Thank you very much for your proposals!

After considering the two possibilities and checking them for usability
and flexibility, we've decided to use the following configuration.
I am aware that it is less secure than Christoph's solution.

Note: backbone = alias for 192.168.0.0/24

LAN, OPT1, OPT2, OPT3:
pass any from <if subnet> to <if subnet>
pass any from <if subnet> to backbone
reject any from <if subnet> to ! backbone (log)

pass any from backbone to backbone
reject any from backbone to ! backbone (log)

Just to make sure that everything we need is included:
* Block access from one subnet to any other than backbone
* Block direct access to the Internet (only through proxy that lies
  in the backbone)
* Allow all traffic within subnets or to the backbone

Two last questions, with the current rule set:
* Is there a chance of getting from the Internet through to one of
  the "inner subnets" (e.g. lan, opt1-3)? In other words, are the
  inner subnets more or less protected?
* Is there a chance of getting from one subnet into another? (I've
  tried some simple tests and they were positive in the sense that I
  couldn't get through). I guess the second question somehow
  includes the first one.

Thank you once again for your support,
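
Added example, not part of the original message: a small first-match model of the rule set above that checks the three listed requirements for every inner interface. Assumptions: rules are evaluated on the interface where a packet enters, the first matching rule wins, unmatched traffic is blocked, the last two rules belong to the backbone-facing interface, and all addresses other than 192.168.0.0/24 are constructed.

```python
from ipaddress import ip_address, ip_network

BACKBONE = ip_network("192.168.0.0/24")  # alias from the post
# Constructed inner subnets; the post does not give their addresses.
SUBNETS = {n: ip_network(f"10.0.{i}.0/24")
           for i, n in enumerate(("LAN", "OPT1", "OPT2", "OPT3"), 1)}

def inner_rules(net):
    # Each rule: (action, source, destination, negate destination)
    return [
        ("pass", net, net, False),
        ("pass", net, BACKBONE, False),
        ("reject", net, BACKBONE, True),
    ]

RULES = {name: inner_rules(net) for name, net in SUBNETS.items()}
# Assumption: the two backbone rules sit on the backbone-facing interface.
RULES["BACKBONE"] = [
    ("pass", BACKBONE, BACKBONE, False),
    ("reject", BACKBONE, BACKBONE, True),
]

def decide(iface, src, dst):
    """Return the action of the first matching rule on the ingress interface."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s_net, d_net, negate in RULES[iface]:
        if src in s_net and ((dst in d_net) != negate):
            return action
    return "block"  # assumed implicit default deny

def audit():
    """Check the three requirements from the post for every inner interface."""
    internet = "203.0.113.10"  # constructed address (documentation range)
    failures = []
    for name, net in SUBNETS.items():
        host = str(net[10])
        if decide(name, host, str(net[20])) != "pass":
            failures.append((name, "own subnet"))
        if decide(name, host, str(BACKBONE[5])) != "pass":
            failures.append((name, "backbone"))
        if decide(name, host, internet) != "reject":
            failures.append((name, "internet"))
        for other, onet in SUBNETS.items():
            if other != name and decide(name, host, str(onet[10])) != "reject":
                failures.append((name, other))
    return failures  # empty list: every requirement holds in this model

if __name__ == "__main__":
    print(audit() or "all requirements hold")
```

The model covers only new connections entering on the listed interfaces; it says nothing about rules on the Internet-facing side, which the message does not show.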