On Fri, 2005-10-28 at 13:05 -0400, Scott Ullrich wrote:
> I think it will work better with a "dummy" IP.  But it will work
> without an IP as well now.

Hm. Dummy IP looks like the ugliest and the most unintuitive solution.

Also, as I noted, it results in a few options breaking - anti-lockout and
stuff.

If you've fixed these to use the WAN IP address in this case instead, I do
not understand why you need a fake address at all.

Practically speaking, all rules with a fake IP are broken, and the
functionality they are expected to provide does not work.

Well. Anyway, I'll just wait for the new version and check how it works in
all 3 cases.


> 
> Scott
> 
> On 10/28/05, Peter Zaitsev <[EMAIL PROTECTED]> wrote:
> > On Fri, 2005-10-28 at 12:11 -0400, Scott Ullrich wrote:
> > > All these issues have been fixed.  Please wait until the next version.
> >
> > Sure.  I'm checking mirrors and your home directory every day for new
> > stuff to try :)
> >
> > So what is going to be the official way for bridging mode? Is it no IP for
> > LAN or the same as WAN?
> >
> >
> >
> > > On 10/28/05, Peter Zaitsev <[EMAIL PROTECTED]> wrote:
> > > > Hi,
> > > >
> > > > I've recently tried a number of variants of setting pfSense in bridging
> > > > mode for my small subnet, and I guess here is the state of things as it is
> > > > now.
> > > >
> > > > Scott was going to fix some of these issues but I guess it is good to
> > > > summarize them anyway.
> > > >
> > > > So running in bridging mode you set 111.111.111.154/29 as the IP on your
> > > > WAN interface. Your options for LAN are:
> > > >
> > > > 1) Set LAN IP empty.
> > > > You're allowed to set the IP empty, but this breaks a lot of rules in pf
> > > > tables, as the LAN IP does not exist any more.  And the check does not seem
> > > > to be present.
> > > >
> > > > 2) Set the LAN IP address to be the same as the WAN IP.  This is also allowed,
> > > > but it breaks the "WAN spoof protection" rule, which does not seem like it
> > > > can be disabled.  I was told "Block traffic from private networks does it",
> > > > but by my tests it does not.
> > > >
> > > > 3) Set the LAN IP address to some fake one; I used 10.25.15.1.
> > > > In this case it is the closest to being functional.  It does, however, not
> > > > identify the LAN subnet right, so firewall rules which include the LAN subnet
> > > > do not work. There are some lesser items, such as lockout protection not
> > > > working, and this kind of stuff:
> > > >
> > > > (All these rules have LAN wrong)
> > > >
> > > > nat on em0 from 10.25.15.0/29 port 500 to any port 500 -> (em0) port 500
> > > > nat on em0 from 10.25.15.0/29 to any -> (em0)
> > > > pass in quick on em1 proto udp from any port = 68 to 10.25.15.1 port = 67 label "allow access to DHCP server on LAN"
> > > > pass out quick on em1 proto udp from 10.25.15.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
> > > > block in log quick on em0 from 10.25.15.0/29 to any label "WAN spoof check"
> > > > block in log quick on em0 proto udp from any port = 67 to 10.25.15.0/29 port = 68 label "allow dhcp client out wan"
> > > > pass in quick from 10.25.15.0/29 to 10.25.15.1 keep state label "anti-lockout web rule"
> > > >
> > > >
> > > >
> > > >
> > > > How would I expect it to work?
> > > >
> > > > Leave it empty or set it the same as WAN; I think one or the other should be
> > > > made to work.  WAN spoofing should not be enabled in such a case, and the LAN
> > > > network should be identified correctly for setting firewall rules.
> > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > >
> > > >
> > >
> > >
> >
> >
> >
> >
> 
> 



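A small audit of the rule listing quoted in this thread, added here as an example (it is not code from the thread or from pfSense): it re-templates the quoted rules for a chosen LAN setting and reports which of them are dead under the placeholder-LAN option, or match the bridged subnet's own traffic on WAN under the LAN-equals-WAN option. The re-templating assumes the generator substitutes the LAN address and LAN subnet exactly as seen in the listing; the rule text itself is the one quoted above.

```python
import ipaddress
import re

# Rule listing quoted in the thread: pfSense generated it with LAN set to the
# placeholder 10.25.15.1/29 (option 3) while bridging a /29 that lives on WAN.
PF_RULES = """\
nat on em0 from 10.25.15.0/29 port 500 to any port 500 -> (em0) port 500
nat on em0 from 10.25.15.0/29 to any -> (em0)
pass in quick on em1 proto udp from any port = 68 to 10.25.15.1 port = 67 label "allow access to DHCP server on LAN"
pass out quick on em1 proto udp from 10.25.15.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
block in log quick on em0 from 10.25.15.0/29 to any label "WAN spoof check"
block in log quick on em0 proto udp from any port = 67 to 10.25.15.0/29 port = 68 label "allow dhcp client out wan"
pass in quick from 10.25.15.0/29 to 10.25.15.1 keep state label "anti-lockout web rule"
"""

ADDR_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)(?![\d.])")
LABEL_RE = re.compile(r'label "([^"]*)"')


def render_rules(lan_cidr):
    """Re-template the quoted listing for another LAN setting. Assumption: the
    generator substitutes the LAN subnet and LAN address exactly as seen above."""
    lan = ipaddress.ip_interface(lan_cidr)
    return PF_RULES.replace("10.25.15.0/29", str(lan.network)).replace("10.25.15.1", str(lan.ip))


def audit_bridge_rules(rules, lan_cidr, wan_cidr):
    """Return (label, reason) for each rule that is dead or harmful when the box
    bridges, i.e. when the only real addresses on the wire are WAN-subnet ones."""
    lan_net = ipaddress.ip_interface(lan_cidr).network
    wan_net = ipaddress.ip_interface(wan_cidr).network
    findings = []
    for rule in rules.splitlines():
        nets = [ipaddress.ip_network(t, strict=False) for t in ADDR_RE.findall(rule)]
        if not any(n.overlaps(lan_net) for n in nets):
            continue  # rule does not depend on the LAN setting
        m = LABEL_RE.search(rule)
        label = m.group(1) if m else rule
        if lan_net == wan_net:
            # Option 2: LAN == WAN, so every WAN-side block rule keyed on the
            # "LAN subnet" now matches the bridged subnet's own traffic.
            if rule.startswith("block") and " on em0 " in rule:
                findings.append((label, f"block rule on WAN matches bridged subnet {wan_net}"))
        else:
            # Option 3: placeholder subnet. Bridged hosts carry WAN-subnet
            # addresses, so nothing on the wire ever matches these rules.
            findings.append((label, f"matches placeholder {lan_net}, never seen on the bridge"))
    return findings
```

Calling `audit_bridge_rules(render_rules(lan), lan, "111.111.111.154/29")` for each LAN setting prints the two failure modes side by side: seven dead rules for the fake 10.25.15.1, and the WAN-side block rules turning against the bridged subnet when LAN equals WAN.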