WAN / OPT Bridging - firewall rules - clarification
I have some questions regarding bridging the WAN on 2.0.3.
My goal is to be able to send all traffic destined for certain public IPs out to VLAN 1120 for assignment to customer router WAN ports anywhere on the campus. I only want traffic for a subset of public IPs to be forwarded to VLAN 1120, not everything on the WAN. It would also be great if traffic coming in from VLAN 1120 that was not sourced from this subset of public IPs was dropped.
I also want the LAN port to have traditional NAPT internet access.
I have done the following:
Interface ifname Characteristics
COX_WAN bge0_vlan1000 Type: none, Tagged VLAN 1000 to Metro Ethernet
INSIDE_WAN bge1_vlan1120 Type: none, Tagged VLAN 1120 to inside switch trunk port
WAN bridge0 Type: Static, 184.108.40.206/28, Members: COX_WAN, INSIDE_WAN
LAN bge1_vlan1199 Type: Static, 172.21.199.1/24, DHCP Server, DNS Forwarder, Etc.
I have a /28 from Cox to utilize. 220.127.116.11/28. Of that, I want to reserve the last 4 addresses for these assignments so I created a firewall alias:
I have these System Tunables set:
This is where I get foggy. I am having a hard time wrapping my head around what rules need to go where on the bridge/bridge members and upon what traffic they operate. The rules on the WAN (bridge0) seem to be functioning as expected with regard to the traditional NAPT for the LAN.
Here are the rules I currently have:
udp 1194 from any to WAN address # For OpenVPN for Management
icmp from any to WAN Net # Want to be able to ping public IPs
COX_WAN (Cox Metro E)
all from any to cust_public_ips
INSIDE_WAN (VLAN 1120 to customer router WAN ports)
all from cust_public_ips to any
Which rules actually operate on traffic coming into WAN/COX_WAN from the Metro E? The ones on WAN, COX_WAN, or Both?
It appears to me that the rules on bridge0 operate on traffic destined for its IP address and the rules on COX_WAN operate on everything else.
The rules on WAN (bridge0) appear to operate whether net.link.bridge.pfil_bridge is 0 or 1, which I find odd. For instance, if I disable/enable this rule:
Pass TCP * * 172.21.199.10 22
I appropriately cannot/can open an ssh session for which I have created a port forward in NAT.
Any clarity that can be provided would be welcome.