Following up on my earlier email. I was expecting the bridge to act the same as on other OSs I'm currently using for firewalls (that is, once traffic hits the bridge it is not examined further; it just goes out the other end, like a tunnel). However, it turns out I was misunderstanding how FBSD does bridging: it examines the packets on the bridge itself, as if it were a switch.
As a result I have had to resort to something I consider less than optimal. I've disabled the LAN interface and given br0 (the bridge) its IP address (for management access). I've set up firewall rules on br0 that only allow access from management hosts to the very limited set of management ports (all other traffic is blocked). This effectively puts the management interface "outside" the firewall, but hopefully it protects it sufficiently that it isn't a totally bad thing. Does anyone have any comments/feedback on this solution for me?

thanks, nomad
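What the post describes, written out as a pf.conf fragment for a FreeBSD filtering bridge. This is an added example, not configuration from the post or from the pfSense project (on pfSense the equivalent rules would be entered through the GUI rather than edited into pf.conf). Interface names, the bridge name (bridge0, FreeBSD's default for if_bridge; the post calls it br0), the management address, the management stations, the port list and the published server are all assumptions. One caveat a practitioner should check first: rules on the bridge interface itself are only evaluated when the kernel passes bridged packets through pf on the bridge, which is controlled by the sysctl net.link.bridge.pfil_bridge (filtering on the member interfaces is controlled by net.link.bridge.pfil_member); see if_bridge(4).

```pf
# Added example, not text or config from the post. All names, addresses and
# ports below are assumptions. Topology assumed: em0 and em1 are the bridge
# members, bridge0 is the bridge and carries the firewall's only IP address.
#
# Prerequisite (verify with sysctl): net.link.bridge.pfil_bridge must be 1 for
# the "on $br_if" rules to be evaluated at all; net.link.bridge.pfil_member
# governs whether the member-interface rules are evaluated.

ext_if     = "em0"              # assumed: member facing the outside
int_if     = "em1"              # assumed: member facing the inside
br_if      = "bridge0"          # assumed: the bridge holding the management IP
mgmt_addr  = "198.51.100.1"     # assumed: the management address on the bridge
mgmt_ports = "{ 22, 443 }"      # assumed: ssh and the web GUI, nothing else
table <mgmt_hosts> { 192.0.2.10, 192.0.2.11 }   # assumed management stations

set skip on lo0
block log all                   # default deny on every interface

# --- Bridge interface: the management plane ---------------------------------
# Only the listed hosts, only the listed ports, only to the box's own address.
# Stateful, so replies match the state instead of needing their own rule.
pass in  quick on $br_if inet proto tcp from <mgmt_hosts> to $mgmt_addr \
         port $mgmt_ports flags S/SA keep state
# Anything else aimed at the firewall itself stops here and is logged.
block in quick log on $br_if inet to $mgmt_addr
# Nothing arriving on the bridge should claim to be our own address.
block in quick log on $br_if inet from $mgmt_addr
# Traffic the box originates itself (DNS, NTP, package fetches): stateful.
pass out quick on $br_if inet from $mgmt_addr keep state
# Transit traffic is not for this box; let it continue to the outgoing member,
# where the forwarding policy is enforced. No state is kept here so the same
# flow is not tracked twice.
pass in  quick on $br_if no state
pass out quick on $br_if no state

# --- Member interfaces: the transparent firewall policy ---------------------
# Defence in depth: the management address is unreachable from the outside
# member, and reachable on the inside member only from the listed stations,
# before the packet ever reaches the bridge rules above.
block in quick log on $ext_if inet to $mgmt_addr
block in quick log on $int_if inet from ! <mgmt_hosts> to $mgmt_addr
# Assumed transit policy: inside may initiate anything; outside only gets
# replies (matched by state) plus one published HTTPS server.
pass in  quick on $int_if keep state
pass out quick on $ext_if keep state
pass in  quick on $ext_if inet proto tcp to 203.0.113.25 port 443 \
         flags S/SA keep state     # assumed published server behind the bridge
pass out quick on $int_if keep state
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it, and confirm with `sysctl net.link.bridge` that both pfil_bridge and pfil_member are set the way the rule set expects; with pfil_bridge at 0 the bridge-interface rules, including the management restriction, never run, and only the member-interface rules stand between the network and the management address.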
