Another filtering bridge thread…



  • I am running into the EXACT same behavior as described in this retired thread:

    https://forum.pfsense.org/index.php?topic=82851.15

    I have found many "how to" guides; many of them "get 'er done", but don't really explain much, or in my case even really match my intended goals.

    I am trying to create a bridge between WAN1 and DMZ1 for the purpose of placing devices with public IPs behind the pfsense box.

    I got the bridge working fine; where I am getting tripped up is the actual firewall logic as it applies to the bridge…

    My sysctls are at defaults (many guides suggest changing those values, but I WANT the default behavior...filtering at the member level, NOT the bridge level).

    I have tried setting the IP address on the BRIDGE interface (as I have seen recommended in BSD docs), and have also tried to set it on the WAN interface instead.

    Here is a cut/paste from the linked thread which seems to explain the operation of the problem best:

    "So it appears as though cross-bridge traffic (e.g. TEST1 to TEST2) get handled by the rules for the ingress member port, whereas traffic from a bridge-port to an external device (e.g. the Internet) gets filtered by the bridge rules."

    So if anyone REALLY understands how to properly filter the traffic at the member level, NOT the bridge level, I'd love to hear it!!!

    Thanks,

    -Alan

    PS  The hardware is a pfsense store bought C2758 with a 4 port expansion card.  This is my first go at pfsense (after trying in a vm under virtualbox).  Final setup will be multi-wan (done) 4 separate NAT'd LANS (done), and 2 DMZ bridges (one attached to each WAN).



  • Bump.

    Anyone?  Bueller…

    There has got to be a way of making this work...

    Is this a bug?

    To give you an example:  According to the docs, the sysctls are at default:  To filter at the INTERFACE members, NOT the bridge...

    Yet in my testing I see LEGITIMATE incoming traffic dropped by the firewall; the reason: pfsense thought that traffic was sourced on the BRIDGE interface.  Of course I don't have any firewall rules on the bridge interface because according to the way I think I understand it, with the sysctls at defaults, I shouldn't have to!

    -Alan



  • I am trying to create a bridge between WAN1 and DMZ1 for the purpose of placing devices with public IPs behind the pfsense box.

    Puh, this is the third thread this week where we are talking about this ugly thing such as bridging,
    as today switches are really cheap to buy for everyone; also for home users they are reachable!

    Normally you will be setting up a WAN Port, LAN Port and a DMZ Port.
    To the WAN port you will be connecting a modem, and to the LAN and DMZ Port
    you will be able to connect a Switch.

    Best solution in my eyes:

    • DMZ Switch Layer2

    • No VLANs in the DMZ

    • LAN Switch Layer3

    • Setting up VLANs

    The golden rule: "Route if you can and bridge if you really must!"

    With bridges you will sooner or later often run into the following traps:

    • Port lacking
    • Link collapse
    • Port flapping
    • Packets dropping
    • Port becomes unstable

    If you have a WiFi adapter and you must bridge it to a LAN Port, it would be ok.
    If you want to bridge WAN to LAN port or DMZ Port it is not ok!!

    Then it is better to set up DMZ and LAN switches and use the DMZ and LAN ports as they are.

    I have tried setting the IP address on the BRIDGE interface (as I have seen recommended in BSD docs), and have also tried to set it on the WAN interface instead.

    Normally you will be able to set up your public IP addresses at the pfSense box and local
    private IPs at the DMZ servers and then port forward them.

    I have tried setting the IP address on the BRIDGE interface (as I have seen recommended in BSD docs)

    It really pushes me in the direction that there must be some documents talking about bridges, and this is
    meant in a totally other way; don't take me wrong, dude, but you are really the third who is asking about bridges!
    Can you provide a link to these BSD docs, so that we are able to have a deeper or closer look at them?



  • Firebird - I have a bridge setup for my server, and the router has no IP address on it for such other than in the firewall rules.

    In my case- I have two IP addresses.  One is for my network and one is for my server.
    The pfsense box has a

    Modem Interface

    Server Interface

    Bridge assigned to both MODEM and SERVER

    (Plus some other interfaces such as LAN VOIP ect but not needed for this thread.)

    WAN uses the bridge as its interface.

    Firewall rules for the network occur on the WAN rules such as for my VOIP and webcam.

    Traffic pointed at the server is controlled by rules on the MODEM tab.

    pfSense box only has rules for Server IP and not interfaces assigned as such.

    edit- Damn spell check!



  • So question-

    Does your device behind your "DMZ" interface have a LAN or public IP address?



  • @BlueKobold:

    I am trying to create a bridge between WAN1 and DMZ1 for the purpose of placing devices with public IPs behind the pfsense box.

    Puh, this is the third thread this week where we are talking about this ugly thing such as bridging,
    as today switches are really cheap to buy for everyone; also for home users they are reachable!

    Normally you will be setting up a WAN Port, LAN Port and a DMZ Port.
    To the WAN port you will be connecting a modem, and to the LAN and DMZ Port
    you will be able to connect a Switch.

    Best solution in my eyes:

    • DMZ Switch Layer2

    • No VLANs in the DMZ

    • LAN Switch Layer3

    • Setting up VLANs

    The golden rule: "Route if you can and bridge if you really must!"

    With bridges you will sooner or later often run into the following traps:

    • Port lacking
    • Link collapse
    • Port flapping
    • Packets dropping
    • Port becomes unstable

    If you have a WiFi adapter and you must bridge it to a LAN Port, it would be ok.
    If you want to bridge WAN to LAN port or DMZ Port it is not ok!!

    Then it is better to set up DMZ and LAN switches and use the DMZ and LAN ports as they are.

    I have tried setting the IP address on the BRIDGE interface (as I have seen recommended in BSD docs), and have also tried to set it on the WAN interface instead.

    Normally you will be able to set up your public IP addresses at the pfSense box and local
    private IPs at the DMZ servers and then port forward them.

    I have tried setting the IP address on the BRIDGE interface (as I have seen recommended in BSD docs)

    It really pushes me in the direction that there must be some documents talking about bridges, and this is
    meant in a totally other way; don't take me wrong, dude, but you are really the third who is asking about bridges!
    Can you provide a link to these BSD docs, so that we are able to have a deeper or closer look at them?

    -EDIT-

    I know switches are cheap.  But it does NOT help my intended goal.  Let me state my goal, and see if there is a better way of accomplishing what I am trying to do (which I am currently doing on my $400 router, but am CPU limited on it):

    I have 2 WANs: one is 50/50, the other is 50/10.

    On my 50/50 connection I have a /28 network.  On my 50/10 I have a /29.  So bottom line I have public IP addresses that are UTILIZED.

    My goal is to implement bandwidth management such that I have guaranteed bandwidth for certain devices; therefore I have to limit bandwidth of ALL devices, both public AND private.  The only way I can see doing that is by placing ALL devices both public and private BEHIND the device controlling the entire available bandwidth.  I had imagined pfsense was going to be my main point controlling my entire network.

    Placing switches in front of the pfsense box isn't going to help, as then pfsense has no way of controlling bandwidth to devices ahead of it.

    That is where I came up with the idea of bridging a WAN interface with a DMZ interface.  This way I can limit the bandwidth to devices with public IPs, as well as the class C networks on my 4 LANs.

    Follow?  This is NOT for a home setup.

    My setup:

    2 wans, 2 dmzs (bridged with the respective wans), and 4 natted lans.

    -Alan

    PS  Just throwing an additional 2cents worth.  I have seen a couple of the recent posts you were talking about where the use of bridges was discouraged.  I find that really odd since with IPv6 there is no need at ALL for NAT, and eventually all firewalls will essentially be transparent bridges.  I consider the use of 1:1 NAT a "hack", and not the proper way to handle public IP device security.  Public IP device security really needs to be handled at the firewall, and NOT NAT.  So again I ask:  Is there a way with pfsense to place devices with public IP addresses BEHIND it for the purpose of firewalling access and/or controlling bandwidth to those devices?



  • @FirebirdTN:

    PS  Just throwing an additional 2cents worth.  I have seen a couple of the recent posts you were talking about where the use of bridges was discouraged.

    There isn't anything inherently wrong with bridging. It can be an ugly design in some instances, but a DMZ bridged to WAN isn't bad in most cases. If your only public IPs are on your WAN subnet, that's your only option to get only public IPs directly assigned to hosts behind the firewall. It has potential routing and VPN complications if the hosts on the bridged network need to access something behind routed or NATed interfaces of the firewall, as they use the upstream ISP router as their gateway, which can't route back.

    @FirebirdTN:

    I find that really odd since with IPv6 there is no need at ALL for NAT, and eventually all firewalls will essentially be transparent bridges.

    Not true. With IPv6 you have a router, not a bridge. One subnet on WAN interconnecting you with your ISP, and a bigger subnet routed to your WAN IP for use internally.

    That's also the best way to handle public IPv4 IPs behind the firewall. Have a /29 or /30 between you and the ISP as an interconnect, and they route you a separate IP block which you can do with as you like. That's the standard in colocation datacenters, and something most business ISPs will accommodate for IPv4 (at least on fiber and other pricier connections, maybe not DSL or cable). With IPv6, that's the standard across the board. Only incompetent ISPs will try to do something different from that for v6.

    @FirebirdTN:

    So again I ask:  Is there a way with pfsense to place devices with public IP addresses BEHIND it for the purpose of firewalling access and/or controlling bandwidth to those devices?

    The same way you do with any router or firewall. Either you have a second public IP block routed to you, which you assign to an internal NIC (best case scenario), or you bridge. Or you can route a single public IP to a private IP and have both private and public IPs assigned to the internal host, but that gets a little ugly.



  • Re: the original problem, I recall one of the support guys talking about a similar sounding scenario this week but not sure what happened there, and I couldn't seem to find any ticket or chat history from you. If that was you, and it wasn't resolved, please PM me the ticket number or other info to dig it up and I'll make sure you're taken care of.



  • @FireBirdTN

    The only way I can see doing that is by placing ALL devices both public and private BEHIND the device controlling the entire available bandwidth.  I had imagined pfsense was going to be my main point controlling my entire network.

    Ok until this point all is OK for me and I can follow, because I was not speaking about other things!

    Placing switches in front of the pfsense box isn't going to help, as then pfsense has no way of controlling bandwidth to devices ahead of it.

    And up on this point I can't follow you, sorry! Perhaps this is owed to the circumstance that my
    poor English language skills are not good enough! But I was never talking to you about setting up switches
    in front of the firewall (pfSense); once more again, never! Please look at the attached network drawing.

    Follow?  This is NOT for a home setup.

    Yes I know this.

    PS  Just throwing an additional 2cents worth.  I have seen a couple of the recent posts you were talking about where the use of bridges was discouraged.

    Yes this is also right. Route if you can and bridge where you must.

    I consider the use of 1:1 NAT a "hack", and not the proper way to handle public IP device security

    If I set up the public IP addresses on the servers inside of the DMZ and then anyone is "playing" with these
    IPs, he is directly on the server! "Fingers or hands on" the servers I mean, but if I set up the public IP
    addresses at the pfSense and do a port forward to the internal private IP addresses and then someone
    is "playing" with these public IP addresses, he is on a so-called security device, the firewall (pfSense)!
    And that is a really important but opposite point of security in my eyes, as I see it right.

    Public IP device security really needs to be handled at the firewall, and NOT NAT.

    Please don't forget the firewall is doing SPI/NAT and on top of that passing firewall rules!
    Opening only the ports that are needed to access the offered service from the servers in the DMZ,
    followed by firewall rules that handle the only traffic on top of this, and IDS/IPS or DPI inspecting
    all traffic coming through those opened and forwarded ports, through something like a proxy
    server such as Squid or nginx, would be my way to handle this traffic passing from the WAN
    to the DMZ. If this is nonsense or kids' stuff, foolish or stupid, please tell me and enlighten
    me please. I have no point of no return or turnaround and nothing to defend!

    All in all, I have no point of view that must stand still or must be defended by me; I will be
    able, and it is also beloved by me, if someone is enlightening me, by an example it would be good
    to learn new things; perhaps this or other things in the same meaning or direction should or must
    be done straight using pfSense, but then in another meaning please.

    Otherwise you can do and construct whatever you want; I was meaning to help you
    and prevent you from going perhaps in a wrong direction. I don't want to press you or others
    to do something! Please accept this.

    @cmb
    On the new boards sorted with the Intel Atom C2x58 SoCs there are often some GB LAN ports
    that come with a function that is called or named a "bypass" option. That option can
    mostly be enabled or disabled in the BIOS of the boards in the LAN menu! Often these are
    Intel ports named I210-T1, Intel I350-T2 and Intel I354AM that come with these functions.
    Is there something that pfSense can profit or benefit from these given options or offered functions,
    as we are talking here about bridges and bridged-together LAN ports?

    So I really mean, done in hardware and usable by software is not the same as only being
    done in software? Is this right? Please correct me if I am wrong with this.




  • @cmb:

    @FirebirdTN:

    So again I ask:  Is there a way with pfsense to place devices with public IP addresses BEHIND it for the purpose of firewalling access and/or controlling bandwidth to those devices?

    The same way you do with any router or firewall. Either you have a second public IP block routed to you, which you assign to an internal NIC (best case scenario), or you bridge. Or you can route a single public IP to a private IP and have both private and public IPs assigned to the internal host, but that gets a little ugly.

    Thank you for this!

    Before I proceed any further, I will see if I can have one of our ISPs convert our /28 into a single /30 and a second routed subnet for my public devices.  That particular ISP is delivering fiber to us.  My other ISP is a cable provider, so they won't I am almost positive.  Luckily although I have two "DMZs" set up (one for each ISP public IPs), only the fiber is actually utilized.  I don't know if this is doable, but I will try.  This would solve a lot of my headaches.

    -Alan



  • @cmb:

    That's also the best way to handle public IPv4 IPs behind the firewall. Have a /29 or /30 between you and the ISP as an interconnect, and they route you a separate IP block which you can do with as you like. That's the standard in colocation datacenters, and something most business ISPs will accommodate for IPv4...

    Quick question: This is new territory for me, as up until now I have only had to deal with setting up "NAT" routers…

    Do you have a "quick and dirty" article you can link to?

    Bottom line is now that I take everything into consideration, I would MUCH rather do this than bridging.  However, when I tried to explain to my ISP what it is I was wanting, they acted like I was asking for something they had never heard of...I am sure it would have been much easier if I had asked them in the form of proper terminology, but it is what it is.  I just told them I wanted two subnets: a /30 for my box, and a separate /28 routed to me.  They could not wrap their head around it...What should I have asked for?

    I have seen another thread about bridging as well, and I am in the same boat as the poster of that thread: my ISP provides their own router, which I do not have access to, and routes me the /28.  In essence if I could replace their box with mine, I could accomplish this task without wasting an IP on yet another (needless from my perspective) router...But I understand why they want it there: so they can monitor their circuit.

    Thanks,

    -Alan



  • Well, just in case anyone is following…..

    I removed my ISP's router, and plugged in pfsense box, and configured the WAN with the /30 the ISP used for their router, and configured my LAN for the /28 they deliver to us.

    This works MUCH MUCH better than bridging, and config wasn't bad at all.  Just had to enable outbound manual NAT and remove the entries relating to DMZ1.

    The only problem I have now is...without their router in place, I get nowhere NEAR the speed I am supposed to get.  And this isn't a pfsense issue.  If I hook my laptop up IN PLACE of their router, I get low speed.  If I hook it up BEHIND their router, I get advertised speed.

    Of course I did all this without the ISP's blessing, so now I am working with our account rep to see if they will accommodate me.

    -Alan

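The routed design cmb describes above and the configuration Alan ends up with (WAN on the ISP's /30, the /28 on LAN, manual outbound NAT only for the private LANs), worked through as an added example that is not part of the original thread. The interface name igb0 and all prefixes are constructed assumptions (RFC 5737 documentation space), and the "ISP takes the first usable address of the /30" convention is assumed too.

```python
"""Addressing plan for the 'small WAN subnet, larger routed LAN subnet' design.

Constructed example (not pfSense code): the ISP hands over a /30 interconnect
on WAN and routes a separate public /28 to the firewall's WAN address. Private
LANs get outbound NAT; the routed public block is passed through unNATed.
"""
import ipaddress

# Constructed sample values using RFC 5737 documentation prefixes; a real
# allocation comes from the ISP.
INTERCONNECT = "203.0.113.0/30"      # ISP <-> firewall WAN
ROUTED_BLOCK = "198.51.100.16/28"    # routed by the ISP to the firewall's WAN IP
PRIVATE_LANS = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24", "10.4.0.0/24"]
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def plan_interconnect(cidr):
    """Return (isp_gateway, firewall_wan_ip) for the /30 interconnect.
    Assumed convention: the ISP takes the first usable address."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    if len(hosts) != 2:
        raise ValueError("interconnect must be a /30 (exactly two usable hosts)")
    return hosts[0], hosts[1]


def plan_routed_lan(cidr):
    """Firewall takes the first usable address of the routed block as the
    gateway for the public-IP hosts; the remaining addresses are theirs."""
    net = ipaddress.ip_network(cidr, strict=True)
    if any(net.overlaps(p) for p in RFC1918):
        raise ValueError("routed block must not be RFC 1918 space")
    hosts = list(net.hosts())
    return hosts[0], hosts[1:]


def isp_static_route(interconnect, routed):
    """The one thing to ask the ISP for: a static route for the block,
    pointing at the firewall's WAN address on the interconnect."""
    _, wan_ip = plan_interconnect(interconnect)
    return f"{ipaddress.ip_network(routed)} via {wan_ip}"


def check_no_overlap(*cidrs):
    """Every subnet in the plan must be disjoint from every other."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True


def outbound_nat_rules(wan_if, interconnect, routed, private_lans):
    """pf-style manual outbound NAT: only private LANs are translated to the
    WAN address. The routed public block gets no nat rule on purpose."""
    _, wan_ip = plan_interconnect(interconnect)
    check_no_overlap(interconnect, routed, *private_lans)
    return [f"nat on {wan_if} from {lan} to any -> {wan_ip}" for lan in private_lans]


if __name__ == "__main__":
    gw, wan = plan_interconnect(INTERCONNECT)
    lan_gw, public_hosts = plan_routed_lan(ROUTED_BLOCK)
    print(f"WAN: {wan} gateway {gw}")
    print(f"Routed LAN gateway: {lan_gw}, {len(public_hosts)} public hosts")
    print("ISP route:", isp_static_route(INTERCONNECT, ROUTED_BLOCK))
    print("\n".join(outbound_nat_rules("igb0", INTERCONNECT, ROUTED_BLOCK, PRIVATE_LANS)))
```

The public-IP hosts on the routed /28 use the firewall's LAN address as their gateway, which is what removes the "ISP router can't route back" problem of the bridged setup.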



  • @FirebirdTN:

    The only problem I have now is…without their router in place, I get nowhere NEAR the speed I am supposed to get.  And this isn't a pfsense issue.  If I hook my laptop up IN PLACE of their router, I get low speed.  If I hook it up BEHIND their router, I get advertised speed.

    Double check the speed/duplex settings. Sometimes the equipment needs to be hard set to match.



  • @FirebirdTN:

    @cmb:

    That's also the best way to handle public IPv4 IPs behind the firewall. Have a /29 or /30 between you and the ISP as an interconnect, and they route you a separate IP block which you can do with as you like. That's the standard in colocation datacenters, and something most business ISPs will accommodate for IPv4...

    Quick question: This is new territory for me, as up until now I have only had to deal with setting up "NAT" routers…

    Do you have a "quick and dirty" article you can link to?

    Bottom line is now that I take everything into consideration, I would MUCH rather do this than bridging.  However, when I tried to explain to my ISP what it is I was wanting, they acted like I was asking for something they had never heard of...I am sure it would have been much easier if I had asked them in the form of proper terminology, but it is what it is.  I just told them I wanted two subnets: a /30 for my box, and a separate /28 routed to me.  They could not wrap their head around it...What should I have asked for?

    That should have sufficed. Guessing it's a small ISP, or you didn't get to the right people. Usually big ISPs, unless you happen to get the wrong person, will know exactly what you're talking about. Smaller ones, sometimes not so much. There is a description and diagram of that scenario in the book under "Small WAN IP subnet with larger LAN IP subnet", which should help you explain it to them.

    Though sounds like you have a workaround in having removed their router entirely. Likely the performance issue is they force speed and duplex on their WAN-side port. Set your WAN accordingly (100 full if it's 100 Mb CPE) to match, and you should be in good shape.



  • @dotdash:

    @FirebirdTN:

    The only problem I have now is…without their router in place, I get nowhere NEAR the speed I am supposed to get.  And this isn't a pfsense issue.  If I hook my laptop up IN PLACE of their router, I get low speed.  If I hook it up BEHIND their router, I get advertised speed.

    Double check the speed/duplex settings. Sometimes the equipment needs to be hard set to match.

    BINGO!

    That did the trick!  All is well…so long as my ISP doesn't complain I removed their router...

    I know they "ping" it, and when they detect an issue with the circuit being down, they call us (I guess that is the definition of "managed internet" LOL?).

    I have allowed my pfsense box to be pinged, so as long as they don't somehow look for their SPECIFIC router, I should be good.

    -Alan



  • Allow ping and that should suffice for their monitoring.

    They're not managing it very well if they haven't noticed it's completely gone. :) Apparently just pinging it.



  • I have allowed my pfsense box to be pinged, so as long as they don't somehow look for their SPECIFIC router, I should be good.

    And if they are calling you otherwise, they were perhaps monitoring the MAC address of their router.
    Perhaps you are able to change the MAC address from their WAN interface to your WAN interface.

