All these issues have been fixed. Please wait until the next version.

On 10/28/05, Peter Zaitsev <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I've recently tried a number of variants of setting up pfsense in bridging
> mode for my small subnet, and I guess here is the state of things as it is
> now.
>
> Scott was going to fix some of these issues, but I guess it is good to
> summarize them anyway.
>
> So, running in bridging mode, you set 111.111.111.154/29 as the IP on your
> WAN interface. Your options for LAN are:
>
> 1) Set the LAN IP empty.
> You're allowed to set the IP empty, but this breaks a lot of rules in the pf
> tables, as the LAN IP does not exist any more. And the check does not seem
> to be present.
>
> 2) Set the LAN IP address to be the same as the WAN IP. This is also allowed,
> but it breaks the "WAN spoof protection" rule, which does not seem like it
> can be disabled. I was told "Block traffic from private networks does it",
> but by my tests it does not.
>
> 3) Set the LAN IP address to be some fake one; I used 10.25.15.1.
> In this case it is the closest to being functional. It however does not
> identify the LAN subnet right, so firewall rules which include the LAN subnet
> do not work. There are some lesser items, such as lockout protection does
> not work, and this kind of stuff:
>
> (All these rules have LAN wrong)
>
> nat on em0 from 10.25.15.0/29 port 500 to any port 500 -> (em0) port 500
> nat on em0 from 10.25.15.0/29 to any -> (em0)
> pass in quick on em1 proto udp from any port = 68 to 10.25.15.1 port = 67 label "allow access to DHCP server on LAN"
> pass out quick on em1 proto udp from 10.25.15.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
> block in log quick on em0 from 10.25.15.0/29 to any label "WAN spoof check"
> block in log quick on em0 proto udp from any port = 67 to 10.25.15.0/29 port = 68 label "allow dhcp client out wan"
> pass in quick from 10.25.15.0/29 to 10.25.15.1 keep state label "anti-lockout web rule"
>
> How would I expect it to work?
>
> Leave it empty or set it the same as WAN; I think one or the other should be
> made to work. WAN spoofing should not be enabled in such a case, and the LAN
> network should be made identified correctly for setting firewall rules.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
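Each of the three LAN-address choices in the quoted report yields a ruleset that is wrong in a different way: an empty address produces rules pf cannot load, the WAN address makes the spoof check block the bridge's own subnet, and a fake address produces rules that never match anything. As an added example (not pfSense code and not from the thread), the script below models the LAN-dependent rules quoted in the post with a small, simplified generator and then lints each rule against the subnet the bridge really carries, 111.111.111.152/29, which is derived from the WAN address 111.111.111.154/29 given in the post. The interface names em0 and em1 and the addresses come from the post; the generator is a stand-in for pfSense's real rule generation and the lint logic is an assumption of this example. The linter itself only needs `from`/`to` addresses, so it can be pointed at any pf rule text, not just the generated model.

```python
"""Lint pf rules generated for a bridged WAN/LAN pair against the real subnet.

Added example, not pfSense code and not from the thread.  generate_rules() is a
simplified stand-in for pfSense's rule generation (an assumption); lint_rules()
checks the result against the subnet the bridge actually carries.
"""
import ipaddress
import re

WAN_IF, LAN_IF = "em0", "em1"      # interface names from the post
WAN = "111.111.111.154/29"         # WAN address from the post


def generate_rules(lan_cidr):
    """Emit the LAN-dependent rules quoted in the post for a given LAN address.

    lan_cidr is 'a.b.c.d/len', or None for an empty LAN address (option 1).
    Simplified model of what pfSense emits; not the project's real output.
    """
    if lan_cidr is None:
        # Option 1: with no LAN address the subnet placeholder comes out empty,
        # which pf's parser rejects.
        return [f'block in log quick on {WAN_IF} from  to any label "WAN spoof check"']
    lan = ipaddress.ip_interface(lan_cidr)
    net, ip = lan.network, lan.ip
    return [
        f'nat on {WAN_IF} from {net} to any -> ({WAN_IF})',
        f'pass in quick on {LAN_IF} proto udp from any port = 68 to {ip} port = 67 '
        f'label "allow access to DHCP server on LAN"',
        f'block in log quick on {WAN_IF} from {net} to any label "WAN spoof check"',
        f'pass in quick from {net} to {ip} keep state label "anti-lockout web rule"',
    ]


ADDR_RE = re.compile(r'\b(from|to)\s+(\d+(?:\.\d+){3}(?:/\d+)?)')
LABEL_RE = re.compile(r'label "([^"]+)"')


def lint_rules(rules, wan_cidr=WAN):
    """Check each rule against the subnet the bridge carries.

    Returns a list of (severity, label, message).  On a bridge the hosts behind
    the LAN interface live in the WAN interface's own subnet, so any other
    'LAN subnet' is a fiction and rules keyed on it cannot match real traffic.
    """
    bridged = ipaddress.ip_interface(wan_cidr).network
    findings = []
    for rule in rules:
        m = LABEL_RE.search(rule)
        label = m.group(1) if m else rule.split(" label")[0]
        if re.search(r'\bfrom\s+to\b', rule):
            findings.append(("error", label, "empty address: pf will refuse to load the ruleset"))
            continue
        # 'any' is not an address and is skipped; only concrete networks are checked.
        addrs = {d: ipaddress.ip_network(a, strict=False) for d, a in ADDR_RE.findall(rule)}
        src, dst = addrs.get("from"), addrs.get("to")
        on_wan = f" on {WAN_IF} " in rule
        if rule.startswith("block") and on_wan and src is not None and src.overlaps(bridged):
            findings.append(("error", label,
                             f"blocks inbound on {WAN_IF} from {src}, the bridge's own subnet "
                             f"(upstream gateway included)"))
        elif rule.startswith("nat") and src is not None and src.overlaps(bridged):
            findings.append(("warning", label,
                             f"would rewrite bridged hosts' source addresses to the {WAN_IF} address"))
        else:
            dead = [n for n in (src, dst) if n is not None and not n.overlaps(bridged)]
            if dead:
                findings.append(("warning", label,
                                 f"references {', '.join(map(str, dead))}, which no host on the "
                                 f"bridge uses; never matches"))
    return findings


def severities(findings):
    """Just the severity column, for quick summaries."""
    return [s for s, _, _ in findings]


if __name__ == "__main__":
    # Options 1, 2 and 3 from the post, in that order.
    for lan in (None, "111.111.111.154/29", "10.25.15.1/29"):
        print(f"LAN = {lan}")
        for sev, label, msg in lint_rules(generate_rules(lan)):
            print(f"  [{sev}] {label}: {msg}")
```

Run stand-alone it prints one block of findings per option: the empty-LAN case fails to load at all, the WAN-address case flags the "WAN spoof check" rule as blocking the bridge's own subnet (and the nat rule as rewriting bridged hosts), and the fake-address case flags every rule as one that never matches, which is the "all these rules have LAN wrong" list from the post.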
