Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Opinions Requested: Rules for Transit Networks

    Firewalling
    2
    2
    246
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pokrifchakd
      last edited by

      I'm curios as to what the community thinks about firewall rules placed on transit networks between local routers/firewalls. Do you place an allow any any rule and let the rules on the subnet interfaces handle things, or do you tailor what subnets and ports are allowed across the transit link?

      Personally, I'm leaning towards opening up the transit links for rule simplicity, as the dynamic routing drives the number of combinations/permutations quite high.

      For context, here's the network I'm working with, with a focus on the 10.10.111.x links:
      Router Interlinks-Current Design.jpg

      keyserK 1 Reply Last reply Reply Quote 0
      • keyserK
        keyser Rebel Alliance @pokrifchakd
        last edited by

        @pokrifchakd Very much depends on your level of control on both ends of the transit network.
        If I have full control of both ends (and the interfaces there), I use ANY-ANY for transit and control access directly at the clientfacing interfaces.

        If I do not have full control of one end, I use the incoming interface on the transit link at the other end as a "defacto" client filtering interface.

        Love the no fuss of using the official appliances :-)

        1 Reply Last reply Reply Quote 2
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.