Matt3
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12

pfSense in Bridged Mode?

Hello all,

I've got a few questions about pfSense. Hopefully someone here can answer them for me.

1) I'm configuring my pfSense FW in bridge mode. As long as I assign a public IP to the WAN port, I can assign public IPs to the clients behind the pfSense box and it will pass through transparently correct? This is how my current firewall works and I'd like to keep this behavior. Does Snort still work in this mode?

2) I have a Microsoft PPTP VPN server that will be behind the pfSense box. I went to the VPN -> PPTP section, and told it to redirect incoming traffic to my VPN server. Do I need to create a firewall rule? The instructions I read said a rule is autocreated (I don't see one), but the image links in the doc were broken.

3) I am running this on an IBM xSeries 306m with SATA drives. BSD bypasses the Adaptec HostRAID, so I didn't bother configuring fake-raid via the controller; I just installed to normal-mode SATA drives. Is there a way I can (either manually or automatically) image the entire drive over to the 2nd, identical drive, for failover in the event that my primary drive dies?

Thanks folks!


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
If you haven't yet looked at the pfsense mail lists and forums, that would be a good source.

Are you really, really sure you want to bridge? Disabling NAT is probably what you want instead.


Matt3
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12
said by graysonf:

If you haven't yet looked at the pfsense mail lists and forums, that would be a good source.

Are you really, really sure you want to bridge? Disabling NAT is probably what you want instead.
I currently have a Zywall Z5 in bridged mode so I'm trying to stay as close to that as possible. The pfSense box is replacing it.

I essentially want the pfSense box to just act as a firewall/IDS, but still allow public IP addresses behind it. I definitely don't want NAT. If I just disable NAT, will that allow for public IP addresses to be assigned to the servers behind the pfSense box, and then I'd just use the pfSense box as my gateway?

I've posted the same message in the pfSense forums, but no response yet. I'm on a bit of a deadline (not my fault) to get these answered before I install the pfSense box tomorrow.

I can figure it out, I'd just rather have any possible issues answered before I actually get on site.


PToN
Premium
join:2001-10-04
Houston, TX
Doing that means that you would have to also install and enforce firewall rules in the other server...

It is better to forward the services that you need from the main router/firewall to the local private IP.

You should be able to add multiple public IPs to the WAN interface..

Then just masquerade the outbound traffic to the respective public IPs..

I think you are looking for trouble by doing it the way you have it right now.. UNLESS you have a very good reason to have it set up that way...


Matt3
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12
said by PToN:

Doing that means that you would have to also install and enforce firewall rules in the other server...

It is better to forward the services that you need from the main router/firewall to the local private IP.

You should be able to add multiple public IPs to the WAN interface..

Then just masquerade the outbound traffic to the respective public IPs..

I think you are looking for trouble by doing it the way you have it right now.. UNLESS you have a very good reason to have it set up that way...
Even in transparent bridge mode, I still have to create firewall rules to allow inbound traffic. By default the firewall blocks all traffic according to the pfSense transparent bridge HOWTO.

If I go with just disabling NAT, the firewall still blocks all unsolicited inbound traffic, correct?

I do have a good reason to not use NAT: it breaks our application and wreaks havoc with our PPTP server, among other things. I have a /26 so I am not worried about not having enough IP addresses.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
reply to Matt3
said by Matt3:

I currently have a Zywall Z5 in bridged mode so I'm trying to stay as close to that as possible. The pfSense box is replacing it.
Exactly what do you mean by "in bridged mode" ?


PToN
Premium
join:2001-10-04
Houston, TX
reply to Matt3
You can see that by yourself by using nmap on the target IP to see if the rules are being applied... (open, filtered) you are looking for filtered ports.

quote:
If I go with just disabling NAT, the firewall still block all unsolicited inbound traffic correct?

The inbound traffic you tell it to block. Unless pfSense has some default value if none is specified.

Perhaps NAT "breaks" it because not all the required ports are being forwarded...?


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
said by PToN:

Perhaps NAT "breaks" it because not all the required ports are being forwarded...?
NAT alone doesn't break things. The lack of PAT is what makes things appear to be broken.


Matt3
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12
reply to graysonf
said by graysonf:

said by Matt3:

I currently have a Zywall Z5 in bridged mode so I'm trying to stay as close to that as possible. The pfSense box is replacing it.
Exactly what do you mean by "in bridged mode" ?
It has a single (public) IP address and passes the traffic at Layer 2, but inspects it at Layers 3 and 4 to verify it meets a pass or reject rule.

It is a transparent firewall. It doesn't even show in an inbound or outbound traceroute to/from a server. Much harder to hack.
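As an added example (not from this thread and not pfSense's own configuration), here is what the policy described in Matt3's two posts above looks like as a plain pf ruleset on FreeBSD, which is what pfSense drives underneath its GUI: frames cross the bridge at Layer 2, pf filters them on the bridge member interfaces at Layers 3 and 4, everything is blocked by default, and only the PPTP control channel and its GRE tunnel are passed inbound to the VPN server. The interface names and the 203.0.113.0/26 documentation prefix are assumed placeholders, not values from the thread.

```pf
# Added example: transparent (bridged) pf firewall on FreeBSD.
# Interface names and 203.0.113.0/26 addresses are assumed placeholders.
#
# Bridge setup outside pf.conf, so pf sees bridged frames on the members:
#   ifconfig bridge0 create
#   ifconfig bridge0 addm em0 addm em1 up
#   sysctl net.link.bridge.pfil_member=1   # filter on em0 / em1
#   sysctl net.link.bridge.pfil_bridge=0   # do not filter again on bridge0
# Check syntax with "pfctl -nf /etc/pf.conf", then load with "pfctl -f".

ext_if   = "em0"              # member facing the ISP
int_if   = "em1"              # member facing the servers with public IPs
lan_net  = "203.0.113.0/26"   # the public /26 living behind the bridge
pptp_srv = "203.0.113.10"     # Microsoft PPTP server behind the bridge

set skip on lo0

# Default policy: nothing crosses the bridge unless a rule passes it.
# Logging blocked traffic gives a record of what the firewall is refusing.
block in  log all
block out log all

# Servers behind the bridge may initiate outbound connections; the
# replies are matched by the state entry, not by an inbound rule.
pass in  quick on $int_if inet from $lan_net to any keep state
pass out quick on $ext_if inet from $lan_net to any keep state

# Inbound PPTP to the VPN server only: TCP 1723 carries the control
# channel, and GRE (IP protocol 47) carries the tunnelled PPP session.
# GRE has no ports, so that rule can only match on protocol and host.
pass in  quick on $ext_if inet proto tcp from any to $pptp_srv port 1723 \
    flags S/SA keep state
pass in  quick on $ext_if inet proto gre from any to $pptp_srv keep state

# pf states float across interfaces by default, so the same state also
# passes the frame as it leaves on the inner member; these explicit out
# rules make that intent visible and survive an if-bound state policy.
pass out quick on $int_if inet proto tcp from any to $pptp_srv port 1723 \
    keep state
pass out quick on $int_if inet proto gre from any to $pptp_srv keep state
```

Because the box holds no address on the member interfaces, it is invisible to traceroute in either direction, yet still refuses every unsolicited inbound packet that no pass rule covers.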


Matt3
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12
reply to graysonf
said by graysonf:

said by PToN:

Perhaps NAT "breaks" it because not all the required ports are being forwarded...?
NAT alone doesn't break things. The lack of PAT is what makes things appear to be broken.
Or poorly coded NAT/PAT applications ... like the pfSense PPTP NAT issue which completely rules out pfSense in NAT mode. To be fair, most NAT devices don't allow more than one PPTP VPN session (inbound to a server behind the device) if they work with it at all in NAT mode.

Without getting persnickety or seeming ungrateful, I'm not looking for how to configure my network. I am very comfortable with that, I'm just looking for the answers to the questions I asked.

As an aside, I figured out how to completely bork pfSense today. Simply restoring a backed-up firewall ruleset or package backup to "all" renders the box completely unusable. Nice. Even the console menu just shows "XML: object not found" or some such nonsense when you make a selection.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
The lack of advanced capability such as NAT-T doesn't make a product poorly coded.

Rather than getting persnickety, my suggestion to you would be to research the products you are considering well in advance of your need date.

I am sure that the folks who have years invested in things like pfsense, would be highly interested in how you managed to bork it - as if that's never happened before.

And as an aside, sorry, instantaneous replies to forum and mail list posts don't happen over there or anywhere else in the open source world.

Perhaps on your Zywall Z5 is where you need to stay for a while until you can thoroughly evaluate others without regard to schedule pressure.

And yes, I did think about not replying, but decided to do so anyway. We have moderators here if they think I am being out of line.


PToN
Premium
join:2001-10-04
Houston, TX
reply to graysonf
said by graysonf:

said by PToN:

Perhaps NAT "breaks" it because not all the required ports are being forwarded...?
NAT alone doesn't break things. The lack of PAT is what makes things appear to be broken.
My statement was misunderstood...


Matt3
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12
reply to graysonf
said by graysonf:

The lack of advanced capability such as NAT-T doesn't make a product poorly coded.

Rather than getting persnickety, my suggestion to you would be to research the products you are considering well in advance of your need date.

I am sure that the folks who have years invested in things like pfsense, would be highly interested in how you managed to bork it - as if that's never happened before.

And as an aside, sorry, instantaneous replies to forum and mail list posts don't happen over there or anywhere else in the open source world.

Perhaps on your Zywall Z5 is where you need to stay for a while until you can thoroughly evaluate others without regard to schedule pressure.

And yes, I did think about not replying, but decided to do so anyway. We have moderators here if they think I am being out of line.
You are most certainly entitled to your opinion, however much you formed it without knowing the situation.

I did research pfSense well in advance. However, nothing works as it should according to the documentation. I don't know if 1.2 has bugs, or if the product really doesn't do the advanced things I need it to do. The server was released to me two days ago with a set schedule for migration, so I can't help that.

I came here looking for answers to specific questions, but as is typical in most open source communities, instead of just answering the questions that are asked, everyone starts to throw their two cents in about how they think it should be configured without knowing anything about WHY I need a specific configuration.

Anyway, I appreciate the attempt to assist and apologize for you taking my previous post the wrong way.