WAN\DMZ Bridging ARP Issue

  • Hi All,
    We've taken over a network with a very old Linux installation running on some even older hardware, and I'm looking to migrate it to pfSense.

    The network setup is rather strange; it's configured as per the attached diagram:

    ETH0 - WAN - public IP a.a.a.1/32 -> Cisco Router a.a.a.2/24
    ETH1 - DMZ - public IP a.a.a.1/24 -> Servers with a.a.a.a/24 public addresses
    ETH2 - LAN

    This allows LAN access to WAN and DMZ address, and internet clients access to the DMZ servers.

    pfSense will not allow you to have the same IP address on multiple NICs, so we configured a bridge with WAN/DMZ (a.a.a.1/24).

    This works temporarily; however, after a few minutes the DMZ servers' ARP cache will start showing the WAN as the default gateway (a.a.a.1) instead of the DMZ ARP.

    Setting a static ARP entry on the servers fixes this, but this will be troublesome to set up on 100+ servers.

    Can anyone think of a way of getting round this? I'm also confused as to how the /32 address works on the WAN interface, but that's a different matter!
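    The symptom described above (the gateway's ARP entry on a DMZ host silently switching from the DMZ-side MAC to the WAN-side MAC) can be spotted by polling the hosts' ARP tables and diffing the gateway entry between polls. The following is an added monitoring example, not code from the thread or from pfSense; it parses Linux `arp -an` output, and the addresses, MACs and snapshots are constructed stand-ins for the a.a.a.1 network.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches Linux `arp -an` lines such as:
#   ? (198.51.100.1) at 00:11:22:33:44:55 [ether] on eth0
# An "<incomplete>" entry has no MAC and deliberately does not match.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.IGNORECASE)


def parse_arp(output: str) -> Dict[str, str]:
    """Return {ip: mac} for every complete entry in `arp -an` output."""
    table: Dict[str, str] = {}
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def gateway_mac_changes(polls: List[str], gateway_ip: str) -> List[Tuple[int, Optional[str], str]]:
    """Walk successive ARP snapshots and report every poll at which the
    gateway's MAC differs from the last complete entry: (poll_index, old_mac, new_mac).
    Polls where the entry is missing or incomplete are skipped, not reported."""
    changes: List[Tuple[int, Optional[str], str]] = []
    last: Optional[str] = None
    for i, snapshot in enumerate(polls):
        mac = parse_arp(snapshot).get(gateway_ip)
        if mac is None:
            continue  # expired or incomplete entry; nothing to compare yet
        if last is not None and mac != last:
            changes.append((i, last, mac))
        last = mac
    return changes


# Constructed snapshots: the gateway first resolves to the DMZ-side MAC, then,
# a few polls later, to the WAN-side MAC, as the thread describes.
DMZ_MAC = "00:0c:29:aa:aa:01"  # constructed
WAN_MAC = "00:0c:29:bb:bb:02"  # constructed
SAMPLE_POLLS = [
    f"? (198.51.100.1) at {DMZ_MAC} [ether] on eth0\n? (198.51.100.20) at 00:0c:29:cc:cc:03 [ether] on eth0",
    f"? (198.51.100.1) at {DMZ_MAC} [ether] on eth0",
    "? (198.51.100.1) at <incomplete> on eth0",
    f"? (198.51.100.1) at {WAN_MAC} [ether] on eth0",
]

if __name__ == "__main__":
    for idx, old, new in gateway_mac_changes(SAMPLE_POLLS, "198.51.100.1"):
        print(f"poll {idx}: gateway MAC changed {old} -> {new}")
```

    In practice the snapshots would come from running `arp -an` on each DMZ host at a fixed interval; a reported change to the WAN-side MAC is the moment the host starts sending via the wrong bridge member.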

  • If you bridge the WAN and the DMZ interfaces, you're supposed to use the default gateway of the WAN network as the default gateway on the DMZ hosts. Also, do not assign any address on the DMZ interface; it's not needed and might even be harmful.

    You need to think of the bridge as a switch that just happens to do IP-level packet inspection and filtering as well.

  • Apologies, the diagram shows the existing iptables setup: both eth0/1 have the same address but different subnet masks.

    On creating the bridge in pfSense, we haven't assigned an IP address to the DMZ NIC.

    We are using the WAN address as the DMZ hosts' default gateway.

    Edit: Maybe I should set the DMZ hosts' default gw to the Cisco box; let me try this.

  • Hmm…that doesn't work for us as the DMZ clients aren't able to access the LAN hosts (due to no route back on the Cisco).

    I suppose this isn't a "real" DMZ, but hosts with a public address, filtered by the firewall. There are also dependencies like AD servers/DNS on the LAN.

    Can anyone think of a way to stop the hosts getting the ARP address of the WAN interface, apart from a static ARP entry on each host?

    I realise this isn't really best practice, but the network has been built up this way over 10 years and I can't change all of the hosts due to external dependencies.

  • I thought it was fixed…

    (if_bridge unpredictable filter interface selection)

    but I'm running 2.2.1 now and the problem is still NOT fixed in pf_bridge?!

    We also have to use the WAN IP as the gateway for DMZ hosts.
    Does anyone have a solution for this?
