Internal LANs isolation on transparent bridge mode
-
Hi,
I'm trying to set up a transparent filtering bridge on an ESX host. I have two different VLANs (10 and 20), so I created two different bridges in pfSense. Everything seems to work except the isolation between the internal segments of the LANs. The PCs on different internal LANs can communicate with each other.

Schematic network topology (the ASCII diagram of the post, summarized):
- GW: 192.168.10.1 on VLAN 10 / 192.168.20.1 on VLAN 20, attached to vSwitch1
- vSwitch1 (external segment): PC1 (.10.2, VLAN 10), PC2 (.20.2, VLAN 20), trunk port to pfSense
- vSwitch2 (internal segment): PC3 (.10.3, VLAN 10), PC4 (.20.3, VLAN 20), trunk port to pfSense
- pfSense: Bridge1 joins VLAN 10 of vSwitch1 with VLAN 10 of vSwitch2; Bridge2 joins VLAN 20 of vSwitch1 with VLAN 20 of vSwitch2
The rules of the bridge interfaces are:
- PASS any from source 192.168.10.0/24 (Bridge1) / 192.168.20.0/24 (Bridge2)
- BLOCK any

The PASS rules are necessary to let the packets from the internal segment of the LAN (vSwitch2) reach the external segment of the LAN (vSwitch1), but it works both ways in the case of bridge interfaces. So there will also be packets flowing through the external segment to the internal segment of the LAN, but this is not an issue at the moment.

Promiscuous mode is activated on the "trunk" portgroup of both vSwitches (this is mandatory when bridging two vSwitches in ESX).
With the above settings this is what happens:
- PC1 can ping PC2 (no bridges involved)
- PC2 can ping PC1 (no bridges involved)
- PC1 can ping PC3 but can't ping PC4 (bridges involved and rules functioning)
- PC2 can ping PC4 but can't ping PC3 (bridges involved and rules functioning)
- PC3 can ping PC1 and PC2 (bridges involved and rules functioning)
- PC4 can ping PC1 and PC2 (bridges involved and rules functioning)
- PC3 can ping PC4 (bridges involved and rules NOT functioning)
- PC4 can ping PC3 (bridges involved and rules NOT functioning)

So the firewall doesn't block the traffic from the internal segment of LAN 10 to the internal segment of LAN 20 and vice versa.
I tried to put this rule in both bridge interfaces:
- BLOCK any from 192.168.10.0/24 (Bridge2) / 192.168.20.0/24 (Bridge1)

but it didn't work. I think this is due to the statefulness of the firewall: once the packet goes from the internal LAN to the external LAN to reach the GW, it has permission to come back into the internal side even if it is on a different LAN.
Is there a way to avoid this behaviour? Is it normal in transparent bridge mode, or is it due to the virtualization of the firewall?
-
@DGG said in Internal LANs isolation on transparent bridge mode:
PC3 can ping PC4 (bridges involved and rules NOT functioning)
PC4 can ping PC3 (bridges involved and rules NOT functioning)

I suspect that pfSense never sees these packets.
Run a packet capture on the involved interface to find out if the packets even pass pfSense.
-
Both bridge interfaces see the ICMP packets, and in the firewall states there is the connection between the two PCs, so the packets go through the firewall.
-
@DGG
I found the solution. I need to bind the firewall states to the interfaces.
This is the quote from the pf.conf manual page:

set state-policy
The state-policy option sets the default behaviour for states:
    if-bound    States are bound to interface.
    floating    States can match packets on any interfaces (the default).

Now I have to figure out if it is possible to do it from the Web interface; in OPNsense it is. The pfSense manual says nothing about it.
-
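To make the fix concrete, the following is an added pf.conf ruleset (not the thread's own configuration, and not generated by the pfSense GUI) that reproduces the two-bridge setup described above with interface-bound states. The interface names bridge0/bridge1 and the use of `quick` are assumptions; the pass/block rules and the `state-policy` option are the ones discussed in the thread.

```pf
# Constructed example ruleset for the two-bridge topology of the post.
# bridge0 = Bridge1 (VLAN 10 on both vSwitches), bridge1 = Bridge2 (VLAN 20).
lan10 = "192.168.10.0/24"
lan20 = "192.168.20.0/24"

# With the pf default ("set state-policy floating") a state created by the
# bridge0 pass rule when PC3 (.10.3) sends a packet towards the GW also
# matches the same flow when the GW routes it back in through bridge1, so
# the bridge1 rules are never consulted and PC3 reaches PC4 (.20.3).
# Binding states to the interface they were created on closes that path:
# the routed packet arriving on bridge1 has no state there and is evaluated
# against bridge1's rules, where only 192.168.20.0/24 is passed.
set state-policy if-bound

# Bridge1: only the VLAN 10 subnet may cross; everything else is dropped.
pass quick on bridge0 inet from $lan10 to any keep state
block quick on bridge0 all

# Bridge2: only the VLAN 20 subnet may cross; everything else is dropped.
pass quick on bridge1 inet from $lan20 to any keep state
block quick on bridge1 all
```

The same effect can be limited to individual rules with the per-rule state option `keep state (if-bound)` instead of the global `set state-policy` line; after loading either variant, `pfctl -ss` shows each state tagged with the interface it is bound to.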