Netgate Discussion Forum

    Transparent Firewalling

    7 Posts 4 Posters 1.5k Views
    • crach

      Hi all,

      I'm trying to build a transparent firewall between my WAN and a dedicated VLAN (TF1 interface).
      It looks like this:

             |-------------|
      WAN ---|             |--- TF1
             |   pfSense   |
      Mgmt --|             |--- TF2
             |-------------|
      

      The WAN interface has an official (public) IP range and I'm trying to provide this range on the TF1 interface.
      So I created a bridge between my two interfaces TF1 and WAN (both without an IP address of their own). Then I created the OPT interface on the bridge and added any-to-any rules on all three interfaces.

      Now I try to ping the router (.1) on the WAN side from the client on the TF1 side … no connection.
      I've installed a plain pfSense 2.2.3 ... the pfSense and the test clients are all VMware VMs.
      There is only one interface with an IP address, the mgmt (management) interface.

      Any idea where the problem could be?

      Thanks in advance,
      Kind regards,
      Reto

      • crach

        If more information is needed … please give me a hint.

        • robi

          So you have public internet on WAN side, and you also want to use public IP addresses on TF1 side, right? And firewall between them?

          • dotdash

            Check System > Advanced > Tunables. By default it filters on the interfaces, not the bridge. You need to adjust the two bridge sysctls.

            • crach

              @robi:

              So you have public internet on WAN side, and you also want to use public IP addresses on TF1 side, right? And firewall between them?

              That's correct.
              I have a /24 subnet on the WAN side and I want to "split" this subnet into multiple parts without routing, filtering their traffic and shaping the bandwidth.

              • crach

                @dotdash:

                Check System > Advanced > Tunables. By default it filters on the interfaces, not the bridge. You need to adjust the two bridge sysctls.

                I've set net.link.bridge.pfil_bridge to 1 and left the other two (net.link.bridge.pfil_onlyip / net.link.bridge.pfil_member) at their default values, 0 and 1.

                • cmb

                  You don't want both: either filter on your bridge, or on your member interfaces.

                  Your original issue is likely in your VMware config. Where bridging, the port groups connected to the firewall must be in promiscuous mode in order for the traffic to even get to the firewall VM.

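The sysctl combination dotdash and cmb discuss, as an added example that is not part of the thread: a POSIX sh check that classifies the net.link.bridge pfil_* values (the "both" case cmb warns about, and the "none" case where bridged frames never reach pf at all). The function names are my own; check_live_bridge_filtering assumes it runs on the pfSense/FreeBSD box itself, where sysctl -n prints the OIDs.

```shell
#!/bin/sh
# Classify where pf sees bridged frames, given net.link.bridge.pfil_bridge
# and net.link.bridge.pfil_member (each 0 or 1).
# Prints one of: bridge, members, both, none. Returns 1 on bad input.
bridge_filter_mode() {
    case "$1$2" in
        10) echo bridge ;;     # rules evaluated once, on the bridge interface
        01) echo members ;;    # rules evaluated on each member (pfSense default)
        11) echo both ;;       # rules hit twice: bridge AND members (cmb: pick one)
        00) echo none ;;       # bridged traffic bypasses pf entirely
        *)  echo invalid; return 1 ;;
    esac
}

# Read the live values on the firewall and report. A missing OID (non-FreeBSD
# host, or no bridge module loaded) makes sysctl fail, so fall back to "?".
check_live_bridge_filtering() {
    b=$(sysctl -n net.link.bridge.pfil_bridge 2>/dev/null || echo '?')
    m=$(sysctl -n net.link.bridge.pfil_member 2>/dev/null || echo '?')
    o=$(sysctl -n net.link.bridge.pfil_onlyip 2>/dev/null || echo '?')
    mode=$(bridge_filter_mode "$b" "$m") || {
        echo "could not read bridge sysctls (pfil_bridge=$b pfil_member=$m)"
        return 1
    }
    echo "pfil_bridge=$b pfil_member=$m pfil_onlyip=$o -> filtering on: $mode"
    case $mode in
        both) echo "WARN: rules are evaluated on the bridge and again on each member; choose one." ;;
        none) echo "WARN: frames crossing the bridge are never passed to pf." ;;
    esac
    # if_bridge(4): pfil_onlyip=0 passes non-IP Ethernet frames unconditionally.
    if [ "$o" = 0 ]; then
        echo "NOTE: pfil_onlyip=0, non-IP frames cross the bridge without being filtered."
    fi
    return 0
}
```

Run check_live_bridge_filtering from a shell on the firewall after changing the tunables; the values should match what System > Advanced > Tunables shows.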
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.