    UDP broadcasts to WAN

    • Derelict LAYER 8 Netgate

      @ristosu:

      Now the problem seems to be policy based routing. Maybe in combination with the system tunable settings I mentioned before (but forgot to mention yesterday, sorry): net.link.bridge.pfil_member=0, net.link.bridge.pfil_bridge=1.

      I set mine the same for the previous tests.

      You would need a second gateway, create a gateway group, put the gateways on different tiers (the lower number will receive the traffic), and select the group as gateway in the firewall rule, instead of default.

      The packet in your attachment should qualify.

      Not sure that I'm willing to set that up since I have no reason to believe the results will be any different.  You need to take a GOOD look at what you've done in your environment.  What you're describing is basically impossible.  You screwed something up somewhere.  Probably at layer 2.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • ristosu

        I'm trying to say that this one config change, from default to gateway group, changes the behaviour.

        You could simply use any, even imaginary, host on wan side as your second gateway.

        ARP or DHCP are not leaking.

        Risto

        • johnpoz LAYER 8 Global Moderator

          How would "routing" have anything to do with it.. What part do you just not understand that BROADCAST traffic is NOT routed..  What you posted is not even a directed broadcast - it's full FF.. Why would pfsense send that anywhere, not going to forward it, not going to route it..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • doktornotor Banned

            @ristosu:

            a reason for everything. In this case I want to separate the vlans (private bridge ports) so they don't see each other. There is no excuse for pfsense's bridge not working as it should.

            Dude, you are totally lost. When you want separate private VLANs, then for goddamn sake do NOT bridge them. Plus, DHCP is the most BS reason to create a bridge, ever. All of this - overengineered, error-prone nonsense with multiple additional layers of complexity that may (and clearly do) cause issues - just because you are too lazy to set up a DHCP server properly.

            • ristosu

              @johnpoz:

              How would "routing" have anything to do with it.. What part do you just not understand that BROADCAST traffic is NOT routed..  What you posted is not even a directed broadcast - it's full FF.. Why would pfsense send that anywhere, not going to forward it, not going to route it..

              What should a directed broadcast look like?

              Risto

              • ristosu

                @doktornotor:

                Dude, you are totally lost. When you want separate private VLANs, then for goddamn sake do NOT bridge them. Plus, DHCP is the most BS reason to create a bridge, ever. All of this - overengineered, error-prone nonsense with multiple additional layers of complexity that may (and clearly do) cause issues - just because you are too lazy to set up a DHCP server properly.

                Thanks for telling me, but actually we've gone through all this before during this thread, so I don't care to explain it anymore, unless you insist. And it's working with a simple firewall setting. I'm more worried about pfsense and possibly the underlying freebsd.

                Risto

                • johnpoz LAYER 8 Global Moderator

                  So I looked at what you posted again..

                  192.168.1.31.137 > 192.168.1.255.137

                  That is a directed broadcast…. And what IP address is 1.31?  Some on your lan side.. In what world would that ever be routed anywhere??  The only way that would go out some interface that was not in that network is if there was a bridge!

                  Or you have a mask wrong somewhere where that .255 would be a host IP.. like 192.168.1.0/23  But if pfsense was going to route that as a host address, why would it not be natted if going on your wan?  What network is your wan on?

                  What are the networks on your pfsense with masks?  What network is the wan in?


                  • ristosu

                    @johnpoz:

                    So I looked at what you posted again..

                    192.168.1.31.137 > 192.168.1.255.137

                    That is a directed broadcast…. And what IP address is 1.31?  Some on your lan side.. In what world would that ever be routed anywhere??  The only way that would go out some interface that was not in that network is if there was a bridge!

                    Yes, 1.31 is a windows box on the lan side. Looks to me that somehow this policy based routing overrides the routing table and ignores the local routes. I think it's wrong.
                    @johnpoz:

                    Or you have a mask wrong somewhere where that .255 would be a host IP.. like 192.168.1.0/23  But if pfsense was going to route that as a host address, why would it not be natted if going on your wan?  What network is your wan on?

                    I use /24 masks for simplicity. The wans are the only exceptions (ethernet dhcp and ppp).
                    @johnpoz:

                    What are the networks on your pfsense with masks?  What network is the wan in?

                    WAN is on vr0. Here is the ifconfig output of all interfaces that have an IP:

                    vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                            options=8280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
                            ether 00:0d:b9:17:cb:28
                            inet6 fe80::20d:b9ff:fe17:cb28%vr0 prefixlen 64 scopeid 0x1
                            inet 80.220.71.201 netmask 0xffffe000 broadcast 80.220.95.255
                            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                            media: Ethernet autoselect (100baseTX <full-duplex>)
                            status: active
                    vr1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                            options=8280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
                            ether 00:0d:b9:17:cb:29
                            inet6 fe80::20d:b9ff:fe17:cb29%vr1 prefixlen 64 scopeid 0x2
                            inet 192.168.2.7 netmask 0xffffff00 broadcast 192.168.2.255
                            inet 192.168.0.7 netmask 0xffffff00 broadcast 192.168.0.255
                            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                            media: Ethernet autoselect (100baseTX <full-duplex>)
                            status: active
                    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
                            options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
                            inet 127.0.0.1 netmask 0xff000000
                            inet6 ::1 prefixlen 128
                            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
                            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                    ural0_wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                            ether 00:17:31:c7:8f:6d
                            inet6 fe80::217:31ff:fec7:8f6d%ural0_wlan0 prefixlen 64 scopeid 0x8
                            inet 192.168.3.7 netmask 0xffffff00 broadcast 192.168.3.255
                            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                            media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
                            status: running
                            ssid pfSense2 channel 1 (2412 MHz 11g) bssid 00:17:31:c7:8f:6d
                            regdomain ETSI country FI authmode WPA privacy MIXED deftxkey 2
                            TKIP 2:128-bit TKIP 3:128-bit txpower 30 scanvalid 60 protmode OFF
                            dtimperiod 1 -dfs
                    ppp1: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
                            inet6 fe80::20d:b9ff:fe17:cb28%ppp1 prefixlen 64 scopeid 0x1e
                            inet 10.233.110.117 --> 10.64.64.1 netmask 0xffffffff
                            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                    bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                            ether 02:8f:df:55:b9:00
                            inet 192.168.1.7 netmask 0xffffff00 broadcast 192.168.1.255
                            nd6 options=1<PERFORMNUD>
                            id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
                            maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
                            root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
                            member: vr1_vlan120 flags=b63<LEARNING,DISCOVER,PRIVATE,EDGE,AUTOEDGE,AUTOPTP>
                                    ifmaxaddr 0 port 28 priority 128 path cost 200000
                    ...
                            member: vr1_vlan101 flags=b63<LEARNING,DISCOVER,PRIVATE,EDGE,AUTOEDGE,AUTOPTP>
                                    ifmaxaddr 0 port 9 priority 128 path cost 200000
                    

                    Risto

                    • Derelict LAYER 8 Netgate

                      And the switch config?  And a physical diagram of how you have it all connected?


                      • johnpoz LAYER 8 Global Moderator

                        "Looks to me that somehow this policy based routing overrides the routing table"

                        That might be something if it wasn't broadcast traffic; you don't route broadcast traffic.. So unless you have a mask where that looks like a host IP and not a broadcast address, it would not be routed.  No matter if policy based or not.


                        • ristosu

                          @Derelict:

                          And the switch config?  And a physical diagram of how you have it all connected?

                          I haven't succeeded in getting a shell interface to the switch (Dell PowerConnect 2724), so I just have to describe it here. (The web-management has been problematic, too.)

                          • ports 1 to 20 are untagged with vlans 101 to 120 respectively, these go to apartments
                          • ports 21 to 23 are without vlans
                          • port 24 is tagged with vlans 101 to 120, this is connected to pfsense's lan (vr1)
                          • pfsense's lan has vlans 101 to 120 that comprise bridge0
                          • pfsense's lan has also two ip addresses for raw access towards the switch
                          • pfsense's wan (vr0) is connected to operator's line through a switch (another one)
                          • pfsense's wlan (ural0_wlan0) has an ip address and is used as an alternative access to lan side
                          • pfsense's 3G stick (ppp1) is used as backup wan

                          Risto

                          • Derelict LAYER 8 Netgate

                            @ristosu:

                            pfsense's wan (vr0) is connected to operator's line through a switch (another one)

                            What else is connected to that switch?


                            • Derelict LAYER 8 Netgate

                              I shouldn't have to create a gateway group to test this.  All I'll have to do is policy route to the existing gateway instead of the default routing table.

                              Even though I know that won't satisfy you so I'll make a group anyway.  Not sure how that will satisfy you, either.


                              • ristosu

                                @Derelict:

                                What else is connected to that switch?

                                Two more routers.
                                @Derelict:

                                I shouldn't have to create a gateway group to test this.  All I'll have to do is policy route to the existing gateway instead of the default routing table.

                                Even though I know that won't satisfy you so I'll make a group anyway.  Not sure how that will satisfy you, either.

                                You are probably right. One route is enough. I was thinking too complicated. Sorry for that.

                                Risto

                                • ristosu

                                  I made a simplified setup with a virtual host in qemu. Two interfaces of type "em" (intel gigabit). Lan ip 192.168.2.1, bridge ip 192.168.0.1 (vlans 101, 102), wan dhcp. I was able to demonstrate the problem by sending a udp packet with nmap. I'll attach the config. It is so simple that it should be easy to spot the error.

                                  config-virtual.localdomain-20150304230122.xml.txt

                                  • Derelict LAYER 8 Netgate

                                    How do you guys like your crow?  I'll take mine with sriracha and a nice zinfandel.


                                    • cmb

                                      @ristosu:

                                      Looks to me that somehow this policy based routing overrides the routing table and ignores the local routes.

                                      Of course - that's the entire point of policy routing. In this situation with a bridge, specifying a gateway on pass rules that match broadcast traffic will forward the broadcast traffic. It's what you're telling it to do. Don't match traffic with a pass rule specifying a gateway that you don't want sent to that gateway.

                                      As others have noted, the bridge is possibly undesirable in this circumstance. If it's not, block broadcast destination traffic above any pass rule specifying a gateway that would match, as any matching traffic will be forced to that gateway.

                                      • Derelict LAYER 8 Netgate

                                        Umm.  OK.  I guess nobody expects that their LAN NETBIOS name lookups, which are directed at the LAN subnet, will be sent to WAN without NAT or anything when they enable policy routing.

                                        This doesn't seem like correct behavior.  I guess the discussion can change from "is it really doing that" to "Is it proper for it to do that."

                                        To reiterate:

                                        Interface LAN
                                        Interface address: 192.168.1.1/24
                                        Receives broadcast to: 192.168.1.255
                                        Forwards it to another gateway?  Why?

                                        And, in my testing, it doesn't happen with a normal interface for LAN.  Only with a bridge for LAN. (I just tested removing the private flag on the members.  Does the same thing.)


                                          • Derelict LAYER 8 Netgate
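An added check, not code from the thread, pfSense or Netgate: a script that takes an interface table in the ifconfig style quoted earlier (hex netmasks such as 0xffffff00) and tcpdump-style lines like the "192.168.1.31.137 > 192.168.1.255.137" one, and reports any packet on a WAN capture that is a directed broadcast of a LAN subnet, a limited broadcast, or an un-NATed LAN source, which is the leak cmb's rule ordering and Derelict's reiteration above are about. The interface table and capture lines are constructed (interface names and addresses follow the thread); the script does not touch the firewall, it only classifies a capture.

```python
"""Flag LAN broadcast traffic that has leaked onto a WAN capture.

Added example for this thread, not pfSense code. Input is an interface
table in the ifconfig style quoted in the thread (hex netmask such as
0xffffff00) and tcpdump -n one-line summaries such as
'IP 192.168.1.31.137 > 192.168.1.255.137: UDP, length 50'.
A packet seen on the WAN side whose destination is the directed broadcast
address of a LAN subnet, or the limited broadcast 255.255.255.255, or whose
source is a LAN address that was never NATed, is reported as a leak.
"""
import ipaddress
import re

# Constructed LAN interface table: (name, address, hex netmask as ifconfig prints it)
LAN_IFACES = [
    ("bridge0", "192.168.1.7", "0xffffff00"),
    ("vr1", "192.168.2.7", "0xffffff00"),
    ("vr1", "192.168.0.7", "0xffffff00"),
    ("ural0_wlan0", "192.168.3.7", "0xffffff00"),
]

# Constructed tcpdump -n lines as they might appear when capturing on the WAN interface.
WAN_CAPTURE = """\
IP 192.168.1.31.137 > 192.168.1.255.137: UDP, length 50
IP 80.220.71.201.51234 > 8.8.8.8.53: UDP, length 40
IP 192.168.2.50.68 > 255.255.255.255.67: UDP, length 300
IP 192.168.1.31.49152 > 192.168.1.7.53: UDP, length 60
"""

TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)")


def lan_networks(ifaces):
    """Turn (name, addr, hexmask) rows into (name, IPv4Network) pairs."""
    nets = []
    for name, addr, hexmask in ifaces:
        mask = ipaddress.IPv4Address(int(hexmask, 16))   # 0xffffff00 -> 255.255.255.0
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        nets.append((name, net))
    return nets


def classify(src, dst, nets):
    """Return a reason string if this packet should never appear on WAN, else None."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    src_lan = [name for name, net in nets if src_ip in net]
    if not src_lan:
        return None                      # not from a LAN subnet: ordinary NATed WAN traffic
    if dst_ip == ipaddress.IPv4Address("255.255.255.255"):
        return f"limited broadcast from {src_lan[0]}"
    for name, net in nets:
        if dst_ip == net.broadcast_address:  # depends on the mask, as johnpoz points out
            return f"directed broadcast for {name} ({net})"
    return f"un-NATed LAN source {src_lan[0]}"


def find_leaks(capture, ifaces):
    """Scan tcpdump summary lines; return [(line, reason)] for each leaked packet."""
    nets = lan_networks(ifaces)
    hits = []
    for line in capture.splitlines():
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        reason = classify(m["src"], m["dst"], nets)
        if reason:
            hits.append((line, reason))
    return hits


if __name__ == "__main__":
    for line, reason in find_leaks(WAN_CAPTURE, LAN_IFACES):
        print(f"LEAK: {reason}\n      {line}")
```

Run it against a real capture by piping `tcpdump -n -i <wan_if>` output into WAN_CAPTURE and the host's own interface table into LAN_IFACES; an empty result after placing the block-broadcast rule above the policy-routing pass rule confirms the fix.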

                                          So I guess this is specific to bridges.  More reason not to use them.  Said it before and I'll say it again.  Put all your apartments on switch ports.  pvlan edge or asymmetric VLANs.

                                          With one of these you can do what you want with one VLAN without a bunch of nonsense.

                                          http://www.ebay.com/itm/CISCO-WS-C2950T-48-SI-48-Port-Switch-10-100-Ethernet-Ports-REFURBISHED-/321672574121

                                          48 10/100
                                          2 10/100/1000
                                          Private VLAN Edge
                                          $29


                                            • ristosu

                                            @Derelict:

                                            http://www.ebay.com/itm/CISCO-WS-C2950T-48-SI-48-Port-Switch-10-100-Ethernet-Ports-REFURBISHED-/321672574121

                                            The shipping costs to Finland are unacceptable, but of course I could take a look at the European eBay offerings.
                                            @Derelict:

                                            This doesn't seem like correct behavior.  I guess the discussion can change from "is it really doing that" to "Is it proper for it to do that."

                                            I would express this (with my not perfect English) as the implementation not being ideal.
                                            @cmb:

                                            Of course - that's the entire point of policy routing. In this situation with a bridge, specifying a gateway on pass rules that match broadcast traffic will forward the broadcast traffic. It's what you're telling it to do. Don't match traffic with a pass rule specifying a gateway that you don't want sent to that gateway.

                                            Is there a situation where this behavior is wanted? Maybe for bridging two remote sites? No, that would not work.
                                            @cmb:

                                            As others have noted, the bridge is possibly undesirable in this circumstance. If it's not, block broadcast destination traffic above any pass rule specifying a gateway that would match, as any matching traffic will be forced to that gateway.

                                            That is my current solution.

                                            Risto

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.