Transparent Firewall over Public Class C



  • Hi everybody,

    I have the following project with a client:

    They need to add a firewall to their existing network (public class /24) and thought of pfSense for it.
    I have experience setting up pfSense, but as usual (WAN / LAN / NAT), not in "bridge" mode, which I think is what it would take to do this.

    They are connected to the Internet by a fibre line. The router connects to a network switch which then connects to all the servers and PCs here, which have fixed IP addresses, but there is also a hidden wireless connection with DHCP for mobile devices. There is no NAT.

    Future:
    We would like help in setting up a boundary firewall server to go between the router and the network switch (I attached a diagram so you can see it better).

    It's not possible to change to a WAN/LAN network.
    I would prefer to leave the server IPs alone; several of the servers will have routing information, whitelists, scripts, etc. built into them which reference the public IP, and I wouldn't want to have to change all of these in addition to changing from public to private IP addresses.

    What is the best way to do this? Can you configure pfSense in transparent mode on the "WAN" network?

    I'm grateful if you can help me with this.

    Regards
    ![Firewall Current.JPG](/public/imported_attachments/1/Firewall Current.JPG)
    ![Firewall Future.JPG](/public/imported_attachments/1/Firewall Future.JPG)


  • Rebel Alliance Global Moderator

    So this current public /24 is routed to them via some transit network?  What is the make and model of the router you have in the picture?  It has a fiber card/SFP that plugs into it?

    Why could you not just replace this router with pfSense and do the same routing of their public /24?  pfSense does not have to NAT the connection if it is really a routed /24 that they have.

    Is what you're calling a router really just a modem, and they just have a /24 in a leg of the ISP?  Where is the gateway for this /24? Is it an interface on the router, or is it at the ISP?



  • Thanks for the reply johnpoz.

    @johnpoz:

    So this current public /24 is routed to them via some transit network?  What is the make and model of the router you have in the picture?  It has a fiber card/SFP that plugs into it?

    They are connected to the Internet by a fibre line connected to the router. The router connects to a network switch which then connects to all the servers and PCs here, which have fixed IP addresses. There is no NAT.
    I don't have the exact router model yet; I'll get this.

    @johnpoz:

    Why could you not just replace this router with pfSense and do the same routing of their public /24?  pfSense does not have to NAT the connection if it is really a routed /24 that they have.

    The customer is a little difficult ;) and does not want to change the current network model, just add a transparent firewall, and cannot have downtime.

    @johnpoz:

    Is what you're calling a router really just a modem, and they just have a /24 in a leg of the ISP?  Where is the gateway for this /24? Is it an interface on the router, or is it at the ISP?

    Yes, really just a modem. The gateway is xxx.xxx.xxx.1, which is at the ISP.

    If we can't make the firewall transparent, my preference would be to leave the server IPs alone and only change their gateway IP setting on the servers; several of the servers will have routing information, whitelists, scripts, etc. built into them which reference the public IP, and I wouldn't want to have to change all of these in addition to changing from public to private IP addresses.

    Sorry for my bad English ;). Regards


  • Rebel Alliance Global Moderator

    You didn't answer the question: is this /24 routed to you, or is it just a leg in the ISP network? There is a HUGE difference.  If it is actually routed, then you could replace that router with pfSense completely, keeping everything the same.  This is a much better option than a bridge setup.

    Yes, it is possible to set up pfSense in completely transparent mode.  IMHO it would be better to let it do the routing and just replace that old router if possible.

    So again, where does the gateway of the devices point to? An IP that is on that router's LAN side, or some IP that is out on the Internet at your ISP?  What is the response time from a client if it pings its gateway?  If it's on your router it should be sub 2 ms for sure. If it's out on the ISP network, then it is most likely going to be something a bit higher than that.

    If you're going to go the bridge road, you're really going to want a 3rd NIC in pfSense IMHO to manage pfSense with.  But yes, you create a bridge between 2 interfaces, connect one to your router and the other to your switch where the router was connected.  Documentation of this sort of setup is dated and sparse. You might want to buy the book (gold membership); pretty sure it's covered in there.

    Use of pfSense as fully transparent is a more complex setup as well.  I really would just replace that router if your /24 is routed to you.  That any company puts their network directly on the Internet using only host-based firewalls is also just beyond crazy if you ask me.



    Sorry John,
    it's not clear, but I think it is just a modem.

    I have this data:

    We are connected to the Internet by a fibre line. The traffic on this is currently limited to 10Mb/s. The router connects to a network switch which then connects to all the servers and PCs here.  All servers (and most PCs) have fixed IP addresses.  There is no NAT.

    The gateway is xxx.xxx.xxx.1/24

    *ping to gateway:
    PING X.X.X.1 (X.X.X.1): 56 data bytes
    64 bytes from X.X.X.1: icmp_seq=0 ttl=255 time=0.388 ms
    64 bytes from X.X.X.1: icmp_seq=1 ttl=255 time=0.351 ms
    64 bytes from X.X.X.1: icmp_seq=2 ttl=255 time=0.373 ms

    --- X.X.X.1 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.351/0.371/0.388/0.015 ms

    *trace to 8.8.8.8
    1  x.xi..x (X.X.X.1)  0.546 ms  0.358 ms  0.399 ms
    2  X.X.X.162 (X.X.X.162)  31.114 ms  10.138 ms  10.448 ms
    core1-te0-12-0-4.ilford.ukcore.bt.net (X)  19.586 ms  19.061 ms  20.275 ms
    peer5-te0-0-0-14.telehouse.ukcore.bt.net (109.159.254.50)  18.856 ms  17.505 ms  17.655 ms
    5  109.159.253.67 (109.159.253.67)  17.192 ms  19.288 ms  17.211 ms
    6  64.233.175.223 (64.233.175.223)  18.269 ms
        64.233.174.87 (64.233.174.87)  17.066 ms  17.019 ms
    7  209.85.247.13 (209.85.247.13)  20.193 ms
        209.85.142.177 (209.85.142.177)  22.557 ms
        216.239.58.85 (216.239.58.85)  19.469 ms
    google-public-dns-a.google.com (8.8.8.8)  18.232 ms  18.651 ms  18.229 ms

    @johnpoz:

    If you're going to go the bridge road, you're really going to want a 3rd NIC in pfSense IMHO to manage pfSense with.  But yes, you create a bridge between 2 interfaces, connect one to your router and the other to your switch where the router was connected.  Documentation of this sort of setup is dated and sparse. You might want to buy the book (gold membership); pretty sure it's covered in there.

    I have 2 NICs (WAN-LAN), but should both be assigned public IPs?
    If I set up a bridge between the two, it would create a loop for me.


  • Rebel Alliance Global Moderator

    Well, that you ping the client's gateway and get sub-1 ms pretty much tells me that it is local and your /24 is routed to you.  Can you access that router?  What is its make and model?

    Once you can look at the setup of that router you will know for sure if it is a routed network, because the WAN of that router will have a different network on it (transit network).  If it's routed to you, then it is very easy to just swap in pfSense, keeping their public /24 on the pfSense LAN.

    That second hop,
    2  X.X.X.162 (X.X.X.162)
    would be the transit network to the ISP.  So I would assume that the x.x.x.162 network is small.

    .162 falls in line with a /30 (typical transit network), so your WAN IP on that router is more than likely .161.

    If that is the case, dude, you're golden and you can just swap in pfSense, or you could even put pfSense behind it with a transit network between that router and pfSense, if you have access to that router.  But I would just replace that router with pfSense like attached.
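    The two checks johnpoz applies above (a sub-2 ms RTT to the gateway means it sits on the local wire, and a second traceroute hop outside the public /24 is the transit network, which on a /30 leaves exactly one other usable address as the router's likely WAN IP) can be scripted against the ping and traceroute output the OP pasted. The block below is an added example, not code from the thread or from pfSense; the ping and traceroute text is constructed to mirror the OP's redacted output and uses RFC 5737 documentation addresses (198.51.100.0/24 as the "public /24", 203.0.113.160/30 as the transit) in place of the client's real IPs, and the 2 ms threshold and the /30 assumption are johnpoz's rules of thumb, not facts read from the network.

```python
import ipaddress
import re

# Constructed sample output modelled on the OP's posts; documentation addresses only.
PING_LOCAL_GW = """PING 198.51.100.1 (198.51.100.1): 56 data bytes
64 bytes from 198.51.100.1: icmp_seq=0 ttl=255 time=0.388 ms
64 bytes from 198.51.100.1: icmp_seq=1 ttl=255 time=0.351 ms
64 bytes from 198.51.100.1: icmp_seq=2 ttl=255 time=0.373 ms
"""

# Constructed counter-example: what the same ping would look like if the
# gateway lived on the ISP side of the fibre (a "leg of the ISP" /24).
PING_REMOTE_GW = """PING 198.51.100.1 (198.51.100.1): 56 data bytes
64 bytes from 198.51.100.1: icmp_seq=0 ttl=254 time=8.112 ms
64 bytes from 198.51.100.1: icmp_seq=1 ttl=254 time=7.964 ms
64 bytes from 198.51.100.1: icmp_seq=2 ttl=254 time=8.301 ms
"""

TRACEROUTE = """ 1  gw (198.51.100.1)  0.546 ms  0.358 ms  0.399 ms
 2  203.0.113.162 (203.0.113.162)  31.114 ms  10.138 ms  10.448 ms
 3  core1.example.net (203.0.113.5)  19.586 ms  19.061 ms  20.275 ms
"""

RTT_RE = re.compile(r"time=([\d.]+) ms")
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\(([\d.]+)\)")


def gateway_rtts(ping_text):
    """All per-packet round-trip times (ms) found in ping output."""
    return [float(m) for m in RTT_RE.findall(ping_text)]


def gateway_is_local(ping_text, threshold_ms=2.0):
    """johnpoz's rule: a gateway on the local router answers in well under 2 ms."""
    rtts = gateway_rtts(ping_text)
    return bool(rtts) and max(rtts) < threshold_ms


def traceroute_hops(trace_text):
    """Map hop number -> responding IP address from traceroute output."""
    hops = {}
    for line in trace_text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops[int(m.group(1))] = ipaddress.ip_address(m.group(2))
    return hops


def infer_transit(second_hop, prefixlen=30):
    """Assume the second hop sits on a /30 transit link (assumption, per the thread)
    and return (transit network, the other usable address = likely router WAN IP)."""
    net = ipaddress.ip_network(f"{second_hop}/{prefixlen}", strict=False)
    peers = [a for a in net.hosts() if a != second_hop]
    return net, (peers[0] if peers else None)


def assess(ping_text, trace_text, public_net):
    """Combine both checks into a verdict on whether the /24 is routed to the site."""
    public_net = ipaddress.ip_network(public_net)
    hops = traceroute_hops(trace_text)
    gw, second = hops.get(1), hops.get(2)
    result = {
        "gateway": gw,
        "gateway_in_public_net": gw is not None and gw in public_net,
        "gateway_local": gateway_is_local(ping_text),
        "transit_net": None,
        "likely_router_wan_ip": None,
    }
    # Routed /24: gateway answers locally AND the next hop is on a different
    # (transit) network, which is what a router with its own WAN link produces.
    if result["gateway_local"] and second is not None and second not in public_net:
        result["transit_net"], result["likely_router_wan_ip"] = infer_transit(second)
        result["verdict"] = "routed"
    else:
        result["verdict"] = "isp-leg-or-unknown"
    return result


if __name__ == "__main__":
    for label, ping in (("local gateway", PING_LOCAL_GW), ("remote gateway", PING_REMOTE_GW)):
        r = assess(ping, TRACEROUTE, "198.51.100.0/24")
        print(label, r["verdict"], r["transit_net"], r["likely_router_wan_ip"])
```

    With the constructed sample the first run reports "routed" with transit network 203.0.113.160/30 and a likely router WAN address of 203.0.113.161, exactly the .162/.161 reasoning in the post; the second run, with ~8 ms to the gateway, refuses to call it routed. A verdict of "routed" is the evidence for swapping pfSense in as the router; it is still only an inference until someone logs into the existing router and reads its WAN address.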




    This forum is amazing (you guys are!). You come up with a solution even without getting answers to your questions!
    And that's NOT meant ironically. (…recently someone was complaining because I forgot the smileys or /sarcasm tags)

    May I vote for a "new notation":  pu.bl.ic.1 /24  ;D