Hi,
I am trying to configure 2 pfSense firewalls with CARP (redundancy) this requires static WAN IP addresses on the same subnet.
I can do this by using a draytek modem, a switch and the 2 pfSense firewalls.
I am trying to remove the switch and use a router board for the PPPoe account (WAN) and make the WAN Subnet available to the LAN ports.
I have searched for a solution but have not been able to find any suitable information on how I can achieve this.
This is my current export - which works with a LAN subnet.
/interface bridge
add name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=PASSWORD service-name=zen use-peer-dns=yes \
user=USERNAME
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=10.10.10.1/8 interface=ether2 network=10.0.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
Do you know how I can remove the nat and bridge the WAN & LAN?
Re: Bridge WAN to ALL etherports
I know how to do what you asked for but not sure if by doing so it will work as you wished. Anyway, system - reset configuration and tick No default configuration.
This clears all your config on the router including firewall and NAT, you can then access it by MAC address from Winbox. This is the easiest way of doing it.
then start create 1 bridge and add all Ethernet port to it.
I've been doing this when I need to use the router as a switch, not sure if you can then dial PPPoE from the bridge though.
what I would try first, however, is to remove the masquerade rule, doing source-nat using WAN IP available to you, in-interface would be one of the interface, this way trafficing from this interface will have this IP as source IP.
This clears all your config on the router including firewall and NAT, you can then access it by MAC address from Winbox. This is the easiest way of doing it.
then start create 1 bridge and add all Ethernet port to it.
I've been doing this when I need to use the router as a switch, not sure if you can then dial PPPoE from the bridge though.
what I would try first, however, is to remove the masquerade rule, doing source-nat using WAN IP available to you, in-interface would be one of the interface, this way trafficing from this interface will have this IP as source IP.
-
-
uplandsystems
just joined
- Posts: 12
- Joined:
Re: Bridge WAN to ALL etherports
Hi Solar77,
Thanks for responding.
I have started with no configuration and bridged all ports when successfully configuring CapsMan WiFi networks with the hAP lite devices.
Any of the LAN ports will then act as a switch passing through DHCP requests to the network DHCP server when connected to the hAP lite router board.
I have done that with this device - you cannot use PPPoe on Ether1 as it is classed as a slave.
I have removed the NAT and IP address for the LAN side - but cannot pass any traffic with srcnat or dstnat rules.
I will not be able to respond to any posts for the next 10 days.
Thanks for responding.
I have started with no configuration and bridged all ports when successfully configuring CapsMan WiFi networks with the hAP lite devices.
Any of the LAN ports will then act as a switch passing through DHCP requests to the network DHCP server when connected to the hAP lite router board.
I have done that with this device - you cannot use PPPoe on Ether1 as it is classed as a slave.
I have removed the NAT and IP address for the LAN side - but cannot pass any traffic with srcnat or dstnat rules.
I will not be able to respond to any posts for the next 10 days.
Re: Bridge WAN to ALL etherports
PPPoE client has to be on the bridge, not interfaces if it is already part of the bridge.
this is the part I am not sure, if the bridge is the PPPoE client, how it would pass IP address to your devices, may be they just have to be on static IP?
my suggestion of source nat is before reset configuration, when you still have all your nat , WAN, LAN side. This way, your WAN bridge is the PPPoE client, then you have NAT between WAN and LAN, then src-nat applys .
this is the part I am not sure, if the bridge is the PPPoE client, how it would pass IP address to your devices, may be they just have to be on static IP?
my suggestion of source nat is before reset configuration, when you still have all your nat , WAN, LAN side. This way, your WAN bridge is the PPPoE client, then you have NAT between WAN and LAN, then src-nat applys .
Re: Bridge WAN to ALL etherports
PPPoE client uses whatever device (I've got mine running on VLAN device) and creates it's own interface. Then you can make that interface part of bridge (not clever) or roure between it and bridge. Bridge itself can have imternal address, DHCP server and whatnot.
