Transparent firewall using layer 3 bridges
Hello pfSense Community,
I am seeking your advice on the proper approach and best practices to configure a pfSense router as a transparent firewall using layer 3 bridges. I have limited networking experience, so any advice, pfSense-specific or just networking in general, is greatly appreciated.
I have searched the forums, various search engines, and read several recommended books seeking a clear answer to these questions. I have not been able to locate a specific example / tutorial / build book to show this configuration.
Please consider the diagram in the link below. It shows a high-level network and information about logical interfaces, possible IP configurations, and desired firewall setup.
- There is a physical LAN and a wireless LAN
- Each LAN has two VLANs: 10 & 20
- Need to bridge VLAN10 on the physical LAN to VLAN10 on the wireless LAN (bridge0)
- And also, bridge VLAN20 on the physical LAN to VLAN20 on the wireless LAN (bridge1)
- Broadcast traffic between physical and wireless is a key business requirement
- Traffic will pass by default between physical and wireless within a respective VLAN (rules #4,5,8,9)
- Specific drop rules will be implemented to secure specific high security nodes (see #6,7 below)
- Hoping to add a single rule to represent both physical and wireless traffic for inter-VLAN rules (rules #1,2,3)
(A) What is the proper way to set up the IP configuration? Option 1? Option 2? Something else?
(B) The objective of rules #1,2,3 is to provide the same rule no matter if the traffic originates from the physical or wireless – is this the right way?
(C) The solution must be able to log any traffic between physical and wireless LANs within the same VLAN / bridge. Of course, traffic is only logged when a matching log rule is applied. Does the recommendation from question A support this? If so, does the rule get applied to the bridge interface or the two VLAN interfaces?
(D) In this scenario should a rule be applied to the bridge interface vs the VLAN interface?
(E) In this scenario should net.link.bridge.pfil_member be disabled?
(F) In this scenario should net.link.bridge.pfil_bridge be enabled?
Link to diagram (page #2): https://docs.google.com/file/d/0B3wsw62g3AvnaE14WTJBQUY1RDg/edit?usp=sharing