Transparent Bridge Filter Confusion
-
I am new to pfSense, and I am trying to install and set up a transparent bridge on a Nokia IP130. The install was without issue but I am confused with respect to transparent bridge filtering. Some documents indicate filtering is to be done on the bridge interface and not the bridge member interfaces, and other documents/posts reference the default of filtering on the bridge member interfaces. I have bridged the WAN and OPT interfaces, neither of which is to have an IP address. The LAN interface is my management interface - it has a static IP.
Could someone please enlighten me with respect to the following:
1. Under what conditions/requirements would I filter on the bridge interface?
2. Under what conditions/requirements would I filter on the bridge member interfaces?
Thanks,
-
1. Under what conditions/requirements would I filter on the bridge interface?
2. Under what conditions/requirements would I filter on the bridge member interfaces?

1. You want the common filtering on all bridge members, for example, wired LAN and WiFi should both have full access to each other.
2. You want different filtering on each member of the bridge interface, for example, in your configuration you might want to block pings arriving on "WAN" and pass pings arriving on OPTx.
-
In a transparent bridge setup you would normally leave filtering on the member interfaces (the default position).
This is because traffic will mostly flow across the bridge only and not from the bridge to a separate interface. However, as Wallabybob says, if you have further interfaces not included in the bridge you may want to enable filtering on the bridge interface to simplify the firewall rules.
Steve
-
Thanks for the enlightenment!
Then as I understand it, I set up rules on my OPTx and WLAN interfaces for traffic passing between these interfaces since I have bridged these interfaces. However, since the LAN interface is my management interface I can set up filtering on the bridge interface for any traffic between the OPTx-WLAN bridge and the LAN interface?
-
Yes, providing you have modified the appropriate sysctl to enable it.
Steve
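As an added example (not from this thread or from pfSense itself): the sysctls Steve refers to are the FreeBSD if_bridge knobs net.link.bridge.pfil_member (filter on the member NICs, pfSense default 1) and net.link.bridge.pfil_bridge (filter on the bridge interface, pfSense default 0). The script below reads them and reports which of your rule sets are actually evaluated, because rules placed on an interface whose pfil knob is 0 never match at all; the interface names (bridge0 for the WAN/OPT bridge, em1/em2 as its members, em0 as the LAN management interface) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or pfSense. FreeBSD if_bridge hooks pf into
# bridge members only when net.link.bridge.pfil_member=1 (pfSense default) and into
# the bridge interface only when net.link.bridge.pfil_bridge=1 (pfSense default 0).
# bridge_filter_mode PFIL_MEMBER PFIL_BRIDGE -> prints member|bridge|both|none
bridge_filter_mode() {
    case "$1$2" in
        10) echo member ;;  01) echo bridge ;;
        11) echo both ;;    00) echo none ;;
        *)  echo unknown; return 1 ;;
    esac
}
# check_rule_placement PFIL_MEMBER PFIL_BRIDGE BRIDGE_IF "MEMBER_IF ..." RULE_IF...
# Prints one line per interface that carries rules; returns 1 if any of those
# rule sets can never match because pf is not hooked into that interface type.
check_rule_placement() {
    pm=$1 pb=$2 bif=$3 members=" $4 "
    shift 4
    rc=0
    for ifc in "$@"; do
        case "$ifc" in
            "$bif") enabled=$pb; kind="bridge interface" ;;
            *) case "$members" in
                   *" $ifc "*) enabled=$pm; kind="bridge member" ;;
                   *)          enabled=1;   kind="non-bridge interface" ;;
               esac ;;
        esac
        if [ "$enabled" = 1 ]; then
            echo "$ifc ($kind): rules are evaluated"
        else
            echo "$ifc ($kind): rules are DEAD, pfil is off for this interface type"
            rc=1
        fi
    done
    return $rc
}
# Live sysctls on FreeBSD/pfSense; elsewhere fall back to the pfSense defaults.
live_pfil_values() {
    m=$(sysctl -n net.link.bridge.pfil_member 2>/dev/null) || m=1
    b=$(sysctl -n net.link.bridge.pfil_bridge 2>/dev/null) || b=0
    echo "$m $b"
}
# Demo with constructed names: bridge0 = WAN(em1)+OPT(em2), em0 = LAN management.
set -- $(live_pfil_values)
echo "filtering mode: $(bridge_filter_mode "$1" "$2")"
if ! check_rule_placement "$1" "$2" bridge0 "em1 em2" em0 em1 em2 bridge0; then
    echo "dead rule sets found: move them, or change the sysctls under System > Advanced > System Tunables"
fi
```

With the pfSense defaults the demo flags any rules on bridge0 as dead, which is exactly the trap in the question: bridge-interface rules only take effect once pfil_bridge is set to 1.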