Netgate Discussion Forum

    Switching from filtering bridge to filtering router, steps?

    General pfSense Questions
    6 Posts 2 Posters 2.8k Views
    foomanjee

      Alright, after last weekend's debacle (http://forum.pfsense.org/index.php/topic,8864.0.html), I'm dropping the bridging configuration for routing. I'll be controlling .1.

      From what I understand, all I'll need to do is set up CARP for .1 (the servers' gateway), and change my rules' "Gateway" to go out the new CARP IP (.1), or do I even have to do that?

      hoba

        I'm sorry, but I don't find any details on your network in that other thread. Could you post some small ASCII artwork of your network or a diagram? Are you using 1:1 NAT, port forward/outbound NAT, or no NAT at all?

        foomanjee

          My apologies, I figured it was enough. I'm not doing NAT, as my servers are also on public IPs. I'm currently just bridging the public class C with the switches that my servers are on. They're basically just transparent firewalls.

          Currently:

                                  -firewall1-
          uplink -> switch (.1) <             > - switches - servers
                                  -firewall2-

          What we're going to be doing is moving .1 from the hosting company's switch to the firewalls. So, they'll become filtering routers. Nothing will need to change above; I just need to figure out how to smoothly get .1 onto the firewalls, and find out what other changes I need to make in pfSense.

          Side note: I just realized I messed up the subject, heh.  Edited

          hoba

            Ok, quick walkthrough (I hope I don't forget anything  ;) ):

            • Firewall1 and 2 will each need a separate dedicated IP from the WAN and from the LAN subnet (no CARP, no failover).
            • The former .1 switch IP will become the CARP VIP for both firewalls on interface LAN. It will act as gateway for the servers and can be moved back and forth between the systems on failover.
            • You'll need the switch's uplink IP to the world as CARP IP on WAN (and, as stated already above, in addition to that the 2 dedicated real IPs for each machine).
            • To shut down NAT go to Firewall > NAT, Outbound. Enable manual outbound NAT and delete all the autocreated rules (it will create a LAN to WAN rule by default, just delete it).
            • The firewall rules will remain the way they have been. Don't use any gateways in there. Those are needed for policy-based routing and multi-WAN only.
            • I won't go into details about sync settings as I guess you have been using them successfully before with the other setup.

            Good luck  :)

            foomanjee

              @hoba:

              Ok, quick walkthrough (I hope I don't forget anything  ;) ):

              • Firewall1 and 2 will each need a separate dedicated IP from the WAN and from the LAN subnet (no CARP, no failover).
              • The former .1 switch IP will become the CARP VIP for both firewalls on interface LAN. It will act as gateway for the servers and can be moved back and forth between the systems on failover.
              • You'll need the switch's uplink IP to the world as CARP IP on WAN (and, as stated already above, in addition to that the 2 dedicated real IPs for each machine).
              • To shut down NAT go to Firewall > NAT, Outbound. Enable manual outbound NAT and delete all the autocreated rules (it will create a LAN to WAN rule by default, just delete it).
              • The firewall rules will remain the way they have been. Don't use any gateways in there. Those are needed for policy-based routing and multi-WAN only.
              • I won't go into details about sync settings as I guess you have been using them successfully before with the other setup.

              Good luck  :)

              Perfect, thanks!

              I figured all I had to do was disable 'filtering bridge', and add .1 as the CARP IP, but wanted to be sure.

              So, to be sure:
              My firewalls are already .254 and .253 on the WAN side, and on a random private subnet on the LAN side (can that stay the same?)
              Then add .1 of my class C as CARP on the LAN side?

              The hosting company should give me two more IPs (outside of my class C) as well, to use as the firewalls' public IPs, correct?

              hoba

                All IPs on the same interface (the real ones for each firewall as well as the virtual IP) have to be in the same subnet, so you can't use private IPs on the LAN interfaces if that .1 IP is a public one. It's the same on WAN. You'll need 3 IPs from the same subnet on WAN and on LAN. LAN and WAN have to be different subnets, of course.

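The walkthrough above and the subnet rule in the last reply amount to an address plan with three constraints per interface: two real addresses plus one CARP VIP, all in one subnet, with WAN and LAN on different subnets. The following is an added example, not code from the thread or from pfSense, that checks such a plan before you touch the firewalls and prints the FreeBSD ifconfig lines that correspond to one Virtual IP entry. The addresses (documentation ranges), interface names em0/em1, VHIDs and the CARP password are all assumptions; on pfSense you enter the same thing under Firewall > Virtual IPs rather than running ifconfig by hand.

```python
"""Address-plan check for turning a pair of transparent bridges into a
CARP routing pair (added example; addresses and names are constructed)."""
from dataclasses import dataclass
from ipaddress import ip_interface
from itertools import combinations


@dataclass(frozen=True)
class InterfacePlan:
    """One pfSense interface: each firewall's own address plus the shared CARP VIP."""
    name: str
    fw1: str   # firewall1's dedicated address, CIDR notation (assumed)
    fw2: str   # firewall2's dedicated address, CIDR notation (assumed)
    vip: str   # CARP virtual IP, e.g. the former switch .1 on LAN
    vhid: int  # CARP virtual host ID (assumed values below)


def check_plan(plans):
    """Return a list of problems found in the plan; an empty list means it is OK."""
    problems = []
    networks = {}
    for p in plans:
        fw1, fw2, vip = (ip_interface(a) for a in (p.fw1, p.fw2, p.vip))
        # Rule from the thread: both real IPs and the VIP on one interface share a subnet.
        if not (fw1.network == fw2.network == vip.network):
            problems.append(
                f"{p.name}: {p.fw1}, {p.fw2} and VIP {p.vip} are not in one subnet")
        # Three addresses are needed per interface, so they must all differ.
        if len({fw1.ip, fw2.ip, vip.ip}) != 3:
            problems.append(f"{p.name}: real IPs and VIP must be three distinct addresses")
        # A VIP on the network or broadcast address will not work as a gateway.
        if vip.ip in (vip.network.network_address, vip.network.broadcast_address):
            problems.append(f"{p.name}: VIP {p.vip} is the network or broadcast address")
        networks[p.name] = vip.network
    # WAN and LAN must be different subnets; overlapping ones would break routing.
    for a, b in combinations(plans, 2):
        if networks[a.name].overlaps(networks[b.name]):
            problems.append(
                f"{a.name} and {b.name} subnets overlap: {networks[a.name]} / {networks[b.name]}")
        # Distinct VHIDs per interface keep the CARP groups unambiguous.
        if a.vhid == b.vhid:
            problems.append(f"{a.name} and {b.name} reuse VHID {a.vhid}")
    return problems


def carp_ifconfig(plan, ifname, role, password):
    """FreeBSD ifconfig equivalent of one pfSense Virtual IP (CARP) entry for one box.

    role is "fw1" or "fw2"; the lower advskew (0) is the preferred master and
    the backup gets 100, so the VIP moves to the other box on failover.
    """
    own = plan.fw1 if role == "fw1" else plan.fw2
    skew = 0 if role == "fw1" else 100
    return [
        f"ifconfig {ifname} inet {own}",
        f"ifconfig {ifname} vhid {plan.vhid} advskew {skew} pass {password} alias {plan.vip}",
    ]


# Constructed sample plan (documentation ranges, not the poster's real addresses):
# WAN = hosting uplink subnet, LAN = the public class C with .1 becoming the VIP.
GOOD_PLAN = [
    InterfacePlan("WAN", "198.51.100.253/24", "198.51.100.254/24", "198.51.100.250/24", vhid=1),
    InterfacePlan("LAN", "203.0.113.2/24", "203.0.113.3/24", "203.0.113.1/24", vhid=2),
]

# The first idea in the thread: keep private real IPs on LAN under a public VIP.
BAD_PLAN = [
    GOOD_PLAN[0],
    InterfacePlan("LAN", "192.168.1.2/24", "192.168.1.3/24", "203.0.113.1/24", vhid=2),
]


if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(f"{label} plan:", check_plan(plan) or "OK")
    for role in ("fw1", "fw2"):
        print(f"# {role}, LAN (em1 assumed)")
        print("\n".join(carp_ifconfig(GOOD_PLAN[1], "em1", role, "carp-secret")))
```

Run it as a script to see the bad plan rejected with the same objection hoba raises (the LAN real IPs and the VIP are not in one subnet) and the good plan accepted; the ifconfig lines show why each box still needs its own address on the interface in addition to the alias that carries the VIP.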
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.