NGNIX Errors?
-
OK, the interface assignments and bridge config look good.
Since you have pass-all rules on the bridge and the members, all traffic should pass between hosts on any of those.
Do you see anything blocked in the firewall log?
I meant the NAT rules you said you had to add.
Steve
-
I apologize if I'm getting terms crossed.
The only direct NAT rules I've made are the outbound rules for the Nintendo devices. Followed the Netgate document step by step for the static port, changed to Hybrid, etc.
I did not initially make those Firewall Rules for each NIC. I expected as you've said they're all one big happy "bridge", should talk to each other.
Didn't and won't.
I'm not saying that's the correct way to set it up. Just that's what I had to do.
My Port Forwarding information in the NAT tab is empty by the way.
Without those Firewall Rules the Firewall Log fills with blocked entries to the various devices.
Here's those outbound rules.
-
Ok, did you set the bridge sysctls to move filtering to the bridge interface?
https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html#bridging-and-firewalling
Did you reboot after doing that?
With those set you should only need rules on the bridge interface, LAN here. Otherwise, by default, the bridge filters on the member interfaces so you would need pass rules on all of them.
Steve
-
I don't recall doing so. I'll hit that document now.
-
The source in those outbound NAT rules should be internal private IPs. There's no real need to obscure those.
-
I did not do anything with System Tunables when making the bridge. Can do so now, booting might have to wait. Wife watching Thursday Night Football via streaming on Fubo.TV.......
These are the current entries:
net.link.bridge.pfil_onlyip (Only pass IP packets when pfil is enabled): 0
net.link.bridge.pfil_member (Packet filter on the member interface): 1
net.link.bridge.pfil_bridge (Packet filter on the bridge interface): 0
"At least one of these must be set to 1"
One of them is set to 1 already????
All of them to "1"?
-
It depends where you want to filter but usually in that sort of setup where you're effectively wanting to use the NICs as switch ports you would set filtering to the bridge interface and not the member interfaces. You can filter in both places if you need to. But wherever you have filtering enabled you will need appropriate firewall rules to pass the traffic.
Steve
-
I understand that A+B=C. The Firewall Rules I figured out are okay, even if I change Tunables, the Bridge would need a Firewall rule.
What do I set the Tunables to? All of them to 1?
The document says at least one of them. I already have one of them set to 1.
Do I change the member filter that is “1” to “0” and the ones that are “0” to “1”?
Is that what is meant by at least one of them has to be “1”? Whichever you set to “1”, set the other to “0”?
-
You should leave net.link.bridge.pfil_onlyip set to 0.
Then either net.link.bridge.pfil_member or net.link.bridge.pfil_bridge (or both) should be set to 1 depending on where you want to filter traffic.
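A small check for the three tunables discussed above, added here as an example rather than taken from the thread; it assumes the `name: value` lines that `sysctl net.link.bridge` prints on FreeBSD/pfSense, and the sample values are constructed:

```shell
#!/bin/sh
# Added example, not from the thread: parse the output of
# `sysctl net.link.bridge` (FreeBSD/pfSense) and report where pf filters
# bridged traffic, and therefore which interfaces need pass rules.

# Reads "name: value" lines on stdin and prints one of:
#   member - filtering on each member NIC (the poster's starting values):
#            pass rules are needed on every member interface
#   bridge - filtering on the bridge interface only (the recommended
#            switch-port style setup): pass rules on the bridge/LAN only
#   both   - filtering in both places: pass rules needed in both
#   none   - neither enabled; the Netgate doc says at least one must be 1
# Returns 1 for "none" so the check can gate a configuration script.
bridge_filter_mode() {
    member=0; bridge=0; onlyip=0
    while IFS= read -r line; do
        key=${line%%:*}
        val=$(printf '%s' "${line#*:}" | tr -d '[:space:]')
        case "$key" in
            net.link.bridge.pfil_member) member=$val ;;
            net.link.bridge.pfil_bridge) bridge=$val ;;
            net.link.bridge.pfil_onlyip) onlyip=$val ;;
        esac
    done
    # pfil_onlyip=1 drops non-IP frames (AppleTalk etc.) on the bridge;
    # the thread keeps it at 0, so only warn if it is set.
    if [ "$onlyip" = 1 ]; then
        echo "warning: pfil_onlyip=1, non-IP frames will be dropped" >&2
    fi
    case "${member}${bridge}" in
        10) echo member ;;
        01) echo bridge ;;
        11) echo both ;;
        *)  echo none; return 1 ;;
    esac
}

# Constructed sample: the values the poster reported from System Tunables.
REPORTED="net.link.bridge.pfil_onlyip: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0"

# Constructed sample: the same tunables after moving filtering to the bridge.
RECOMMENDED="net.link.bridge.pfil_onlyip: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1"

printf '%s\n' "$REPORTED"    | bridge_filter_mode   # prints: member
printf '%s\n' "$RECOMMENDED" | bridge_filter_mode   # prints: bridge
```

On a live box, `sysctl net.link.bridge | bridge_filter_mode` gives the current placement, and a non-zero exit flags the "neither set" state before any pass rules are written.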
-
I tested and answered my own question as well.
Member one set to 1 still need my NAT Rules.
It set to 0 and the bridge one set to 1, don’t need them, just need the Bridge/LAN NAT rule.
I figured the IP one leave at 0. If to 1 guessed it would cut off TCP/UDP, etc.
Not to lose track of where this started.
No more NGNIX error messages.
Getting a bunch of WAN blocked in Firewall Log now.
-
@stephenw10
Thanks for all your help. Merry Christmas.
-
@jsmiddleton4 said in NGNIX Errors?:
Member one set to 1 still need my NAT Rules.
It set to 0 and the bridge one set to 1, don’t need them, just need the Bridge/LAN NAT rule.
I think you mean firewall rules here.
The NAT rules should not change.
@jsmiddleton4 said in NGNIX Errors?:
I figured the IP one leave at 0. If to 1 guessed it would cut off TCP/UDP, etc.
Yeah, leave that as 0. It wouldn't block TCP/UDP, because that runs over IP, but it would block NetBIOS, AppleTalk etc., non-IP protocols. You are probably not using any but if you are that will be blocked and troubleshooting it is..... challenging!
Steve
-
Yes Firewall Rules.
I don’t think my Apple TVs, iPad or iPhones use AppleTalk. Might.
Now on to other questions. Thanks again. Cleaned up some of the network routing and was able to eliminate both Netgear switches in a two-person office.
Added UPS’s to each work station and to the “Internet” station, the router, modem, wireless AP.
Power rarely goes out here but it does once in a while.
Employer gets a tad annoyed when everyone disappears.
Thanks again. NOW my Firewall is doing what it's supposed to do for the WAN side. Lots of blocking going on.
I've installed and configured the UPS package. Need to figure it out though.