Transparent firewall using layer 3 bridges

Hello pfSense Community,

    I am seeking your advice on the proper approach and best practices to configure a pfSense router as a transparent firewall using layer 3 bridges. I have limited networking experience, so any advice, pfSense specific or just networking in general, is greatly appreciated.

    I have searched the forums, various search engines, and read several recommended books seeking a clear answer to these questions. I have not been able to locate a specific example / tutorial / build book that shows this configuration.

    Summary
    Please consider the diagram in the link below. It shows a high-level network and information about logical interfaces, possible IP configurations, and the desired firewall setup.

    • There is a physical LAN and a wireless LAN
    • Each LAN has two VLANs: 10 & 20
    • Need to bridge VLAN10 on the physical LAN to VLAN10 on the wireless LAN (bridge0)
    • And also, bridge VLAN20 on the physical LAN to VLAN20 on the wireless LAN (bridge1)
    • Broadcast traffic between physical and wireless is a key business requirement
    • Traffic will pass by default between physical and wireless within a respective VLAN (rules #4,5,8,9)
    • Specific drop rules will be implemented to secure specific high security nodes (see #6,7 below)
    • Hoping to add a single rule to represent both physical and wireless traffic for inter-VLAN rules (rules #1,2,3)

    IP Question
    (A) What is the proper way to set up the IP configuration? Option 1? Option 2? Something else?

    Firewall Questions
    (B) The objective of rules #1,2,3 is to provide the same rule no matter whether the traffic originates from the physical or wireless LAN – is this the right way?
    (C) The solution must be able to log any traffic between physical and wireless LANs within the same VLAN / bridge. Of course, traffic is only logged when a matching log rule is applied. Does the recommendation from question A support this? If so, does the rule get applied to the bridge interface or to the two VLAN interfaces?
    (D) In this scenario should a rule be applied to the bridge interface vs. the VLAN interface?
    (E) In this scenario should net.link.bridge.pfil_member be disabled?
    (F) In this scenario should net.link.bridge.pfil_bridge be enabled?

    Link to diagram (page #2): https://docs.google.com/file/d/0B3wsw62g3AvnaE14WTJBQUY1RDg/edit?usp=sharing