Bridging public IP subnet for WAN and OPT1



  • I am trying to do a transparent firewall with one public IP subnet. The idea being that I bridge the WAN with the OPT1 and they are able to process traffic using the same subnet. I I have a server attached to a switch connected the OPT1 port and I can ping the IP address on the WAN interface. I just can't ping anything else beyond the WAN. What do I need to do for it to work? Is this even possible?

    Thanks

    J



  • I can't be the first person to have wanted to do this. I have done a lot of searching and I have it configured as it should be. Technically it's "bridged" but if can't route out to the internet then it's pretty useless for me. Anyone?


  • Netgate Administrator

    Normally in a transparent firewall you would have both interfaces set to 'none'. Only the third management interface having an IP or the bridge interface itself.

    What have you done so far exactly?

    Steve



  • Steve

    I guess that is the part I don't understand. Why would both be set to none and why does there need to be a third network involved?

    What I have done so far:

    1. Configured the WAN interface with a public IP. We will say 111.111.111.19/29 with a gateway of 111.111.111.17
    2. Turned off NAT
    3. Enabled net.link.bridge.pfil_bridge
    4.Enabled the OPT1 interface without any further configuration for the interface.
    5. Configured with the Bridge with the WAN and OPT interface. No advanced settings were configured.

    What I want to accomplish is this. I have a public /29 subnet. I want to be able use and firewall the whole subnet with only one outside interface.

    Thanks for your help.

    J


  • Netgate Administrator

    Whilst you don't need a third interface it's often easier to conceptualise and to get your firewall rules in place if you aren't using the bridged interfaces for management.

    I should probably state here that I've only ever done this once and then only as an experiment so if anyone else feels like chiming in feel free.  :)

    I assume you have read this?: http://pfsense.trendchiller.com/transparent_firewall.pdf

    Although that's written as a guide for 1.2.3 the concepts are still the same. Bridging changed significantly between 1.2.3 and 2.X though.

    It looks like you have three NICs in the machine (at least) yes?

    Consider that what you want to end up with is something more like a managed switch than a traditional firewall configuration. Traffic flows through it in both directions between machines on each side without interacting with the firewall at all. There is no routing.

    There is some difficulty getting everything configured because of the way that interfaces have to be re-assigned, it's easy to end up locking yourself out. Put in some very permissive rules on each interface until you are satisfied it is correct.

    The setup you are aiming for is WAN and OPT1 both set as type 'none'. WAN and OPT1 added as members to a bridge, bridge0. LAN as type static with one of your public IPs and assigned to bridge0. 2 NICs in use.
    net.link.bridge.pfil_bridge set to 1.

    Once there you should be able to access the webgui on the public IP, provided your machine is in the same subnet. You can then set firewall rules on all three interfaces. On LAN (bridge0) you probably want to allow only traffic to the webGUI. On WAN and OPT1 you can add rules to allow/block traffic across the bridge in each direction. You will have to add a gateway to LAN in order for pfSense to check for updates etc.

    Hmm, I think that's what I would do. As I said I'm a bit vague here. :P

    Steve

    Edit: I did a test with a spare box I had to remind myself. That works as expected.
    The confusing thing here is the interface names stop having any useful meaning. They can be renamed though.



  • @Atomjax:

    Steve

    I guess that is the part I don't understand. Why would both be set to none and why does there need to be a third network involved?

    What I have done so far:

    1. Configured the WAN interface with a public IP. We will say 111.111.111.19/29 with a gateway of 111.111.111.17
    2. Turned off NAT
    3. Enabled net.link.bridge.pfil_bridge
    4.Enabled the OPT1 interface without any further configuration for the interface.
    5. Configured with the Bridge with the WAN and OPT interface. No advanced settings were configured.

    What I want to accomplish is this. I have a public /29 subnet. I want to be able use and firewall the whole subnet with only one outside interface.

    Thanks for your help.

    J

    When you put interfaces into a bridge, you generally no-longer will set an IP to the interfaces directly. You will assign an ip to the bridge itself which is like a virtual nic that is present on the bridge. So essentially do not set any IP on WAN, set the IP on Bridge0 instead.


Locked