On 09/05/2010 11:23 PM, Ron Lemon wrote:
I have 2 facilities that used to be connected via an IPSec VPN.
Facility 1 had 2 networks, 10.0.0.0/24 and 10.0.1.0/24. They are both
on the same physical wire; they each have their own NIC in the pfSense
box. Users were either on one or the other, with a couple of people being
dual homed on both.
Now we get a new facility 2, which is 10.0.2.0/24.
I connected Facility 2 via an IPSec tunnel to Facility 1 and allow
computers in the 10.0.1.0/24 network to talk to the machines in
Facility 2's 10.0.2.0/24 network.
All works great. Now we start to put through too much data for the IPSec
tunnel to handle, so we now have a dedicated PVLan circuit from
Facility 1 to Facility 2.
I have added a 3rd NIC to my firewall in Facility 1 and assigned an
IP 10.0.2.253 to it. Now I can see all computers in Facility 1 from
Facility 2 and vice versa.
I still only want computers in facility 1 from 10.0.1.0/24 to see the
10.0.2.0/24 network. I do not want 10.0.0.0/24 to see any computer in the
10.0.2.0/24 network.
On my LAN interface I have set rule #1 to block traffic from
10.0.0.0/24 to 10.0.2.0/24, but that did nothing. On my Facility 2
interface I put a similar block rule, still to no effect.
With "LAN interface", do you mean the interface connected to the
10.0.0.0/24 subnet or the 10.0.1.0/24 subnet?
You have to set the block rule on the interface the traffic is coming in on,
e.g. to block internet traffic from entering through the WAN interface,
the rules have to be defined on the WAN interface.
So to block traffic from 10.0.0.0/24 to 10.0.2.0/24 you have to add a
block rule on the interface with the 10.0.0.0/24 subnet.
(You may already know this, but I couldn't find it in your message.)
Hope it helps.
Regards,
Hans
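As an added illustration of Hans's point (not from the thread), here is what the two rule placements look like in the pf ruleset that pfSense generates from its GUI rules. Interface names em0, em1 and em2 are assumed for the 10.0.0.0/24, 10.0.1.0/24 and 10.0.2.0/24 NICs respectively; they are not from the original message.

```pf
# Added example, not from the thread. Assumed interface names:
#   em0 = LAN  (10.0.0.0/24)
#   em1 = OPT1 (10.0.1.0/24)
#   em2 = OPT2 (10.0.2.0/24, the PVLan circuit to Facility 2)
# pfSense emits "quick" rules, and pf evaluates "in" rules on the interface
# a packet ENTERS the firewall, not on the one it leaves through.

# Ineffective: traffic from 10.0.0.0/24 to 10.0.2.0/24 enters on em0,
# so a block rule bound to em2 is never evaluated for it.
block in quick on em2 from 10.0.0.0/24 to 10.0.2.0/24

# Effective: the block is bound to the interface where the packets arrive,
# and it is listed before any pass rule that would otherwise create state.
block in quick on em0 from 10.0.0.0/24 to 10.0.2.0/24 label "block-lan-to-fac2"
pass  in quick on em0 from 10.0.0.0/24 to any keep state

# 10.0.1.0/24 may still reach Facility 2; only em1's own rules apply to it.
pass  in quick on em1 from 10.0.1.0/24 to 10.0.2.0/24 keep state
```

To check it, `pfctl -vsr` on the pfSense console lists the loaded rules with their evaluation and packet counters, so the block rule's counters should increase when a 10.0.0.0/24 host tries to reach 10.0.2.0/24. Because pf is stateful, connections already in the state table (`pfctl -ss`) keep passing until they expire or are cleared.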