How to enable "one-way mirror" between two LAN interfaces?



  • It seems that this should be easy to do, but I'm not getting it…

    One of my clients, a doctor, shares office space with another doctor.  They have separate office networks, on separate physical cable, with different subnets (ours is 192.168.254.0, theirs is 192.168.44.0).

    We use pfSense - a single WAN interface, LAN bridged with WiFi; they use a Linksys router and dognose what else.

    The offices need to share two items: a digital XRay station (an WinXP box running MSSQL server) with address 192.168.44.104, and a Brother network printer sitting next to it with address 192.168.44.6.  I need to have access to those two hosts from any host on our network, but I do NOT want to allow any other hosts on their network to talk to ours.  (I suppose they're trusting me not to exploit their network - and I won't - but I don't trust them, or at least I don't trust their users not to download malware.)

    I added a NIC to the pfSense box, set its IP address to 192.168.44.253 and turned DHCP off.  (They have their own DHCP server.)  I can ping both hosts from pfSense; what I can't figure out is any combination of rules that will allow me to ping from our network and reach those two hosts.  I've tried dozens of combinations; if necessary I can post some of them.

    Any ideas?  What am I forgetting?  Thanks!



  • The users in the other network have as default gateway their own linksys-router.
    You have to create a static route on this linksys-router pointing to the IP of your pfSense for your subnet.

    Another possibility would be to enable advanced outbound NAT and to NAT all traffic from your subnet to their subnet. Like this it would look like all traffic comes from the IP of your pfSense within their subnet.
    –> You can access everything on their network, but they dont even know that your network exists.

    Also you should not only have firewall rules in place so they cannot access your network, but also rules that you cannot access anything except what you have to access (the printer and the Xray).



  • "Gateway" was the key.  Silly of me to forget…

    I changed the two hosts' default gateway from the Linksys to the pfSense - for the WinXP I added the Linksys as a second gateway, for the Brother there isn't room.  Both hosts were apparently receiving pings/print requests/whatever, but didn't know how to reach the sender with a response.

    And yes, I added rules up the wazoo: my network can talk to those two addresses but nothing else on their network, and only those two hosts can talk to my network.
    It could be defeated by unplugging either host from their network and replacing it with a rogue machine with the same address; for the moment, however, I'm satisfied.


Log in to reply