Transparent firewall problem



  • Hi, I'm using pfsense 1.2-release, trying to run in transparent firewall mode but I can't get it to pass any traffic.
    Here is my setup:  workstation -> pfsense -> router

    • OPT1 and WAN interfaces are bridged
    • filtering bridge is enabled
    • my firewall rules are wide open for testing (allow any->any on every interface)
    • traffic shaping is turned off
    • have tried disabling nat and using automatic nat

    Based on a packet trace, what appears to be happening is that arp packets aren't passing through the firewall.  I've tried pinging and telneting from the workstation to the router, but the router doesn't reply to my workstation's arps.  The pfsense firewall logs say that the outgoing traffic is allowed, but nothing comes back, neither allowed or denied.  When I put my workstation on the other (wan) side of the firewall, it works just fine.

    Any help would be much appreciated.
    Thanks
    Mike



  • Mike

    According to the guidelines and from my own experience you need to have your LAN and WAN bridged for the transparent firewall to work. The link to the guidelines is http://pfsense.trendchiller.com/transparent_firewall.pdf . I am about to set up another firewall in that transparent configuration in a few minutes. Let me know if this helps.

    –Ivan



  • Thanks for the reply.  I had actually followed the instructions in that document, but I didn't get it to work in transparent mode.  After a lot of struggling, I figured out the problem.  When you're using a Cisco switch, you may need to disable spanning tree messages on one of your bridged ports, using the following subinterface command:
      spanning-tree bpdufilter enable

    Basically this filters out any STP BPDUs that the port sees, preventing it from going into a "blocking" state once you bridge your LAN and WAN interfaces (or OPT and WAN as the case may be).  On your Cisco switch the problem will manifest itself with a solid amber LED on one of the bridged ports.  As soon as I issued the above command on one of the ports, transparent firewall mode magically started working.

    Mike
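    The fix Mike describes, written out as a switch-port configuration with a verification step. This is an added example, not configuration from the thread or from pfSense; the interface names and description are assumptions. The comments also record the trade-off: a port with BPDU filtering enabled no longer participates in loop detection, so apply it only to the port facing the firewall bridge.

    ```cisco
    ! Constructed example; interface names are assumed, not taken from the thread.
    ! Gi0/1 faces the pfSense WAN interface, Gi0/2 faces the pfSense OPT1
    ! interface. Because pfSense bridges the two, the switch receives its own
    ! BPDUs back on the second port, treats that as a loop, and blocks one port
    ! (the solid amber LED described above). Filtering BPDUs on that port
    ! stops the switch from seeing the loop.
    interface GigabitEthernet0/2
     description pfSense OPT1 (bridged to WAN on Gi0/1)
     switchport mode access
     spanning-tree bpdufilter enable
    !
    ! Caveat: with bpdufilter enabled, this port will also ignore BPDUs from a
    ! real accidental loop behind it, so keep the filter to the firewall-facing
    ! port only and do not enable it globally.
    !
    ! Verification: the port should report FWD rather than BLK after the change.
    ! show spanning-tree interface GigabitEthernet0/2
    ```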



  • Check the packages forum…



  • @spookycave:

    Thanks for the reply.  I had actually followed the instructions in that document, but I didn't get it to work in transparent mode.  After a lot of struggling, I figured out the problem.  When you're using a Cisco switch, you may need to disable spanning tree messages on one of your bridged ports, using the following subinterface command:
      spanning-tree bpdufilter enable

    Basically this filters out any STP BPDUs that the port sees, preventing it from going into a "blocking" state once you bridge your LAN and WAN interfaces (or OPT and WAN as the case may be).  On your Cisco switch the problem will manifest itself with a solid amber LED on one of the bridged ports.  As soon as I issued the above command on one of the ports, transparent firewall mode magically started working.

    Mike

    Sorry for the probably stupid question, but would you need to set up a transparent firewall if both LAN and WAN interfaces are located on the same VLAN? How is the firewall supposed to work?

