I think it will work better with a "dummy" IP. But it will work without an IP as well now.

Scott

On 10/28/05, Peter Zaitsev <[EMAIL PROTECTED]> wrote:
> On Fri, 2005-10-28 at 12:11 -0400, Scott Ullrich wrote:
> > All these issues have been fixed. Please wait until the next version.
>
> Sure. I'm checking mirrors and your home directory every day for new
> stuff to try :)
>
> So what is going to be the official way for bridging mode? Is it no IP for
> LAN or the same as WAN?
>
> > On 10/28/05, Peter Zaitsev <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > I've recently tried a number of variants of setting pfSense in bridging
> > > mode for my small subnet, and I guess here is the state of things as it is
> > > now.
> > >
> > > Scott was going to fix some of these issues, but I guess it is good to
> > > summarize them anyway.
> > >
> > > So running in bridging mode you set 111.111.111.154/29 as the IP on your
> > > WAN interface. Your options for LAN are:
> > >
> > > 1) Set the LAN IP empty.
> > > You're allowed to set the IP empty, but this breaks a lot of rules in pf
> > > tables, as the LAN IP does not exist any more. And a check does not seem to
> > > be present.
> > >
> > > 2) Set the LAN IP address to be the same as the WAN IP. This is also allowed,
> > > but it breaks the "WAN spoof protection" rule, which does not seem like it can
> > > be disabled. I was told "Block traffic from private networks does it",
> > > but by my tests it does not.
> > >
> > > 3) Set the LAN IP address to be some fake one; I used 10.25.15.1.
> > > In this case it is the closest to being functional. It however does not
> > > identify the LAN subnet right, so firewall rules which include the LAN subnet do
> > > not work.
> > > There are some lesser items, such as lockout protection does
> > > not work, and this kind of stuff:
> > >
> > > (All these rules have LAN wrong)
> > >
> > > nat on em0 from 10.25.15.0/29 port 500 to any port 500 -> (em0) port 500
> > > nat on em0 from 10.25.15.0/29 to any -> (em0)
> > > pass in quick on em1 proto udp from any port = 68 to 10.25.15.1 port = 67 label "allow access to DHCP server on LAN"
> > > pass out quick on em1 proto udp from 10.25.15.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
> > > block in log quick on em0 from 10.25.15.0/29 to any label "WAN spoof check"
> > > block in log quick on em0 proto udp from any port = 67 to 10.25.15.0/29 port = 68 label "allow dhcp client out wan"
> > > pass in quick from 10.25.15.0/29 to 10.25.15.1 keep state label "anti-lockout web rule"
> > >
> > > How would I expect it to work?
> > >
> > > Leave it empty or set it the same as WAN; I think one or another should be
> > > made to work. WAN spoofing should not be enabled in such a case, and the LAN
> > > network should be identified correctly for setting firewall
> > > rules.
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
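As an added example (not code from the thread or from pfSense), a small Python audit that reads the pf rules Peter quoted and flags every rule that keys on the placeholder LAN subnet, plus any spoof-check rule that would block the real bridged subnet (the option-2 failure). The real subnet 111.111.111.152/29 is computed from the WAN address in the thread; the problem names and the regex-based rule parsing are this example's own assumptions.

```python
import ipaddress
import re

# Sample input: the pf rules quoted in the thread (LAN placeholder 10.25.15.0/29).
PF_RULES = """\
nat on em0 from 10.25.15.0/29 port 500 to any port 500 -> (em0) port 500
nat on em0 from 10.25.15.0/29 to any -> (em0)
pass in quick on em1 proto udp from any port = 68 to 10.25.15.1 port = 67 label "allow access to DHCP server on LAN"
pass out quick on em1 proto udp from 10.25.15.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
block in log quick on em0 from 10.25.15.0/29 to any label "WAN spoof check"
block in log quick on em0 proto udp from any port = 67 to 10.25.15.0/29 port = 68 label "allow dhcp client out wan"
pass in quick from 10.25.15.0/29 to 10.25.15.1 keep state label "anti-lockout web rule"
"""

# Bridged WAN address from the thread; hosts behind LAN really live in this subnet.
WAN_NET = ipaddress.ip_interface("111.111.111.154/29").network  # 111.111.111.152/29

ADDR_RE = re.compile(r"\b(?:from|to)\s+(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)")
LABEL_RE = re.compile(r'label "([^"]*)"')

def rule_networks(rule):
    """Return the IPv4 hosts/networks a pf rule names after 'from' or 'to'."""
    return [ipaddress.ip_network(a, strict=False) for a in ADDR_RE.findall(rule)]

def audit_bridge_rules(rules_text, lan_placeholder, real_lan=WAN_NET):
    """Return (label, problem) pairs for rules that misbehave in bridge mode.

    'placeholder'     : rule matches on the fake LAN subnet, so bridged clients
                        (which carry real_lan addresses) never hit it.
    'blocks-real-lan' : a spoof-check block covers real_lan itself, which is
                        what happens when LAN is set to the WAN address.
    """
    placeholder = ipaddress.ip_network(lan_placeholder, strict=False)
    real = ipaddress.ip_network(str(real_lan), strict=False)
    findings = []
    for rule in rules_text.splitlines():
        nets = rule_networks(rule)
        m = LABEL_RE.search(rule)
        label = m.group(1) if m else rule[:40]   # nat rules carry no label
        if any(n.subnet_of(placeholder) for n in nets):
            findings.append((label, "placeholder"))
        if "spoof" in label.lower() and any(n.overlaps(real) for n in nets):
            findings.append((label, "blocks-real-lan"))
    return findings

if __name__ == "__main__":
    for label, problem in audit_bridge_rules(PF_RULES, "10.25.15.0/29"):
        print(f"{problem:16} {label}")
```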
