On 14-08-16 01:13 PM, Espen Johansen wrote:
You would have to do a major code rewrite to get this done. And it
would be insecure and it would make no pf sense :-) this is network
basics. You don't seem to understand some network fundamentals. Sorry
but this is not doable without using VLANs or 2 physical interfaces.
On 16 Aug 2014 20:06, "Bob Gustafson" <[email protected]> wrote:
I'm interested in doing it all within the Alix using pfsense. A
minimum hardware approach.
Think of my WAN mentioned below as the LAN network created by the
modem/router furnished by the ISP and the LAN mentioned below as
devices also connected to the back end of the modem/router, but
not accessible by the modem/router. Only by LAN/pfsense.
Bob G
I would like to pass WAN packets (192.168.1.0/24) and LAN packets
(192.168.2.0/24) through the same connector.
pfsense would provide the NAT and firewalling within the box.
To clarify Espen's comments: yes, it is possible to run two subnets on
the same wire.
Any _router_ can route between two subnets on the same wire (or the same
VLAN, same thing - technically the same "broadcast domain").
A _firewall_, however, will refuse to do so because it's nonsensical
from a security perspective.
So pfSense is a router, yes, but it is also a firewall, and in areas
where those two roles conflict, the firewall role wins.
As previously pointed out, you can't usefully use pf(4) in the
circumstance you describe.
It is technically possible, on some platforms, to perform NAT between
the two subnets. It would be possible, AFAIK, to manually craft a pf
rule that does this; it is not possible to get the pfSense GUI to
generate that rule. That's where the "major code rewrite" comes into play.
I'm not aware of any firewall GUI that will let you do this - and for a
good reason! By hooking your LAN up directly to the WAN, you're
effectively eliminating 99% of the security a firewall gives you. (And,
yes, it is possible to directly attack private IP addresses on most ISPs.)
If you're determined to deploy this model, you'll have to run a bare OS
that can route, i.e. Linux, OpenBSD, FreeBSD, etc. and configure the
networking stack and NAT rules by hand.
--
-Adam Thompson
[email protected]
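As an added illustration, not part of Adam's, Espen's or the pfSense project's own configuration, this is what the VLAN variant Espen points to looks like when written by hand on a bare FreeBSD host, as Adam suggests. The two subnets from Bob's mail still share one physical port, but each rides its own 802.1Q tag, so pf sees two distinct interfaces and can keep its normal default-deny posture between them. The NIC name vr0, the VLAN tags 10 and 20, and the firewall's WAN-side address 192.168.1.2 are assumptions; the upstream switch port must carry both tags for this to work.

```pf
# /etc/pf.conf (illustrative). Assumes the Alix NIC is vr0 and the switch
# port delivers VLAN 10 (ISP router side) and VLAN 20 (protected LAN) tagged.
# Interfaces and forwarding are set up beforehand in /etc/rc.conf:
#   gateway_enable="YES"
#   vlans_vr0="10 20"
#   ifconfig_vr0_10="inet 192.168.1.2/24"   # WAN side; ISP router is 192.168.1.1 (assumed)
#   ifconfig_vr0_20="inet 192.168.2.1/24"   # LAN side; this host is the LAN gateway
#   defaultrouter="192.168.1.1"

wan     = "vr0.10"
lan     = "vr0.20"
wan_net = "192.168.1.0/24"
lan_net = "192.168.2.0/24"

set skip on lo0
scrub in all

# Hide LAN hosts behind the firewall's WAN-side address; the ISP router
# only ever sees 192.168.1.2, never a 192.168.2.x source.
nat on $wan from $lan_net to any -> ($wan)

# Default deny in every direction; log drops so unexpected WAN-side
# probes of the LAN range show up in pflog.
block log all

# LAN may initiate anywhere; the state entry carries the reply back.
pass in  on $lan from $lan_net to any keep state
# Post-NAT traffic leaves on the WAN VLAN from the firewall's own address.
pass out on $wan from ($wan) to any keep state

# Explicit statement of the point of the exercise: nothing on the ISP
# router's network may initiate a connection into the LAN subnet.
block in log on $wan from $wan_net to $lan_net
```

Load it with `pfctl -f /etc/pf.conf` and check the ruleset with `pfctl -sr`; the final `block` line is already covered by `block log all` and is kept only so the LAN/WAN boundary is visible in the rules listing. Putting both subnets untagged on the same wire, as originally asked, would collapse `$wan` and `$lan` into one interface and leave pf no way to tell the two sides apart, which is the situation Adam describes as stripping most of the firewall's value.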
_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list