if it can't route out to the internet then it's pretty useless for me. Anyone?

        • stephenw10 (Netgate Administrator)

          Normally in a transparent firewall you would have both interfaces set to 'none'. Only the third management interface, or the bridge interface itself, has an IP.

          What have you done so far exactly?

          Steve

          • Atomjax

            Steve

            I guess that is the part I don't understand. Why would both be set to none and why does there need to be a third network involved?

            What I have done so far:

            1. Configured the WAN interface with a public IP. We will say 111.111.111.19/29 with a gateway of 111.111.111.17
            2. Turned off NAT
            3. Enabled net.link.bridge.pfil_bridge
            4. Enabled the OPT1 interface without any further configuration for the interface.
            5. Configured the bridge with the WAN and OPT interface. No advanced settings were configured.

            What I want to accomplish is this. I have a public /29 subnet. I want to be able to use and firewall the whole subnet with only one outside interface.

            Thanks for your help.

            J

            • stephenw10 (Netgate Administrator)

              Whilst you don't need a third interface it's often easier to conceptualise and to get your firewall rules in place if you aren't using the bridged interfaces for management.

              I should probably state here that I've only ever done this once and then only as an experiment so if anyone else feels like chiming in feel free.  :)

              I assume you have read this?: http://pfsense.trendchiller.com/transparent_firewall.pdf

              Although that's written as a guide for 1.2.3 the concepts are still the same. Bridging changed significantly between 1.2.3 and 2.X though.

              It looks like you have three NICs in the machine (at least) yes?

              Consider that what you want to end up with is something more like a managed switch than a traditional firewall configuration. Traffic flows through it in both directions between machines on each side without interacting with the firewall at all. There is no routing.

              There is some difficulty getting everything configured because of the way that interfaces have to be re-assigned, it's easy to end up locking yourself out. Put in some very permissive rules on each interface until you are satisfied it is correct.

              The setup you are aiming for is WAN and OPT1 both set as type 'none'. WAN and OPT1 added as members to a bridge, bridge0. LAN as type static with one of your public IPs and assigned to bridge0. 2 NICs in use.
              net.link.bridge.pfil_bridge set to 1.

              Once there you should be able to access the webgui on the public IP, provided your machine is in the same subnet. You can then set firewall rules on all three interfaces. On LAN (bridge0) you probably want to allow only traffic to the webGUI. On WAN and OPT1 you can add rules to allow/block traffic across the bridge in each direction. You will have to add a gateway to LAN in order for pfSense to check for updates etc.

              Hmm, I think that's what I would do. As I said I'm a bit vague here. :P

              Steve

              Edit: I did a test with a spare box I had to remind myself. That works as expected.
              The confusing thing here is the interface names stop having any useful meaning. They can be renamed though.

              • extide

                @Atomjax:

                Steve

                I guess that is the part I don't understand. Why would both be set to none and why does there need to be a third network involved?

                What I have done so far:

                1. Configured the WAN interface with a public IP. We will say 111.111.111.19/29 with a gateway of 111.111.111.17
                2. Turned off NAT
                3. Enabled net.link.bridge.pfil_bridge
                4. Enabled the OPT1 interface without any further configuration for the interface.
                5. Configured the bridge with the WAN and OPT interface. No advanced settings were configured.

                What I want to accomplish is this. I have a public /29 subnet. I want to be able to use and firewall the whole subnet with only one outside interface.

                Thanks for your help.

                J

                When you put interfaces into a bridge, you generally no longer set an IP on the interfaces directly. You assign an IP to the bridge itself, which is like a virtual NIC that is present on the bridge. So essentially do not set any IP on WAN; set the IP on bridge0 instead.

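To make the difference between the two layouts concrete, here is an added example (my own, not code from Netgate or from anyone in the thread) that checks a constructed pfSense config.xml fragment against the layout Steve and extide describe: bridge members with no IP, the IP on the interface assigned to bridge0, and net.link.bridge.pfil_bridge set to 1. The element names are my assumption about config.xml's structure, and the IPs are the placeholder ones from the thread.

```python
import xml.etree.ElementTree as ET
# Constructed config.xml fragments. Element names (<interfaces>/<wan>/<if>, <ipaddr>,
# <bridges>/<bridged>/<members>, <bridgeif>, <system>/<sysctlitem>) are an assumption.
SYSCTL = "<system><sysctlitem><tunable>net.link.bridge.pfil_bridge</tunable><value>1</value></sysctlitem></system>"
# Layout from the original post: WAN keeps the public IP while also being a bridge member.
MEMBER_HAS_IP = f"""<pfsense>{SYSCTL}<interfaces>
 <wan><if>em0</if><ipaddr>111.111.111.19</ipaddr><subnet>29</subnet><gateway>WANGW</gateway></wan>
 <opt1><if>em1</if><enable/></opt1></interfaces>
 <bridges><bridged><members>wan,opt1</members><bridgeif>bridge0</bridgeif></bridged></bridges></pfsense>"""
# Layout Steve and extide describe: members are type 'none', LAN is assigned to bridge0 and holds the IP.
IP_ON_BRIDGE = f"""<pfsense>{SYSCTL}<interfaces>
 <wan><if>em0</if><enable/></wan>
 <opt1><if>em1</if><enable/></opt1>
 <lan><if>bridge0</if><ipaddr>111.111.111.19</ipaddr><subnet>29</subnet><gateway>WANGW</gateway></lan></interfaces>
 <bridges><bridged><members>wan,opt1</members><bridgeif>bridge0</bridgeif></bridged></bridges></pfsense>"""

def has_ip(iface):
    # An interface of type 'none' has no <ipaddr> element (or the literal value 'none').
    return iface.findtext("ipaddr") not in (None, "", "none")

def check_transparent_bridge(xml_text):
    """Return a list of findings; an empty list means the layout matches the thread's advice."""
    root = ET.fromstring(xml_text)
    findings = []
    bridged = root.find("bridges/bridged")
    if bridged is None:
        return ["no bridge defined"]
    bridgeif = bridged.findtext("bridgeif", "")
    members = {m.strip() for m in bridged.findtext("members", "").split(",") if m.strip()}
    on_bridge = []
    ifaces = root.find("interfaces")
    for iface in ([] if ifaces is None else list(ifaces)):
        name = iface.tag
        if name in members and has_ip(iface):
            findings.append(f"{name}: bridge member should be IP type 'none', has {iface.findtext('ipaddr')}")
        if iface.findtext("if") == bridgeif:
            on_bridge.append(name)
            if not has_ip(iface):
                findings.append(f"{name}: assigned to {bridgeif} but carries no IP")
    if not on_bridge:
        findings.append(f"nothing assigned to {bridgeif}: no IP for the webGUI or for the update gateway")
    tunables = {s.findtext("tunable"): s.findtext("value") for s in root.iterfind("system/sysctlitem")}
    if tunables.get("net.link.bridge.pfil_bridge") != "1":
        findings.append("net.link.bridge.pfil_bridge is not 1: rules on the bridge interface are not applied")
    return findings

if __name__ == "__main__":
    for label, cfg in (("IP on member", MEMBER_HAS_IP), ("IP on bridge", IP_ON_BRIDGE)):
        print(f"{label}: {check_transparent_bridge(cfg) or 'OK'}")
```

Run against a real config.xml backup the same checks apply unchanged; the first layout reports the IP on WAN and the missing bridge0 assignment, the second reports nothing.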
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.