Netgate Discussion Forum

Need help with "Enable filtering bridge" and how to create rules for the bridge0 NIC

Firewalling (13 Posts, 2 Posters, 4.1k Views)
Guest, Apr 30, 2008, 6:35 AM (last edited Apr 30, 2008, 7:26 AM)

I can get into LAN (192.168.55.100) from dmz1 (bridged with WAN) just fine with a regular NAT rule ext->lan.

However, when I enable "Enable filtering bridge" it all stops.

I understand that I have to make some rules somewhere, but since there isn't a "bridge0" tab, where do I put the rules for bridged interfaces?

I must be missing something, but I haven't found anything with search either.

EDIT1: I have enabled UDP 161 on all interfaces in all directions just for testing (need to SNMP the 3Com on the inside from WAN) and still no good.

regards /Fredrik

[Attachment: network-diagram2.jpg]

hoba, Apr 30, 2008, 4:02 PM

Rules are always applied to the incoming traffic, so for traffic going from dmz to anywhere the rules have to be on the dmz tab, for lan to anywhere on the lan tab, and so on. It doesn't matter if this is a bridged interface, a NATed or a routed interface; it's always this way. Can you show us the firewall rules that you created?

Guest, Apr 30, 2008, 4:25 PM

Ok, thanks for the answer.

Here is a screenshot of my DMZ rule tab.

Can this be anything other than a problem with rules? I mean, it works when I disable "Enable filtering bridge", so it doesn't have anything to do with aot, is that a correct assumption?

/F

[Attachment: dmz-rules.JPG]

hoba, Apr 30, 2008, 4:47 PM

Hm, looks valid to me. What DNS servers are your hosts trying to access? What do you see in the firewall system logs? Add the log flag to these pass rules before testing again.

Guest, Apr 30, 2008, 5:07 PM (last edited Apr 30, 2008, 5:44 PM)

I don't see anything in the logs regarding SNMP, but if I run tcpdump I see the traffic coming into the external interface.

I have no problem running snmpwalk from an external box, so there is something with my DMZ config that is making the trouble.

Can I assume that it's a firewall rule problem, or can something else cause this?

EDIT1: here is a passing log of port 161:
04-30-2008 19:41:20 Local0.Info 192.168.55.1 Apr 30 19:41:23 pf: 18. 368293 rule 149/0(match): pass in on vlan4: (tos 0x0, ttl  64, id 58811, offset 0, flags [DF], proto: UDP (17), length: 67) 195.x.x.66.44331 > 90.x.x.170.161:  { SNMPv1 C=xxxxxxx { GetNextRequest(25) R=933039914 [|snmp] } }

Where does it go? It's passing but not getting any response from the SNMP server.
/F

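The log entry in the post above is evidence of exactly one thing: pf matched rule 149 and passed the packet inbound on vlan4 (the interface it entered on). It says nothing about the reply path. As an added example (not code from the thread or from pfSense), this Python parser pulls those fields out of pf rule-log lines in the syslog format shown above, so the question "where did pf see it, and did it pass or block" can be answered mechanically.

```python
# Added example (not code from the thread or from pfSense): parse pf firewall
# log entries, as forwarded to syslog by pfSense, into the fields that matter
# when troubleshooting a pass rule. Sample line is the one posted in the thread.
import re
from dataclasses import dataclass
from typing import Optional

THREAD_LINE = (  # public IP octets were redacted with "x" by the poster
    "04-30-2008 19:41:20 Local0.Info 192.168.55.1 Apr 30 19:41:23 pf: 18. 368293 "
    "rule 149/0(match): pass in on vlan4: (tos 0x0, ttl  64, id 58811, offset 0, "
    "flags [DF], proto: UDP (17), length: 67) 195.x.x.66.44331 > 90.x.x.170.161:  "
    "{ SNMPv1 C=xxxxxxx { GetNextRequest(25) R=933039914 [|snmp] } }"
)

# "pf: <time> rule N/M(reason): <action> <dir> on <iface>: (<ip header>) src.sport > dst.dport:"
_ENTRY_RE = re.compile(
    r"pf: [\d. ]+?rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<iface>\w+): "
    r"\((?P<hdr>.*?)\) (?P<src>[\w.]+?)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.]+?)\.(?P<dport>\d+):"
)
_PROTO_RE = re.compile(r"proto: (\w+) \(\d+\)")  # e.g. "proto: UDP (17)"


@dataclass
class PfLogEntry:
    rule: int        # pf rule number that matched
    action: str      # "pass" or "block"
    direction: str   # "in" or "out": the rule was evaluated on entry or exit
    iface: str       # interface the packet was on when the rule matched
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_pf_log(line: str) -> Optional[PfLogEntry]:
    """Return the matched rule hit, or None if the line is not a pf rule log."""
    m = _ENTRY_RE.search(line)
    if not m:
        return None
    proto = _PROTO_RE.search(m.group("hdr"))
    return PfLogEntry(
        rule=int(m.group("rule")), action=m.group("action"),
        direction=m.group("direction"), iface=m.group("iface"),
        proto=proto.group(1) if proto else "?",
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
    )
```

For the thread's line this yields rule 149, pass, in, vlan4, UDP 195.x.x.66:44331 -> 90.x.x.170:161; a "pass in on vlan4" with no matching state on the way back is the symptom the poster describes, not a rule problem on that interface.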
hoba, Apr 30, 2008, 6:21 PM

@hoba:

Rules are always applied to the incoming traffic, so for traffic going from dmz to anywhere the rules have to be on the dmz tab, for lan to anywhere on the lan tab and so on.

If you want to access it from wan the rule has to go to the wan tab, not to the dmz tab.

Guest, Apr 30, 2008, 8:12 PM

@hoba:

@hoba:

Rules are always applied to the incoming traffic, so for traffic going from dmz to anywhere the rules have to be on the dmz tab, for lan to anywhere on the lan tab and so on.

If you want to access it from wan the rule has to go to the wan tab, not to the dmz tab.

Yeah, that much I'm getting. I can get access to the 3Com switch on the internal net from an external box (with the ruleset applying to WAN).

But I can't for the life of me get SNMP to the internal net from my DMZ (with external IP addresses).

I have tried everything (well, almost).

As I figured it, I don't need a NAT rule to get from DMZ -> internal; it should all be based on firewall rules. Is that correct?

hoba, Apr 30, 2008, 9:14 PM

Actually, your hosts with public IPs in the DMZ will use the default gateway to reach the internal subnet at LAN, which is the WAN gateway (the first hop of your ISP). This gateway doesn't know anything about your private LAN subnet, so the packages will be vanishing into thin air. Having the DMZ unbridged is not an option as it breaks routing between DMZ and LAN this way?

Guest, Apr 30, 2008, 9:17 PM

Hello again ;) ...tired of me yet?

I'm using the IP of the WAN interface on the pfSense. What I want is just a "normal" port forward into my 3Com switch. Like I said earlier, it works like a charm from the outside but won't work from the DMZ with external IPs.

PS: did you get my PM?

/F

Guest, May 1, 2008, 6:00 PM

Ok, still no go.

I must be missing something obvious.

1. Do I need to create a port forward from DMZ (bridged with WAN 195.x.x.x) to my LAN, or should it be enough with firewall rules?
2. Do I only need to create firewall rules on the DMZ tab?

/f

hoba, May 1, 2008, 8:19 PM

It would be much easier without the bridge. What's the reason for the public IPs in the DMZ that prevents you from using NAT?

Guest, May 1, 2008, 8:31 PM

Well, there is no more reason than that I have a spare IP.

I can't use 1:1 since the IPs I have spare and the one on my pfSense are on separate subnets (from what I dug up earlier, that wouldn't work).

Do I have any other way to go besides putting it on a 192.168.x.x address and pointing the domains to my pfSense external IP?

EDIT1: I could of course just put the box externally without the protection of pfSense... but what's the fun in that ;)
/F

hoba, May 1, 2008, 8:38 PM

You can use virtual IPs for the additional IP and 1:1 or port forward/outbound NAT it.
