RE: [pfSense-discussion] IPsec tunnel to a transparent bridge
Just as an FYI and to give the creative juices something to consider :-). Other firewall solutions terminate IPSEC on a Layer two firewall, by configuring the tunnel endpoint address on the device as a Cisco-style 'loopback' interface. As you can imagine, this has a lot of advantages.

-----Original Message-----
From: Eugen Leitl [mailto:[EMAIL PROTECTED]]
Sent: 05 October 2008 10:32
To: discussion@pfsense.com
Subject: [pfSense-discussion] IPsec tunnel to a transparent bridge

> Almost a year ago, Chris Buechler told me
> http://www.mail-archive.com/discussion@pfsense.com/msg02426.html
>
> > In a transparent bridge setup, the gateway of the hosts on the bridge isn't going to be pfsense, it'll be something on the outside interface. If you have a routed subnet setup on an OPT interface this will work fine.
>
> Unfortunately, I have only WAN and LAN.
>
> a) Is there a way to set up a routed subnet via Virtual IPs?
> b) Assuming yes, how do I do that?
>
> --
> Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
> ______________________________________________________________
> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[pfSense-discussion] IPsec tunnel to a transparent bridge
Almost a year ago, Chris Buechler told me
http://www.mail-archive.com/discussion@pfsense.com/msg02426.html

> In a transparent bridge setup, the gateway of the hosts on the bridge isn't going to be pfsense, it'll be something on the outside interface. If you have a routed subnet setup on an OPT interface this will work fine.

Unfortunately, I have only WAN and LAN.

a) Is there a way to set up a routed subnet via Virtual IPs?
b) Assuming yes, how do I do that?

--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: [pfSense-discussion] a pair of transparent bridges gotcha
On Sat, Oct 04, 2008 at 05:26:58PM -0400, Chris Buechler wrote:

> Now I'm just as confused. :) You mentioned the problem is that LAN was on a different subnet. Put them on the same network (different from WAN)

What does "them" refer to then?

I presume this is the same problem as
http://forum.pfsense.org/index.php?topic=11531.msg63655

My WAN IPs were from a public /24, my LAN IPs 10.0.0.0/24. With that setup all DNS requests from behind the transparent bridge would time out. I put some random IPs from the public /24 on LAN (different from WAN ones, since that is something FreeBSD doesn't like).

The setup is like this:

    gateway--|  |WAN(FWall1)LAN ---|  |---host1---|
             |  |                  |  |
             |  |WAN(FWall2)LAN ---|  |---host2---|
             |  |                  |  |
             |  |                  |  |---etc.
             |  |                  |  |
             |switch1              |switch2       |switch3

(I know that switch1 is superfluous, since emulatable with VLAN).

> When bridging, the subnet in use on the member interfaces is irrelevant. It won't affect behavior of filtering. There are some

So I thought, too. Apparently, the subnet on LAN is important.

> caveats when bridging LAN, like I would recommend disabling the webGUI antilockout rule.

--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: [pfSense-discussion] a pair of transparent bridges gotcha
On Sun, Oct 5, 2008 at 5:17 AM, Eugen Leitl [EMAIL PROTECTED] wrote:

> I presume this is the same problem as
> http://forum.pfsense.org/index.php?topic=11531.msg63655

That person bought a support contract and we helped him resolve that; his firewall rules weren't set up properly to allow the DNS traffic.

> My WAN IPs were from a public /24, my LAN IPs 10.0.0.0/24. With that setup all DNS requests from behind the transparent bridge would time out. I put some random IPs from the public /24 on LAN (different from WAN ones, since that is something FreeBSD doesn't like).

This sounds like your LAN rule was still set to allow source of the LAN subnet.
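The point Chris makes above is easy to reproduce with a small model of pf rule evaluation. The following is an added example, not code from the thread or from pfSense: it models pf's "last matching rule wins, unless a matching rule is quick" semantics, builds a LAN ruleset whose pass rule uses the LAN interface's own subnet (the "LAN net" macro), and shows that a DNS query from a bridged host using a public address matches no pass rule and is dropped, while the same query passes once the rule's source is the subnet the bridged hosts actually use. All addresses are constructed (RFC 5737 TEST-NET ranges), and the explicit default-deny rule is my modelling assumption for pfSense's implicit block.

```python
# Added example: minimal model of pf-style rule evaluation, used to show why a
# LAN rule whose source is "LAN net" drops traffic from hosts behind a
# transparent bridge that use public addresses. Not pfSense code.
# Addresses are constructed (RFC 5737 TEST-NET ranges), not from the thread.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    iface: Optional[str]   # None = any interface
    src: Optional[str]     # CIDR, or None = any source
    dst: Optional[str]     # CIDR, or None = any destination
    proto: Optional[str]   # "udp"/"tcp", or None = any protocol
    dport: Optional[int]   # destination port, or None = any port
    quick: bool = False    # pf 'quick': stop evaluating on match

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """pf semantics: the last matching rule decides, unless a matching rule is quick.
    With no matching rule at all, pf's implicit verdict is pass."""
    verdict = "pass"
    for r in rules:
        if r.matches(p):
            verdict = r.action
            if r.quick:
                break
    return verdict


def lan_ruleset(lan_net: str) -> List[Rule]:
    """Model of pfSense's LAN rules: an explicit default deny (assumption, standing in
    for pfSense's implicit block) followed by the default 'LAN net -> any' pass rule."""
    return [
        Rule("block", None, None, None, None, None),
        Rule("pass", "lan", lan_net, None, None, None, quick=True),
    ]


# Constructed traffic: a bridged host with a public address (203.0.113.10)
# sends a DNS query through the LAN side of the bridge to an outside resolver.
DNS_QUERY = Packet(iface="lan", src="203.0.113.10", dst="198.51.100.53",
                   proto="udp", dport=53)


def verdict_with_private_lan() -> str:
    # LAN interface addressed from 10.0.0.0/24, so "LAN net" = 10.0.0.0/24.
    # The bridged host's public source address matches no pass rule -> blocked.
    return evaluate(lan_ruleset("10.0.0.0/24"), DNS_QUERY)


def verdict_with_bridged_subnet() -> str:
    # Rule source rewritten to the subnet the bridged hosts really use -> passes.
    return evaluate(lan_ruleset("203.0.113.0/24"), DNS_QUERY)


if __name__ == "__main__":
    print("LAN net = 10.0.0.0/24     :", verdict_with_private_lan())
    print("LAN net = 203.0.113.0/24  :", verdict_with_bridged_subnet())
```

The lesson for a bridged deployment is that the "LAN net" macro expands to the LAN interface's configured subnet, not to whatever the hosts on the far side of the bridge happen to use; when those two differ, the auto-generated LAN rule silently stops matching and DNS times out, exactly as described in the thread. The fix is to write the rule's source as the bridged subnet (or an alias covering it) rather than the interface net.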