Transparent bridge mode to DMZ, and NAT to private LAN, and Snort?
-
I've read back over all the information I can find, both here and elsewhere, and there appear to be mixed messages about what is or is not possible.
My intended configuration is as follows (I hope my ASCII art skills are up to it):
DMZ---------------------|DMZ i/f: (bridged)
87.x.x.91-94            |
                        |
                     pfSense--------------------Router--------Internet
                        |  Ext i/f: 87.x.x.90    87.x.x.89
                        |
Private-----------------|Private (NAT) i/f: 192.168.0.1
192.168.0.0/24

The 87.x.x.88/29 network is a public IP address range.
I realise that the requirement for a NATted private subnet as well as a bridged DMZ complicates things here but my understanding is that the NATted private subnet and the bridged DMZ are mutually compatible and feasible with pfSense 1.2. Is this correct?
And so the main question appears to be: Can Snort be made to work in this configuration? Some people say no, Snort won't work in transparent bridged mode, whereas others seem to have made it work. What is the latest correct information?
(Note 1: I notice that the Untangle firewall was suggested in a recent thread for getting Snort working on a bridging firewall but, unfortunately, Untangle appears to disable all NAT when in bridging mode whereas, as I mentioned above, I understand that pfSense can still NAT one subnet whilst bridging.)
(Note 2: Yes, it would be easier to use NAT for the DMZ too but it is a specific requirement that the DMZ servers be configured with public IP addresses. Similarly it would be easier if the private subnet were not needed but sadly it is a requirement.)
Thanks in advance for any help or ideas about this.
MarkR
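A sanity check of the address plan behind the diagram above, added here as an example and not part of the original post: it confirms that every host on the bridged DMZ segment (router, pfSense WAN, DMZ servers) really lives inside the public /29, that none of them lands on the network or broadcast address, and that the private LAN is an RFC 1918 range that does need NAT. The block uses 203.0.113.88/29 as a constructed stand-in for the masked 87.x.x.88/29.

```python
import ipaddress

# Constructed sample: the thread's 87.x.x.88/29 with the TEST-NET-3 prefix
# standing in for the masked octets.
PUBLIC_BLOCK = "203.0.113.88/29"
PLAN = {
    "router": "203.0.113.89",          # upstream router on the public segment
    "pfsense_wan": "203.0.113.90",     # pfSense external interface (bridged to DMZ)
    "dmz_hosts": ["203.0.113.91", "203.0.113.92", "203.0.113.93", "203.0.113.94"],
    "lan": "192.168.0.0/24",           # private subnet behind NAT
}


def public_addresses(plan):
    """Every address that must sit on the bridged public segment."""
    return [plan["router"], plan["pfsense_wan"], *plan["dmz_hosts"]]


def check_plan(block, plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(block, strict=True)
    findings, seen = [], set()
    for a in public_addresses(plan):
        ip = ipaddress.ip_address(a)
        if ip not in net:
            findings.append(f"{a} is outside {block}; it cannot be bridged onto that segment")
        elif ip in (net.network_address, net.broadcast_address):
            findings.append(f"{a} is the network or broadcast address of {block}")
        if ip in seen:
            findings.append(f"{a} is assigned twice")
        seen.add(ip)
    lan = ipaddress.ip_network(plan["lan"], strict=True)
    if not lan.is_private:
        findings.append(f"LAN {lan} is not RFC 1918; NAT would be unnecessary")
    if lan.overlaps(net):
        findings.append(f"LAN {lan} overlaps the public block {block}")
    return findings


def free_public_addresses(block, plan):
    """Usable addresses in the /29 not yet assigned (a /29 has only six)."""
    net = ipaddress.ip_network(block, strict=True)
    used = {ipaddress.ip_address(a) for a in public_addresses(plan)}
    return [str(h) for h in net.hosts() if h not in used]


if __name__ == "__main__":
    print(check_plan(PUBLIC_BLOCK, PLAN) or "plan is consistent")
    print("free public addresses:", free_public_addresses(PUBLIC_BLOCK, PLAN))
```

With the plan as drawn, the /29 is fully consumed: one router, one pfSense WAN address and four DMZ hosts leave no spare public address.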
-
Well, I've got pfSense bridging the WAN to the DMZ whilst NATting the Private LAN. So far so good. I'm trying to get Snort working now.
I must say that pfSense is an excellent firewall; it is remarkably flexible and has a vast range of configuration options.
Well done!!