Transparent Firewalling



  • Hi all,

I'm trying to build a transparent firewall between my WAN and a dedicated VLAN (TF1 interface).
    That looks like that:

           |-------------|
    WAN ---|             |--- TF1
           |   pfSense   |
    Mgmt --|             |--- TF2
           |-------------|
    

The WAN interface has an official (public) IP range and I'm trying to provide this range on the TF1 interface.
    So I created a bridge between my two interfaces TF1 and WAN (neither with an IP address of its own). Then I created the OPT interface on the bridge and any-to-any rules on all three interfaces.

    Now I try to ping the router (.1) on the WAN side from the client on the TF1 side … no connection.
    I've installed a plain pfSense 2.2.3 ... the pfSense and the test clients are all VMware VMs.
    There is only one interface with an IP address, the mgmt (management) interface.

    Any idea where the problem could be?

    Thanks in advance,
    Kind regards,
    Reto



  • If more information is needed … please give me a hint.



  • So you have public internet on WAN side, and you also want to use public IP addresses on TF1 side, right? And firewall between them?



  • Check system,advanced,tunables. By default it filters on the interfaces, not the bridge. You need to adjust the two bridge sysctls.



  • @robi:

    So you have public internet on WAN side, and you also want to use public IP addresses on TF1 side, right? And firewall between them?

    That's correct.
I've a /24 subnet on the WAN side and I want to "split" this subnet into multiple parts without routing, filtering their traffic and shaping the bandwidth.



  • @dotdash:

    Check system,advanced,tunables. By default it filters on the interfaces, not the bridge. You need to adjust the two bridge sysctls.

I've set net.link.bridge.pfil_bridge to 1 and left the other two (net.link.bridge.pfil_onlyip / net.link.bridge.pfil_member) at their default values, 0 and 1.



  • You don't want both, either filter on your bridge, or your member interfaces.

Your original issue is likely in your VMware config. When bridging, the port groups connected to the firewall must be in promiscuous mode in order for the traffic to even get to the firewall VM.
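The two sysctls dotdash and the last reply argue about (net.link.bridge.pfil_bridge and net.link.bridge.pfil_member) decide whether pf sees bridged frames on the bridge interface, on the member interfaces, on both, or on neither. The script below is an added example, not something posted in this thread: it parses `sysctl -a` style output, names the resulting filtering mode, and prints the sysctl command that would switch to filtering once, on the bridge only. The sample sysctl output is constructed to match the values Reto reports (pfil_bridge=1, pfil_member=1), not captured from a real box; on pfSense the persistent place for these values is System > Advanced > System Tunables, and the `sysctl` commands it prints only last until reboot. The VMware promiscuous-mode requirement from the last reply is a hypervisor port-group setting and is outside what this script can check.

```shell
#!/bin/sh
# Added example, not from the thread: work out which layer pf filters a
# FreeBSD/pfSense bridge on, using the two sysctls named in the thread,
# and print the command that leaves exactly one filtering point.

# Classify the pair of sysctl values.
# Arguments: pfil_bridge value, pfil_member value.
# Prints one of: bridge, member, both, none, invalid.
bridge_filter_mode() {
    case "$1/$2" in
        1/0) echo bridge ;;
        0/1) echo member ;;
        1/1) echo both ;;
        0/0) echo none ;;
        *)   echo invalid ;;
    esac
}

# Pull one value out of "name: value" lines ("sysctl -a" format) on stdin.
# Argument 1: the sysctl name to look up.
sysctl_value() {
    awk -v key="$1" 'BEGIN { k = key ":" } $1 == k { print $2; exit }'
}

# Read sysctl output from stdin, report the current mode, and suggest the
# change for a transparent firewall that filters on the bridge interface only.
advise() {
    input=$(cat)
    b=$(printf '%s\n' "$input" | sysctl_value net.link.bridge.pfil_bridge)
    m=$(printf '%s\n' "$input" | sysctl_value net.link.bridge.pfil_member)
    mode=$(bridge_filter_mode "$b" "$m")
    echo "pfil_bridge=$b pfil_member=$m -> filtering on: $mode"
    case "$mode" in
        bridge) echo "OK: rules are applied once, on the bridge interface." ;;
        member) echo "Rules apply on the member interfaces (WAN/TF1) only; to move them to the bridge run:"
                echo "  sysctl net.link.bridge.pfil_bridge=1 net.link.bridge.pfil_member=0" ;;
        both)   echo "Every frame is filtered twice (members and bridge); keep one, e.g.:"
                echo "  sysctl net.link.bridge.pfil_member=0" ;;
        none)   echo "WARNING: bridged traffic is not filtered at all; run:"
                echo "  sysctl net.link.bridge.pfil_bridge=1" ;;
        *)      echo "Unexpected or missing values, check the sysctl names." ;;
    esac
}

# Constructed sample (not real output) matching the settings Reto describes:
# pfil_bridge set to 1, pfil_member left at 1, pfil_onlyip at 0.
SAMPLE='net.link.bridge.pfil_onlyip: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1'

# On a real pfSense box you would feed it:  sysctl net.link.bridge | advise
printf '%s\n' "$SAMPLE" | advise
```

The script only ever prints the corrective command rather than running it, so it is safe to run on a production box; apply the value it suggests by hand, then make it persistent through the tunables page so it survives a reboot.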