Filtering IP's in bridge mode
-
VLANs could work. You should also be able to keep the management on a separate physical interface by bridging two VLANs on the WAN physical for the transparent, filtering bridge.
You will probably also want to set a default gateway and DNS server to something on the LAN so the unit can resolve names and get to the internet. pfSense these days kind of needs that for updates, packages, etc.
It would probably be several steps, and require a managed switch (or three ports and two unused VLANs on an existing switch), to get to where I would want it:
-
Tag two VLANs on WAN
-
Bridge the two VLAN interfaces
-
An untagged port on each VLAN on the switch would be the inside and outside ports of the filtered bridge. A port with both VLANs tagged would go to pfSense WAN
-
Set WAN to IP Address None/None and delete the gateway from the interface. This can probably even be disabled.
-
Create a gateway on LAN that points to the edge routed gateway for internet. Set it as the default gateway in pfSense. Think of pfSense LAN as another inside device here. Don't set a gateway on the LAN interface config.
-
Set at least one DNS server in System > General that the firewall itself can use to resolve names.
I might be missing something but I think that should generally work. There should be no problem with the traffic volume you are expecting on the SG-1000. Any managed switch should do. Something like a D-Link DGS-1100-08 (about $35 US) would be more than enough. JSYK I have never actually built one like that. There might be a couple other things that need to be done. Interesting use case for an sg-1000.
-
-
I'm using a 2 port 2220 in a bridged setup and have assigned an IP address to the Bridge IF for management. I filter on the Bridge IF instead of the members.
What would be the benefit of assigning a Management VLAN - vs - using the Bridge IF for Management ?
As for filtering BingoWasHisName could also use pfblockerNG to block entire country ranges -or better whitelist a selected country to reduce the number of brute force attacks.
-
Because the management IP address in his case will be a WAN address. There is simply no need to hang the management interface out on the public internet.
An inside management address would be far superior in that case.
There is currently no firewall between the pbx device and the internet to run pfBlocker on.
-
Well, some of this is getting out of my pay grade :) I think I am getting the gist of it though and I'm sure it will make more sense when I actually try to configure it.
So is gcu_greyarea suggesting that a higher end appliance will be able to work in bridge mode and provide enhanced filtering by blocks of IP's? What is "Bridge IF"?
Sorry for the ignorance
-
Thanks Derelict for your reply.
@ BingoWasHisName - As far as I understand it you won't need a "high end" appliance. An appliiance with 3 ports might suit your requirements better as it would be easier to setup. E.g. you could use one port as a management interface.
As far as "enhanced filtering" is concerned I was referring to pfblockerNG, which would allow filtering based on geography (via maxmind). I don't know if this package is available on ARM(SG-1000).
"Bridge IF" means bridge Interface. E.g. In my config I have assigned an IP addres to the LAN-WAN bridge, which is ok because it is behind my iSP provided router and not exposed to the public. -
Couldn't a USB ethernet adapter be used for management via the USB OTG port?
-
A VLAN would be better than USB.
-
Obviously, but a USB adapter is a lot cheaper than a managed switch.
-
Managed switch is $35 US. Spending a couple extra dollars to NOT use a USB adapter is probably worth it. It would be to me.
-
Interesting, seems I'm well out of date on managed switch pricing. I had no idea you could get tiny 5 port models now for peanuts.
