gomap last edited by
i want to setup pfsense as a transparent firewall. i need to make it act like a switch but to filter traffic. so far i followed what i will write down but windows says it cannot resolve dns.
2.a. Upon completing a fresh installation of pfSense a restart will be required. After the first reboot you will be greeted with “Do you want to set up VLANs now [y|n]?” Select “No”.
b. Next you will be requested to select your WAN interface or select ‘a’ for auto detection. Select your desired WAN interface card from the list. Next you will be asked to select your LAN interface card. Press “Enter”, we will configure this interface later.
c. At the welcome screen only setup the WAN interface. Assign this adapter a static address or use the assigned DHCP address; we will use this address to configure the firewall from this point on.
3. pfSense GUI Login
a. Open a browser window and enter the IP address assigned to the pfSense WAN interface. The default username and password are admin and pfsense.
4. Firewall – WAN - Anti-Lockout Rule
a. First, let’s be sure not to get locked out of the WAN interface by setting up our own temporary “anti-lockout” rule. Navigate to “Firewall” -> “Rules”. By default the “Anti-Lockout” rule is applied to the WAN interface as seen below. As soon as the LAN interface is enabled this “Anti-Lockout” rule will be migrated automatically to the LAN interface.
b. To create a new rule, select the ‘+’ on the bottom right-hand corner. This will take you to the Rules: Edit page.
In the “Rules: Edit” create a rule that resembles the screen shot below. The rule below will allow all traffic to access the WAN interface. Keep in mind this is a temporary rule. Select “Save” and then “Apply Changes”.
5. Configure WAN Interface
a. Navigate to “Interfaces” -> “WAN” and scroll down to “Static IP configuration”. In the “Gateway” field select “add a new one” and enter your Gateway.
b. Navigate to “System” -> “General Setup”; add your hostname, Domain and DNS Servers. To the right of your DNS servers select your Gateway from the dropdown menus.
6. Enable and Configure LAN Interface
a. Navigate to “Interfaces” -> “(assign)”. Select the ‘+’ and then select your “LAN” interface. Now select “Save” and then “Apply Changes”.
Navigate to “Interfaces” -> “LAN”. In General configuration check the “Enable Interface” box. The screen will auto populate. Be sure that Type is set to “None”. “Save” and “Apply Changes”.
7. Enable and Configure the Bridge
a. Now that our LAN and WAN interfaces are enabled and configured we can create the Bridge. Navigate to “Interfaces -> (assign)” from the menu and then select the “Bridges” tab to the far right. Select the ‘+’ to navigate to “Bridge:Edit”.
b. In “Bridge: Edit” hold the “Ctrl” key on your keyboard and select the “WAN” and “LAN” so they are both highlighted. Assign your Bridge a name in the “Description” field. Select “Save” and then “Apply Changes”.
c. Navigate to “Interfaces” -> “OPT1”. In General configuration check the “Enable Interface” box. The screen will auto populate. You can also change the interface description at this point, I have changed mine from “OPT1” to “Bridge”. Be sure that Type is set to “None”. “Save” and “Apply Changes”.
8. Enable the Filtering Bridge
a. In the menu navigate to “System -> Advanced” and select the “System Tunables” tab.
b. Locate the “net.link.bridge.pfil_bridge” in the “Tunable Name” column and double-click it.
c. In the “Value” field change this from “Default” to “1”. Select “Save” and “Apply Changes”.
9. Enable Manual outbound NAT rule generation (AON – Advanced Outbound NAT)
a. From the menu select “Firewall -> NAT” and the “Outbound” tab.
b. Click “Manual outbound NAT rule generation (AON – Advanced Outbound NAT)” and select “Save”. Delete any rules that auto-populate in the mappings area.
10. Configure Hostname, Domain, DNS servers, Time zone, and NTP time server.
a. From the menu select “System” -> “General Setup”.
b. Most fields can be left default but be sure to configure your DNS server and NTP time server.
11. Reboot pfSense Firewall
a. In order to fully apply all changes reboot your pfSense firewall by going to “Diagnostics -> Reboot”. In this menu select “Yes”.
12. Restrict Access to the Management Interface
a. This documentation was taken from doc.pfsens.org, I found it to be very helpful. I configured the access restrictions on the LAN and WAN interfaces.
If you use a restrictive ruleset on your LAN, make sure it permits access to the web interface before continuing.
Now disable the anti-lockout rule by going to the System -> Advanced page and checking the "Disable webGUI anti-lockout rule" box. Click Save and the rule will be removed.
Now I suggest adding a network alias for management access, and if you use both web and SSH administration, add an alias for those ports.
Now add a firewall rule allowing the sources defined in your management alias to the destination LAN address, with the port used or alias created for those using multiple ports. Make sure this rule comes first in the list. Then add a rule based on that rule (the + next to the rule), changing action to block or reject (I prefer reject on internal networks), source to any, and destination the same. When finished your ruleset should look like the following.
Apply your changes and your management interface is now restricted to only the defined hosts.
13. Overview and Understanding of the Transparent Bridge
I use the WAN as the management interface because I was unable to reach anything external, obtain updates or browse packages when the LAN or Bridge was configured as the management interface.
Treat the LAN and WAN interfaces as you would a standard firewall, keep in mind that the default action in the transparent bridge is to block all traffic unless explicitly allowed in the firewall. You will only need to setup rules on the LAN and WAN, I have yet to touch the Bridge.
Generally a standard firewall will allow the LAN to ANY by default; allowing anything on the LAN outbound. In this transparent bridge scenario you MUST create a rule to allow your LAN outbound. As stated above the default behavior of the transparent bridge is to block unless explicitly allowed.
after doing this i still cannot connect to the internet
gomap last edited by
i made it, now i want to test snort with transparent
pwood999 last edited by
I know this thread is old, but relevant to what I'm trying to do. I have followed this guide, as well as several others, but cannot get Client behind the bridge to connect to outside network.
I have tried using 3 interfaces with management LAN separate to the WAN-OPT1 bridge, plus a two interface setup with management via the WAN.
Northbound router is providing GW, DNS & DHCP for the clients behind bridge. I have Pass Any-Any rules plus Pass Port 67 & 68 on all interfaces.
TCPdump shows DHCP request & reply on both sides of the Bridge, but Windows-7 client behind bridge never completes DHCP. If I configure Static IP on the client, I can see ARP traffic etc, but even pings fail.
I have also tried setting various combinations of “net.link.bridge.pfil_bridge” and “net.link.bridge.pfil_member” to move the filtering from Interfaces to the Bridge & back again. Network is running on ESXI, so maybe there's a problem with the v-switch ?
Does anyone have a definitive bridge setup for 2.4.4 that works ?
Network looks like this:
Internet-Router <--> ESXi <--> PfSense Bridge <--> v-switch <--> Virtual Client PC.
pwood999 last edited by
Changed setup to a 2-Interface bridge, with Fixed IP on WAN side. The key change was to enable DHCP Relay, and then allow WAN to Pass UDP Port 67 & 68.
Now I can filter Inbound & Outbound in the same way as regular NAT Firewall mode.