I have some questions on the bridge SETUP. I use it to check my internet traffic for my public IP to block and firewall some traffic. One of our servers does not accept the DSTNAT translation because of a too strange streaming IIS server....
I have 30 public IPs with a /27 provided by my internet provider.
Currently I have a CCR1009-8G-1S-1S+, my configuration is like this:
- ETH1 Lan port /24 connected to my switch VLAN Users, assign IP 192.168.1.1/24
- ETH3 DMZ port /24 connected to my switch VLAN DMZ 172.168.1.1/24
- ETH5 Internet port /24 connected to my switch VLAN PUBLIC IPs, I assign only 3 PUBLIC IPs: .10, .11, .12
- Bridge Setup, I create a bridge with PORT ETH6/ETH7:
  - ETH6 Internet port /24 connected to my switch VLAN PUBLIC IPs, nothing assigned on the router
  - ETH7 Internet port /24 connected to my switch VLAN "BRIDGED", nothing assigned on the router
With IP Firewall enabled from the Bridge SETUP, I can see all the traffic and block whatever I want from my firewall.
My questions are:
- As you can see, ETH5 and ETH6 are behind the VLAN Switch "Public IP"; is it bad for spanning tree?
- Do you suggest another optimization for the bridge SETUP?
Many thanks