The only reason I wouldn't make physical interface connecting towards WAN (modem, fibre converter, ...) member of internal LAN bridge is concern about that gadget being hacked opening way of hackjng my LAN.
The only reason I wouldn't make physical interface connecting towards WAN (modem, fibre converter, ...) member of internal LAN bridge is concern about that gadget being hacked opening way of hackjng my LAN.
Re: Bridge WAN to ALL etherports
Hi mkx, you are right. PPPoE client will create a dynamic interface. then bridge this with anything would not be stable, in the case of link goes down.
So do you think my original solution with src-nat will work? keep NAT, WAN interface dials PPPoE and add default route, then use src-nat to assign public IPs to internal IP / Interface as needed.
So do you think my original solution with src-nat will work? keep NAT, WAN interface dials PPPoE and add default route, then use src-nat to assign public IPs to internal IP / Interface as needed.
Re: Bridge WAN to ALL etherports
I don't have slightest idea about what OP is trying to do. I just know that mixing WAN and LAN addresses on same bridge doesn't sound right to me. At all.
Re: Bridge WAN to ALL etherports
The answer is one mikrotik router should replace the two PFSense firewalls, P is for Punt!!
-
-
uplandsystems
just joined
- Posts: 12
- Joined:
Re: Bridge WAN to ALL etherports
I don't have slightest idea about what OP is trying to do. I just know that mixing WAN and LAN addresses on same bridge doesn't sound right to me. At all.
The LAN and WAN are ALL WAN addresses making xxx.xxx.xxx.xxx/28 available on all ports.
2 pfSense firewalls can then have their own IP address - xxx.xxx.xxx.225/28 and xxx.xxx.xxx.226/28 with a gateway of xxx.xxx.xxx.230/28 (PPPoe Connection)
This can be achived by using a VDSL modem - PPPoe Device (no NAT) and Switch
I am trying to use a VDSL modem and 5 port Mikrotik to make the PPPoe connection.
I have been able to use Billion ADSL/VDSL 4 port modems in the past (No NAT) but I thought I would try MikroTik before looking at Billion or other alternatives.
Re: Bridge WAN to ALL etherports
If I understand your situation right, you would like to use 3 ethernet ports of your RB for WAN (1 to connect to VDSL modem and 2 to connect to two PFsense hosts). In addition to that you would like to use 3 or more ethernet ports for LAN side (2 to connect LAN side of PFsense hosts and at least 1 ethernet port to connect other LAN devices). Due to lack of physical ports on RB you'd like to use single ethernet port for both WAN and LAN "side" of each PFsense host.
Well, this might work (as well as pigs might fly), but I still think this is bad.
You either need a (dumb) ethernet switch to connect LAN side (including PFsense) so that you actually only need 1 ethernet port on RB for LAN (but you indicated that you'd like to get rid of ethernet switch).
Or you can configure PFsense hosts to use two VLANs, one for their WAN and other for their LAN connections ... and configure VLANs on RB (two trunk ports, one per PFsense host, and 3 access ports, one for WAN to connect to VDSL modem and two for LAN to connect other LAN hosts). On RB create two VLAN interfaces, run PPPoE client on WAN VLAN interface and run whatever services RB needs to provide to LAN on LAN VLAN interface.
This way you can probably (depends on particular RB model) have all ethernet ports on single bridge and use VLAN tags to separate WAN and LAN traffic flows.
Well, this might work (as well as pigs might fly), but I still think this is bad.
You either need a (dumb) ethernet switch to connect LAN side (including PFsense) so that you actually only need 1 ethernet port on RB for LAN (but you indicated that you'd like to get rid of ethernet switch).
Or you can configure PFsense hosts to use two VLANs, one for their WAN and other for their LAN connections ... and configure VLANs on RB (two trunk ports, one per PFsense host, and 3 access ports, one for WAN to connect to VDSL modem and two for LAN to connect other LAN hosts). On RB create two VLAN interfaces, run PPPoE client on WAN VLAN interface and run whatever services RB needs to provide to LAN on LAN VLAN interface.
