Howdee, I now have (thanks to the list) a working 4-NIC firewall supporting dual WAN, LAN & DMZ interfaces. All is well with the firewall and it has been running flawlessly now for the last couple of days. Until now, all of my LAN clients as well as our servers have been on a big fat 172.16.0.0/12 network on the LAN, even though the clients and servers exit our network through different gateways. I was planning on switching our servers over to something like a 192.168 space and setting the firewall's DMZ NIC to 192.168.x.x to allow the servers out and finally isolate my servers from my clients. I have tested it and it works; the problem is, switching our servers is a nightmare (as I have just found out), because we have tons of billing scripts and automated ssh scripts that depend on IP, not hostname (once again our dumb ass fault). So instead I would like to bridge the LAN & the DMZ (OPT1) interfaces together and keep the IPs the same, but just filter between the LAN & DMZ via the bridge.
I was able to bridge these interfaces, and a server sitting on the DMZ could talk just fine to both the LAN clients as well as the WAN stuff, but I could not get any filtering to work.
I tried a suggestion someone had from the past list on how to make LAN and DMZ not talk by default unless permit rules were stated. That suggestion was to modify the default LAN rule of any / any and make it so LAN can go out if NOT DMZ subnet destination, and the same for DMZ but NOT if it's the LAN subnet. This feature works in m0n0wall, but when I do the identical statement in pfSense (either while it's bridged or not) using an Optional interface and the LAN, I get scrolling errors at the top and it locks up the box, much like the issue I had with previous versions entering other rules.

I'm using the 0.79.2 live CD.
The actual questions:

Should filtering work with the bridge if I'm bridging LAN & OPT AND using multi-WAN?

If so, what default rule, and on what interface, do I enter to block LAN clients from the DMZ but not DMZ to LAN? Then I suppose I could figure out how to allow only the services the LAN clients need on the DMZ one at a time.

Is there some kind of bug out there using the "NOT - Use this option to invert the sense of the match" option?
Thanks!
Tim
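The rule set below is an added illustration, not part of Tim's post and not anything pfSense 0.79.2 is known to generate; it is written in the pf.conf syntax that pfSense builds from its GUI rules. It shows why the "NOT DMZ subnet" trick from m0n0wall has nothing to match once LAN and OPT1 are bridged (both sides share the one 172.16.0.0/12 subnet, so there is no separate DMZ subnet to negate) and what to bind the rules to instead: the member interface the packet arrives on. Interface names (fxp0/fxp1), the server address block 172.16.10.0/24 and the allowed service ports are constructed for the example; whether bridge members are actually passed through pf depends on the underlying FreeBSD bridge sysctls (net.link.bridge.pfil_member on if_bridge systems), which is an assumption to verify for this release.

```pf
# Added example, not from the post. Interface names and the 172.16.10.0/24
# server block are constructed assumptions; adjust to the real layout.
lan_if  = "fxp0"            # LAN member of the bridge
dmz_if  = "fxp1"            # DMZ (OPT1) member of the bridge
servers = "{ 172.16.10.0/24 }"   # hosts parked on the DMZ side, same /12 as LAN

set skip on lo0

# Default deny, logged, so anything not explicitly passed below shows up in pflog.
block log all

# DMZ -> anywhere (LAN hosts included): allowed, stateful. The state entry lets
# the replies back in on the other member interface without a second rule.
pass in quick on $dmz_if keep state

# LAN -> DMZ servers: only the services the clients need, one rule each.
pass in quick on $lan_if proto tcp from any to $servers port { 22, 443 } keep state

# Everything else from LAN to the servers is dropped here, before the catch-all.
# "quick" makes this first-match, which is how pfSense evaluates GUI rules.
block in log quick on $lan_if from any to $servers

# LAN -> WAN and LAN -> LAN: unchanged.
pass in quick on $lan_if keep state

# The invert-match option the post asks about corresponds to pf's "!" operator.
# It is only useful when there is a distinct address to negate, e.g.:
#   pass in quick on $lan_if from any to ! $servers keep state
# With a shared subnet it must negate the server list, not a "DMZ subnet".
```

Because the check is on the arriving interface rather than a destination subnet, it keeps working whichever WAN the default route points at, and the order (DMZ pass, LAN service passes, LAN block, LAN catch-all) is what makes the block take effect before the permissive default rule.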