NAT traversal is trivial. Firewalling needs physical interfaces. VLANs are possible, but VLAN jumping is also possible. VLANs to do different zones (lan/wan, lan/dmz, dmz/wan) is not something I recommend, as VLAN jumping can be done in most environments. In short: forget an idea where you firewall with a single interface. Even if this is only to play with at home. Just don't. A vanilla Linux/BSD will let you shoot yourself in the foot, so you can do it there. But there are no firewalls that will allow this without 2 interfaces. Most require 2 physical, but some will allow for 2 or more VLANs. Again, do not do it.

On 16 Aug 2014 22:13, "Adam Thompson" <[email protected]> wrote:
> On 14-08-16 01:13 PM, Espen Johansen wrote:
>
>> You would have to do a major code rewrite to get this done. And it would
>> be insecure and it would make no pf sense :-) this is network basics. You
>> don't seem to understand some network fundamentals. Sorry but this is not
>> doable without using vlans or 2 physical interfaces.
>>
>> On 16 Aug 2014 20:06, "Bob Gustafson" <[email protected]> wrote:
>>
>>> I'm interested in doing it all within the Alix using pfsense. A minimum
>>> hardware approach.
>>>
>>> Think of my WAN mentioned below as the LAN network created by the
>>> modem/router furnished by the ISP and the LAN mentioned below as devices
>>> also connected to the back end of the modem/router, but not accessible by
>>> the modem/router. Only by LAN/pfsense.
>>>
>>> Bob G
>>>
>>>> I would like to pass WAN packets (192.168.1.0/24) and LAN packets (
>>>> 192.168.2.0/24) through the same connector.
>>>>
>>>> pfsense would provide the NAT and firewalling within the box.
>>>>
>
> To clarify Espen's comments: yes, it is possible to run two subnets on
> the same wire.
> Any _router_ can route between two subnets on the same wire (or the same
> VLAN, same thing - technically the same "broadcast domain").
> A _firewall_, however, will refuse to do so because it's nonsensical from
> a security perspective.
> So pfSense is a router, yes, but it is also a firewall, and in areas where
> those two roles conflict, the firewall role wins.
> As previously pointed out, you can't usefully use pf(4) in the
> circumstance you describe.
> It is technically possible, on some platforms, to perform NAT between the
> two subnets. It would be possible, AFAIK, to manually craft a pf rule that
> does this; it is not possible to get the pfSense GUI to generate that
> rule. That's where the "major code rewrite" comes into play.
>
> I'm not aware of any firewall GUI that will let you do this - and for a
> good reason! By hooking your LAN up directly to the WAN, you're
> effectively eliminating 99% of the security a firewall gives you. (And,
> yes, it is possible to directly attack private IP addresses on most ISPs.)
>
> If you're determined to deploy this model, you'll have to run a bare OS
> that can route, i.e. Linux, OpenBSD, FreeBSD, etc. and configure the
> networking stack and NAT rules by hand.
>
> --
> -Adam Thompson
> [email protected]
>
>
> _______________________________________________
> List mailing list
> [email protected]
> https://lists.pfsense.org/mailman/listinfo/list
>
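An added pf.conf sketch (not from the thread and not pfSense's own configuration) that puts the hand-crafted single-interface NAT rule Adam mentions, commented out, beside the two-interface layout the thread recommends. The subnets are the ones from Bob's question; the interface names vr0/vr1 are an assumption.

```pf
# Added example, not from the thread. Interface names vr0/vr1 are
# assumptions; 192.168.1.0/24 (modem side) and 192.168.2.0/24 (LAN)
# are the subnets from Bob's question. FreeBSD/pfSense 2.x pf syntax.

# --- Single-interface layout the thread warns against ---
# Both subnets share vr0. pf can only tell the two "zones" apart by
# source address, which any host on the shared wire can choose, and a
# LAN host with a direct route to 192.168.1.0/24 never passes through
# the firewall at all, so these rules protect nothing:
#
#   nat on vr0 from 192.168.2.0/24 to ! 192.168.2.0/24 -> (vr0)
#   pass in on vr0 from 192.168.2.0/24 keep state
#   pass out on vr0 keep state

# --- Two-interface layout (what the thread recommends) ---
ext_if  = "vr0"              # towards the ISP modem/router, 192.168.1.0/24
int_if  = "vr1"              # LAN, 192.168.2.0/24
lan_net = "192.168.2.0/24"

set skip on lo0
scrub in all

# NAT LAN traffic leaving towards the modem; state is kept per interface.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny; zones are now distinguished by interface, not by a
# spoofable source address, and antispoof drops packets arriving on the
# wrong interface for their source network.
block log all
antispoof quick for { $ext_if, $int_if }
pass in  on $int_if inet from $lan_net to any keep state
pass out on $ext_if inet from ($ext_if) to any keep state
```

If a second physical port is not available, the same ruleset works with a tagged VLAN interface as `$int_if`, which is the fallback Espen accepts only reluctantly because of VLAN hopping.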
