I know there are many forum topics on this subject, so I apologise in advance if my questions have been answered previously.
Despite much research I have a few outstanding questions in regards to transparent firewalls with pfSense.
- I'm in a situation where I must use the ISP-provided modem/router for routing, NAT & DHCP
- I've got a SG-2440 (4 NICs) running pfSense 2.2.6
- Use pfSense as a transparent firewall between the ISP-provided router and the network switch
- NTP service
- Block certain internal hosts from accessing outside IPs and ports
I have had (some) success with the following 2 NIC setup on SG-2220:
- Bridge WAN and LAN
- Assign Bridge Interface and configure static IP
- Set net.link.bridge.pfil_bridge = 1
- Apply desired FW Rules against Bridge IF
- Use Bridge Interface IP for Management, OpenVPN, NTP Service
However, now I also have a SG-2440 (4 physical NICs) that also needs to be set up as a transparent FW. (Eliminating the ISP-provided modem/router is not an option.)
Questions (pros and cons):
- Do I need to assign a Bridge Interface and why? (I know I need to do so if I only have 2 NICs, e.g. SG-2220, for management purposes)
- Do any of the bridge members need an IP address assigned? If so, why? I'd like to use a third NIC for management and OpenVPN.
- What's the advantage of filtering against the Bridge Interface (net.link.bridge.pfil_bridge = 1) vs Member Interfaces ( net.link.bridge.pfil_member = 1) Why not use both/neither?
- Will Snort Work if neither Bridge nor Member Interfaces have IP address assigned?
- Is it OK to run OpenVPN on the Management Interface ( ISP provided Router -> port forward -> to pfSense Management Interface)?
- Does it make more sense to assign an IP to the Bridge Interface (or Member IF) and run OpenVPN on that IP ?
- Which Interfaces need to be Bridged ? In another forum I've read that I shouldn't bridge the LAN IF ?
Thanks in advance for suggestions.
Rephrasing my question(s), hoping to attract some replies….
( Router --> WAN & LAN Bridged --> Network Switch)
With a transparent firewall setup (WAN & LAN bridged), would it make sense to run an OpenVPN server instance on the management interface (OPT1), or should I assign an IP address to one of the bridge members and run OpenVPN there (e.g. WAN or LAN)?
This would imply that the packet filter operates on Bridge Members ( net.link.bridge.pfil_member = 1)
Alternatively - would it be a better idea to assign an Interface and IP to Bridge0 and run OpenVPN on that?
This would imply that the packet filter operates on the Bridge Interface (net.link.bridge.pfil_bridge = 1)
If I also want to run Snort on the transparent firewall, which interface should have an IP address? WAN, LAN or Bridge?
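The two sysctls asked about above (net.link.bridge.pfil_bridge and net.link.bridge.pfil_member) decide where pf sees bridged frames, and that in turn decides which interface tab the rules belong on. The following script is an added example, not part of the original thread or of pfSense itself: it reads a `sysctl net.link.bridge` dump (the sample dump below is constructed for the demo, with values chosen to match pfSense's shipped defaults of pfil_member=1, pfil_bridge=0) and reports the resulting filter mode plus the caveat that goes with it, based on the semantics documented in FreeBSD's if_bridge(4). On a real box you would feed it `sysctl net.link.bridge` output instead of the sample string.

```shell
# Constructed sample of a `sysctl net.link.bridge` dump from a
# FreeBSD/pfSense box. Assumption for the demo: pfSense defaults
# (filter on members, not on bridge0, IP-only filtering).
SAMPLE_SYSCTL='net.link.bridge.ipfw: 0
net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.ipfw_arp: 0'

# Extract one value from a "key: value" sysctl dump.
#   $1 = dump text, $2 = full sysctl name
sysctl_val() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k":" { print $2; exit }'
}

# Map the two pfil sysctls to where pf filters bridged traffic.
#   $1 = pfil_bridge, $2 = pfil_member; prints bridge|member|both|none
bridge_filter_mode() {
    case "$1$2" in
        10) echo bridge ;;
        01) echo member ;;
        11) echo both ;;
        00) echo none ;;
        *)  echo unknown; return 1 ;;
    esac
}

# Human-readable report for a dump: the mode and the caveat it implies.
report() {
    dump=$1
    pb=$(sysctl_val "$dump" net.link.bridge.pfil_bridge)
    pm=$(sysctl_val "$dump" net.link.bridge.pfil_member)
    onlyip=$(sysctl_val "$dump" net.link.bridge.pfil_onlyip)
    mode=$(bridge_filter_mode "$pb" "$pm")
    echo "filter mode: $mode"
    case "$mode" in
        bridge) echo "put rules on the bridge0 tab; WAN/LAN tabs are not consulted for bridged frames" ;;
        member) echo "put rules on the WAN and LAN tabs; a bridge0 tab is not consulted" ;;
        both)   echo "each bridged packet is filtered on the member AND on bridge0; rule sets must agree" ;;
        none)   echo "WARNING: pf does not filter bridged traffic at all" ;;
    esac
    if [ "$onlyip" = "1" ]; then
        echo "pfil_onlyip=1: non-IP frames (e.g. ARP) cross the bridge without touching pf"
    fi
    return 0
}

report "$SAMPLE_SYSCTL"
```

Setting both sysctls to 1 is legal but means every packet is matched twice, so a rule allowed on WAN can still be dropped by a bridge0 rule (and vice versa); setting both to 0 leaves the bridge unfiltered, which is the one combination a transparent firewall must never end up in.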
Why can't you put the modem in bridge mode? Usually that is what is done. I do that on all my setups.
Thank you for your suggestion. I have tried that option but unfortunately that caused problems with our VOIP phones.
We're on a business plan which requires ISP provided Router and VOIP phones to be used - not only to receive support - but more importantly for the phones to work.
I'm not familiar with all the technical details, but there are apparently some tweaks in the custom firmware of the ISP-provided Netgear modem which cannot be easily reproduced in BYO hardware.
Essentially the ISP does this to avoid a support nightmare.
If it was up to me I'd eliminate the ISP-provided router altogether.
Well, that does break things down a bit more.
Unfortunately I don't know if there is a way to transparently bridge and still firewall the traffic.
Maybe look into the modem and see if there is a way to bridge a specific port?
Maybe use another modem specifically for internet traffic?
If you don't need to forward traffic you could just double NAT. Basically put the firewall up and let it use a designated IP by the modem and maintain your own network for internet traffic or do a 1:1 NAT which is listed under NAT.
I did find this in a quick search…
so apparently it's possible, I've never tried it.
Thanks again Visseroth.
I have configured my 2 NIC SG-2220 as described here:
Basically I've bridged WAN & LAN, assigned an IP address to the bridge interface and specified a gateway.
An alternative 2 NIC setup is described by William Tarrh here:
He has used the WAN interface for Management and to obtain updates etc. ( see page 13 )
To throw in a third option it is possible on 4 NIC appliance (SG-2440) to Bridge WAN & LAN and run Management on the OPT1 Interface.
As you can see there are 3 (possibly more) options to set up a transparent FW.
I'd just like to understand why I should prefer one option over another?
Would I still be able to run Snort on a bridge IF that does not have an IP address assigned?
Would it make more sense to run OpenVPN on WAN or Bridge Interface ?
So I found a similar lack of current/relevant discussions on this myself. I have an XG-1540 (4 ports) bridging LAN<->WAN. I chose this design as we currently have a Cisco 4431 ISR configured to do the inter-VLAN routing and NAT, and I wanted as little disruption to our network as possible.
I was able to get Snort working correctly on WAN (blocking in), LAN (blocking both) and Bridge0 (blocking both) without the need to assign an IP address to any of the devices. I chose specific categories for WAN (mostly just ET drop lists and Snort VRT drop list categories) but opted for an IPS policy of SECURITY for the bridge and LAN.
I have since removed the LAN from snort interfaces as it was probably redundant though I did see some alerts from it that did not show on bridge and the reverse.
I did finally assign the bridge an IP address that falls within one of our /29 public address spaces so that I could configure unbound resolver which is necessary for DNSBL, but it was not required for snort to work.
To get this to work I have a public IP in the broadcast domain that the WAN interface of my ISR and gateway to our ISP reside. This works exceptionally well.
I currently have pfsense running the following:
- snort on wan and bridge
- pfblockerng with DNSBL enabled (listening on LAN) and several list feeds blocking advert networks (this rawks!) as well as other known baddies (CINS, spamhaus, blocklist.de, etc).
- squid proxy server (was unable to get this to work as transparent proxy so I opted for wpad.dat deployment via internal dhcp and dns)
- squidguard using the default blacklists.tgz
This is all still a work in progress.