Transparent and public IP

  • I have given it a shot on setting up transparent mode with public static-ip on the FW/network.

    I have a WAN-side with a public IP. Lan side does not have a IP. And that seems correct.

    However, I suspect that something is wrong with the bridge. I have created a bridge (in order to make it work transparent-mode, as far as I have read here) with WAN and LAN inside the bridge. But shouldn't I somehow have the IP address on the bridge interface and not the WAN? Or is there some magic going on that makes the WAN interface correct just by having created a bridge.

    If the bridged interface should have the IP and not the WAN, my follow-up question is how the fw rules would look like (in order to have rules both for incoming and outgoing traffic).

    Attached two screenshots of interfaces and bridge-page.

  • LAYER 8 Global Moderator

    So how many public IPs do you have?  Is this IP space not routed to you and that is why you want to bridge it?

    Yes normally pfsense IP would be on the bridge itself.  But if what your wanting is a transparent to a public range with stuff behind pfsense on that public range, pfsense could be managed via another interface there wouldn't really even be a need for an IP on the interfaces in or on the bridge, etc..

  • 256 (all on same subnet).

    " Is this IP space not routed to you and that is why you want to bridge it?"

    If I understand what you are getting at now, a bridge is not needed for transparent mode? I can just leave the IP not defined on the LAN-side and the fw operates in gw mode. So I can just go on to define rules to filter wan-lan and lan-wan? That would be the best of course :) I followed this thread and the manual linked there, but perhaps they had different needs: and it is a older version.

    The IP-range is assigned to me. The ISP has their own switch/router in my data center. If I just put the ISP-cable directly into a computer and change ipv4 to use one of the static IPs in the range I'm assigned, it works. So I guess you are indicating that a bridge isn't needed?

    I just have webservers and no private IP. All servers have one dedicated public IP.

  • Since the subnet is brought to you by the ISP router and you can't control the ISP router (?) your options are limited to setting up a bridge just like you have already done. You want to have a public IP on the WAN side of the pfSense but the interface that is bridged to WAN does not need an IP address. Make sure any hosts that are behind the pfSense system in the bridged network use the ISP router as their default gateway or they won't have any connectivity. I would recommend using three interfaces instead of two and bridge WAN<->OPT1 and leave LAN for doing maintenance on the firewall.

  • LAYER 8 Global Moderator

    Not sure why you need an IP in the bridge in such a setup, as long as you can manage pfsense from another interface.  if you want to manage pfsense by some device in the bridged network then yeah you would want want of these /24 IPs on the bridge.

    But as kpa mentions I would just manage pfsense from another interface.

  • It is usefull to be able to manage pfsense from a server on the inside of the network. But that I see that I can rigth now with the setup I have?

    I'm a little confused because OPT1=bridge of WAN+LAN. So how do I "leave" LAN to maintaince, it is already used that way.

    All servers have the ISPs router as their gw. So trying to keep it just like that.

    This is the setup I want to accomplish (each STP-switch 1 and 2 connected to their own LAN-port on the fw and the final server has bounded interface for redundancy). Perhaps this controls what is best practice for the briding? I only have one physical output from ISPs gateway:

    ISP (gateway/WAN) -> firewall LAN eth1 -> switch 1 -> server 1 (software bounded, with ISP gw setting and public ip same as on WAN)
    ISP (gateway/WAN) -> firewall LAN eth2 -> switch 2 -> server 1 (software bounded, with ISP gw setting and public ip same as on WAN)

    Of course, there are a lot more of the servers, just showing how each will be connected :) I want to secure myself from either switch going down, broken cable and network-card going down.
    I plan to use a box with 4 network ports (same model as pfsense sells in rack-edt).

  • I didn't spot that you have assigned the bridge0 as OPT1. That is not necessary because you can filter on the bridge member interfaces just fine. I meant three separate interfaces, WAN, LAN and OPT1. WAN bridged with OPT1 and LAN as the management interface with private RFC1918 addresses. That's how I would do it.

  • LAYER 8 Global Moderator

    ^ yeah that is how I would do it too.. If had to use that method, personally would much rather just have the isp route the /24 to me and let me do whatever I want with it.  Use it as is, break it down into multiple networks, etc. etc..

  • Thank you :)

    If you look at my setup above, I want to supply two switches from two outputs on the fw (lets say opt1=sw1 and opt2=sw2). Would Interface-group be the fastest option or is there something that will give better speed or be more logical? On a FortiGate box I have today, this is called Zone and I assume this is similar. This lets me have only one fw-rule that is valid for letting the same traffic flow on both opt1 and opt2.

    From what I can understand when reading the docs: bridge may be more complex than I need for this and LAGG-interface is only when you have multiple links to same switch (not like here when I have two seperate switches). So Interface-group is the best/only option?

Log in to reply