Bridge and firewall behavior confusion
Hi.
Tried to search the forum, but really don't know what to search for. So forgive me if this info already exists somewhere.
To give some context, here is my setup and what I'm trying to do:
- WAN
- Pfsense router
- WiFi Access point (NIC1, LAN)
- Web server (NIC2, HOSTING)
What I want is for the web server to be 'soft-isolated' from the rest of the LAN. What I mean by that is that HOSTING should not be allowed to reach anything on LAN, but LAN should be allowed to initiate e.g. an SSH connection to the web server on HOSTING. So my idea is to bridge LAN and HOSTING and use net.link.bridge.pfil_member = 1 and net.link.bridge.pfil_bridge = 0 so I can filter per interface and achieve what I want.
Here comes the confusion. Here is the ONLY firewall rule I have set up on HOSTING:
- Allow IPv4 UDP from 0.0.0.0:68 to 255.255.255.255:67 (Allow DHCP, since DHCP runs on LAN)
On LAN I have rules that allow me to reach the web server. So I can SSH into the web server and try to ping something on LAN, which I can't (so the isolation part works). But I CAN, however, ping something on the internet. This I don't understand, as I have not yet defined any rule on HOSTING that allows this.
I hope someone could shed some light on how this is possible. Also, is my approach for achieving this isolation sound?