Well my purpose is bridged firewall (filtering bridge).
The way filtering bridge would work (AFAIK) is "put 2 interfaces, into
bridged mode, ipless and connect them in the midle of your LAN - Router
The third interface is there only for sake of administering firewall via WEB
interface. As i understand it this is how Bruce designed the whole filtering
bridge thing here. Or maybe not :).
OPT1 is not DMZ for me, and my LAN is network of public IPs, so i'm not
concerned with that (i.e. security) right now :) There aren't any servers
that would be conected via OPT1.
I'd be more than happy to use only 2 interfaces, put them into bridged mode
and get away with it. But u can't bridge WAN and LAN as it is right now.
I'll be working on that when i have time, but thought i'd use what it is and
the way it's supposed to work right now
----- Original Message -----
> OPT1(bridged, ipless) and LAN are on same switch.
Ouch! Kinda defeats the purpose of having a separate optional
interface, doesn't it? If one of your servers is compromised -> voilà,
instant full access to your LAN.
> Access to web interface from some computer on LAN sometimes timeouts
> and is
> slow. If i disconnect OPT1 from switch, everything is allright.
So just do it the right way and use a separate switch, so having a
separate optional interface will actually make sense. ;)
> please try this patch (provided by jlemon)
FreeBSD 4.9 already has this patch. FreeBSD's ARP gets majorly confused
if it finds two interfaces connecting to the same broadcast domain (I
can't blame it, either - a setup like that just doesn't usually make