> You're missing the entire point. If you have one switch, VLAN 2 is
> your LAN, and VLAN 3 is your unfiltered Internet, and you put both 2
> and 3 untagged on the same port... there ya go. From there the amount
> of damage possible and ease of it happening depends on what kind of
> Internet connection you have.

You lose me right where you say "... there ya go".  How do you propose to get 
your malicious traffic to my vulnerable host?  Yes, it's now on the same layer 
2 domain - but I'm not sure how that can be exploited by an external attacker.

Think of it this way, if you'll accept an analogy:

I have a router that passes 1.1.1.0/30 to my firewall's WAN port.  1.1.2.0/24 
is routed to that IP, so my LAN interface is 1.1.2.1, and I have a host at 
1.1.2.2.  I remove the firewall from the equation and plug my router straight 
into my LAN's physical network.  Find a way to ping 1.1.2.2.

You can't.  My network is, for all external intents and purposes, down.  My 
hosts can't route out.  You can't route in, because my router's sending packets 
to 1.1.1.1, which is down.  Your attack is thwarted by the way that layer 3 
works.

Say I'm not being routed a /24.  Say I'm on Comcast and I have a 192.168.0.0/24 
LAN.  The problem is now even bigger: your carrier, their carrier, and Comcast 
won't route 192.168.0.0/24.

What I'm trying to point out is that there is a difference between real and 
false security.  I don't see a clear, enumerable threat, or any conditions that 
I, an attacker, could use to break in.  There's a lot of real security work to 
do; work that can be explained in terms of technically possible/probable 
vectors.

Whenever someone says "this makes you more secure", I like to ask "Is that 
true?  And if so, what makes it true?".  So, what makes your claim, that using 
VLANs on the same switching fabric for both interfaces of a firewall allows the 
network the firewall protects to be exploited, true?

Best Regards,
Nathan Eisenberg
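The layer-3 argument in the reply above, modelled as an added example (not part of the original message): a toy router with longest-prefix-match lookup and ARP-style next-hop resolution on its attached layer-2 segments. The addresses are the ones from the message; the upstream router's own WAN address 1.1.1.2, the firewall's name and the private-LAN address 192.168.0.5 are assumptions made for the model.

```python
"""Toy layer-3 reachability model for the firewall-removed scenario.

A packet is delivered only if the router has a route for the destination AND
the chosen next hop (or the destination itself, if directly connected) answers
on one of the router's layer-2 segments. Sharing a broadcast domain with a host
is not enough; the router must also have a route that points at it.
"""
import ipaddress


class Segment:
    """One layer-2 broadcast domain: the set of IPs that would answer ARP on it."""

    def __init__(self, *hosts):
        self.hosts = {ipaddress.ip_address(h) for h in hosts}

    def answers(self, ip):
        return ip in self.hosts


class Router:
    def __init__(self, name, segments, routes, filters_private=False):
        self.name = name
        self.segments = segments  # Segment objects this router is attached to
        # routes: (prefix, next_hop); next_hop None means directly connected
        self.routes = [
            (ipaddress.ip_network(p), None if nh is None else ipaddress.ip_address(nh))
            for p, nh in routes
        ]
        self.filters_private = filters_private  # carriers do not carry RFC 1918 space

    def lookup(self, dst):
        """Longest-prefix match over the routing table."""
        matches = [(p, nh) for p, nh in self.routes if dst in p]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def forward(self, dst):
        """Return one of: delivered, forwarded, no-route, unreachable."""
        dst = ipaddress.ip_address(dst)
        if self.filters_private and dst.is_private:
            return "no-route"  # RFC 1918 destination dropped by the carrier
        route = self.lookup(dst)
        if route is None:
            return "no-route"
        _, next_hop = route
        target = dst if next_hop is None else next_hop
        if any(seg.answers(target) for seg in self.segments):
            return "delivered" if next_hop is None else "forwarded"
        return "unreachable"  # route exists, but next hop does not answer ARP


def firewall_in_place():
    """Upstream router -> firewall WAN (1.1.1.1) -> host 1.1.2.2 on the LAN."""
    wan = Segment("1.1.1.1", "1.1.1.2")
    lan = Segment("1.1.2.1", "1.1.2.2")
    upstream = Router("upstream", [wan],
                      [("1.1.1.0/30", None), ("1.1.2.0/24", "1.1.1.1")])
    firewall = Router("firewall", [wan, lan],
                      [("1.1.1.0/30", None), ("1.1.2.0/24", None)])
    return upstream.forward("1.1.2.2"), firewall.forward("1.1.2.2")


def firewall_removed():
    """Firewall unplugged; the upstream router now shares a segment with 1.1.2.2.

    The route for 1.1.2.0/24 still points at 1.1.1.1, which no longer exists,
    so the packet is never delivered even though the host is one hop away.
    """
    flat = Segment("1.1.1.2", "1.1.2.2")
    upstream = Router("upstream", [flat],
                      [("1.1.1.0/30", None), ("1.1.2.0/24", "1.1.1.1")])
    return upstream.forward("1.1.2.2")


def private_lan():
    """Same situation with a 192.168.0.0/24 LAN behind a consumer carrier."""
    flat = Segment("1.1.1.2", "192.168.0.5")
    carrier = Router("carrier", [flat], [("1.1.1.0/30", None)], filters_private=True)
    return carrier.forward("192.168.0.5")


if __name__ == "__main__":
    print("firewall in place :", firewall_in_place())
    print("firewall removed  :", firewall_removed())
    print("private LAN       :", private_lan())
```

Running the three scenarios shows the point the message makes: with the firewall present the packet is forwarded and delivered; with it removed the upstream router still has a route for 1.1.2.0/24 but its next hop 1.1.1.1 no longer answers, so the host is unreachable despite being on the same broadcast domain; and a private LAN never gets a route at all.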


---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org