Bridge WAN to LAN

  • I need to set up a WAN to LAN bridge for a transparent firewall/snort. I was looking at the URL https://forum.pfsense.org/index.php/topic,20917.0.html which seems to be based primarily around WiFi etc. I am switching from Untangled to pfSense for the superior feature set but this particular feature seems not so obvious to set up. The server this is installed on has 4 NIC ports. The configuration needs to look like this:

    NIC1 -> WAN
    NIC2 -> LAN(WAN) (WAN filtered by FW/SNORT) - servers on this side use global IPs
    NIC3 -> LAN3 preferably accessible to a VPN USER A thru WAN
    NIC4 -> LAN4 preferably accessible to a VPN USER B thru WAN

    VPN USER C would have unfiltered access to the WAN.

    Perhaps it's my lack of verbiage that I'm not finding anything specific via Google, so I figured I'd ask under a new thread.

    Suggestions?

  • NIC1 -> WAN

    Configure it as a WAN port, as you need or are able to, over PPPoE or with a static public IP address.

    NIC2 -> LAN(WAN) (WAN filtered by FW/SNORT) - servers on this side use global IPs

    Let's call it the DMZ port; behind this port the DMZ switch usually sits, connected to one or more
    servers with a public Internet connection. Configure it as the DMZ port with matching rules for
    WAN - DMZ and DMZ - LAN and vice versa. I suggest using 1:1 NAT and virtual IP addresses (VIPs),
    and then setting up Snort on the WAN port to filter and sniff all network traffic, or setting it up
    on the DMZ port, in which case it would only filter and sniff the WAN - DMZ traffic.

    NIC3 -> LAN3 preferably accessible to a VPN USER A thru WAN

    This could be a VLAN or its own subnet with its own IP address range, like:

    If a LAN switch with VLAN support is connected:
    • VLAN10 - PCs - 192.168.3.0/24 (255.255.255.0)

    If a LAN switch without VLAN support is connected:
    • 192.168.3.0/24 (255.255.255.0)

    NIC4 -> LAN4 preferably accessible to a VPN USER B thru WAN

    If a LAN switch with VLAN support is connected:
    • VLAN20 - PCs - 192.168.4.0/24 (255.255.255.0)

    If a LAN switch without VLAN support is connected:
    • 192.168.4.0/24 (255.255.255.0)

    VPN USER C would have unfiltered access to the WAN.

    Set up and configure OpenVPN as follows:

    • 3 different OpenVPN instances (each with its own IP)
      – the first one (A) gets a route only to VLAN10, or to the whole subnet (CIDR) 192.168.3.0/24
      – the second one (B) gets a route only to VLAN20, or to the whole subnet (CIDR) 192.168.4.0/24
      – the third one (C) gets full access to the entire LAN, I mean all subnets (CIDR) or all VLANs, handled
        by rules or routes.

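The three-instance OpenVPN layout described in the reply above, written out as an added configuration example (it is not taken from the thread or from pfSense's own documentation). Tunnel networks 10.8.1.0/24, 10.8.2.0/24 and 10.8.3.0/24, the UDP ports, the pfSense-assigned interface names ovpns1/ovpns2/ovpns3 and the WAN interface name em0 are all assumptions; substitute whatever your box uses. The point the rules part makes is the one a practitioner tends to miss: a pushed route only tells the client what to send into the tunnel, so the separation between user A, user B and user C is enforced by the firewall rules on each tunnel interface, not by the routes.

```conf
# ---- OpenVPN server instance A (pfSense: VPN > OpenVPN > Servers) ----
# Assumed: UDP/1194, tunnel 10.8.1.0/24. Client A is pushed LAN3 only.
server 10.8.1.0 255.255.255.0
push "route 192.168.3.0 255.255.255.0"
# no redirect-gateway: A's Internet traffic is not sent through the tunnel

# ---- OpenVPN server instance B ----
# Assumed: UDP/1195, tunnel 10.8.2.0/24. Client B is pushed LAN4 only.
server 10.8.2.0 255.255.255.0
push "route 192.168.4.0 255.255.255.0"

# ---- OpenVPN server instance C ----
# Assumed: UDP/1196, tunnel 10.8.3.0/24. Client C is pushed both LANs and
# a default route, so its Internet traffic exits the pfSense WAN unfiltered.
server 10.8.3.0 255.255.255.0
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"
push "redirect-gateway def1"

# ---- pf rules on the tunnel interfaces (pf.conf syntax; in the pfSense GUI these
# are the per-interface rules under Firewall > Rules for the assigned OpenVPN
# interfaces). Routes are client-side hints only; these rules do the enforcing.
# Interface names ovpns1/ovpns2/ovpns3 are assumptions.
pass  in quick on ovpns1 inet from 10.8.1.0/24 to 192.168.3.0/24 keep state
block in quick on ovpns1 inet from 10.8.1.0/24 to any            # A: nothing else

pass  in quick on ovpns2 inet from 10.8.2.0/24 to 192.168.4.0/24 keep state
block in quick on ovpns2 inet from 10.8.2.0/24 to any            # B: nothing else

pass  in quick on ovpns3 inet from 10.8.3.0/24 to any keep state # C: everything

# ---- Outbound NAT for C's Internet traffic (only needed if outbound NAT is in
# manual mode and does not already cover the tunnel network; em0 = assumed WAN).
nat on em0 inet from 10.8.3.0/24 to any -> (em0)
```

The block rules on ovpns1 and ovpns2 also stop A from reaching B's subnet (and vice versa) through pfSense, which the pushed routes alone would not prevent once a client adds its own static route. If the two instances share one certificate authority, add a distinct `remote-cert-tls`/common-name check per instance (or separate CAs) so a user A certificate cannot simply be pointed at instance C's port.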