Dear colleagues,
I have various network appliances that I don't really trust, like a printer. I have these plugged into an unmanaged switch and connected to network interface igc2. I want to allow the igc1 network to make web requests to the igc2 network, and I want the igc2 network to have very restricted access outside of igc2. (My main computer is connected to network interface igc1. And the egress interface is igc0.)

MY QUESTION: What would be a normal way of achieving this?

For further clarification, I provide what I have tried so far that did not turn out as I wanted.

I tried with bridging igc1 and igc2 and setting tags in hostname.igc{1,2}. I configured the bridge as specified in the FAQ except I also added lines like this in /etc/hostname.bridge0:

    rule pass in on igc1 tag white
    rule pass in on igc2 tag yellow

(The tag names are the colors of the ethernet cables.) The bridge worked exactly like I expected except that it seemed tags weren't applied, based on what I saw in pfctl and tcpdump. Since the tags weren't applied, I couldn't restrict the communication as I wanted.

I also tried setting different subnets.

    /etc/hostname.igc1: inet 192.168.2.1/24
    /etc/hostname.igc2: inet 192.168.3.1/24

With this everything works as I want except that the only way I figured out to allow hosts on 192.168.2.1/24 to access 192.168.3.1/24 was with NAT, and that can't be right.

With appreciation,
Ibsen
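An added example of the routed, NAT-free layout that the second attempt above describes; it is editorial illustration, not configuration from the poster or from the OpenBSD project. It assumes the interface names and subnets given in the message (igc0 egress, igc1 = 192.168.2.1/24 trusted, igc2 = 192.168.3.1/24 appliances) and that IP forwarding is enabled with net.inet.ip.forwarding=1 in /etc/sysctl.conf. Because the two subnets are directly attached to the same router, traffic between them is ordinary routing; NAT is only applied toward the internet, and pf rules decide what crosses between igc1 and igc2.

```pf
# Added example (not from the original post). Assumes net.inet.ip.forwarding=1
# and the subnets named in the post: igc1 = 192.168.2.1/24 (trusted LAN),
# igc2 = 192.168.3.1/24 (untrusted appliances), igc0 = egress.
ext_if = "igc0"
lan_if = "igc1"   # trusted LAN, white cable
app_if = "igc2"   # untrusted appliances, yellow cable
lan_net = $lan_if:network
app_net = $app_if:network
web_ports = "{ 80 443 }"

set skip on lo
block return log all      # default deny; blocked packets are visible on pflog0

# NAT only where it is needed: trusted LAN toward the internet.
match out on $ext_if inet from $lan_net nat-to ($ext_if)
pass out on $ext_if

# Trusted LAN: anything except the appliance subnet, plus web and ping into it.
# Return traffic for these connections is admitted by pf's state table.
pass in on $lan_if inet from $lan_net to ! $app_net
pass in on $lan_if inet proto tcp from $lan_net to $app_net port $web_ports
pass in on $lan_if inet proto icmp from $lan_net to $app_net icmp-type echoreq

# Appliances: DHCP and DNS to the router itself; everything else (LAN hosts,
# the internet) falls through to the default block above.
pass in on $app_if inet proto udp from port 68 to port 67
pass in on $app_if inet proto { tcp udp } from $app_net to $app_if:0 port 53

# Replies and forwarded packets leaving on the internal interfaces.
pass out on { $lan_if $app_if }
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. To confirm the restriction works, attempt a connection from the appliance side toward 192.168.2.0/24 and watch `tcpdump -n -e -ttt -i pflog0`: the logged block entry names the interface and rule number that dropped it, while a web request from the trusted side to the appliance subnet should produce no pflog entry at all.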