Netgate Discussion Forum
    UDP broadcasts to WAN

    NAT
    58 Posts 7 Posters 16.3k Views
    • Derelict LAYER 8 Netgate

      pfsense's wan (vr0) is connected to operator's line through a switch (another one)

      What else is connected to that switch?

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • Derelict LAYER 8 Netgate

        I shouldn't have to create a gateway group to test this.  All I'll have to do is policy route to the existing gateway instead of the default routing table.

        Even though I know that won't satisfy you so I'll make a group anyway.  Not sure how that will satisfy you, either.

        • ristosu

          @Derelict:

          What else is connected to that switch?

          Two more routers.
          @Derelict:

          I shouldn't have to create a gateway group to test this.  All I'll have to do is policy route to the existing gateway instead of the default routing table.

          Even though I know that won't satisfy you so I'll make a group anyway.  Not sure how that will satisfy you, either.

          You are probably right. One route is enough. I was thinking too complicated. Sorry for that.

          Risto

          • ristosu

            I made a simplified setup with a virtual host in qemu. Two interfaces of type "em" (Intel gigabit). LAN IP 192.168.2.1, bridge IP 192.168.0.1 (VLANs 101, 102), WAN DHCP. I was able to demonstrate the problem by sending a UDP packet with nmap. I'll attach the config. It is so simple that it should be easy to spot the error.

            config-virtual.localdomain-20150304230122.xml.txt

            • Derelict LAYER 8 Netgate

              How do you guys like your crow?  I'll take mine with sriracha and a nice zinfandel.

              • cmb

                @ristosu:

                Looks to me that somehow this policy based routing overrides the routing table and ignores the local routes.

                Of course - that's the entire point of policy routing. In this situation with a bridge, specifying a gateway on pass rules that match broadcast traffic will forward the broadcast traffic. It's what you're telling it to do. Don't match traffic with a pass rule specifying a gateway that you don't want sent to that gateway.

                As others have noted, the bridge is possibly undesirable in this circumstance. If it's not, block broadcast destination traffic above any pass rule specifying a gateway that would match, as any matching traffic will be forced to that gateway.

                • Derelict LAYER 8 Netgate

                  Umm.  OK.  I guess nobody expects that their LAN NETBIOS name lookups, which are directed at the LAN subnet will be sent to WAN without NAT or anything when they enable policy routing.

                  This doesn't seem like correct behavior.  I guess the discussion can change from "is it really doing that" to "Is it proper for it to do that."

                  To reiterate:

                  Interface LAN
                  Interface address: 192.168.1.1/24
                  Receives broadcast to: 192.168.1.255
                  Forwards it to another gateway?  Why?

                  And, in my testing, it doesn't happen with a normal interface for LAN.  Only with a bridge for LAN. (I just tested removing the private flag on the members.  Does the same thing.)

                  • Derelict LAYER 8 Netgate

                    So I guess this is specific to bridges.  More reason not to use them.  Said it before and I'll say it again.  Put all your apartments on switch ports.  pvlan edge or asymmetric VLANs.

                    With one of these you can do what you want with one VLAN without a bunch of nonsense.

                    http://www.ebay.com/itm/CISCO-WS-C2950T-48-SI-48-Port-Switch-10-100-Ethernet-Ports-REFURBISHED-/321672574121

                    48 10/100
                    2 10/100/1000
                    Private VLAN Edge
                    $29

                    • ristosu

                      @Derelict:

                      http://www.ebay.com/itm/CISCO-WS-C2950T-48-SI-48-Port-Switch-10-100-Ethernet-Ports-REFURBISHED-/321672574121

                      The shipping costs to Finland are unacceptable, but of course I could take a look at the European eBay offerings.
                      @Derelict:

                      This doesn't seem like correct behavior.  I guess the discussion can change from "is it really doing that" to "Is it proper for it to do that."

                      I would express this (with my not perfect English) as the implementation not being ideal.
                      @cmb:

                      Of course - that's the entire point of policy routing. In this situation with a bridge, specifying a gateway on pass rules that match broadcast traffic will forward the broadcast traffic. It's what you're telling it to do. Don't match traffic with a pass rule specifying a gateway that you don't want sent to that gateway.

                      Is there a situation where this behavior is wanted? Maybe for bridging two remote sites? No, that would not work.
                      @cmb:

                      As others have noted, the bridge is possibly undesirable in this circumstance. If it's not, block broadcast destination traffic above any pass rule specifying a gateway that would match, as any matching traffic will be forced to that gateway.

                      That is my current solution.

                      Risto

                      • doktornotor

                        @ristosu:

                        @cmb:

                        Of course - that's the entire point of policy routing. In this situation with a bridge, specifying a gateway on pass rules that match broadcast traffic will forward the broadcast traffic. It's what you're telling it to do. Don't match traffic with a pass rule specifying a gateway that you don't want sent to that gateway.

                        Is there a situation where this behavior is wanted? Maybe for bridging two remote sites? No, that would not work.

                        Huh? It is required. Otherwise, the policy routing would not work - at all. Has nothing to do with bridging.

                        • johnpoz LAYER 8 Global Moderator

                          "specifying a gateway on pass rules that match broadcast traffic will forward the broadcast traffic."

                          So you're saying shove it down this hole no matter what it is if it meets the rule..  Well, while that makes sense, what were the rules that he never showed us, etc.  So if I said any from LAN net to dest any use gateway X - would that send broadcast traffic?  If so that should prob be mentioned somewhere, is it?  I wouldn't think that would send broadcast traffic.  You never think of broadcast traffic being routed - but in this case where you're forcing stuff down a hole.

                          So you're saying if pfSense sees traffic on its interface and it meets that rule that says send to this gateway, it gets shoved down the hole..

                          I like mine with sriracha as well ;)

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          • ristosu

                            @doktornotor:

                            Huh? It is required. Otherwise, the policy routing would not work - at all. Has nothing to do with bridging.

                            No, but has to do with routing. And there is routable traffic and unroutable, like broadcast in his case.

                            Risto

                            • phil.davis

                              As I understand it, the bridge implementation is an (IP) filtering bridge - the filtering has to be enabled on the member interfaces or the bridge as a whole or both. And thus anything that looks like IP will be passed through the filtering rules. So an IP-broadcast packet is going to be processed by the rule set and if it matches first a rule with a gateway then it goes to that gateway. If a rule does not have a gateway, then it goes to the routing table, and in the case of IP-broadcast the destination is in the bridge LAN subnet, so it goes out the various bridged interfaces.
                              I guess the filtering bridge is all good for if you want to put special rules on to block some traffic coming in 1 port from being bridged out to the other bridge ports - making a "not so transparent" bridge which walls off certain things that are still in the same subnet.
                              But it also leaves little "tricks" like this gateway policy-routing thing that does not come into play on a single-port ordinary LAN.
                              Also, I guess these bridges are not generic layer-2 bridges that would just learn MAC addresses and forward stuff around based on MAC address like a network switch. If there is DECnet, AppleTalk, your other favorite protocol that is not IP, then an IP-based packet filter is not going to understand that, so presumably those packets are not bridged?

                              My ravings here might clarify something, or they might just confuse.

                              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                              • ristosu

                                @phil.davis:

                                But it also leaves little "tricks" like this gateway policy-routing thing that does not come into play on a single-port ordinary LAN.

                                So on an ordinary LAN the routing table comes first, and then the firewall, and then again the routing table, unless there is a policy route? Sounds complicated. Why is it different for a bridge?

                                Risto

                                • Derelict LAYER 8 Netgate

                                  According to a PM I received, cmb stated that by the time such traffic from a bridge is evaluated, it is not possible to tell if it is a broadcast or not.  I take that to mean there is no longer a way to reference the subnet mask of the bridge interface itself.

                                  I see this as something that is a surprise to pretty much everyone.  Let everyone know that if they use a bridge to put a wireless card on the same subnet as their LAN, they will leak information out WAN they probably don't expect. In my testing it was netbios hostnames and internal IP addressing schemes.

                                  I was already putting explicit, quick floating rules on interface group V4WANS outbound blocking RFC1918 and alias local_v4_network destinations.  Today I will probably add This Firewall (self). I let the interface checkboxes handle WAN in, though a floating rule blocking alias local_network sources wouldn't be a bad idea.  But I think there's some automatic spoofing protection already present.

                                  In summary, the following still applies:

                                  • Don't bridge.  Use a separate subnet for multiple interfaces.

                                  • Don't use a wireless card, get an AP.

                                  • Don't bridge ethernet, get a switch.

                                  • And, in this case, get a switch that does what you need to have done at layer 2 - don't use your router to do your switch's job.

                                  • Just because you can, doesn't mean you should.

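The first-match behaviour cmb describes above (a gateway on the matching pass rule forces the packet to that gateway before the routing table is consulted) and the two mitigations in this thread (block the bridge's broadcast destination above the gateway rule, and Derelict's quick floating rules on WAN outbound blocking RFC1918 destinations), as a small added Python model. This is example code written for this page, not pfSense's rule engine and not anything posted in the thread; the rule names, the 192.168.1.0/24 bridge LAN, the gateway name WAN_GW and the outcome strings are constructed for illustration, and the model follows cmb's description without distinguishing a bridged LAN from a plain one (Derelict's testing found the forwarding only with a bridge).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import List, Optional

# Constructed topology: the bridged LAN discussed in the thread.
LAN_IF = IPv4Interface("192.168.1.1/24")
LAN_BCAST = LAN_IF.network.broadcast_address          # 192.168.1.255
RFC1918 = [IPv4Network("10.0.0.0/8"),
           IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    dst: Optional[IPv4Network] = None    # None means "any" destination
    gateway: Optional[str] = None        # policy-routing gateway (pass rules only)
    note: str = ""

    def matches(self, dst: IPv4Address) -> bool:
        return self.dst is None or dst in self.dst


def first_match(rules: List[Rule], dst) -> Optional[Rule]:
    """pfSense interface rules are first-match, top to bottom."""
    dst = IPv4Address(dst)
    for rule in rules:
        if rule.matches(dst):
            return rule
    return None                          # no match: pfSense default deny


def lan_decision(lan_rules: List[Rule], dst) -> str:
    """Where an IP packet arriving on LAN ends up after the LAN rule set."""
    dst = IPv4Address(dst)
    rule = first_match(lan_rules, dst)
    if rule is None or rule.action == "block":
        return "dropped"
    if rule.gateway:
        # cmb's point: the gateway on the matching pass rule is applied before
        # the routing table, so even a local broadcast is pushed to that gateway.
        return f"policy-routed to {rule.gateway}"
    if dst in LAN_IF.network:
        return "routing table: local, stays on LAN/bridge"
    return "routing table: default route"


def wan_egress_allowed(floating_wan_out: List[Rule], dst) -> bool:
    """Quick floating rules on WAN outbound; no match falls through (allowed)."""
    rule = first_match(floating_wan_out, dst)
    return rule is None or rule.action == "pass"


def trace(lan_rules: List[Rule], floating_wan_out: List[Rule], dst) -> str:
    """Full path of a LAN packet: LAN rule set, then WAN egress if policy-routed."""
    decision = lan_decision(lan_rules, dst)
    if decision.startswith("policy-routed"):
        if not wan_egress_allowed(floating_wan_out, dst):
            return decision + ", then blocked by floating WAN egress rule"
        return decision + ", leaves via WAN"
    return decision


def audit_broadcast_leak(lan_rules: List[Rule]) -> Optional[str]:
    """Return the gateway a LAN broadcast would be forced to, or None if safe."""
    rule = first_match(lan_rules, LAN_BCAST)
    if rule is not None and rule.action == "pass" and rule.gateway:
        return rule.gateway
    return None


# Rule set 1 (constructed): the thread's situation, LAN net -> any via a gateway.
LEAKY_LAN = [Rule("pass", None, gateway="WAN_GW", note="LAN net -> any via WAN_GW")]

# Rule set 2 (constructed): cmb's fix, broadcast destinations blocked above it.
FIXED_LAN = [
    Rule("block", IPv4Network(f"{LAN_BCAST}/32"), note="bridge broadcast, before policy routing"),
    Rule("block", IPv4Network("255.255.255.255/32"), note="limited broadcast too"),
    Rule("pass", None, gateway="WAN_GW", note="LAN net -> any via WAN_GW"),
]

# Derelict's second layer (constructed): floating quick block of RFC1918 out WAN.
NO_WAN_EGRESS = [Rule("block", net, note="no private destinations out WAN") for net in RFC1918]

if __name__ == "__main__":
    for name, rules in (("leaky", LEAKY_LAN), ("fixed", FIXED_LAN)):
        print(name, "broadcast:", trace(rules, [], LAN_BCAST))
        print(name, "broadcast + floating:", trace(rules, NO_WAN_EGRESS, LAN_BCAST))
        print(name, "audit:", audit_broadcast_leak(rules))
```

Under the leaky set the audit names WAN_GW as the gateway a 192.168.1.255 destination is forced to, and under the fixed set it returns None. The floating WAN egress block catches the leak even when the LAN rule set is left as is, which is the reason for carrying it as a second layer rather than relying on rule ordering alone.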
                                  • Derelict LAYER 8 Netgate

                                    @ristosu:

                                    @Derelict:

                                    http://www.ebay.com/itm/CISCO-WS-C2950T-48-SI-48-Port-Switch-10-100-Ethernet-Ports-REFURBISHED-/321672574121

                                    The shipping costs to Finland are unacceptable, but of course I could take a look at the European eBay offerings.

                                    Yeah.  It was intended to be an example.  There are likely cheap, surplus switches all over the world especially if 10/100 station ports are acceptable. That one has gig uplinks.

                                    • ristosu

                                      Why am I getting a strange feeling that some people following this conversation hope that it wasn't ever started, and the whole problem had been kept under the carpet? Probably just my imagination.

                                      Well, I'm glad it was. It certainly has opened my eyes :)

                                      And thanks to all of you for your opinions.

                                      Risto

                                      • Derelict LAYER 8 Netgate

                                        I don't get that at all.  We told you from the start that your config was convoluted and unnecessary.  You're poking around in areas that get very little attention since there are vastly better ways to accomplish the same thing.

                                        • P3R

                                          @ristosu:

                                          The shipping costs to Finland are unacceptable, but of course I could take a look at the European eBay offerings.

                                          There are many at Ebay UK. You should be able to find a 48 port for around €1 per port incl. shipping. More expensive than in the US but still very reasonable.

                                          Now that I found them, I'm almost sad that I don't need one…

                                          • ristosu

                                            @Derelict:

                                            I don't get that at all.  We told you from the start that your config was convoluted and unnecessary.  You're poking around in areas that get very little attention since there are vastly better ways to accomplish the same thing.

                                            Well, think again. Since bridge and policy routing are both apparently useful features, it's about time to unveil the fact that they should not be mixed in pfSense. Could happen to anyone.

                                            Risto

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.