Hi, I've recently tried a number of variants of setting up pfSense in bridging mode for my small subnet, and I guess here is the state of things as it is now.
Scott was going to fix some of these issues, but I guess it is good to summarize them anyway.

Running in bridging mode, you set 111.111.111.154/29 as the IP on your WAN interface. Your options for LAN are:

1) Leave the LAN IP empty. You're allowed to set the IP empty, but this breaks a lot of rules in the pf tables, as the LAN IP does not exist any more. And a check for this does not seem to be present.

2) Set the LAN IP address to be the same as the WAN IP. This is also allowed, but it breaks the "WAN spoof protection" rule, which does not seem like it can be disabled. I was told "Block traffic from private networks does it", but by my tests it does not.

3) Set the LAN IP address to some fake one; I used 10.25.15.1. In this case it is the closest to being functional. However, it does not identify the LAN subnet right, so firewall rules which include the LAN subnet do not work. There are some lesser items, such as lockout protection not working, and this kind of stuff (all these rules have LAN wrong):

nat on em0 from 10.25.15.0/29 port 500 to any port 500 -> (em0) port 500
nat on em0 from 10.25.15.0/29 to any -> (em0)
pass in quick on em1 proto udp from any port = 68 to 10.25.15.1 port = 67 label "allow access to DHCP server on LAN"
pass out quick on em1 proto udp from 10.25.15.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
block in log quick on em0 from 10.25.15.0/29 to any label "WAN spoof check"
block in log quick on em0 proto udp from any port = 67 to 10.25.15.0/29 port = 68 label "allow dhcp client out wan"
pass in quick from 10.25.15.0/29 to 10.25.15.1 keep state label "anti-lockout web rule"

How would I expect it to work? Leave it empty or set it the same as WAN; I think one or the other should be made to work. WAN spoofing should not be enabled in such a case, and the LAN network should be identified correctly for setting firewall rules.
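As an added example that is not part of the original message: a small Python audit, assuming em0 = WAN and em1 = LAN as in the post, that runs over the ruleset quoted above and flags the two failure modes described, rules addressed to a LAN subnet outside the bridged /29 (option 3) and the WAN spoof check blocking the bridged subnet itself once the LAN IP equals the WAN IP (option 2).

```python
import ipaddress
import re

# The ruleset quoted in the post, with the placeholder LAN 10.25.15.1/29
# (constructed sample input; em0 = WAN, em1 = LAN as in the post).
SAMPLE_RULES = """\
nat on em0 from 10.25.15.0/29 port 500 to any port 500 -> (em0) port 500
nat on em0 from 10.25.15.0/29 to any -> (em0)
pass in quick on em1 proto udp from any port = 68 to 10.25.15.1 port = 67 label "allow access to DHCP server on LAN"
pass out quick on em1 proto udp from 10.25.15.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
block in log quick on em0 from 10.25.15.0/29 to any label "WAN spoof check"
block in log quick on em0 proto udp from any port = 67 to 10.25.15.0/29 port = 68 label "allow dhcp client out wan"
pass in quick from 10.25.15.0/29 to 10.25.15.1 keep state label "anti-lockout web rule"
"""

# IPv4 address or CIDR tokens inside a rule
ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\b")
# "block ... on <if> ... from <src>", the shape of the WAN spoof check
BLOCK_RE = re.compile(r"^block .* on (\S+) .*from (\S+)")


def substitute_lan(rules_text, lan_net, lan_ip):
    """Re-render the sample as if LAN were configured as lan_net/lan_ip,
    so option 2 (LAN IP = WAN IP) can be compared with option 3 (fake LAN)."""
    return rules_text.replace("10.25.15.0/29", lan_net).replace("10.25.15.1", lan_ip)


def audit_bridge_rules(rules_text, wan_cidr, wan_if="em0"):
    """Return (rule, reason) findings for a ruleset on a bridged firewall:
    rules referencing a LAN address outside the bridged (WAN) subnet, and
    WAN-side block rules whose source is the bridged subnet itself."""
    wan_net = ipaddress.ip_interface(wan_cidr).network
    findings = []
    for rule in rules_text.splitlines():
        if not rule.strip():
            continue
        nets = [ipaddress.ip_network(t, strict=False) for t in ADDR_RE.findall(rule)]
        foreign = [str(n) for n in nets if not n.overlaps(wan_net)]
        if foreign:
            findings.append((rule, "references %s, not in bridged %s" % (", ".join(foreign), wan_net)))
        m = BLOCK_RE.match(rule)
        if m and m.group(1) == wan_if and m.group(2) != "any":
            if ipaddress.ip_network(m.group(2), strict=False).overlaps(wan_net):
                findings.append((rule, "blocks the bridged subnet %s inbound on %s" % (wan_net, wan_if)))
    return findings


if __name__ == "__main__":
    for rule, reason in audit_bridge_rules(SAMPLE_RULES, "111.111.111.154/29"):
        print(reason, "<-", rule)
```

Running `audit_bridge_rules` on `substitute_lan(SAMPLE_RULES, "111.111.111.152/29", "111.111.111.154")` reproduces option 2: every LAN reference is now inside the bridged subnet, and the only remaining finding is the "WAN spoof check" rule blocking that subnet on em0.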
