Seth, Thank you for your quick response. What you describe looks exactly like what I would like to implement!
I'll give it a shot asap. Thanks, Jelmer

> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Seth Mos
> Sent: Friday 16 September 2011 14:14
> To: pfSense support and discussion
> Subject: Re: [pfSense] Help with configuration of pfSense
>
> On 16-9-2011 13:53, Jelmer Baas wrote:
> > Hello everyone,
> >
> > We would like to use a pfSense firewall to protect our internet-accessible
> > IP range, say 82.94.x.y. I want to be able to define rules about who can
> > access what port and what server (i.e., most of our current machines should
> > be reached only by a small number of our customers on port 80 and 3389; the
> > rest of the Internet must be blocked).
>
> That's normal, works fine.
>
> > Because of the number of incoming and outgoing connections I would
> > prefer not to use NAT, so each machine has its own 82.94.x.y address, and
> > pfSense would have to route the incoming packets to the proper machines.
>
> Go to NAT, Outbound NAT, toggle advanced mode, remove mappings.
>
> > This implies my WAN interface would be, for example, 82.94.0.1, and my
> > LAN side would have 82.94.0.2, my first server would have 82.94.0.3 and so
> > on.
>
> You cannot use the same subnet on your WAN and LAN unless you bridge
> the LAN and WAN interface in pfSense, after which the firewall rules
> will apply normally.
>
> > However, when I set these values, I'm unable to ping the LAN interface,
> > cannot access the config page, etc. All traffic is blocked, and PING and
> > other requests to the LAN side don't even show up in the filter log, but
> > they do show up in the pftop option.
>
> Because if you have no NAT mappings it becomes a router and you cannot
> use the same subnet on 2 interfaces.
>
> > I just found out that when I plug both the LAN and WAN into the same
> > switch, the LAN side *is* accessible!
>
> Obviously.
>
> > Can anyone tell me if what I want is possible, and if so, how to configure
> > it?
>
> I think you want a filtering bridge: servers think they are talking
> directly to the internet, pfSense is in between filtering traffic.
>
> Assign no address to the LAN interface. Let the WAN have its public
> address and then bridge the LAN and WAN interfaces under Assign
> Interfaces, Bridges.
>
> Make sure to add firewall rules on the WAN to allow traffic in and
> firewall rules on the LAN to let the return traffic from the servers out.
>
> Regards,
>
> Seth
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
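The filtering bridge Seth describes, written out as an added example in raw pf.conf syntax (the ruleset language underneath pfSense's GUI). This is not code from the thread or from pfSense. The member interface names em0/em1, the bridge setup commands in the comments, the <customers> and <admin> tables and the management ports are assumptions; 82.94.0.1 for the WAN and 82.94.0.3/.4 for the servers follow Jelmer's numbering, and the LAN member carries no address, as Seth advises.

```pf
# Added example (not from the list thread or from pfSense): a hand-written
# pf.conf for a FreeBSD filtering bridge matching Seth's description.
# Assumptions not in the thread: em0 is the WAN member, em1 the LAN member,
# joined as bridge0; customer and admin addresses are constructed placeholders
# from documentation ranges. 82.94.0.1 (WAN) and 82.94.0.3/.4 (servers) follow
# Jelmer's numbering.
#
# Bridge setup happens outside pf (FreeBSD shell, assumed):
#   ifconfig bridge0 create
#   ifconfig bridge0 addm em0 addm em1 up
#   sysctl net.link.bridge.pfil_member=1   # run pf on the member interfaces
# Only the WAN member gets an address; em1 stays unnumbered.

wan     = "em0"
lan     = "em1"
fw_addr = "82.94.0.1"

# Constructed sample data: the customers allowed to reach the servers,
# one management host for the firewall itself, and the bridged servers.
table <customers> { 198.51.100.0/24, 203.0.113.17 }
table <admin>     { 203.0.113.5 }
table <servers>   { 82.94.0.3, 82.94.0.4 }

set block-policy drop
set skip on lo0
# A state created by the WAN rule must also match the same packet leaving
# on the LAN member and the reply arriving on it; floating is pf's default,
# stated here so nobody sets if-bound and wonders why the bridge is dead.
set state-policy floating

# Deliberately no nat/rdr rules: every server keeps its own public address
# and packets are bridged through untranslated.

# Default deny on every interface; log so blocked attempts show up in pflog.
block in log all

# WAN member: only the listed customers reach the servers, and only on
# HTTP and RDP. Everything else from the Internet hits the block above.
pass in quick on $wan proto tcp from <customers> to <servers> \
    port { 80, 3389 } flags S/SA keep state

# The firewall has no LAN address, so it is managed through its WAN address.
# Restrict that to the admin host; otherwise the webGUI faces the Internet.
pass in quick on $wan proto tcp from <admin> to $fw_addr \
    port { 22, 443 } flags S/SA keep state

# LAN member: the servers' replies back to the customers. With floating
# states the WAN rule already covers these packets; this mirrors the
# explicit per-interface "return traffic" rule Seth asks for, and "flags any"
# lets it match non-SYN packets if it is ever the first rule consulted.
pass in quick on $lan proto tcp from <servers> port { 80, 3389 } \
    to <customers> flags any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and confirm with `pfctl -sn` that no NAT rules are present. The security point Seth's reply only implies: once the LAN member has no address, the webGUI and SSH are reachable only on the public WAN address, so a rule limiting who may reach that address is not optional.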
