Possible to restrict certain IP addresses to a specific interface on a bridge?



  • Hi All,

    I have a scenario where I have a LAN and a DMZ bridged, which is very uncommon, but both have to share the same network address for licensing reasons (this network was originally built as a flat switched network without a DMZ). I still need rules between the partly exposed server and the clients and therefore I created a filtering bridge.
    I have never used a filtering bridge before, as normally I would always use different networks and route between them for proper DMZ functionality, but I can't do that in this case.

    Now there is a server sitting in the DMZ, address for example 192.168.100.10, the only device on the DMZ interface; the network is 192.168.100.0/24.
    On the LAN interface the rest of the clients are located; the network is also 192.168.100.0/24.
    I set up incoming NAT rules and rules between the LAN and the DMZ - all works as expected.

    There is one thing I haven't found out yet: How can I restrict IP addresses to a certain "side" of the bridge? In this case: How can I ensure that 192.168.100.10 will always be forwarded to the DMZ interface and never to the LAN interface? When everything is working normally there is no reason for this restriction because the ARP table does the job, but let's imagine someone on the LAN side of the bridge sets up a second IP address on a local PC interface with 192.168.100.10. How can I prevent any traffic from the WAN being forwarded to that spoofed IP address?
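The question above amounts to pinning an IP address to one member port of the bridge, in both directions: drop anything that enters on the wrong port claiming the pinned address (IP and ARP, since a spoofed ARP sender is what would poison the neighbour caches), and force anything destined for the pinned address out of the right port no matter what the bridge's learned MAC table says. The block below is an added example, not code from the original post or from any product it may be running: it simulates that policy on a two-port learning bridge with constructed frames, and renders the same policy as a Linux nftables bridge-family ruleset. The port names "lan" and "dmz", the client address 192.168.100.50 and all MAC addresses are assumptions; the poster's platform is not stated, so the nftables output is one implementation, not necessarily theirs.

```python
"""Pin an IP address to one member port of a filtering bridge (added example).

Assumes a bridge with two member ports, "lan" and "dmz" (constructed names).
The server 192.168.100.10 may only ever appear on "dmz".
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

# Policy: pinned address -> the only port on which it may legitimately live.
PINNED: Dict[IPv4Address, str] = {IPv4Address("192.168.100.10"): "dmz"}
PORTS = ("lan", "dmz")


@dataclass(frozen=True)
class Frame:
    in_port: str
    src_mac: str
    dst_mac: str
    proto: str           # "ip" or "arp"
    src_ip: IPv4Address  # for ARP frames: sender protocol address
    dst_ip: IPv4Address  # for ARP frames: target protocol address


class FilteringBridge:
    """Two-port learning bridge with an IP-to-port binding check."""

    def __init__(self) -> None:
        self.fdb: Dict[str, str] = {}  # MAC -> port, learned from ingress

    def decide(self, f: Frame) -> Tuple[str, Optional[str]]:
        """Return (verdict, out_port); verdict is "drop" or "forward"."""
        # 1. Ingress check: a pinned address may only enter on its own port.
        #    Applies to IP packets and to ARP sender addresses alike.
        home = PINNED.get(f.src_ip)
        if home is not None and f.in_port != home:
            return "drop", None

        # Ordinary learning: remember where this source MAC was seen.
        self.fdb[f.src_mac] = f.in_port

        # 2. Egress check: traffic to a pinned address leaves on its home
        #    port regardless of the FDB. An attacker who also spoofs the
        #    server's MAC on the LAN side poisons the FDB; this makes that
        #    poisoning useless for traffic addressed to the server's IP.
        out = PINNED.get(f.dst_ip)
        if out is None:
            out = self.fdb.get(f.dst_mac) or self._flood_target(f.in_port)
        return "forward", out

    @staticmethod
    def _flood_target(in_port: str) -> str:
        # Two-port bridge: flooding means "the other port".
        return "dmz" if in_port == "lan" else "lan"


def nft_ruleset(pinned: Dict[IPv4Address, str] = PINNED, ports=PORTS) -> str:
    """Render the same policy as an nftables bridge-family ruleset (Linux).

    Ingress pins sit in the prerouting hook so they also cover frames to the
    firewall host itself; egress pins sit in postrouting so they also cover
    frames the host injects into the bridge (e.g. WAN traffic it has NATed
    towards the server), not only frames bridged between member ports.
    """
    ingress, egress = [], []
    for ip, home in pinned.items():
        for other in ports:
            if other == home:
                continue
            ingress.append(f'        iifname "{other}" ip saddr {ip} drop')
            ingress.append(f'        iifname "{other}" arp saddr ip {ip} drop')
            egress.append(f'        oifname "{other}" ip daddr {ip} drop')
            egress.append(f'        oifname "{other}" arp daddr ip {ip} drop')
    return "\n".join([
        "table bridge pinning {",
        "    chain ingress_pins {",
        "        type filter hook prerouting priority 0; policy accept;",
        *ingress,
        "    }",
        "    chain egress_pins {",
        "        type filter hook postrouting priority 0; policy accept;",
        *egress,
        "    }",
        "}",
    ])


def scenario() -> Dict[str, object]:
    """Constructed frames (sample data, not captured traffic)."""
    server_ip, client_ip = IPv4Address("192.168.100.10"), IPv4Address("192.168.100.50")
    other_ip = IPv4Address("192.168.100.77")
    srv_mac, cli_mac, bad_mac = "02:00:00:00:00:10", "02:00:00:00:00:50", "02:00:00:00:00:99"
    bcast = "ff:ff:ff:ff:ff:ff"
    br = FilteringBridge()
    r: Dict[str, object] = {}
    # Legitimate ARP reply from the real server, arriving on the DMZ port.
    r["server_arp"] = br.decide(Frame("dmz", srv_mac, cli_mac, "arp", server_ip, client_ip))
    # LAN host announces the server's IP (gratuitous ARP): dropped at ingress.
    r["spoofed_arp"] = br.decide(Frame("lan", bad_mac, bcast, "arp", server_ip, server_ip))
    # Same host spoofs the server's MAC with its own IP to poison the FDB.
    r["mac_poison"] = br.decide(Frame("lan", srv_mac, cli_mac, "ip", other_ip, client_ip))
    r["fdb_server_mac"] = br.fdb[srv_mac]  # now points at "lan": poisoned
    # A client frame to the server still exits on dmz, not the poisoned port.
    r["client_to_server"] = br.decide(Frame("lan", cli_mac, srv_mac, "ip", client_ip, server_ip))
    return r


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:18} {verdict}")
    print(nft_ruleset())
```

Loading the rendered ruleset with `nft -f` gives the two halves of the protection: the ingress rules stop a LAN host from ever presenting 192.168.100.10 (or an ARP claim to it) to the bridge, and the egress rules stop any frame addressed to that IP from leaving on the LAN port even if the MAC table has been poisoned. The same split, an input-side block and an output-side block per member interface, is what to look for in whatever rule syntax the bridge platform actually uses.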