Bridge LAN and DMZ for shaping purposes



  • Hi,

    I'm trying to limit download traffic on two interfaces, LAN and DMZ. The problem is that I don't want to limit the queues to a fixed bandwidth.
    I read that in order to do this I should bridge interfaces.
    I'm a little bit concerned about the security implications of this approach, what do you think? I think that an attacker on the server cannot sniff traffic on the LAN interface not routed to the DMZ, but I'm not sure.

    I defined the bridge and assigned it to a new interface. Do you think that the Traffic Shaper Wizard will work or I need to do something else?
    I have attached what I see in the interfaces definition.

    And what about using a limiter? Could it be used to achieve the same result?

    Thanks,
    Stenio



  • Is there a reason why you can't treat this as a dual LAN setup, where the actual LAN is one network and the DMZ is another?

    What exactly are you trying to do and what is the problem you're having?



  • @Harvy66:

    Is there a reason why you can't treat this as a dual LAN setup, where the actual LAN is one network and the DMZ is another?

    Hi Harvy,

    Yes, there is: I would like to share the download bandwidth between the two interfaces.

    Thanks,
    Stenio


  • Netgate

    Say you assign the bridge an IP address of 192.168.0.1/23

    Put the LAN computers on bridge member LAN and the DMZ computers on bridge member DMZ.

    Make sure LAN computers are assigned addresses from 192.168.0.2 to 192.168.0.254 and DMZ computers are assigned addresses 192.168.1.2 - 192.168.1.254.

    Put a pass rule on the LAN member passing traffic from 192.168.0.0/24 to any.

    Put these rules on the DMZ member:

    pass source 192.168.1.0/24 to DNS, Certain LAN assets, ICMP to 192.168.0.1, whatever, etc, etc.
    reject source 192.168.1.0/24 dest 192.168.0.0/24
    pass source 192.168.1.0/24 any

    Put normal LAN-type rules on the bridge interface.

    You should then be able to shape on the bridge and even easily put DMZ and LAN in different queues based on subnet.

    Someone on the DMZ is prevented from just setting an IP in the LAN subnet and accessing LAN computers by the bridge member filters.
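
    The following is an added example, not code from the thread or from pfSense, that models the rule ordering Derelict describes as pf-style first-match ("quick") evaluation and runs constructed packets through it, including the case of a DMZ host that sets itself a LAN address. Member interface names em1 (LAN) and em2 (DMZ), and the choice of UDP/53 and ICMP to the bridge address 192.168.0.1 as the "DNS / ICMP" allowances, are assumptions; everything else follows the post (bridge 192.168.0.1/23, LAN hosts in 192.168.0.0/24, DMZ hosts in 192.168.1.0/24).

```python
"""Model of first-match firewall evaluation on the two bridge members.

Added example (not pfSense code). Assumptions: LAN member is em1, DMZ
member is em2, "DNS" means UDP/53 to the bridge address and "ICMP to
192.168.0.1" is modelled as any ICMP to that address.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

BRIDGE_IP = "192.168.0.1"
LAN_NET = ip_network("192.168.0.0/24")
DMZ_NET = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    iface: str            # member interface the packet arrives on
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str           # "pass" or "reject"
    src: str              # CIDR
    dst: str              # CIDR or "any"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if p.iface != self.iface:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


# Ordered like the post: pfSense interface rules are "quick", so the
# first match decides and nothing below it is consulted.
RULES = [
    # LAN member: LAN subnet may go anywhere.
    Rule("em1", "pass", "192.168.0.0/24", "any"),
    # DMZ member: explicit allowances toward LAN-side assets first ...
    Rule("em2", "pass", "192.168.1.0/24", BRIDGE_IP + "/32", proto="udp", dport=53),
    Rule("em2", "pass", "192.168.1.0/24", BRIDGE_IP + "/32", proto="icmp"),
    # ... then reject the rest of DMZ -> LAN subnet ...
    Rule("em2", "reject", "192.168.1.0/24", "192.168.0.0/24"),
    # ... then DMZ to anywhere else (Internet).
    Rule("em2", "pass", "192.168.1.0/24", "any"),
]


def evaluate(p: Packet, rules=RULES) -> str:
    """Verdict for p. No matching rule means the implicit default deny,
    which is what stops a DMZ host that spoofs a LAN address: none of the
    em2 pass rules match a source outside 192.168.1.0/24."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"


def shaper_queue(p: Packet) -> str:
    """Queue selection by source subnet once shaping is done on the bridge."""
    src = ip_address(p.src)
    if src in LAN_NET:
        return "qLAN"
    if src in DMZ_NET:
        return "qDMZ"
    return "qDefault"


if __name__ == "__main__":
    # Constructed sample traffic (203.0.113.5 is a documentation address).
    samples = [
        Packet("em1", "192.168.0.10", "203.0.113.5"),                 # LAN -> Internet
        Packet("em2", "192.168.1.10", BRIDGE_IP, "udp", 53),          # DMZ -> DNS
        Packet("em2", "192.168.1.10", "192.168.0.20", "tcp", 445),    # DMZ -> LAN host
        Packet("em2", "192.168.1.10", "203.0.113.5"),                 # DMZ -> Internet
        Packet("em2", "192.168.0.50", "192.168.0.20", "tcp", 445),    # DMZ host spoofing a LAN IP
        Packet("em1", "192.168.1.5", "203.0.113.5"),                  # DMZ IP plugged into LAN member
    ]
    for s in samples:
        print(f"{s.iface} {s.src} -> {s.dst} {s.proto}/{s.dport}: "
              f"{evaluate(s)} ({shaper_queue(s)})")
```

    Two caveats when carrying this over to a real pfSense bridge: the member-interface rules only take effect if filtering on members is enabled (net.link.bridge.pfil_member=1, which is the pfSense default), and rules placed on the bridge interface itself only take effect with net.link.bridge.pfil_bridge=1 (System > Advanced > System Tunables). The model above also does not cover L2 attacks such as ARP spoofing between members, which the IP-layer member filters do not address.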



  • Derelict,

    Thank you very much for your answer.



  • @stenio:

    @Harvy66:

    Is there a reason why you can't treat this as a dual LAN setup, where the actual LAN is one network and the DMZ is another?

    Hi Harvy,

    Yes, there is: I would like to share the download bandwidth between the two interfaces.

    Thanks,
    Stenio

    Yes, seems I derped a bit there. I realized it when I read another post a few days later. I am interested in how to best handle the issue of multi-LAN where queues can't share interfaces. If there was a way, outside of yet another firewall, to have a single QoS queue for both interfaces, that would make it simple.