Netgate Discussion Forum

    WAN / OPT Bridging - firewall rules - clarification

    Derelict, LAYER 8 Netgate

      I have some questions regarding bridging the WAN on 2.0.3.

      My goal is to be able to send all traffic destined for certain public IPs out to VLAN 1120 for assignment to customer router WAN ports anywhere on the campus.  I only want traffic for a subset of public IPs to be forwarded to VLAN 1120, not everything on the WAN. It would also be great if traffic coming in from VLAN 1120 that was not sourced from this subset of public IPs was dropped.

      I also want the LAN port to have traditional NAPT internet access.

      I have done the following:

      Interface    ifname          Characteristics
      COX_WAN      bge0_vlan1000   Type: none, Tagged VLAN 1000 to Metro Ethernet
      INSIDE_WAN   bge1_vlan1120   Type: none, Tagged VLAN 1120 to inside switch trunk port
      WAN          bridge0         Type: Static, 24.120.64.146/28, Members: COX_WAN, INSIDE_WAN
      LAN          bge1_vlan1199   Type: Static, 172.21.199.1/24, DHCP Server, DNS Forwarder, Etc.

      I have a /28 from Cox to utilize. 24.120.64.144/28.  Of that, I want to reserve the last 4 addresses for these assignments so I created a firewall alias:

      cust_public_ips
      24.120.64.155/32
      24.120.64.156/32
      24.120.64.157/32
      24.120.64.158/32

      I have these System Tunables set:

      net.link.bridge.pfil_member:  default(1)
      net.link.bridge.pfil_bridge:  1

      This is where I get foggy.  I am having a hard time wrapping my head around what rules need to go where on the bridge/bridge members and upon what traffic they operate.  The rules on the WAN (bridge0) seem to be functioning as expected with regard to the traditional NAPT for the LAN.

      Here are the rules I currently have:

      WAN (bridge0)

      udp 1194 from any to WAN address  # For OpenVPN for Management
      icmp from any to WAN Net          # Want to be able to ping public IPs

      COX_WAN (Cox Metro E)
      all from any to cust_public_ips

      INSIDE_WAN (VLAN 1120 to customer router WAN ports)
      all from cust_public_ips to any

      Which rules actually operate on traffic coming into WAN/COX_WAN from the Metro E?  The ones on WAN, COX_WAN, or Both?

      It appears to me that the rules on bridge0 operate on traffic destined for its IP address and the rules on COX_WAN operate on everything else.

      The rules on WAN (bridge0) appear to operate whether net.link.bridge.pfil_bridge is 0 or 1, which I find odd.  For instance, if I disable/enable this rule:

      WAN/bridge0
      Pass TCP * * 172.21.199.10 22

      I appropriately cannot/can open an ssh session for which I have created a port forward in NAT.

      Any clarity that can be provided would be welcome.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

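An added example to reason about the question above (my own model, not code from the post, pfSense or FreeBSD): a stateless evaluator that runs the post's three rule sets against sample packets and reports which rule sets a packet entering a bridge member is checked against, and what each one decides. Assumptions: pfSense-generated rules carry `quick`, so the first match wins and an interface with no match falls to default deny; per if_bridge(4), `pfil_member=1` filters on the member interface and `pfil_bridge=1` filters bridged frames on bridge0; packets addressed to the bridge's own IP are modelled as always checked on bridge0, matching the poster's observation; the 203.0.113.x addresses are constructed test values; pf state entries, which short-circuit rule evaluation for established flows (including NAPT return traffic), are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addressing exactly as given in the post.
WAN_ADDRESS = ipaddress.ip_address("24.120.64.146")
ALIASES = {
    "cust_public_ips": [ipaddress.ip_network(f"24.120.64.{h}/32") for h in (155, 156, 157, 158)],
    "WAN address": [ipaddress.ip_network("24.120.64.146/32")],
    "WAN net": [ipaddress.ip_network("24.120.64.144/28")],
}


@dataclass
class Packet:
    in_if: str          # member interface the frame arrives on
    proto: str          # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    comment: str = ""


def addr_matches(spec: str, addr: str) -> bool:
    """'any', an alias name, or a literal address/network."""
    if spec == "any":
        return True
    nets = ALIASES.get(spec) or [ipaddress.ip_network(spec, strict=False)]
    return any(ipaddress.ip_address(addr) in n for n in nets)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules, pkt: Packet):
    """First match wins (quick); no match means the interface's default deny."""
    for r in rules:
        if rule_matches(r, pkt):
            return "pass", r.comment
    return "block", "default deny"


# The post's rule sets, one list per interface.
RULESETS = {
    "bridge0": [Rule("udp", "any", "WAN address", 1194, "OpenVPN for management"),
                Rule("icmp", "any", "WAN net", None, "ping public IPs")],
    "COX_WAN": [Rule("any", "any", "cust_public_ips", None, "all to cust_public_ips")],
    "INSIDE_WAN": [Rule("any", "cust_public_ips", "any", None, "all from cust_public_ips")],
}


def rulesets_for(pkt: Packet, pfil_member: int = 1, pfil_bridge: int = 1):
    """Model of which rule sets see a frame entering a bridge member (assumption, see lead-in)."""
    consulted = []
    if pfil_member:
        consulted.append(pkt.in_if)
    local_delivery = ipaddress.ip_address(pkt.dst) == WAN_ADDRESS
    if local_delivery or pfil_bridge:
        consulted.append("bridge0")
    return consulted


def verdict(pkt: Packet, pfil_member: int = 1, pfil_bridge: int = 1):
    """Final verdict plus the per-interface decisions; every consulted set must pass."""
    results = {ifname: evaluate(RULESETS[ifname], pkt)
               for ifname in rulesets_for(pkt, pfil_member, pfil_bridge)}
    final = "pass" if all(r[0] == "pass" for r in results.values()) else "block"
    return final, results


if __name__ == "__main__":
    samples = [
        Packet("COX_WAN", "tcp", "203.0.113.10", "24.120.64.155", 443),   # Internet -> customer IP
        Packet("INSIDE_WAN", "tcp", "24.120.64.150", "203.0.113.10", 80),  # spoofed, not in alias
        Packet("INSIDE_WAN", "tcp", "24.120.64.155", "203.0.113.10", 80),  # customer -> Internet
        Packet("COX_WAN", "udp", "203.0.113.10", "24.120.64.146", 1194),   # OpenVPN to bridge IP
    ]
    for pfil_bridge in (1, 0):
        print(f"--- net.link.bridge.pfil_bridge={pfil_bridge}")
        for p in samples:
            print(p.in_if, p.proto, p.src, "->", p.dst, p.dport, verdict(p, 1, pfil_bridge))
```

Running it shows where the rule sets interact: with both tunables at 1 a forwarded packet must be passed by the member interface and by bridge0, so traffic to a customer IP that COX_WAN allows still hits bridge0's default deny unless bridge0 carries a matching pass rule, while a frame from VLAN 1120 whose source is outside `cust_public_ips` is dropped by INSIDE_WAN alone. The stateless model also makes visible that an OpenVPN packet to the bridge address is blocked by COX_WAN before bridge0's pass rule is reached, which is worth comparing against observed behaviour, since state entries created by other flows can change the outcome on a real box.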