PfSense in "drop in mode"



  • Sorry - this is a newbie question.  I have searched the forums but maybe the question is too basic…

    I'm looking to replace a Watchguard firebox with pfSense.

    The current Watchguard is configured in what they call "drop in mode".  Watchguard describe this as "Drop-in mode means the customer has one network, and the Firebox stands between their network and the router to the Internet. Drop-in mode also means that the Firebox, router, and private network share the same address range."

    e.g.
    Router has IP address x.x.x.1

    Firewall has IP address x.x.x.2 and gateway x.x.x.1

    Servers have IPs like x.x.x.21, x.x.x22, x.x.x.23,  etc, etc.
    Servers all have gateway of x.x.x.1 (i.e. the router and not the firewall)

    Can pfSense work in this way?
    Is there any pointers on how to install and set-up in this way?

    Thanks


  • Netgate Administrator

    This is known as a 'transparent firewall' outside of Watchguard world.
    It's a more complex setup, certainly much more complex than Watchguard's just press the drop-in mode button.

    Basically you bridge the WAN and LAN interfaces so that all packets get passed between them (subject to firewall rules) and they're in the same subnet. You assign only one interface to have an IP it can be any of them, WAN LAN or bridge. Commonly you would choose the WAN interface as that is the first to be assigned at initial setup.

    https://doc.pfsense.org/index.php/What_is_a_bridged_interface_and_how_would_one_be_used%3F

    Are you installing pfSense on the Watchguard box?

    Steve



  • Thanks for the reply.

    "Transparent firewall" - that would explain my lack of results when googling "drop in mode" - good to know - thank you.

    The watchguard is in use, so I'm looking to swap it with another box when the other box is set up and ready (about 20 live servers).

    I have either another spare watchguard box (x550e) or a spare server I can use.
    I was thinking of using the server (a HP DL360 G5) as the hardware is better than the old watchguard?

    So I can set up just the WAN (x.x.x.2) on the set-up and then bridge the two interfaces so the LAN side will quite happily the same subnet without having to renumber or change gateways on the servers. Is it obvious on the set up to create the bridge?

    Now I know that pfSense will support this I guess I'll dive in and give it a go.
    Thanks


  • Netgate Administrator

    The DL360 is far more powerful than the X550e. Perhaps it's more powerful than you need? It would certainly cost more to run.

    This is the sort of setup I would expect to possibly get locked out of whilst setting up.  ;)
    At the in initial interface setup at the console after installing assign only the WAN interface, give it an appropriate IP or use DHCP etc. Just return past the LAN interface assignment question. Now finish the install and you should have access to the webgui from the WAN side which may be inconvenient depending on what you have upstream. When it has only one interface assigned pfSense will allow webgui access via the WAN by default but as soon as you add another interface it will start running as a firewall and block everything on WAN by default. It's easy to get locked out!
    In the webgui add a temporary firewall rule on the WAN (the default rule there will move to LAN when you assign it) interface to prevent getting locked out. If you do get locked out you can disable the firewall entirely from the console:
    https://doc.pfsense.org/index.php/I_locked_myself_out_of_the_WebGUI,_help!#Remotely_Circumvent_Firewall_Lockout_by_Temporarily_Changing_the_Firewall_Rules

    Now click the '+' on the Interfaces: Assign: page to add the LAN. Assign it as type 'none'.
    Now bridge them by going to Interfaces: Assign: Bridges: and adding a new bridge. Add the WAN and LAN to the bridge.

    You should now be able to access the webgui from the LAN side. Disable or remove the firewall rule you put in on WAN.

    Add firewall rules to taste.

    Steve



  • Thanks for your help.
    That seemed to work out!

    Something weird happened with getting traffic out.  Everything was being blocked despite adding a rule to allow all outgoing traffic on all protocols and ports.  I allowed traffic using a few auto rules from the firewall log and it came to life.
    Either that's something to do with the transparent mode or something I did weird but I'm sure I double checked that rule.

    Anyway, looks good - so thank you!


  • Netgate Administrator

    Something I hadn't considered is that the default LAN rule that usually allows all traffic out has 'LAN net' as its source address. In this situation though the LAN has no subnet so it will never match. That may be what caught you out. You could simply specify the subnet manually there instead.
    Hmm, perhaps a good reason to use the LAN as the one interface with an IP. Though the same would then apply to the WAN rules and it makes the setup more complex.  :-\

    Steve



  • Ah, of course, that would explain the rules.
    I'll just use the IP addresses and ranges rather than the pre-defined options.

    Thanks again!