I presume your ISP gave you a tunnel network and a public /28, and
you're trying to use the IP's in the /28. Until recently, you had been
binding the tunnel network interfaces directly to your 'wan'.
You should probably be running a second router. The rationale is trust
levels. The first router can function as a DMZ for your hosts that are
on public interfaces. Because the trust levels between your public
subnet and your LANs are significantly different, you don't want a
configuration that opens your LAN to the world if you make even the
most minor configuration error. Your second router can function as a
firewall for your user-LANs, and the firewall's WAN will be a LAN IP in
your public /30. You can still do multi-WAN on your firewall. Our DMZ
is served by a 6-interface Lanner FW-7541D which allows me different
policies for different physical interfaces.
The way you have drawn your sketch makes me think you conceptualize the
two ISP interfaces as being 'outside', and your 'lans' are 'inside'.
That idea is wrong, and will get you into trouble. To deliberately use
the language of that wrong concept, any interface allowed to talk to the
world (any) is completely and utterly "inside" (including your public
/28). This is true unless you carefully and iteratively block egress TO
any/every LAN, LAN2, Tunnel, VPN, etc. It is error-prone and fussy,
especially as you add interfaces/VLANs/VPNs. You can simplify things
somewhat with floating rules and interface group rules, but the ease
with which it does something you don't expect is counter-intuitive.
Good luck.
On 2/10/2017 8:06 PM, Matthew Pounsett wrote:
vlan: 42 parent interface: em0
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
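The egress point made in the reply above (that "any" includes your own internal networks, so a DMZ or public-subnet interface must be explicitly blocked from reaching every LAN, VLAN, tunnel and VPN before anything is passed) can be shown in the pf ruleset that pfSense generates underneath its GUI. The fragment below is an added illustration, not from the thread or from the pfSense project; the interface names, the addresses in the table and the use of em1 for the public /28 are all constructed assumptions.

```pf
# Added example, not from the original thread. Interface names and
# network addresses are constructed for illustration.
ext_if = "em0"    # assumed: ISP-facing interface
dmz_if = "em1"    # assumed: carries the public /28
lan_if = "em2"    # assumed: user LAN

# Every internal network goes in one table. When a new VLAN or VPN is
# added, it is added here rather than as a new rule on each interface.
table <internal> { 192.168.10.0/24, 192.168.20.0/24, 10.8.0.0/24 }

# Weak (the "DMZ is outside" mindset the reply warns about):
# a single pass rule lets DMZ hosts reach "any", and "any" includes
# the LAN, LAN2 and VPN subnets above.
#   pass in quick on $dmz_if from $dmz_if:network to any

# Corrected: block egress from the DMZ into every internal network
# first ("quick" stops evaluation on match), then pass the rest.
block in quick log on $dmz_if from any to <internal>
pass in on $dmz_if from $dmz_if:network to any

# The same pattern applies on the LAN side: allow LAN hosts out, but
# keep them off the other internal networks unless explicitly permitted.
block in quick log on $lan_if from any to <internal>
pass in on $lan_if from $lan_if:network to any
```

The ordering is the whole point: pf's `quick` makes the block rule final for matching packets, so a later, broader pass rule cannot accidentally re-open a path to an internal subnet. In the pfSense GUI the equivalent is a floating or interface-group block rule to an alias of all internal networks, placed above the permissive pass rules, which is the "floating rules and interface group rules" simplification the reply mentions.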