Dear colleagues,
I have various network appliances that I don't really trust, like
a printer. I have these plugged into an unmanaged switch and
connected to network interface igc2.
I want to allow the igc1 network to make web requests to the igc2
network, and I want the igc2 network to have very restricted access
outside of igc2.
(My main computer is connected to network interface igc1.
And the egress interface is igc0.)
MY QUESTION: What would be a normal way of achieving this?
For further clarification, I provide what I have tried so far that
did not turn out as I wanted.
I tried with bridging igc1 and igc2 and setting tags
in hostname.igc{1,2}. I configured the bridge as specified
in the FAQ except I also added lines like this
in /etc/hostname.bridge0.
rule pass in on igc1 tag white
rule pass in on igc2 tag yellow
(The tag names are the colors of the ethernet cables.)
The bridge worked exactly like I expected except that it seemed
tags weren't applied, based on what I saw in pfctl and tcpdump.
Since the tags weren't applied, I couldn't restrict
the communication as I wanted.
I also tried setting different subnets.
/etc/hostname.igc1:
inet 192.168.2.1/24
/etc/hostname.igc2:
inet 192.168.3.1/24
With this everything works as I want except that
the only way I figured out to allow hosts on 192.168.2.1/24
to access 192.168.3.1/24 was with NAT, and that can't be right.
With appreciation,
Ibsen
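One routed (non-bridged) way to get this behaviour, as an added example and not the poster's own configuration: keep the two subnets from the second attempt, let the router forward between them, and use pf to allow only trusted-to-untrusted web traffic. It assumes net.inet.ip.forwarding=1 is set in /etc/sysctl.conf, that igc0 carries the default route (so pf's automatic egress group is igc0), the addresses from the post (192.168.2.0/24 on igc1, 192.168.3.0/24 on igc2), and that the hosts on igc2 use 192.168.3.1 as their default gateway. The macro names and the choice of ports 80 and 443 are assumptions for this example.

```pf
# /etc/pf.conf (example, assumed layout)
trust_if  = "igc1"            # main computer lives here
iot_if    = "igc2"            # printer and other untrusted appliances
trust_net = "192.168.2.0/24"  # address from the post
iot_net   = "192.168.3.0/24"  # address from the post
web_ports = "{ 80 443 }"      # assumed: what "web requests" means here

set skip on lo

# Source NAT only on the way out to the Internet; never between igc1 and igc2.
# Internal-to-internal traffic is plainly routed, no translation needed.
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Default deny in both directions; every pass below is stateful, so replies
# (including the printer's HTTP responses to igc1) match the state and
# need no separate rule on $iot_if.
block all

# Trusted network: anything except the untrusted subnet
pass in on $trust_if inet from $trust_net to ! $iot_net
pass out on egress inet

# Trusted network may reach web interfaces on the untrusted network
pass in on $trust_if inet proto tcp from $trust_net to $iot_net port $web_ports

# Untrusted network: nothing it initiates may leave its own subnet.
# Logging the attempts shows which appliance is phoning home.
block drop in log on $iot_if inet from $iot_net to ! $iot_net
```

Check and load with `pfctl -nf /etc/pf.conf` then `pfctl -f /etc/pf.conf`; attempts by igc2 hosts to leave their subnet show up with `tcpdump -n -e -ttt -i pflog0`. One thing to verify if igc1 hosts still cannot reach igc2 without NAT: the appliances must have a route back to 192.168.2.0/24, normally via a default gateway of 192.168.3.1. An appliance with no gateway configured can only answer hosts on its own subnet, which makes NAT look like the only thing that works.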