Transparent firewall with private subnet possible?



  • Hello everybody,

    I'm running PFSense 2.1.3 with 3 public IPs over a single WAN link, with transparent firewalling turned on. I access the servers via OpenVPN.

    The IP distribution is
    x.x.x.10 -> PFSense box
    x.x.x.11 -> Server 1
    x.x.x.12 -> Server 2

    Now, I have IPMI functionality on the 2 Supermicro servers that I would like to utilize. The IPMI sideband "shares" the same network interface, with a different MAC.

    I would like to assign private IP addresses to the IPMI cards to be accessible from OpenVPN.

    Assuming my IP range for OpenVPN is in the 10.10.10.x range with a gateway of 10.10.10.1, what is the most straightforward IP/gateway configuration for the IPMI cards to be accessible from OVPN?

    Thanks!



  • So the servers have public IP addresses, and the transparent firewall is just scanning packets across the bridged interfaces, yes?

    Do you access the servers via OpenVPN, or the firewall? If you access the firewall then you aren't running it in transparent mode, or you have a routed interface with a public IP.

    Are you using different VLANs on these NICs to split up the traffic between the two networks?



  • Mike, thanks for your reply. That's right - PF and both the servers have public IPs, and PF is set up as a transparent firewall with bridging across the 3 interfaces.

    Sorry, I think I wasn't quite clear about the OpenVPN side of things. I access the servers via an OpenVPN server instance ON the PFSense box.
    Basically I have OpenVPN on the PF box create the static routes to the 2 server IPs, and route them via OpenVPN. And static routes on the servers to route return traffic for 10.10.10.x through the PF gateway, instead of via the provider's gateway.

    I can connect directly to the servers via their public IPs for services that I specifically open on the firewall's WAN interface, of course. So to my understanding, I am running it in transparent mode. Please do correct me if I'm wrong.

    For the IPMI cards, I am free to choose to use a VLAN or not - at this point, it's not critical to use a VLAN as the IPMI interface is only for emergencies.

    If I have a couple more public IPs, I know I can assign those IPs to the IPMI cards, and I've tested that scenario as well. But I can't quite figure out how to route the traffic if I put the IPMI cards on a private subnet. As mentioned, they can sit on the 10.10.10.x OpenVPN subnet if that makes it easier, or on their own separate subnet. But I've tried assigning the IPMI cards to a 10.10.10.X address with the PF gateway as their gateway address to no success.



  • How do you connect to the pf box via openvpn if it's running as a transparent firewall? You'd have to have a public IP address configured on it, yes?



  • Yep, actually I mentioned in the first post that the PF box and the 2 servers all have public IPs.

    x.x.x.10 -> PFSense box
    x.x.x.11 -> Server 1
    x.x.x.12 -> Server 2



  • Ok so the public IP on the PF box is just a third interface that's not part of the bridge, yes?

    Forgive me, I'm just trying to get a feel for your config.

    Can you post a screenshot of your interface, bridge, vlan (if applicable), and dashboard?

    Thanks! :)