3 Interfaces in Bridged Mode?
-
Hello all,
I am going to add a 3rd NIC to my pfSense box, which currently has 2 on-board devices in bridged mode.
I would like to keep it in bridged mode and just add the new NIC to the bridge. Is this possible?
Thanks!
I'd like it to work like this:
VLAN1 ---------- pfSense eth0 --------------- pfSense eth2 (WAN) ----> Upstream Provider
                                            /
VLAN2 ---------- pfSense eth1 --------------/
-
Please use search http://forum.pfsense.org/index.php?action=search key words 3 interface bridge = http://forum.pfsense.org/index.php/topic,5907.0.html
-
Please use search http://forum.pfsense.org/index.php?action=search key words 3 interface bridge = http://forum.pfsense.org/index.php/topic,5907.0.html
Thanks.
So since it's not possible to do this, how would you recommend I configure my pfSense box?
All my servers currently have public IPs assigned to them right now. Would 1:1 NAT be best? Can I do 1:1 NAT for 25 public IPs or so?
-
I never did that (I kind of don't like bridges), but why don't you try to create 2 bridges?
eth0 to eth2
and
eth1 to eth2
I'm not sure if that works, but it's worth a try.
You also could 1:1 NAT your 25 public IPs.
But why waste ports with 1:1 NAT if you can just normally NAT forward the needed ports?
-
I never did that (I kind of don't like bridges), but why don't you try to create 2 bridges?
eth0 to eth2
and
eth1 to eth2
I'm not sure if that works, but it's worth a try.
You also could 1:1 NAT your 25 public IPs.
But why waste ports with 1:1 NAT if you can just normally NAT forward the needed ports?
Thanks for the ideas! I'm not sure how much time I'll have to experiment, as this is a production pfSense box, but I like the idea of 2 bridges.
We have multiple HTTP, SMTP, FTP, VPN servers, so normal NAT doesn't work too well.
-
We have multiple HTTP, SMTP, FTP, VPN servers, so normal NAT doesn't work too well.
Why not?
1:1 NAT doesn't do much else than normal NAT, besides that it forwards ports 0-65535 instead of only the ports you specify.
If it's because you don't want to handle multiple rules:
You can create a port-alias for each server and just use this single port-alias in one forwarding rule.
Then you have 25 normal NAT rules instead of 25 1:1 NAT rules.
Except that you now forward only the ports you really need.
-> You don't expose ports like 139 and 445 to the internet.
-
We have multiple HTTP, SMTP, FTP, VPN servers, so normal NAT doesn't work too well.
Why not?
1:1 NAT doesn't do much else than normal NAT, besides that it forwards ports 0-65535 instead of only the ports you specify.
If it's because you don't want to handle multiple rules:
You can create a port-alias for each server and just use this single port-alias in one forwarding rule.
Then you have 25 normal NAT rules instead of 25 1:1 NAT rules.
Except that you now forward only the ports you really need.
-> You don't expose ports like 139 and 445 to the internet.
pfSense must have much stronger NAT capabilities than my old Zywall.
Even with 1:1 NAT, the firewall doesn't allow ports 0-65535 through right? It only forwards those ports through NAT?
-
Even with 1:1 NAT, the firewall doesn't allow ports 0-65535 through right? It only forwards those ports through NAT?
Yes. That's true.
Even if you 1:1 NAT and you don't create a firewall rule that allows traffic, it will be blocked by the firewall.
I might have exaggerated with saying you expose ports to the internet with 1:1 NAT.
You have separate rulesets for the Firewall and NAT.
But it's still a better approach to have 2 ways of security.
1: the firewall
2: no defined destination for inbound unwanted traffic.
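Added example, not from this thread or from pfSense itself: a small Python model of the two layers the last two replies describe. It assumes the pf order of operations that pfSense runs on (translation via 1:1 NAT or port forward first, then WAN filter rules evaluated against the translated destination, with a default deny) and that pfSense creates a pass rule together with a port forward but not with a 1:1 NAT entry. Every address, port alias and rule below is constructed for the demonstration.

```python
"""
Toy model of inbound handling on a pfSense WAN: translate first (1:1 NAT or
port forward), then filter the translated packet; anything not passed is
dropped. Constructed example; not pfSense code. All IPs/aliases are made up.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class OneToOneNat:
    """1:1 NAT: every port of public_ip is mapped to private_ip."""
    public_ip: str
    private_ip: str

    def apply(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip == self.public_ip:
            return Packet(self.private_ip, pkt.dst_port, pkt.proto)
        return None


@dataclass(frozen=True)
class PortForward:
    """Port forward (pf rdr) limited to the ports listed in an alias."""
    public_ip: str
    private_ip: str
    ports: frozenset

    def apply(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip == self.public_ip and pkt.dst_port in self.ports:
            return Packet(self.private_ip, pkt.dst_port, pkt.proto)
        return None


@dataclass(frozen=True)
class PassRule:
    """WAN filter rule, matched against the translated (internal) destination."""
    dst_ip: str
    ports: frozenset = frozenset()  # empty set means any port

    def matches(self, pkt: Packet) -> bool:
        return pkt.dst_ip == self.dst_ip and (not self.ports or pkt.dst_port in self.ports)


def inbound_decision(pkt: Packet, nat_rules, pass_rules) -> str:
    """'pass', 'blocked' (translated but no pass rule), or
    'no-destination' (nothing inside claims this public ip/port)."""
    translated = next((t for t in (r.apply(pkt) for r in nat_rules) if t), None)
    if translated is None:
        return "no-destination"        # layer 2 in the thread: no defined destination
    if any(r.matches(translated) for r in pass_rules):
        return "pass"
    return "blocked"                   # layer 1 in the thread: the firewall


# Constructed sample: a mail server behind 1:1 NAT, a web server behind a port alias.
WEB_PORTS = frozenset({80, 443})       # port alias for the web server
NAT_RULES = [
    OneToOneNat("203.0.113.10", "10.0.0.10"),             # mail server, 1:1 NAT
    PortForward("203.0.113.11", "10.0.0.11", WEB_PORTS),  # web server, alias forward
]
PASS_RULES = [
    PassRule("10.0.0.10", frozenset({25})),  # admin-written rule: only SMTP to the 1:1 host
    PassRule("10.0.0.11", WEB_PORTS),        # rule pfSense adds alongside the port forward
]


def demo() -> dict:
    """Verdicts for a few inbound probes against the sample config."""
    probes = {
        "smtp_to_1to1": Packet("203.0.113.10", 25),
        "smb_to_1to1": Packet("203.0.113.10", 445),
        "http_to_forward": Packet("203.0.113.11", 80),
        "smb_to_forward": Packet("203.0.113.11", 445),
    }
    return {name: inbound_decision(p, NAT_RULES, PASS_RULES) for name, p in probes.items()}


def demo_with_any_port_rule() -> str:
    """Same 1:1 host, but with an 'allow any port to 10.0.0.10' rule added:
    the firewall layer no longer stops 445, so only the NAT layer would have."""
    rules = PASS_RULES + [PassRule("10.0.0.10")]
    return inbound_decision(Packet("203.0.113.10", 445), NAT_RULES, rules)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} -> {verdict}")
    print(f"smb_to_1to1 with any-port rule -> {demo_with_any_port_rule()}")
```

The two SMB probes show the difference the thread is getting at: with 1:1 NAT the packet is translated and only the firewall rule stops it, so a later "any port" rule on that host silently reopens it; with a port-alias forward there is no translation for port 445 at all, so the packet has nowhere to go regardless of how the filter rules evolve.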