Need help with "Enable filtering bridge" and howto create rules for bridge0 nic

Guest · Apr 30, 2008, 7:26 AM

i can get into lan(192.168.55.100) from dmz1(bridged with wan)just fine with a regular nat rule ext->lan

however when i enable "Enable filtering bridge" it all stops

i understand that i have to make some rules somewhere, but since there is´t a "bridge0" tab, where do i put the rules for bridged interfaces?

I must be missing something but i havent found anything with search eather.

EDIT1: i have enabled udp 161 on all interfaces in all directions just for testing(need to snmp 3com in the inside from wan) and still no good

regards /Fredrik

hoba · Apr 30, 2008, 4:02 PM

Rules are always applied to the incoming traffic, so for traffic going from dmz to anywhere the rules have to be on the dmz tab, for lan to anywhere on the lan tab and so on. It doesn't mater if this is a bridged interface, a natted or a routed interface. it's always this way. Can you show us the firewallrules that you created?

Guest · Apr 30, 2008, 4:25 PM

Ok, tnx for the answer

here is a screenshot of my dmz rule tab

can this be any other then prb with rules, i meen when it works when i disable "Enable filterering bridge" so it doesent have anything to do with aot, is that a correct assumption?

/F

hoba · Apr 30, 2008, 4:47 PM

Hm, looks valid to me. What dns servers are your hosts trying to access? What do you see in the firewallsystemlogs? Add the log flag to these pass rules before testing again.

Guest · Apr 30, 2008, 5:44 PM

I dont see anything in the logs regarding snmp but if i run tcpdump i see the traffic comming into the external if

I have no problem running snmpwalk fron a external box so there is something with my dmz config that is making the trb

can i asume that it´s a fw rule problem or can something else cause this?

EDIT1: here is a passing log of port 161
04-30-2008 19:41:20 Local0.Info 192.168.55.1 Apr 30 19:41:23 pf: 18. 368293 rule 149/0(match): pass in on vlan4: (tos 0x0, ttl 64, id 58811, offset 0, flags [DF], proto: UDP (17), length: 67) 195.x.x.66.44331 > 90.x.x.170.161: { SNMPv1 C=xxxxxxx { GetNextRequest(25) R=933039914 [|snmp] } }

Where does it go?..it´s passing but not getting any response from snmp server
/F

hoba · Apr 30, 2008, 6:21 PM

@hoba:

Rules are always applied to the incoming traffic, so for traffic going from dmz to anywhere the rules have to be on the dmz tab, for lan to anywhere on the lan tab and so on.

If you want to access it from wan the rule has to go to the wan tab, not to the dmz tab.

Guest · Apr 30, 2008, 8:12 PM

@hoba:

@hoba:

Rules are always applied to the incoming traffic, so for traffic going from dmz to anywhere the rules have to be on the dmz tab, for lan to anywhere on the lan tab and so on.

If you want to access it from wan the rule has to go to the wan tab, not to the dmz tab.

Yeah, that much i´m getting, i can get access to 3com switch on the internal net from a external box(with ruleset aplying to wan)

But i cant for the life of it get snmp to the internal net from my dmz(with external ip adresses)

I have tried everything(well almost)

As i figured it i dont need nat rule to get from dmz -> internal, it should all be based on fw rules, is that correct?

hoba · Apr 30, 2008, 9:14 PM

Actually your hosts with public IPs in the dmz will use the default gateway to reach the internal subnet at lan which is the wan gateway (your first hop of your ISP). This gateway doesn't know anything about your private lan subnet so the packages will be vanishing into thin air. Having the DNZ unbridged is not an option as it breaks routing between dmz and lan this way?

Guest · Apr 30, 2008, 9:17 PM

Hello again ;)..tired of me yet?

i´m using the ip of the wan interface on the pfsense, what i want is just a "normal" portforwarding into my 3com switch, like i said earlier it works like a charm from the outside but wont work from the dmz with external ip´s

ps did you get my pm ?

/F

Guest · May 1, 2008, 6:00 PM

Ok, still no go

I must be missing something obvius

Do i need to create portforward from dmz(bridged with wan 195.x.x.x) to my lan or should it be enuf with fw rules
Do i only need to create fw rules on the dmz tab?

/f

hoba · May 1, 2008, 8:19 PM

It would be much easier without the bridge. What's the reason for the public IPs in the DMZ that prevent you from using NAT?

Guest · May 1, 2008, 8:31 PM

well there is no more reason then i have a spare ip.

cant use 1:1 since the ip´s i have spare and the one on my pfsense is on seperate subnets(from what i dug up earlier wouldent work)

do i have any other way to go besides putting it on a 192.168.x.x address and pointing the domains to my pfsense ext ip?

EDIT1: i could ofcourse just put the box externally without the protection of pfsense..but what´s the fun in that ;)
/F

hoba · May 1, 2008, 8:38 PM

You can use virtual iPs for the additional IP and 1:1 or portforward/outbound nat it.