Hi guys,
This one is really eating my lunch. =/
Here's the setup:
I have a Cisco 2950T (2 gigabit ports) at the core of my network.
I have a bandwidth management system that works via a bridge (astroflowguard).
My new (shiny) firewall, powered by ROS 3.3, is physically connected via a trunk link to gigabit port 1 on the Cisco 2950.
I'll give you a logical traffic flow for my current setup, then I'll give you the same for the setup I'll be implementing with this new firewall.
Current setup: Let's go from a client machine to the internet:
Client -> Wireless Bridge -> Internal Router (running on a Cisco 3550) -> Bridged Bandwidth Management -> Firewall -> Internet
You can see that I have passed through 2 subnets before I even got to the internet, which is fine. Now, I am trying to install this new ROS firewall to closely approximate this current setup, but allow me to replace my Internal Router and Firewall. So, here's my planned setup:
Client -> Wireless Bridge -> (ROS Firewall (VLAN 60) -> ROS Firewall (VLAN 30); this is an internal process) -> Bridged Bandwidth Management -> (ROS Firewall (VLAN 20) -> ROS Firewall (VLAN 10); again, an internal process) -> Internet
So, basically I'm using this ROS firewall as the core router of my network (typical router-on-a-stick setup). The PROBLEM is that I can't figure out a rule to force traffic out of the internal process and onto VLAN 30 for processing by the Bandwidth Management System, which will then land back on VLAN 20. All of the traffic stays internal to the device (since the routing and ARP tables have all the answers).
I was thinking I could make a rule that said something like, "If the traffic is bound for x address, then output on this interface (or maybe go to x MAC address?), instead of staying internal."
I'm not sure how to explain this better. Please, ask me questions. Any thoughts would be appreciated greatly!
Thanks!