On 16-9-2011 13:53, Jelmer Baas wrote:
Hello everyone,

We would like to use a pfSense firewall to protect our internet-accessible IP 
range, say 82.94.x.y. I want to be able to define rules about who can access 
what port and what server (i.e., most of our current machines should be reached 
only by a small number of our customers on port 80 and 3389, the rest of the 
Internet must be blocked).

That's normal, works fine.

Because of the number of incoming and outgoing connections I would prefer not 
to use NAT, so each machine has its own 82.94.x.y address, and pfSense would 
have to route the incoming packets to the proper machines.

Go to NAT, Outbound NAT, toggle advanced mode, remove mappings.

This implies my WAN interface would be, for example, 82.94.0.1, and my LAN side 
would have 82.94.0.2, my first server would have 82.94.0.3 and so on.

You cannot use the same subnet on your WAN and LAN unless you bridge the LAN and WAN interfaces in pfSense, after which the firewall rules will apply normally.

However, when I set these values, I'm unable to ping the LAN interface, cannot 
access the config page, etc. All traffic is blocked, and PING and other 
requests to the LAN Side don't even show up in the filter log, but they do show 
up in the pftop option.

Because if you have no NAT mappings it becomes a router, and you cannot use the same subnet on 2 interfaces.

I just found out that when I plug both the LAN and WAN into the same switch, 
the LAN side *is* accessible!

Obviously.

Can anyone tell me if what I want is possible, and if so, how to configure it?

I think you want a filtering bridge: the servers think they are talking directly to the internet, and pfSense is in between filtering traffic.

Assign no address to the LAN interface. Let the WAN have its public address and then bridge the LAN and WAN interfaces under Assign Interfaces, Bridges.

Make sure to add firewall rules on the WAN to allow traffic in and firewall rules on the LAN to let the return traffic from the servers out.

Regards,

Seth
_______________________________________________
List mailing list
http://lists.pfsense.org/mailman/listinfo/list
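The filtering-bridge policy Seth describes, written out as raw pf rules, as an added example that is not part of the thread (pfSense generates its own ruleset from the GUI; this is the equivalent for reference). The interface names em0/em1, the customer addresses and the /24 size of the 82.94.x.y range are assumptions.

```pf
# Added example: pf rules for a filtering bridge with no NAT.
# em0 = WAN (holds the public address, e.g. 82.94.0.1), em1 = LAN
# (no address; bridged with em0). Both names are assumptions.
wan     = "em0"
lan     = "em1"
servers = "82.94.0.0/24"     # assumed size of the page's 82.94.x.y range

# Customers allowed to reach the servers (constructed, RFC 5737 addresses)
table <customers> persist { 203.0.113.10, 198.51.100.0/28 }

set skip on lo0

# No nat/rdr lines at all: frames cross the bridge with their public
# addresses intact. pfSense filters on the bridge members
# (net.link.bridge.pfil_member=1, pfil_bridge=0), so rules name $wan/$lan,
# not bridge0.

# Default deny, logged, so blocked probes show up in the filter log.
block log all

# WAN: only listed customers may open HTTP (80) or RDP (3389) to the servers.
# The floating state this creates also passes the same packets out $lan and
# the servers' replies back through both members.
pass in quick on $wan inet proto tcp from <customers> to $servers \
    port { 80, 3389 } flags S/SA keep state

# LAN: let traffic the servers themselves initiate (DNS, updates) leave,
# which is the rule Seth's advice asks for on the LAN side.
pass in quick on $lan inet from $servers to any keep state
```

Everything not matched (other ports, non-customer sources, anything addressed to the bridge members' own traffic from the outside) falls through to the logged block rule.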