This way you can probably (depends on particular RB model) have all ethernet ports on single bridge and use VLAN tags to separate WAN and LAN traffic flows.
-
-
uplandsystems
just joined
- Posts: 12
- Joined:
Re: Bridge WAN to ALL etherports
Hi,If I understand your situation right, you would like to use 3 ethernet ports of your RB for WAN (1 to connect to VDSL modem and 2 to connect to two PFsense hosts). In addition to that you would like to use 3 or more ethernet ports for LAN side (2 to connect LAN side of PFsense hosts and at least 1 ethernet port to connect other LAN devices). Due to lack of physical ports on RB you'd like to use single ethernet port for both WAN and LAN "side" of each PFsense host.
Well, this might work (as well as pigs might fly), but I still think this is bad.
You either need a (dumb) ethernet switch to connect LAN side (including PFsense) so that you actually only need 1 ethernet port on RB for LAN (but you indicated that you'd like to get rid of ethernet switch).
Or you can configure PFsense hosts to use two VLANs, one for their WAN and other for their LAN connections ... and configure VLANs on RB (two trunk ports, one per PFsense host, and 3 access ports, one for WAN to connect to VDSL modem and two for LAN to connect other LAN hosts). On RB create two VLAN interfaces, run PPPoE client on WAN VLAN interface and run whatever services RB needs to provide to LAN on LAN VLAN interface.
This way you can probably (depends on particular RB model) have all ethernet ports on single bridge and use VLAN tags to separate WAN and LAN traffic flows.
It is bad if you do not use the correct device between the WAN and the LAN the pfSense firewall performs that function.
Port 1 is PPPoe to ISP VDSL modem.
Port 2-5 is WAN IP with only 2 pfSense devices connected.
I have made a pre sales enqiury with Billion regarding a VDSL modem which will enable me to turn off the firewall and NAT - this will enable the WAN IP to be presented at the 4 off 10/100 LAN ports. They did sell them in the past.
Re: Bridge WAN to ALL etherports
I continue to not have slightest idea about what you're trying to do and where RB fits. I don't know about others, but for me it would help if you could post a diagram of network set-up you're trying to create.
-
-
CZFan
Forum Guru
- Posts: 2098
- Joined:
- Location: South Africa, Krugersdorp (Home town of Brad Binder)
- Contact:
Re: Bridge WAN to ALL etherports
I continue to not have slightest idea about what you're trying to do and where RB fits. I don't know about others, but for me it would help if you could post a diagram of network set-up you're trying to create.
Ditto
-
-
uplandsystems
just joined
- Posts: 12
- Joined:
Re: Bridge WAN to ALL etherports
Where on the picture is Mikrotik? If there are two (boxes just south of VDSL modems), what are their intended functionality? Bridge between PPPoE and pfSense WAN interfaces?
If that's indeed so ... are those two addresses xxx.xxx.xxx.126/28 routable addresses and your ISP is sending you traffic with destination set to those addresses? If yes, add pppoe interface to same bridge with ether2 to ether5 while keeping ether1 (the interface used to connect VDSL modem) separated.
If you need management connection, you need to assign address to the bridge (not to individual ether interface) if you'll connect through pfSense. If you want to manage MT directly from your LAN, then you'll need to dedicate one ether interface for LAN connection (e.g. ether5), but you need to remove it from bridge first. Then configure LAN IP address directly on ether5.
[edit] Damn, it seems like you can't add pppoe interface to a bridge.You'll need to assign one xxx.xxx.xxx.112/28 address to bridge and configure pfSense hosts to use that address as their default route gateway. MT will do the routing for you.
If that's indeed so ... are those two addresses xxx.xxx.xxx.126/28 routable addresses and your ISP is sending you traffic with destination set to those addresses? If yes, add pppoe interface to same bridge with ether2 to ether5 while keeping ether1 (the interface used to connect VDSL modem) separated.
