Hosts behind Transparent Bridge are displayed with Bridge IP as source IP



  • Hi,

    I'm running very well a Transparent Bridge with some hosts behind it. (1.2 BETA 1 with snapshot 06-06-2007)

    I have used this manual: http://pfsense.trendchiller.com/transparent_firewall.pdf

    When I connect a Windows host behind the Transparent Bridge with a public IP of course, and I go to a website that shows me my host IP, I see the IP that is set on the WAN-side of the Bridge as shown in the manual.

    What can be wrong here? Everything is done as in the manual and I can't find any solution.

    I hope for some help.

    Cheers,

    Matt



  • Hosts behind the bridge should use the upstream router's gateway, not the firewall's.



  • @sullrich:

    Hosts behind the bridge should use the upstream router's gateway, not the firewall's.

    What do you mean exactly here?

    I use the default gateway as I used before, so that is my router in front of the pfSense box.

    I don't know what else is going wrong.



  • I still have found no solution for this.

    There are some people saying it works like it should and a bridge should have no IP at all, but when I point them to this manual they keep quiet.

    Do I just have to remove the IP from the WAN-side as is done in this manual above?



  • @Matts:

    I still have found no solution for this.

    There are some people saying it works like it should and a bridge should have no IP at all, but when I point them to this manual they keep quiet.

    Do I just have to remove the IP from the WAN-side as is done in this manual above?

    I would expect so - the whole point of a transparent bridge is that it has no IP addresses on its visible interfaces (though it may have a management interface with an IP assigned to it).



  • @Cry:

    @Matts:

    I still have found no solution for this.

    There are some people saying it works like it should and a bridge should have no IP at all, but when I point them to this manual they keep quiet.

    Do I just have to remove the IP from the WAN-side as is done in this manual above?

    I would expect so - the whole point of a transparent bridge is that it has no IP addresses on its visible interfaces (though it may have a management interface with an IP assigned to it).

    The problem is the GUI wants to have an IP on WAN.



  • @Matts:

    @sullrich:

    Hosts behind the bridge should use the upstream router's gateway, not the firewall's.

    What do you mean exactly here?
    I use the default gateway as I used before, so that is my router in front of the pfSense box.
    I don't know what else is going wrong.

    Do your clients use pfSense's LAN IP or the router in front of pfSense as gateway?



  • @GruensFroeschli:

    @Matts:

    @sullrich:

    Hosts behind the bridge should use the upstream router's gateway, not the firewall's.

    What do you mean exactly here?
    I use the default gateway as I used before, so that is my router in front of the pfSense box.
    I don't know what else is going wrong.

    Do your clients use pfSense's LAN IP or the router in front of pfSense as gateway?

    IP of the router in front of pfSense.



  • Hi,

    I have a similar setup and everything (besides a strange problem, which does not seem to be related to this here - see http://forum.pfsense.org/index.php/topic,5439.0.html) seems to work. However, I use as default gateway for the client the IP of the pfSense bridged interface. Why is this a problem, since everything seems to work smoothly - from outside I see the correct IP as source (Advanced Outbound NAT is enabled with NO rules for LAN)?

    Best regards
    Arno



  • @wacko:

    Hi,

    I have a similar setup and everything (besides a strange problem, which does not seem to be related to this here - see http://forum.pfsense.org/index.php/topic,5439.0.html) seems to work. However, I use as default gateway for the client the IP of the pfSense bridged interface. Why is this a problem, since everything seems to work smoothly - from outside I see the correct IP as source (Advanced Outbound NAT is enabled with NO rules for LAN)?

    Best regards
    Arno

    Hi, I have changed on one machine the gateway to the WAN IP of the bridge and still the same problem.

    I have one * * * * * * rule on LAN, so everything to the outside world is allowed.

    Advanced Outbound NAT? What do you mean here? I don't have to NAT because my hosts are using the public IPs they used also before without pfSense.



  • @wacko:

    Hi,

    I have a similar setup and everything (besides a strange problem, which does not seem to be related to this here - see http://forum.pfsense.org/index.php/topic,5439.0.html) seems to work. However, I use as default gateway for the client the IP of the pfSense bridged interface. Why is this a problem, since everything seems to work smoothly - from outside I see the correct IP as source (Advanced Outbound NAT is enabled with NO rules for LAN)?

    Best regards
    Arno

    This is wrong.  You should be using the upstream router's IP address that would be pfSense's gateway if it was doing NAT.

    I.e. whatever pfSense's upstream gateway would be if it was doing DHCP on WAN would be the clients' gateway behind pfSense.  And the client behind pfSense would be using public IP addresses within the subnet that the upstream router is configured for.



  • @sullrich:

    @wacko:

    Hi,

    I have a similar setup and everything (besides a strange problem, which does not seem to be related to this here - see http://forum.pfsense.org/index.php/topic,5439.0.html) seems to work. However, I use as default gateway for the client the IP of the pfSense bridged interface. Why is this a problem, since everything seems to work smoothly - from outside I see the correct IP as source (Advanced Outbound NAT is enabled with NO rules for LAN)?

    Best regards
    Arno

    This is wrong.  You should be using the upstream router's IP address that would be pfSense's gateway if it was doing NAT.

    I.e. whatever pfSense's upstream gateway would be if it was doing DHCP on WAN would be the clients' gateway behind pfSense.  And the client behind pfSense would be using public IP addresses within the subnet that the upstream router is configured for.

    OK.. understood that it should be done like that. But I still don't get the point of WHY to do it like that? Where is the benefit? Right now my clients are served with public IPs directly from the pfSense box's DHCP server - my upstream router is just a router, and no DHCP server. Of course I could just tell my DHCP server in pfSense to provide the clients with the upstream router IP as the gateway.. (right now it is at default, hence it provides the pfSense LAN IP). Hence, I do use the public IPs without NATing - from outside everybody sees the source IP of the client (due to AON) - so everything works from this point as expected.

    Don't understand me wrong: I just want to know where the reason lies for using the upstream gateway also for the clients (maybe efficiency?).

    Best regards,
    Arno



  • That is simply how a bridge works.  Think of it as a dumb hub between two devices (your client machines and the router) that can do filtering in between.  Also think of it as a stealth firewall.

    The client needs to use the upstream router as the default gateway just as it would with a hub in between.



  • OK.. thanks. Got that. That means, right now (using the pfSense IP as gateway) I just have an additional hop in my path which simply is not necessary. Or what really happens right now with my packets - they go from the client to the pfSense box, which puts them back on the same network (since it is bridged) with a different default gateway? Is that it?

    Could something like that "confuse" the pf-rules? Or what are the consequences of that? (This is just of interest now - I'll change the default route to the upstream - router).

    Thanks
    Arno



  • pfSense is most likely NATing the traffic.

    I would change the default gateway in DHCP Server to hand out pfSense's gateway IP (the IP address of the router/modem).



  • @sullrich:

    pfSense is most likely NATing the traffic.

    Yea.. it did that in the beginning. Then I switched to AON, and removed the rule for LAN. So now, there is no NAT for the LAN.

    Anyway.. I'll re-set the gateway to the upstream router and compare the behaviour..

    Thanks again.
    Arno



  • I'm thinking of doing the same thing - pfSense box as transparent firewall, with WAN, LAN and OPT1 interface, two interfaces bridged and one for management. My idea is to try what will happen if I set IP 0.0.0.0 on the WAN interface. Hope I'll have the time to try it in the next few days.

    PS: I think that many people would like to use the same scenario, maybe you would like to include it as an option?

    PS1: Sorry for my bad English, hope you understood me :)



  • As far as I know, if you set the WAN IP (bridged) to 0.0.0.0 this will break everything, because this is the one which is really used. Setting the LAN IP to 0.0.0.0 could work with some constraints. Actually there have been reports here that you can set the LAN IP to whatever - but any suggestion brings another drawback - for example, you lose the dhcpd if you don't set the LAN IP in the same subnet as the WAN. But don't try to set it to the very same IP - this leads to a lot of head-banging problems (e.g. random disconnects).

    Anyway.. this is also just partly gathered experience and reading different posts about transparent firewalling. See also my other thread about strange issues with transparent bridge mode here http://forum.pfsense.org/index.php/topic,5441.0.html.

    PS: In my setup, I still use for the clients the pfSense as default gateway (even though from a technical point of view I would not recommend that, if there is no particular reason) - in my case I have to do it like that because my pfSense also has some private networks attached to it, which I need to access - using an upstream router as default gateway works perfectly for the clients, however access to the private networks attached to the pfSense box does not work anymore.



  • But I still don't get how to solve this issue and why it exists.

    Any suggestions?



  • @Matts: Which issue? There have been a few discussed until now ;)

    If you refer to your initial issue, i.e. "seeing" the IP of pfSense as the source instead of the client's IP, then my solution for this problem was simply a matter of enabling "Advanced Outbound NAT" and deleting the default rule for LAN (the bridged interface). Hence, there is no NAT for this network and thus IPs are not rewritten.

    Hope this helps.
    Arno



  • @wacko:

    @Matts: Which issue? There have been a few discussed until now ;)

    If you refer to your initial issue, i.e. "seeing" the IP of pfSense as the source instead of the client's IP, then my solution for this problem was simply a matter of enabling "Advanced Outbound NAT" and deleting the default rule for LAN (the bridged interface). Hence, there is no NAT for this network and thus IPs are not rewritten.

    Hope this helps.
    Arno

    Hi Arno,

    Yeah thanks again !

    I understand what you mean, but maybe you can give an example.

    On the LAN there is a default * * * * * rule, so everything from LAN to WAN is allowed. This rule has to be removed?

    And maybe you can make this more clear: "Advanced Outbound NAT", I was not able to find an option like that anywhere. I hope you can give an example too.

    Thanks again.

    Matts



  • Ok..

    I assume you only have LAN and WAN connected, which are bridged.

    Under Firewall->Rules on the LAN tab there should be the mentioned "anything is allowed" rule. Don't change that. This means people on the LAN can do whatever they want, nothing is restricted.

    Now go to Firewall->NAT and click on the last tab "Outbound". Per default the upper radio button ("Automatic outbound NAT rule generation (IPSEC passthrough)") is selected. Now select the second radio button ("Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))") and hit save. Now an automatically generated rule for LAN is displayed in the lower area. Just delete (or deactivate) this rule and apply the changes. From now on, your LAN is not NATed anymore, but only routed. Hence, "outside" the real IPs of the clients will be seen.

    This of course only makes sense if you have a bunch of PUBLIC IP addresses...

    Hope it becomes clearer now - just ask if there are still unclear things.

    Best regards,
    Arno
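    As an added check (not from this thread or from the pfSense project), the script below parses constructed `pfctl -sn` output and reports which translation address would replace a bridged host's source IP, i.e. whether the automatic outbound NAT rule Arno describes deleting is still covering the bridged subnet. Interface names and addresses are invented.

    ```python
    import re
    from ipaddress import ip_network

    # Constructed sample of `pfctl -sn` output (not captured from a real box;
    # interface names and addresses are invented). The first two lines are the
    # kind of rule pfSense generates automatically for the LAN subnet; while such
    # a rule covers the bridged subnet, packets from hosts behind the bridge
    # leave with the WAN address (203.0.113.2 here) as their source.
    SAMPLE_BEFORE = """\
    nat on em0 inet from 203.0.113.0/28 to any port = isakmp -> 203.0.113.2 static-port
    nat on em0 inet from 203.0.113.0/28 to any -> 203.0.113.2 port 1024:65535
    nat on em0 inet from 10.10.0.0/24 to any -> 203.0.113.2 port 1024:65535
    """

    # Same box after switching to manual (AON) outbound NAT and deleting the
    # rule for the bridged LAN; only a private OPT network is still NATed.
    SAMPLE_AFTER = """\
    nat on em0 inet from 10.10.0.0/24 to any -> 203.0.113.2 port 1024:65535
    """

    NAT_RE = re.compile(
        r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to any.*-> (?P<dst>\S+)"
    )


    def parse_nat_rules(text):
        """Return (interface, source network, translation address) per nat rule.
        Rules whose source is not a plain network ('any', a table) are skipped."""
        rules = []
        for line in text.splitlines():
            m = NAT_RE.match(line)
            if not m:
                continue
            try:
                src = ip_network(m.group("src"))
            except ValueError:
                continue
            rules.append((m.group("iface"), src, m.group("dst")))
        return rules


    def rewritten_to(text, bridged_net):
        """Translation addresses that would replace a bridged host's source IP.
        An empty list means the bridged subnet is routed, not NATed, so the
        outside world sees the client's own public address."""
        net = ip_network(bridged_net)
        return sorted({dst for _, src, dst in parse_nat_rules(text) if src.overlaps(net)})
    ```

    On a real box, feed it the live ruleset with `pfctl -sn` and the public subnet your bridged hosts use.
    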



  • Hi Arno,

    Thanks, this works perfectly!

    I think this thread is very useful for further use.

    Thanks again !

    Cheers,

    Matts



  • Hi all!

    Thanks to this post I also managed to get things working, but something I am still wondering about:

    I am losing 2 of my official IPs on the pfSense machine.

    Does this have to be this way or am I just having a configuration blackout? When I use private IPs on the machine nothing is going through.

    best regards

    CC

