I have a small masquerade issue that is bothering me.
My setup is configured like this:
- bridge-lan (LAN) uses 10.40.116.1/24
- bridge-dmz (DMZ) uses 172.16.16.1/24
- ether8 (WAN) uses x.y.z.w from my ISP's DHCP
Yet I can connect from any IP in 10.40.116.0/24 to any IP in 172.16.16.0/24 (the opposite is also true) with the router masquerading the IP as 10.40.116.1 (172.16.16.1 the other way around).

2   ;;; defconf: masquerade
    chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
Is that the expected behavior?
Doesn't the masquerade rule explicitly state that only traffic to WAN should be allowed?
Any help would be greatly appreciated.
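As an added example that is not part of the original post and is not RouterOS code: a small Python model of how a srcnat rule with out-interface-list=WAN is matched for the three interfaces described above. It assumes the documented semantics that masquerade rewrites the source to the address of the interface the packet leaves on, and that out-interface-list only matches interfaces that are members of that list. The WAN address 203.0.113.7 stands in for the ISP-assigned x.y.z.w, the WAN list membership is an assumption, and the ipsec-policy matcher is ignored. The model lets you compare what the printed rule should do with what is observed, including the case where a bridge has ended up in the WAN interface list.

```python
"""Toy model of RouterOS srcnat matching for a LAN / DMZ / WAN router.

Added example, not RouterOS code and not the poster's configuration. Models:
  - routing: connected subnet first, otherwise the default route via ether8
  - out-interface-list=X: matches only if the outgoing interface is in list X
  - action=masquerade: source address becomes the outgoing interface's address
Addresses on bridge-lan and bridge-dmz are taken from the post; the ether8
address (203.0.113.7) is constructed in place of the ISP-assigned x.y.z.w.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface
from typing import Dict, Iterable, List, Optional, Set, Tuple

INTERFACES = {
    "bridge-lan": ip_interface("10.40.116.1/24"),
    "bridge-dmz": ip_interface("172.16.16.1/24"),
    "ether8": ip_interface("203.0.113.7/24"),   # constructed WAN address
}
DEFAULT_ROUTE_IFACE = "ether8"


@dataclass
class NatRule:
    chain: str
    action: str
    out_interface_list: Optional[str] = None
    comment: str = ""


# The default-configuration rule from the post, minus ipsec-policy=out,none.
DEFCONF_RULES: List[NatRule] = [
    NatRule("srcnat", "masquerade", "WAN", "defconf: masquerade"),
]

# Assumed list membership: a sane setup has only the ISP-facing port in WAN.
WAN_ONLY_ETHER8: Dict[str, Set[str]] = {"WAN": {"ether8"}}
# Misconfiguration to compare against: the DMZ bridge was also put in WAN.
WAN_WITH_DMZ_BRIDGE: Dict[str, Set[str]] = {"WAN": {"ether8", "bridge-dmz"}}


def route(dst: str) -> str:
    """Return the outgoing interface for dst (connected subnet, else default)."""
    d = ip_address(dst)
    for name, ifc in INTERFACES.items():
        if d in ifc.network:
            return name
    return DEFAULT_ROUTE_IFACE


def apply_srcnat(src: str, dst: str, rules: Iterable[NatRule],
                 lists: Dict[str, Set[str]]) -> Tuple[str, str, Optional[str]]:
    """Walk the srcnat chain for one packet.

    Returns (out_interface, source_after_nat, comment_of_matching_rule).
    A None comment means no rule matched and the source is unchanged.
    """
    out_if = route(dst)
    for rule in rules:
        if rule.chain != "srcnat":
            continue
        if rule.out_interface_list is not None and \
                out_if not in lists.get(rule.out_interface_list, set()):
            continue                       # out-interface-list did not match
        if rule.action == "masquerade":
            return out_if, str(INTERFACES[out_if].ip), rule.comment
        if rule.action == "accept":
            return out_if, src, rule.comment
    return out_if, src, None


def scenarios(lists: Dict[str, Set[str]]) -> Dict[str, str]:
    """Source address seen by the destination for the flows in the post."""
    flows = {
        "LAN->DMZ": ("10.40.116.50", "172.16.16.20"),
        "DMZ->LAN": ("172.16.16.20", "10.40.116.50"),
        "LAN->Internet": ("10.40.116.50", "198.51.100.9"),   # constructed
    }
    return {name: apply_srcnat(s, d, DEFCONF_RULES, lists)[1]
            for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for label, lists in (("WAN = {ether8}", WAN_ONLY_ETHER8),
                         ("WAN = {ether8, bridge-dmz}", WAN_WITH_DMZ_BRIDGE)):
        print(label)
        for flow, src_seen in scenarios(lists).items():
            print(f"  {flow:14s} source seen by peer: {src_seen}")
```

With only ether8 in the WAN list, the printed rule leaves LAN to DMZ and DMZ to LAN traffic untouched and only rewrites flows that leave via ether8; the LAN to DMZ source only changes to 172.16.16.1 when bridge-dmz is itself a member of WAN. On the router itself the corresponding checks are `/interface list member print where list=WAN` to see which interfaces are actually in the list, `/ip firewall nat print stats` to see whether the counters of rule 2 move while you test between the two bridges, and `/ip firewall connection print` to confirm whether the tracked connection's reply addresses differ from the original ones (the sign that NAT was applied).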