On Fri, 2005-10-28 at 12:11 -0400, Scott Ullrich wrote:
> All these issues have been fixed. Please wait until the next version.

Sure. I'm checking mirrors and your home directory every day for new
stuff to try :)

So what is going to be the official way for bridging mode? Is it no IP
for LAN, or the same as WAN?

> On 10/28/05, Peter Zaitsev <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I've recently tried a number of variants of setting up pfSense in
> > bridging mode for my small subnet, and I guess here is the state of
> > things as it is now.
> >
> > Scott was going to fix some of these issues, but I guess it is good to
> > summarize them anyway.
> >
> > So, running in bridging mode, you set 111.111.111.154/29 as the IP on
> > your WAN interface. Your options for LAN are:
> >
> > 1) Set the LAN IP empty.
> > You're allowed to set the IP empty, but this breaks a lot of rules in
> > the pf tables, as the LAN IP does not exist any more. And a check for
> > this does not seem to be present.
> >
> > 2) Set the LAN IP address to be the same as the WAN IP. This is also
> > allowed, but it breaks the "WAN spoof protection" rule, which does not
> > seem like it can be disabled. I was told "Block traffic from private
> > networks does it", but by my tests it does not.
> >
> > 3) Set the LAN IP address to some fake one; I used 10.25.15.1.
> > In this case it is the closest to being functional. It however does not
> > identify the LAN subnet right, so firewall rules which include the LAN
> > subnet do not work.
> >
> > There are some lesser items, such as lockout protection does not work,
> > and this kind of stuff:
> >
> > (All these rules have LAN wrong)
> >
> > nat on em0 from 10.25.15.0/29 port 500 to any port 500 -> (em0) port 500
> > nat on em0 from 10.25.15.0/29 to any -> (em0)
> > pass in quick on em1 proto udp from any port = 68 to 10.25.15.1 port = 67 label "allow access to DHCP server on LAN"
> > pass out quick on em1 proto udp from 10.25.15.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
> > block in log quick on em0 from 10.25.15.0/29 to any label "WAN spoof check"
> > block in log quick on em0 proto udp from any port = 67 to 10.25.15.0/29 port = 68 label "allow dhcp client out wan"
> > pass in quick from 10.25.15.0/29 to 10.25.15.1 keep state label "anti-lockout web rule"
> >
> > How would I expect it to work?
> >
> > Leave it empty or set it the same as WAN; I think one or the other
> > should be made to work. WAN spoofing should not be enabled in such a
> > case, and the LAN network should be identified correctly for setting
> > firewall rules.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
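The two failure modes Peter describes (a placeholder LAN subnet that none of the bridged hosts are actually in, and a LAN address equal to the WAN address that turns the "WAN spoof check" rule against the WAN subnet itself) can be caught by auditing the generated rules before they are loaded. The script below is an added example and is not code from the thread or from pfSense: it takes the seven rules quoted above as a template, renders them for a given LAN address, and checks each rule's addresses against the WAN subnet from the thread (111.111.111.154/29). The assumption it encodes is that, in bridging mode, a rule whose LAN addresses lie outside the bridged WAN subnet cannot match the bridged hosts, and that a spoof-check block on em0 sourced from the WAN subnet blocks the upstream side of the bridge.

```python
import ipaddress
import re

# WAN address as given in the thread.
WAN_CIDR = "111.111.111.154/29"

# Template built from the rules quoted in the thread; {lan_net} and {lan_ip}
# are the parts pfSense fills in from the configured LAN interface.
RULE_TEMPLATE = """\
nat on em0 from {lan_net} port 500 to any port 500 -> (em0) port 500
nat on em0 from {lan_net} to any -> (em0)
pass in quick on em1 proto udp from any port = 68 to {lan_ip} port = 67 label "allow access to DHCP server on LAN"
pass out quick on em1 proto udp from {lan_ip} port = 67 to any port = 68 label "allow access to DHCP server on LAN"
block in log quick on em0 from {lan_net} to any label "WAN spoof check"
block in log quick on em0 proto udp from any port = 67 to {lan_net} port = 68 label "allow dhcp client out wan"
pass in quick from {lan_net} to {lan_ip} keep state label "anti-lockout web rule"
"""

# Matches dotted-quad addresses with an optional prefix length; port numbers
# and interface names such as (em0) do not match.
ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\b")


def render_rules(lan_ip, prefixlen):
    """Render the rule template for a LAN interface address (constructed)."""
    lan_net = ipaddress.ip_network(f"{lan_ip}/{prefixlen}", strict=False)
    return RULE_TEMPLATE.format(lan_ip=lan_ip, lan_net=lan_net)


def audit(rules_text, wan_cidr):
    """Return (finding, rule) pairs for rules that cannot work in bridge mode.

    lan_not_in_wan_subnet: the rule names an address outside the bridged
        WAN subnet, so it never matches the bridged hosts (option 3 above).
    spoof_check_blocks_wan_subnet: the spoof-check rule blocks inbound
        packets on em0 sourced from the WAN subnet, i.e. the subnet the
        upstream side of the bridge is in (option 2 above).
    """
    wan_if = ipaddress.ip_interface(wan_cidr)
    findings = []
    for rule in rules_text.splitlines():
        nets = [ipaddress.ip_network(a, strict=False) for a in ADDR_RE.findall(rule)]
        if not nets:
            continue
        if any(not n.subnet_of(wan_if.network) for n in nets):
            findings.append(("lan_not_in_wan_subnet", rule))
        elif "WAN spoof check" in rule and any(wan_if.ip in n for n in nets):
            findings.append(("spoof_check_blocks_wan_subnet", rule))
    return findings


if __name__ == "__main__":
    for lan_ip in ("10.25.15.1", "111.111.111.154"):
        print(f"LAN = {lan_ip}/29")
        for kind, rule in audit(render_rules(lan_ip, 29), WAN_CIDR):
            print(f"  {kind}: {rule}")
```

With the fake LAN address from option 3 every one of the seven rules is flagged, because they all reference 10.25.15.0/29 or 10.25.15.1; with the LAN address set equal to the WAN address (option 2) the addresses are consistent and only the spoof-check rule is flagged, which is the behaviour Peter reports seeing in both cases.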
