what I need to do is let pass anything that is coming from WIFI Switch without restriction EXCEPT the traffic destined for several machines in the WAN Switch
My configuration looks something like this:
|NAS DEVICE|<---> xl2 <-- BRIDGE--> fxp0 <--> |WIFI_SWITCH|
wifi_ext_if = "xl2"
wifi_int_if = "fxp0"
#
# Pass all traffic from wifi_ext_if to wifi_int_if to filter in that one.
#
pass in quick on $wifi_ext_if all
pass out quick on $wifi_ext_if all
pass in on $wifi_int_if all
pass out on $wifi_int_if all
servidores = "{ 1.2.3.4, 4.3.2.1, 1.2.3.5 }"
block out log on $wifi_int_if proto tcp from any to $servidores port { 135, 137, 138, 139, 1443 }
block out log on $wifi_int_if proto udp from any to $servidores port { 135, 137, 138, 139 }
It sounds like you want these rules to be for $wifi_ext_if, or in the other direction. If the wifi clients are trying to contact $servidores, packets to $servidores will come in on $wifi_int_if and go out on $wifi_ext_if.
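As an added illustration of the direction point made in the reply (not configuration from the original thread), here is the same rule set with the blocks moved to the inbound side of $wifi_int_if, which is where WiFi-client traffic toward $servidores actually enters the bridge. The port-list macros srv_tcp_ports and srv_udp_ports are introduced here only for readability; the addresses and ports are the ones from the post.

```pf
# Bridge members: xl2 faces the NAS / WAN switch, fxp0 faces the WiFi switch
wifi_ext_if = "xl2"
wifi_int_if = "fxp0"

servidores = "{ 1.2.3.4, 4.3.2.1, 1.2.3.5 }"
# Macros added for this example; the lists are the ones from the post
srv_tcp_ports = "{ 135, 137, 138, 139, 1443 }"
srv_udp_ports = "{ 135, 137, 138, 139 }"

# Packets from WiFi clients to the servers come IN on $wifi_int_if and go
# OUT on $wifi_ext_if. Block them on the way in, and mark the rules "quick"
# so the catch-all pass rules below cannot override them (pf is last-match
# unless "quick" ends evaluation).
block in log quick on $wifi_int_if proto tcp from any to $servidores port $srv_tcp_ports
block in log quick on $wifi_int_if proto udp from any to $servidores port $srv_udp_ports

# Everything else from the WiFi side is allowed without restriction
pass in quick on $wifi_ext_if all
pass out quick on $wifi_ext_if all
pass in on $wifi_int_if all
pass out on $wifi_int_if all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; on FreeBSD the bridge only hands member-interface traffic to pf when net.link.bridge.pfil_member is 1 (the default), so verify that sysctl if the blocks never match.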
