Setting bridging wan for assign public ip behind the pfsense box



  • Hello everybody,

    I'm having huge problem understanding/configuring WAN bridging on my pfsense box. Here is my current config.

    ISP-GW (214.11.95.254) –----- WAN-IF (214.11.95.253) ------- LAN-IF (10.0.2.0/24)

    I have also ext ip subnet (214.11.67.216/30), which is routed to my ext ip 214.11.95.253
    I'm using openvpn to allow access to internal network and ipsec to connect another site, so users outside the network first connecting to internal resources via vpn and then are able to use ipsec tunnel. I'm also having NAT for local users and port forwarding for some local servers.
    Voip gateway which is inside my lan and I'm using siproxd for nating layer7 headers. Unfortunatelly I'm encountering some problems and I have to change approach, so the sollution is to use bridging. And now what I want to achieve:

    ISP-GW (214.11.95.254) ------- WAN-IF (214.11.95.253) ------- LAN-IF (10.0.2.0/24)
                                                                                          |
                                                                                          |----------- VOIP-IF (214.11.67.218 where GW is 214.11.67.217)

    VOIP-IF is an interface of voip gw which is connected to free NIC port on pfsense box.

    I've created a WAN bridge and my interfaces looks like this:
    WAN (ale0) - 214.11.67.216
    LAN (em0) - 10.0.2.0/24
    VOIP (rl0) - no address/ type none - ext ip is assigned on the voip gateway side
    BRIDGE (br0) - WAN and VOIP interfaces are assigned to the bridge; type is set to none; all the rest is default

    net.link.bridge.pfil_bridge is set to 1
    NAT is on and I'd like to have it for local users and local servers
    there is Automatic outbound NAT rule generation (for IPsec automatic passthrough) - maybe this is my mistake?
    mappings for AON are:
    if      | source        | source port | dest | dest port | nat addr        | nat port          | static port
    WAN  | 10.0.2.0/24 |        *        |  *  |      *      |  WAN address |      *              |    NO
    WAN  | 127.0.0.0/8 |        *        |  *  |      *      |  WAN address | 1024 - 65535  |    NO

    I tried adding fw rules to allow every traffic on every interface, but it didn't works also (bridge is working on layer2, so I haven't hope that it'll help).

    When I ping voip ip gateway 214.11.67.217 tcpdump shows only arp requests going on one direction:
    12:52:07.111657 ARP, Request who-has 214.11.67.217 tell 214.11.67.218, length 46

    I think I'm on a right path but I don't understand few things:
    1. Should I disable nat and AON? If yes, why and how can I keep my previous configuration working?
    2. Should I add some static routes to ipsec?
    3. Should I change my WAN configuration and assign external IP 214.11.95.253 to bridge (I know that might be a stupid question ....)

    What else I can do to make it works?

    PS: I've searched forum and found some similar setups, but proposed hints didn't helped me. Sorry if I posted topic which was already, but I'm really interested if nat is my problem and what can i do to keep nat working on my wan interface.

    Thanks in advance for any kind of help.



  • I'm still stuck in the issue and understand that if there was no answer, probably similar issues were on the forum….
    However I digged into the posts and didn't find an answer for one question: is it possible to have typical scenario with WAN - nat - LAN and simultaneously public ip assigned to voip gateway behind the pfsense box?
    From what I've read I think I need transparent/bridged firewall, but i such scenario nat is disabled which I have to avoid.

    Or maybe there is other way to assign public ip to the voip gateway not losing nat between lan and wan interfaces?

    Please help, any clue will be helpful!


Locked