avihu
just joined
Topic Author
Posts: 15
Joined: Thu Dec 01, 2016 11:13 pm

Forwarding to pfSense

Mon Jan 11, 2021 3:22 pm

Hello everyone,
I'm trying to add an external firewall to my system (pfSense with Snort IPS).
Right now, when I define the firewall as a bridge, I connect the modem to the pfSense INPUT port and the OUTPUT port to the MikroTik router.
The MikroTik router is responsible for dialing through eth13 and the PPPoE client.
The traffic comes from the modem to the pfSense and then to the MikroTik, but pfSense failed to block.

When I connect the same pfSense bridge to an internal network it works fine; my guess is that it's because it's connected directly to the modem.
Is there a way to fix the situation?

I thought about maybe using eth11 and eth13 to move all the traffic to and from the pfSense:

modem (PPPoE) ------> Mikrotik (eth13)
Mikrotik (eth12) --------> pfsense (in)
pfsense (out) -----------> Mikrotik (eth11)

and change the NAT rule to eth11.
I do not know if it is possible without assigning more addresses; right now I have 3 address spaces and I want to keep it that way.


Thanks
 
sindy
Forum Guru
Posts: 6935
Joined: Mon Dec 04, 2017 9:19 pm

Re: Forwarding to pfSense

Mon Jan 11, 2021 4:07 pm

I would first check whether pfSense is able to extract the IP payload from the PPPoE encapsulation. IP over Ethernet (which the firewall can handle in bridge mode) is not the same as IP over PPP over Ethernet. It might be complicated to block some IP payload without breaking the PPP(oE) functionality.

And the solution with inserting pfSense into the packet path through Mikrotik will work if you attach the LAN IP of the Mikrotik to ether12 and bridge ether11 with the ports to which LAN hosts are connected if the firewall can handle the fact that NAT will be done between its WAN port and the internet.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
avihu
just joined
Topic Author
Posts: 15
Joined: Thu Dec 01, 2016 11:13 pm

Re: Forwarding to pfSense

Mon Jan 11, 2021 4:21 pm

Thanks for the reply.
The pfSense gets connected and sees the connections between the modem and the MikroTik, but fails to block for some reason, neither through Snort nor through the rules in the firewall.
I thought about the solution you offer, but the problem is that I could not make it work because I have 3 more networks in the router:
eth1 192.168.1.0/24
eth2 192.168.2.0/24
eth3 10.0.0.0/24
I want all the traffic for everyone to go through the firewall.
 
sindy
Forum Guru
Posts: 6935
Joined: Mon Dec 04, 2017 9:19 pm

Re: Forwarding to pfSense

Mon Jan 11, 2021 4:35 pm

If you can see multiple individual connections when the PPPoE session passes through the firewall, I'd suppose that it can parse the PPPoE encapsulated IP packets but cannot drop them for the reason I wrote above.

If pfSense doesn't support VLANs or at least multiple subnets at the LAN port, then yes, your only remaining option is one layer of NAT between those three networks and ether11, and another layer of NAT between ether12 and the PPPoE client.
 
avihu
just joined
Topic Author
Posts: 15
Joined: Thu Dec 01, 2016 11:13 pm

Re: Forwarding to pfSense

Mon Jan 11, 2021 5:17 pm

OK, last question :)
How can I set up a layer of NAT between ether12 and the PPPoE client without giving an address to ether12?
 
sindy
Forum Guru
Posts: 6935
Joined: Mon Dec 04, 2017 9:19 pm

Re: Forwarding to pfSense

Mon Jan 11, 2021 6:22 pm

You cannot avoid assigning an address to ether12.

First, you'll need VRF (simpler to configure) or policy routing to make sure that traffic coming in via LAN ports will be routed out via ether11 and traffic coming in via ether12 will be routed out via PPPoE, and vice versa. So the PPPoE and the ether12 have to be in their own VRF group; the router itself must stay in the basic group so that its own traffic passes through the firewall.

I have no idea what happens if you create a route whose gateway is an IP address which is up on the same machine (albeit in a different VRF). If that works, you can use the same subnet for ether11 and ether12 and let the firewall bridge between ether11 and ether12.

If it doesn't work, you must assign addresses from different subnets to ether11 and ether12, and the firewall must route (rather than bridge) between them. So there will be one subnet for ether12 and firewall's WAN, and another subnet for ether11 and firewall's LAN.

In either case, all the traffic from the three LAN subnets to the internet will be src-nated to ether11's address.
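A RouterOS v6 sketch of the two-subnet variant described above (pfSense routing between its WAN on the ether12 subnet and its LAN on the ether11 subnet), added here as an illustration and not taken from the thread. The subnets 192.168.200.0/24 and 192.168.201.0/24, the pfSense addresses ending in .2, the VRF name fw-wan and the PPPoE client name pppoe-out1 are assumptions; ether11, ether12 and the three LAN subnets come from the thread.

```routeros
# Firewall-facing ports get addresses from two separate (constructed) subnets.
/ip address
add address=192.168.201.1/24 interface=ether11 comment="towards pfSense LAN"
add address=192.168.200.1/24 interface=ether12 comment="towards pfSense WAN"

# The PPPoE client must not install its default route into the main table,
# otherwise LAN traffic would bypass the firewall. Name pppoe-out1 is assumed.
/interface pppoe-client
set pppoe-out1 add-default-route=no

# ether12 and the PPPoE client form their own VRF; the LAN ports, ether11 and
# the router's own traffic stay in the main table.
/ip route vrf
add routing-mark=fw-wan interfaces=ether12,pppoe-out1

/ip route
# Main table: everything (LAN subnets and the router itself) is sent to the
# pfSense LAN address (assumed 192.168.201.2) via ether11.
add dst-address=0.0.0.0/0 gateway=192.168.201.2 comment="LAN -> firewall"
# VRF table: what pfSense forwards out of its WAN arrives on ether12 and
# leaves via PPPoE.
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=fw-wan \
    comment="firewall WAN -> internet"

/ip firewall nat
# First NAT layer: 192.168.1.0/24, 192.168.2.0/24 and 10.0.0.0/24 are
# src-nated to ether11's address, so pfSense sees a single LAN subnet.
add chain=srcnat out-interface=ether11 action=masquerade \
    comment="LAN subnets -> ether11 address"
# Second NAT layer: the pfSense WAN address is src-nated to the public
# PPPoE address.
add chain=srcnat out-interface=pppoe-out1 action=masquerade \
    comment="firewall WAN -> public address"
```

On the pfSense side this assumes WAN 192.168.200.2/24 with gateway 192.168.200.1 and LAN 192.168.201.2/24; because the upstream is now an RFC 1918 subnet, the WAN interface's "Block private networks" option has to be disabled or all forwarded traffic is dropped.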
