3 Interfaces in Bridged Mode?



  • Hello all,

    I am going to add a 3rd NIC to my pfSense box, which currently has 2 on-board devices in bridged mode.

    I would like to keep it in bridged mode and just add the new NIC to the bridge. Is this possible?

    Thanks!

    I'd like it to work like this:

    VLAN1 ---------- pfSense eth0 --------------- pfSense eth2 (WAN) ----> Upstream Provider
                                                                    /
    VLAN2 ---------- pfSense eth1 --------------/





  • @Perry:

    Please use the search (http://forum.pfsense.org/index.php?action=search) with the key words "3 interface bridge": http://forum.pfsense.org/index.php/topic,5907.0.html

    Thanks.

    So since it's not possible to do this, how would you recommend I configure my pfSense box?

    All my servers currently have public IPs assigned to them right now. Would 1:1 NAT be best? Can I do 1:1 NAT for 25 public IPs or so?



  • I never did that (I kind of don't like bridges), but why don't you try to create 2 bridges?
    eth0 to eth2
    and
    eth1 to eth2

    I'm not sure if that works, but it's worth a try.

    You also could 1:1 NAT your 25 public IPs.
    But why waste ports with 1:1 NAT if you can just normally NAT forward the needed ports?



  • @GruensFroeschli:

    I never did that (I kind of don't like bridges), but why don't you try to create 2 bridges?
    eth0 to eth2
    and
    eth1 to eth2

    I'm not sure if that works, but it's worth a try.

    You also could 1:1 NAT your 25 public IPs.
    But why waste ports with 1:1 NAT if you can just normally NAT forward the needed ports?

    Thanks for the ideas! I'm not sure how much time I'll have to experiment, as this is a production pfSense box, but I like the idea of 2 bridges.

    We have multiple HTTP, SMTP, FTP, VPN servers, so normal NAT doesn't work too well.



  • @mevans336:

    We have multiple HTTP, SMTP, FTP, VPN servers, so normal NAT doesn't work too well.

    Why not?
    1:1 NAT doesn't do much more than normal NAT, except that it forwards ports 0-65535 instead of only the ports you specify.

    If it's because you don't want to handle multiple rules:
    You can create a port alias for each server and just use this single port alias in one forwarding rule.

    Then you have 25 normal NAT rules instead of 25 1:1 NAT rules.

    Except that you now forward only the ports you really need.
    -> You don't expose ports like 139 or 445 to the internet.



  • @GruensFroeschli:

    @mevans336:

    We have multiple HTTP, SMTP, FTP, VPN servers, so normal NAT doesn't work too well.

    Why not?
    1:1 NAT doesn't do much more than normal NAT, except that it forwards ports 0-65535 instead of only the ports you specify.

    If it's because you don't want to handle multiple rules:
    You can create a port alias for each server and just use this single port alias in one forwarding rule.

    Then you have 25 normal NAT rules instead of 25 1:1 NAT rules.

    Except that you now forward only the ports you really need.
    -> You don't expose ports like 139 or 445 to the internet.

    pfSense must have much stronger NAT capabilities than my old Zywall.

    Even with 1:1 NAT, the firewall doesn't allow ports 0-65535 through, right? It only forwards those ports through NAT?



  • @mevans336:

    Even with 1:1 NAT, the firewall doesn't allow ports 0-65535 through, right? It only forwards those ports through NAT?

    Yes, that's true.
    Even if you 1:1 NAT and you don't create a firewall rule that allows traffic, it will be blocked by the firewall.
    I might have exaggerated with saying you expose ports to the internet with 1:1 NAT.
    You have separate rulesets for the firewall and NAT.

    But it's still a better approach to have two layers of security:
    1: the firewall
    2: no defined destination for inbound unwanted traffic.
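
The two approaches discussed above (1:1 NAT that still needs its own firewall rule, versus port forwarding through a port alias so unwanted ports have no destination at all), written out as a hand-edited FreeBSD pf.conf fragment in the style pfSense generates. This is an added example, not configuration from the thread or from pfSense itself; interface and address values are constructed placeholders.

```pf
# Added example, not from the thread or pfSense: hand-written pf.conf
# contrasting 1:1 NAT (binat) with port forwarding (rdr) plus a port alias.
# Interface and address values are constructed placeholders.
wan_if   = "eth2"           # WAN interface name taken from the diagram above
mail_pub = "203.0.113.10"   # public IP of the mail server (constructed)
mail_int = "10.0.0.10"      # its private address behind pfSense (constructed)
web_pub  = "203.0.113.11"
web_int  = "10.0.0.11"

# Port alias: the only ports the web server actually needs reachable.
web_ports = "{ 80 443 }"

# Default-deny on WAN, as pfSense applies; translation never overrides this.
block in log on $wan_if

# Approach A: 1:1 NAT. binat maps every port of the public IP to the
# private host in both directions ...
binat on $wan_if from $mail_int to any -> $mail_pub

# ... but translation alone passes nothing. Filter rules are evaluated after
# translation, so the pass rule names the internal address. Without it,
# inbound traffic to the 1:1-mapped IP is still dropped by the block above.
pass in quick on $wan_if inet proto tcp from any to $mail_int port 25

# Approach B: ordinary port forwarding with the port alias. Only the listed
# ports are redirected; anything else sent to $web_pub has no destination
# and is caught by the default block before any pass rule is considered.
rdr on $wan_if inet proto tcp from any to $web_pub port $web_ports -> $web_int
pass in quick on $wan_if inet proto tcp from any to $web_int port $web_ports
```

In the pfSense GUI the same result comes from Firewall > NAT > 1:1 or Port Forward, with the associated WAN firewall rule created separately, which is why a 1:1 mapping with no matching rule still blocks.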

