Netgate Discussion Forum

    Possible to restrict certain IP addresses to a specific interface on a bridge?

    Firewalling | 1 Posts, 1 Posters, 531 Views
    ConfusedUser

      Hi All,

      I have a scenario where I have a LAN and DMZ bridged, which is very uncommon, but both have to share the same network address for licensing reasons (this network was originally built as a flat switched network without a DMZ). I still need rules between the partly exposed server and the clients, and therefore I created a filtering bridge.
      I have never used a filtering bridge before, as normally I would always use different networks and route between them for proper DMZ functionality, but I can't do that in this case.

      Now there is a server sitting in the DMZ, address for example 192.168.100.10, only device on the DMZ interface, network 192.168.100.0/24.
      On the LAN interface the rest of the clients are located; the network is also 192.168.100.0/24.
      I set up incoming NAT rules and rules between the LAN and the DMZ - all works as expected.

      There is one thing I haven't found out yet: How can I restrict IP addresses to a certain "side" of the bridge? In this case: How can I ensure that 192.168.100.10 will always be forwarded to the DMZ interface and never to the LAN interface? When everything is working normally there is no reason for this restriction because the ARP table does the job, but let's imagine someone on the LAN side of the bridge sets up a second IP address on a local PC interface with 192.168.100.10. How can I prevent any traffic from the WAN from being forwarded to that spoofed IP address?

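One way to express the requested restriction at the IP layer is with pf rules evaluated on the bridge member interfaces. This is an added example, not part of the original post or a Netgate recommendation; the interface names, the macro values and the assumption that pf filters on the members (net.link.bridge.pfil_member=1) are assumptions, and pf does not filter ARP.

```pf
# Added example: pin the DMZ server's address to the DMZ member of a
# filtering bridge at the IP layer. Interface names and the pfil_member
# assumption are not taken from the post.
lan_if = "em1"            # assumed LAN bridge member
dmz_if = "em2"            # assumed DMZ bridge member
srv    = "192.168.100.10" # the server from the post

# Nothing on the LAN side may source traffic as the server ...
block in  quick on $lan_if from $srv
# ... and nothing destined for the server is forwarded out to the LAN side,
# including connections arriving from the WAN via the NAT rules.
block out quick on $lan_if to $srv

# The server is reachable only through the DMZ member; existing LAN<->DMZ
# rules in the GUI still decide which ports are allowed.
pass in  quick on $dmz_if from $srv
pass out quick on $dmz_if to $srv

# pf filters IP, not ARP: a duplicate 192.168.100.10 on the LAN can still
# answer ARP, so the bridge address table (ifconfig bridge0 addr) is the place
# to check for the server's MAC unexpectedly learned on $lan_if.
```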
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.