Transparent Firewall Assistance - pfSense accessing internet for updates



  • Hi,
I have a pfsense set up as a transparent firewall as added security on one of my internal networks, with the goal of leveraging primarily pfBlocker and Snort as well as more constrained firewall rules (that last point arguably could be done on this unit or on the main NAT firewall, which is a Barracuda Networks unit that I use as firewall/IPS/WebFilter/AntiVirus for our various internal networks). I have a very consistent config as found on other posts I researched on the forum (i.e., summarized here: https://forum.pfsense.org/index.php?topic=68924.msg378425#msg378425).

    The challenge I have is that the pfsense unit itself is not able to access the WAN / internet for updating databases and blocklists or updating the firmware (or packages).

The unit is operating transparently on 192.168.1.0/24 and the mgt IP is set up on 192.168.2.1, and I have another vm guest window open that I use to regularly access the pfsense box while I adjust the exceptions list / whitelists over time for this network to run what's needed.

Any thoughts on how to do this? One of the older guides I read also indicated this as an issue, but I assume in the time since others have solved it who are far more capable than I...

    Thank you!

    EDIT:
To add a little more detail, the rule set I use may be an area to focus on. WAN has the no bogon/private network default rules and a block all rule (does not affect traffic on this network); the LAN rule set is largely a carry-over from when I was using it in double NAT mode (pfBlocker rules followed by specific hosts for email and various services, general open for 80/443/NTP, followed by a Block All). I've had to change the "source" in the LAN rules for LAN traffic to "any" in order for this traffic to pass (perhaps this is the Bridge interface as the source?). The Bridge interface is running with pfBlocker rules followed by a couple of specific rules for the VM that runs on the bridge interface, followed by a block all. As you can see, I'm working my way through this with a little trial and error...
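A small first-match rule evaluator, added here as an illustration and not code from the original post or from pfSense itself, showing why the order of the LAN rule set described above matters and what changing a rule's source from the LAN subnet to "any" does. pfSense evaluates rules top to bottom and the first match wins, so a packet whose source is outside the subnet named in the pass rules (here, the 192.168.2.1 management address, assumed for the example to be the source of the firewall's own update traffic) falls through to the final block-all. The blocklist network, mail-host address and the "internet" destination are constructed test addresses.

```python
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Rule:
    """One firewall rule in the order it appears in the rule set."""
    action: str          # "pass" or "block"
    src: str             # CIDR network or "any"
    dst: str             # CIDR network or "any"
    proto: str           # "tcp", "udp" or "any"
    dport: Optional[int] # destination port, None means any port
    label: str           # descriptive name used in results


def _net_matches(spec: str, addr: str) -> bool:
    """True when addr falls inside spec ("any" matches everything)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def first_match(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """Return the label of the first rule matching the packet (first match wins).

    If nothing matches, pfSense applies its implicit default deny, which is
    reported here as "implicit-deny".
    """
    for rule in rules:
        if (_net_matches(rule.src, src)
                and _net_matches(rule.dst, dst)
                and rule.proto in ("any", proto)
                and (rule.dport is None or rule.dport == dport)):
            return rule.label
    return "implicit-deny"


def lan_rules(lan_source: str) -> List[Rule]:
    """Constructed rule set mirroring the order described in the post:
    pfBlocker block rules, specific hosts, general 80/443/NTP, then Block All.

    lan_source is the "source" field of the pass rules: the LAN subnet
    ("192.168.1.0/24") or "any".
    """
    blocklist_net = "203.0.113.0/24"   # constructed stand-in for a pfBlocker list
    mail_host = "198.51.100.25"        # constructed stand-in for the mail server
    return [
        Rule("block", "any", blocklist_net, "any", None, "pfblocker-block"),
        Rule("pass", lan_source, mail_host, "tcp", 25, "pass-mail"),
        Rule("pass", lan_source, "any", "tcp", 80, "pass-web"),
        Rule("pass", lan_source, "any", "tcp", 443, "pass-web"),
        Rule("pass", lan_source, "any", "udp", 123, "pass-ntp"),
        Rule("block", "any", "any", "any", None, "block-all"),
    ]


if __name__ == "__main__":
    internet_host = "198.51.100.10"    # constructed "internet" destination
    lan_client = "192.168.1.50"        # a host on the transparent segment
    mgmt_ip = "192.168.2.1"            # the firewall's own management address

    strict = lan_rules("192.168.1.0/24")
    loose = lan_rules("any")
    # A LAN client reaches HTTPS either way; the management IP only does so
    # once the source is widened to "any", and the blocklist wins regardless.
    print(first_match(strict, lan_client, internet_host, "tcp", 443))
    print(first_match(strict, mgmt_ip, internet_host, "tcp", 443))
    print(first_match(loose, mgmt_ip, internet_host, "tcp", 443))
    print(first_match(loose, lan_client, "203.0.113.7", "tcp", 443))
```

The point the evaluator makes visible is that widening the source to "any" lets traffic that originates from outside the LAN subnet pass the general 80/443/NTP rules, which is broader than a rule scoped to the specific address that actually needs it; the blocklist rule, placed first, still takes precedence over every pass rule below it.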