Hi,
I am actually now designing the firewall my company would run through.
I basically need to masquerade an internal 192.168.x.x network to the
outside world, and screen a LAN of public-IP-addressed servers so they
can access and be accessed from the outside. My question is, which is
the best approach: a transparent filtering bridge on the WAN interface,
so the public-IP-addressed servers are accessed on my rule basis, or
directly an IP firewall which screens the WAN?
In the second scenario I am not sure if I would have to assign public
IP addresses to both interfaces (the one that comes from the internet
and the one that goes to my LAN segment). I think this is a waste of IP
address space, because I plan to have a pfsync + CARP configuration, so
in this case I would waste 4 IP addresses (for a two-node firewall).
Is there any way I could assign one IP address to both NICs (the
internet and the LAN side)? Maybe a bridge that in this scenario has the
public IP address on the "internal" side could work, and in that way I
would use only two IP addresses for my two-node configuration.
I also thought, when considering my fault-tolerance requirements, of tweaking
a bit with a two-node firewall in bridge mode (IP-less) and using the STP
max age, hello time and forward delay so they could be a kind of fault-
tolerant bridges... using pfsync through an internal LAN directly connected.
Any ideas?
Thanks :)