Netgate Discussion Forum

    Help needed on filtering bridge rules

    Firewalling
    reqman
      last edited by reqman

      Hello all, first time I'm implementing a filtering bridge with 2.5.0 CE and need some advice to figure things out.

      This is a 3-segment network, LAN, DMZ, and WAN, all bridged to an OPT1 interface, as per the instructions in https://forum.netgate.com/topic/46137/pfsense-2-0-transparent-firewall-firewall-bridge

      In my implementation the only difference is that since I do not want the device to be accessed from DMZ and WAN, I've assigned the management ip to the LAN interface.

      All segments are inside the same 10.x.0.0/16 network, which I'm trying to "segment" using pfSense. Of course I've disabled RFC1918 blocking.

      What I want to do is filter access to hosts in the DMZ, in a granular way. As an example, I want to allow access to port 443 of a DMZ host A only when access is made from the LAN side of the bridge.

      In essence, if this was a normal/routed firewall, I'd have a firewall allow rule on the LAN interface.

      In a bridged mode it feels as if something is missing (most likely a "feature" of bridging). I thought of implementing an allow rule on the OPT interface as allow on OPT1 TCP from "LAN net" to <host A> ports 443. This translates to:

      pass in quick on bridge0 inet proto tcp from 10.x.0.0/16 to <host A> port = https flags S/SA keep state
      

      Problem here is that the bridge is immersed in this 10.x.0.0/16. IOW, the above rule would allow (if I understand correctly) a host with a 10.x.0.0/16 IP residing anywhere, including WAN, to access host A/443.

      Can someone provide some advice here on how I could implement this rule to perform as I intend (and possibly "pairwise" rules, like DMZ<->WAN, LAN<->WAN etc.)? That is, apply only when it arrives on LAN1?

      Thanks in advance for any information provided!

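Added example, not part of the original post and not Netgate's or pfSense's own configuration: the same policy written so that pf evaluates it on the bridge member interface the packet arrives on, rather than on bridge0. The interface names (em0 = WAN member, em1 = LAN member, em2 = DMZ member, all members of bridge0) and the host A address 10.0.20.5 are constructed assumptions; 10.0.0.0/16 stands in for the post's 10.x.0.0/16.

```pf
# Added example (not from the original post or from pfSense). Assumed layout:
#   em0 = WAN cable, em1 = LAN cable, em2 = DMZ cable, all members of bridge0
#   host A = 10.0.20.5 (constructed address inside the shared 10.0.0.0/16)
#
# Make pf run the ruleset on the member interfaces, not on bridge0, so that
# "on em1" means "this frame physically arrived on the LAN-side cable".
# On pfSense these are set under System > Advanced > System Tunables;
# on plain FreeBSD they go in /etc/sysctl.conf:
#   net.link.bridge.pfil_member=1
#   net.link.bridge.pfil_bridge=0
# With pfil_bridge=0 a rule written "on bridge0" is never consulted, and with
# both set to 1 every frame is inspected twice (once on the member, once on
# bridge0), so pick one layer and put all rules there.

# Default deny on every member. The pass rules below are "quick", so they win
# when they match; anything else falls through to this block and is logged.
block in log on { em0 em1 em2 }

# LAN -> host A:443. The source prefix is unchanged from the post, but a 10.x
# host plugged into the WAN cable enters on em0, where this rule does not exist,
# so it is dropped by the block above instead of being admitted.
pass in quick on em1 inet proto tcp from 10.0.0.0/16 to 10.0.20.5 port 443 \
    flags S/SA keep state

# WAN -> host A:443, the "pairwise" WAN<->DMZ case: bound to the WAN member,
# so only frames that arrive on em0 can use it.
pass in quick on em0 inet proto tcp from any to 10.0.20.5 port 443 \
    flags S/SA keep state
```

The ingress member identifies the source segment, which is what the post is missing; the destination side still has to be named by address (host A here), because in a flat /16 a LAN host and a WAN host are not distinguishable by IP. A rule such as "DMZ may reach WAN but not LAN" therefore cannot be expressed with ingress interface plus address alone in this topology, and needs either distinct prefixes per segment or per-destination host rules.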
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.