 From:  Bostjan Hojkar <bostjan dot hojkar at fov dot uni dash mb dot si>
 To:  Manuel Kasper <mk at neon1 dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Bridge again :)
 Date:  Tue, 18 Nov 2003 11:58:40 +0100
Well, my purpose is a bridged firewall (filtering bridge).

The way a filtering bridge would work (AFAIK) is "put 2 interfaces into
bridged mode, IP-less, and connect them in the middle of your LAN - Router".

The third interface is there only for the sake of administering the firewall via the web
interface. As I understand it, this is how Bruce designed the whole filtering
bridge thing here. Or maybe not :).

OPT1 is not a DMZ for me, and my LAN is a network of public IPs, so I'm not
concerned with that (i.e. security) right now :) There aren't any servers
that would be connected via OPT1.

I'd be more than happy to use only 2 interfaces, put them into bridged mode
and get away with it. But you can't bridge WAN and LAN as it is right now.
I'll be working on that when I have time, but thought I'd use what there is and
the way it's supposed to work right now.

Thx, Hob

----- Original Message ----- 
> OPT1 (bridged, IP-less) and LAN are on the same switch.

Ouch! Kinda defeats the purpose of having a separate optional
interface, doesn't it? If one of your servers is compromised -> voilà,
instant full access to your LAN.

> Access to the web interface from some computer on the LAN sometimes times out
> and is slow. If I disconnect OPT1 from the switch, everything is all right.

So just do it the right way and use a separate switch, so having a
separate optional interface will actually make sense. ;)

> please try this patch (provided by jlemon)

FreeBSD 4.9 already has this patch. FreeBSD's ARP gets majorly confused
if it finds two interfaces connecting to the same broadcast domain (I
can't blame it, either - a setup like that just doesn't usually make
good sense).

- Manuel