Netgate Discussion Forum

    Filtering Bridge to OPT1: Non-primary IP addresses invisible to pfSense

    Firewalling
    3 Posts 2 Posters 1.8k Views
    jamullian

      Snapshot 10/5/07 embedded

      I'm using Filtering Bridge WAN to OPT1. (And NAT WAN to LAN)

      Everything works fine except that hosts on OPT1 with multiple IP addresses on a single Eth int (Windows 2000) have their "additional" IP addresses totally ignored by pfSense - which I presume is routing on MAC address only.

      I tried adding the additional IP addresses as a Virtual IP (tried on the LAN int and on the OPT1 int) to no avail. Messed with explicit rules. Considered a Static Route. Nothing worked - it's as if those addresses are totally invisible to pfS, no corresponding entries occur in the firewall log, no traffic is passed.

      Any workarounds?

      [In case I was not clear enough as to what I mean by additional IP addresses, I mean:

      Subnet is 209.xxx.xxx.184 /29
      pfS WAN IP is 209.xxx.xxx.190
      Host on OPT1 is 209.xxx.xxx.188 and that same interface has the additional IP of 209.xxx.xxx.186.
      209.xxx.xxx.188 is (with appropriate rules) pingable, fully filterable.
      209.xxx.xxx.186 is completely invisible, no bridge is ever established, nothing appears in logs]

      cmb

        You can use as many IPs as you want on your OPT1 hosts, I've had deployments exactly as you describe and they work fine. You do not want it as a VIP since that IP is directly assigned on a system. That will likely break it, take that out.

        What do you mean by "totally ignored"? What are you trying to do that doesn't work?

        jamullian

          @cmb:

          You can use as many IPs as you want on your OPT1 hosts, I've had deployments exactly as you describe and they work fine. You do not want it as a VIP since that IP is directly assigned on a system. That will likely break it, take that out.

          What do you mean by "totally ignored"? What are you trying to do that doesn't work?

          The VIP was only temporary in an attempt to make it work. Forget I ever mentioned it.

          Quite simply, I have no access whatsoever from the WAN to those IP addresses on the (Filtered Bridge) OPT1 interface that are not the primary IP address on the host's Ethernet interface. Rules to the primary IP work perfectly; no rules to additional IPs (pass or deny, port or any) have any effect whatsoever, nor is there any corresponding entry in the log. It's as if the IP addresses were totally invisible to pfS.

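The thread turns on one observation: rules for the primary address match and log, while the secondary address on the same host never produces a single firewall-log entry. The helper below is an added example, not code from the thread or from pfSense; it parses a batch of filter-log lines and reports which addresses in the bridged subnet never appear as a destination, which separates "the rule matched and blocked it" from "the firewall never saw a packet for that address". The log format it matches is a simplified, constructed approximation of pf's text log (pfSense's real format differs in detail, so `LOG_RE` would need adjusting for live output), and the sample lines use the documentation prefix 198.51.100.0/24 in place of the thread's redacted 209.xxx.xxx.184/29.

```python
"""Report which expected host addresses never appear in pf-style log lines.

Added example, not from the thread. Given log text, the list of host
addresses that should be reachable, and the bridged subnet, it returns the
addresses that were never logged as a destination (the symptom described in
the thread) and, separately, any address that is not even inside the subnet.
"""
import ipaddress
import re
from collections import Counter

# Simplified, constructed pf-style line:
#   "<action> <dir> on <iface>: <src>.<sport> > <dst>.<dport>"
# Real pfSense filter-log output has more fields; adjust this pattern for it.
LOG_RE = re.compile(
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)"
)

# Constructed sample lines: .188 (primary) and .190 (pfSense WAN) are logged,
# the secondary .186 never appears, mirroring the thread.
SAMPLE_LOG = """\
pass in on OPT1: 203.0.113.5.40001 > 198.51.100.188.80
block in on OPT1: 203.0.113.9.40002 > 198.51.100.188.23
pass in on OPT1: 203.0.113.5.40003 > 198.51.100.190.443
this line is not a filter-log entry and is skipped
"""


def parse_log(text):
    """Yield one dict per line matching LOG_RE; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def destination_counts(text):
    """Count logged packets per destination address (pass and block alike)."""
    return Counter(entry["dst"] for entry in parse_log(text))


def unseen_hosts(text, expected, subnet):
    """Return the expected addresses that never show up as a log destination.

    Addresses outside `subnet` are reported separately: a mistyped address
    would also look "invisible", and that is a different problem.
    """
    net = ipaddress.ip_network(subnet)
    seen = destination_counts(text)
    unseen, outside = [], []
    for addr in expected:
        if ipaddress.ip_address(addr) not in net:
            outside.append(addr)
        elif seen[addr] == 0:  # Counter returns 0 for never-seen keys
            unseen.append(addr)
    return {"unseen": unseen, "outside_subnet": outside}


if __name__ == "__main__":
    hosts = ["198.51.100.188", "198.51.100.186", "198.51.100.190"]
    print(destination_counts(SAMPLE_LOG))
    print(unseen_hosts(SAMPLE_LOG, hosts, "198.51.100.184/29"))
```

Run against a real export of the filter log with the host's primary and secondary addresses listed in `hosts`: if the secondary address comes back in `unseen` while pass and block rules for it exist, the packets are not reaching the filter at all, which is the situation the original poster describes.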
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.