WAN / OPT Bridging - firewall rules - clarification


  • Netgate

    I have some questions regarding bridging the WAN on 2.0.3.

    My goal is to be able to send all traffic destined for certain public IPs out to VLAN 1120 for assignment to customer router WAN ports anywhere on the campus.  I only want traffic for a subset of public IPs to be forwarded to VLAN 1120, not everything on the WAN. It would also be great if traffic coming in from VLAN 1120 that was not sourced from this subset of public IPs was dropped.

    I also want the LAN port to have traditional NAPT internet access.

    I have done the following:

    Interface        ifname            Characteristics
    COX_WAN      bge0_vlan1000  Type: none, Tagged VLAN 1000 to Metro Ethernet
    INSIDE_WAN    bge1_vlan1120  Type: none, Tagged VLAN 1120 to inside switch trunk port
    WAN              bridge0            Type: Static, 24.120.64.146/28, Members: COX_WAN, INSIDE_WAN
    LAN                bge1_vlan1199  Type: Static, 172.21.199.1/24, DHCP Server, DNS Forwarder, Etc.

    I have a /28 from Cox to utilize. 24.120.64.144/28.  Of that, I want to reserve the last 4 addresses for these assignments so I created a firewall alias:

    cust_public_ips
    24.120.64.155/32
    24.120.64.156/32
    24.120.64.157/32
    24.120.64.158/32

    I have these System Tunables set:

    net.link.bridge.pfil_member:  default(1)
    net.link.bridge.pfil_bridge:  1

    This is where I get foggy.  I am having a hard time wrapping my head around what rules need to go where on the bridge/bridge members and upon what traffic they operate.  The rules on the WAN (bridge0) seem to be functioning as expected with regard to the traditional NAPT for the LAN.

    Here are the rules I currently have:

    WAN (bridge0)

    udp 1194 from any to WAN address  # For OpenVPN for Management
    icmp from any to WAN Net          # Want to be able to ping public IPs

    COX_WAN (Cox Metro E)
    all from any to cust_public_ips

    INSIDE_WAN (VLAN 1120 to customer router WAN ports)
    all from cust_public_ips to any

    Which rules actually operate on traffic coming into WAN/COX_WAN from the Metro E?  The ones on WAN, COX_WAN, or Both?

    It appears to me that the rules on bridge0 operate on traffic destined for its IP address and the rules on COX_WAN operate on everything else.

    The rules on WAN (bridge0) appear to operate whether net.link.bridge.pfil_bridge is 0 or 1, which I find odd.  For instance, if I disable/enable this rule:

    WAN/bridge0
    Pass TCP * * 172.21.199.10 22

    I appropriately cannot/can open an ssh session for which I have created a port forward in NAT.

    Any clarity that can be provided would be welcome.


Locked