    Transparent firewall using layer 3 bridges

    Routing and Multi WAN
      nn10do

      Hello pfSense Community,

      I am seeking your advice on the proper approach and best practices to configure a pfSense router as a transparent firewall using layer 3 bridges. I have limited networking experience, so any advice, pfSense specific or just networking in general, is greatly appreciated.

      I have searched the forums, various search engines, and read several recommended books seeking a clear answer to these questions. I have not been able to locate a specific example / tutorial / build book to show this configuration.

      Summary
      Please consider the diagram in the link below.  It shows a high level network and information about logical interfaces, possible ip configurations, and desired firewall setup.

      • There is a physical LAN and a wireless LAN
      • Each LAN has two VLANs: 10 & 20
      • Need to bridge VLAN10 on the physical LAN to VLAN10 on the wireless LAN (bridge0)
      • And also, bridge VLAN20 on the physical LAN to VLAN20 on the wireless LAN (bridge1)
      • Broadcast traffic between physical and wireless is a key business requirement
      • Traffic will pass by default between physical and wireless within a respective VLAN (rules #4,5,8,9)
      • Specific drop rules will be implemented to secure specific high security nodes (see #6,7 below)
      • Hoping to add a single rule to represent both physical and wireless traffic for inter-vlan rules (rules #1,2,3)

      IP Question
      (A) What is the proper way to set up the IP configuration? Option 1? Option 2? Something else?

      Firewall Questions
      (B) The objective of rules #1,2,3 is to provide the same rule no matter if the traffic originates from the physical or wireless – is this the right way?
      (C) The solution must be able to log any traffic between physical and wireless LANs within the same VLAN / bridge. Of course, traffic is only logged when a matching log rule is applied. Does the recommendation from question A support this? If so, does the rule get applied to the bridge interface or the two VLAN interfaces?
      (D) In this scenario should a rule be applied to the bridge interface vs the vlan interface?
      (E) In this scenario should net.link.bridge.pfil_member be disabled?
      (F) In this scenario should net.link.bridge.pfil_bridge be enabled?

      Link to diagram (page #2): https://docs.google.com/file/d/0B3wsw62g3AvnaE14WTJBQUY1RDg/edit?usp=sharing

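The bridge layout the post describes (VLAN 10 and VLAN 20 present on both a wired and a wireless parent, each VLAN pair joined by its own bridge), written out as FreeBSD/pfSense shell commands. This is an added example, not code from the original post or from the pfSense project. The parent interface names em0 (wired) and ath0 (wireless) are assumptions; by default the script only prints the commands it would run, so it can be reviewed before anything touches a live firewall. It also shows the two net.link.bridge sysctls the post asks about, with the meaning if_bridge(4) gives them.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the VLAN-pair bridges
# from the post and shows the two bridge filtering sysctls.
# Assumed parent interfaces: em0 = wired LAN, ath0 = wireless LAN.
# DRY_RUN=1 (default) prints each command instead of executing it.

WIRED="${WIRED:-em0}"
WIRELESS="${WIRELESS:-ath0}"
DRY_RUN="${DRY_RUN:-1}"

# run <cmd...>: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vlan_if <parent> <tag>: FreeBSD's dotted vlan(4) name, e.g. em0.10.
# "ifconfig em0.10 create" creates a VLAN sub-interface with tag 10 on em0.
vlan_if() {
    printf '%s.%s' "$1" "$2"
}

# bridge_vlan <tag> <bridge number>: create the wired and wireless VLAN
# sub-interfaces for <tag> and join both to bridge<number>, so broadcast
# and unicast frames in that VLAN cross between wired and wireless.
bridge_vlan() {
    tag="$1"
    br="bridge$2"
    w="$(vlan_if "$WIRED" "$tag")"
    wl="$(vlan_if "$WIRELESS" "$tag")"
    run ifconfig "$w" create up
    run ifconfig "$wl" create up
    run ifconfig "$br" create
    run ifconfig "$br" addm "$w" addm "$wl" up
}

# pfSense's default: pf filters on the member (VLAN) interfaces and not on
# the bridge interface itself. Rules and log rules are then attached to
# em0.10 / ath0.10 (and em0.20 / ath0.20), and a frame crossing bridge0 is
# filtered once on the member it enters and once on the member it leaves.
pfil_sysctls_on_members() {
    run sysctl net.link.bridge.pfil_member=1
    run sysctl net.link.bridge.pfil_bridge=0
}

# Alternative: filter on the bridge interface instead. pf then sees the
# traffic once, on bridge0 / bridge1, so one rule set per VLAN covers both
# the wired and the wireless side.
pfil_sysctls_on_bridge() {
    run sysctl net.link.bridge.pfil_member=0
    run sysctl net.link.bridge.pfil_bridge=1
}

main() {
    run ifconfig "$WIRED" up
    run ifconfig "$WIRELESS" up
    bridge_vlan 10 0      # VLAN 10 wired <-> VLAN 10 wireless = bridge0
    bridge_vlan 20 1      # VLAN 20 wired <-> VLAN 20 wireless = bridge1
    pfil_sysctls_on_members
}

main
```

On a pfSense box these steps are normally done in the GUI rather than from a shell: VLANs and bridges under Interfaces > Assignments, and the two sysctls under System > Advanced > System Tunables. The script mirrors what that produces underneath. Whichever of the two sysctl functions is used, the rule set should be written for the interfaces pf actually filters on, and only those interfaces will produce log entries for traffic crossing the bridge.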