Help needed on filtering bridge rules
Hello all, this is the first time I'm implementing a filtering bridge with 2.5.0 CE, and I need some advice to figure things out.
This is a 3-segment network, LAN, DMZ, and WAN, all bridged to an OPT1 interface, as per the instructions in https://forum.netgate.com/topic/46137/pfsense-2-0-transparent-firewall-firewall-bridge
In my implementation the only difference is that, since I do not want the device to be accessed from DMZ and WAN, I've assigned the management IP to the LAN interface.
All segments are inside the same 10.x.0.0/16 network, which I'm trying to "segment" using pfsense. Of course I've disabled RFC1918 blocking.
What I want to do is filter access to hosts in the DMZ in a granular way. As an example, I want to allow access to port 443 of a DMZ host A only when the access is made from the LAN side of the bridge.
In essence, if this was a normal/routed firewall, I'd have a firewall allow rule on the LAN interface.
In bridged mode it feels as if something is missing (most likely a "feature" of bridging). I thought of implementing an allow rule on the OPT interface, as in: allow on OPT1 TCP from "LAN net" to <host A> port 443. This translates to:
pass in quick on bridge0 inet proto tcp from 10.x.0.0/16 to <host A> port = https flags S/SA keep state
The problem here is that the bridge is immersed in this 10.x.0.0/16. IOW, the above rule would allow (if I understand correctly) a host with a 10.x.0.0/16 IP residing anywhere, including WAN, to access host A/443.
Can someone provide some advice here on how I could implement this rule to perform as I intend (and possibly "pairwise" rules, like DMZ<->WAN, LAN<->WAN, etc.)? That is, apply only when it arrives on LAN1?
Thanks in advance for any information provided!
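A per-member rule set along these lines, as an added example that is not part of the original post or the linked guide: it filters on the bridge members instead of bridge0, so a rule is tied to the interface a frame arrived on rather than to an address that all three segments share. The member names, host addresses and sysctl values are assumptions.

```pf
# Added example, not from the original post. Assumes the bridge members
# are em0 (LAN), em1 (DMZ), em2 (WAN), that host A is 10.0.0.10 (placeholder),
# and that pf filters on the members, not on bridge0:
#   net.link.bridge.pfil_member=1
#   net.link.bridge.pfil_bridge=0
lan_if   = "em0"
dmz_if   = "em1"
wan_if   = "em2"
site_net = "10.0.0.0/16"                     # all three segments share this /16
host_a   = "10.0.0.10"                       # DMZ host A, placeholder
table <dmz_hosts> { 10.0.0.10, 10.0.0.11 }   # every host on the DMZ segment, placeholders

set skip on lo0

# Decide once, on the member the frame entered. Egress on the other member
# is passed unconditionally so the packet is not judged a second time.
block in log all
pass out quick all keep state

# Management: only frames entering on the LAN member reach the firewall itself.
pass in quick on $lan_if inet proto tcp from $site_net to ($lan_if) port 443 flags S/SA keep state

# LAN -> DMZ: host A on 443 only. The same 10.x source arriving on
# $dmz_if or $wan_if never matches this rule and falls through to "block in".
pass in quick on $lan_if inet proto tcp from $site_net to $host_a port 443 flags S/SA keep state
block in quick on $lan_if to <dmz_hosts>     # nothing else from LAN into the DMZ

# LAN -> WAN: anything not destined for the DMZ. WAN hosts share the /16,
# so the DMZ table, not a subnet, is what tells LAN->DMZ apart from LAN->WAN.
pass in quick on $lan_if from $site_net keep state

# DMZ -> WAN: DMZ hosts may initiate only to addresses outside the site /16
# (assumption for this example); DMZ -> LAN is therefore not allowed, and
# nothing entering on $wan_if is allowed to initiate at all.
pass in quick on $dmz_if from <dmz_hosts> to ! $site_net keep state
```

With pfil_bridge=0 the rule on bridge0 from the post is never consulted, so every allow decision is made on a member and is attributable to the segment the frame came from.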