 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  "'Ulrik Lunddahl'" <ul at proconsult dot dk>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] unable to block LAN from OPT1
 Date:  Thu, 16 Dec 2004 16:27:06 -0500
Ulrik Lunddahl wrote:
> James W. McKeand wrote:
>> If my assumption about the Alias is true. You could also go the
>> other direction and assign a /23 subnet to the network alias. Then
>> you could still use a /24 on the PROJ# subnets. 
> I think you are right here, but I wanted this:
> 1. Allow LAN -> WAN
> 2. Allow OPT1 -> WAN
> 3. Allow OPT2 -> WAN
> 4. Deny all
> As I can see, your solution allows traffic between OPT1 and OPT2?

I guess it would help to add a block rule before the allow rule on
each PROJ interface. Something like:
Action:  Block
Interface:  PROJA 
Protocol:  any 
Source:  PROJA Subnet
Source port range  from:    any  
                     to:    any
Destination: PROJB Subnet
Destination port range  from:  any
                          to:  any
Description: Block PROJA -> PROJB

So, assuming no other rules for NAT or such, each of the PROJ#
interfaces will have a block rule with the "other" PROJ subnet as the
destination and an allow rule with any except LAN as the destination,
in that order. (Remember: first matched rule wins.)

> I can make a rule like Allow * * from LAN to OPT1, but why can't I
> make an Allow * * from LAN to WAN? Is there any technical reason for
> this?

The default rule on the LAN interface is to allow from LAN to any. To
limit the access from LAN to OPTn you need an inverted rule ("allow to
all but..."). My idea is to use a supernet (might be the wrong term) to
join the adjacent subnets and allow traffic to all but the joined subnets.

I do not know why WAN is not a choice in the dropdown for
source/destination on rules. I think it may be to prevent rules that
would affect normal IP routing. I can picture in my mind how a rule
with a destination of WAN subnet would affect routing. But, I am
having trouble finding the words to express it. Let me think on it
over a beer - I will try to follow up tomorrow.

I hope this is helping; I don't have a quick way to test a config with
more than 3 NICs, so most of this is in the theory spectrum. Can anyone
verify this theory?

James W. McKeand
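The ordering argument in the message above (block PROJA -> PROJB first, then allow PROJA -> anything except LAN, first match wins) as an added example that is not part of the original mail or of m0n0wall itself: a small first-match rule evaluator in Python. The subnet values, the interface names and the implicit default deny for unmatched traffic are assumptions made for the example.

```python
import ipaddress

# Constructed subnets (assumptions, not from the mail): LAN plus two
# project networks on OPT1/OPT2 that are adjacent, so a /23 covers both.
LAN = ipaddress.ip_network("192.168.1.0/24")
PROJA = ipaddress.ip_network("10.0.0.0/24")            # OPT1
PROJB = ipaddress.ip_network("10.0.1.0/24")            # OPT2
PROJ_SUPERNET = ipaddress.ip_network("10.0.0.0/23")    # the /23 alias idea


def match(net, ip, negate=False):
    """True if ip falls in net; None means 'any'; negate models 'not'."""
    hit = net is None or ipaddress.ip_address(ip) in net
    return not hit if negate else hit


# Rule tuples: (interface, action, source net, destination net, negate dest).
# Order is significant: the first matching rule decides.
RULES = [
    ("PROJA", "block", PROJA, PROJB, False),   # Block PROJA -> PROJB
    ("PROJA", "pass", PROJA, LAN, True),       # Allow PROJA -> any except LAN
    ("PROJB", "block", PROJB, PROJA, False),   # Block PROJB -> PROJA
    ("PROJB", "pass", PROJB, LAN, True),       # Allow PROJB -> any except LAN
    ("LAN", "pass", LAN, PROJ_SUPERNET, True), # LAN -> all but the joined PROJ subnets
]


def evaluate(interface, src, dst, rules=RULES):
    """Return the action of the first rule matching the packet, else 'block'
    (assumed default deny when no rule on the interface matches)."""
    for iface, action, s, d, neg in rules:
        if iface == interface and match(s, src) and match(d, dst, neg):
            return action
    return "block"


def swapped_order():
    """Same rules with the PROJA allow placed before the PROJA block, to show
    why the block rule has to come first."""
    return [RULES[1], RULES[0]] + RULES[2:]


if __name__ == "__main__":
    print("PROJA -> PROJB:", evaluate("PROJA", "10.0.0.5", "10.0.1.5"))
    print("PROJA -> WAN  :", evaluate("PROJA", "10.0.0.5", "203.0.113.9"))
    print("PROJA -> LAN  :", evaluate("PROJA", "10.0.0.5", "192.168.1.20"))
    print("swapped order :", evaluate("PROJA", "10.0.0.5", "10.0.1.5", swapped_order()))
```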