If you need management connection, you need to assign address to the bridge (not to individual ether interface) if you'll connect through pfSense. If you want to manage MT directly from your LAN, then you'll need to dedicate one ether interface for LAN connection (e.g. ether5), but you need to remove it from bridge first. Then configure LAN IP address directly on ether5.
[edit] Damn, it seems like you can't add pppoe interface to a bridge.You'll need to assign one xxx.xxx.xxx.112/28 address to bridge and configure pfSense hosts to use that address as their default route gateway. MT will do the routing for you.
-
-
uplandsystems
just joined
- Posts: 12
- Joined:
Re: Bridge WAN to ALL etherports
Where on the picture is Mikrotik? If there are two (boxes just south of VDSL modems), what are their intended functionality? Bridge between PPPoE and pfSense WAN interfaces?
If that's indeed so ... are those two addresses xxx.xxx.xxx.126/28 routable addresses and your ISP is sending you traffic with destination set to those addresses? If yes, add pppoe interface to same bridge with ether2 to ether5 while keeping ether1 (the interface used to connect VDSL modem) separated.
Sorry missed the text box on my final edit - Yes the 2 boxes south of the ISP VDSL Modem are MikroTiks.
The PPPoe interface is assigned xxx.xxx.xxx.230/28 (ISP 1) and xxx.xxx.xxx.130/28 (ISP 2) and there are 5 routable address - 225 - 229 and 125 - 129.
I know I cannot add the PPPoe interface to the bridge - I am trying to use the PPPoe Interface address as the gateway with no specific IP addresses assigned to the bridge ports.
Do you know how I can route all xxx.xxx.xxx.225/28 traffic to the PPPoe Interface xxx.xxx.xxx.230/28 and vici versa?
Re: Bridge WAN to ALL etherports
Ok, 5 routable addresses means you're getting subnet xxx.xxx.xxx.224/29 from ISP1 and .... ugh, no subnet matches the addresses you mentioned by routable addresses from ISP2.
Since bridging between PPPoE and ether ports is not possible, you'll have to configure RB for routing. For that you'll need to configure one IP address to bridge (spanning ether ports towards pfSense).
Example for RB hooked to ISP1:
You don't have to add anything to routing table: pppoe will add default route to internet and pfSense hosts will be accessible directly through bridge1-attached ethernet.
You will have to configure pfSense machines to use xxx.yyy.zzz.229 as default gateway (the network connection towards ISP1).
Since pfSense is doing FW, you don't need to filter anything in forward chain. You do have to establish filters on input chain as RB will be fully exposed to internet.
Then you do similar for MT en route to ISP2. It will be more complicated if routable addresses really don't belong to single /29 subnet.
[edit] In this case you can dedicate ethernet ports one per pfSense host without creating bridge on top of them. Then use /32 addresses for point-to-point connectivity as discussed in this topic.
Since bridging between PPPoE and ether ports is not possible, you'll have to configure RB for routing. For that you'll need to configure one IP address to bridge (spanning ether ports towards pfSense).
Example for RB hooked to ISP1:
Code: Select all
/ip address xxx.yyy.zzz.229/29 interface=bridge1 network=xxx.yyy.zzz.224
You will have to configure pfSense machines to use xxx.yyy.zzz.229 as default gateway (the network connection towards ISP1).
Since pfSense is doing FW, you don't need to filter anything in forward chain. You do have to establish filters on input chain as RB will be fully exposed to internet.
Then you do similar for MT en route to ISP2. It will be more complicated if routable addresses really don't belong to single /29 subnet.
[edit] In this case you can dedicate ethernet ports one per pfSense host without creating bridge on top of them. Then use /32 addresses for point-to-point connectivity as discussed in this topic.
-
-
uplandsystems
just joined
- Posts: 12
- Joined:
Re: Bridge WAN to ALL etherports
Cheers - I will have a go later today.Ok, 5 routable addresses means you're getting subnet xxx.xxx.xxx.224/29 from ISP1 and .... ugh, no subnet matches the addresses you mentioned by routable addresses from ISP2.
ISP2 subnet is on another MikroTik - 1 per ISP.