Bridge not bridging
-
Running 2.3.2-p1
Interfaces ath0_wlan0 (WiFi) and igb1 (LAN) are bridged; WiFi has no IP address; DHCP server is running on LAN int; devices on both interfaces get IPs and can get out the WAN
The problem is devices on WiFi and LAN cannot talk to each other. A packet capture shows the packets never cross interfaces. I have a pass rule for the LAN Net on both interfaces. The firewall log does not show blocking any packets. -
OK, I added the bridge0 interface to the interfaces screen and added a pass rule on that interface, but still have the same results. Below is the configuration & the tcpdump results. .32 is on the wireless & .30 is on igb1 (LAN)
ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 94:39:e5:9b:a0:69
inet6 fe80::9639:e5ff:fe9b:a069%ath0_wlan0 prefixlen 64 scopeid 0xb
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: IEEE 802.11 Wireless Ethernet autoselect mode 11ng <hostap>
status: running
ssid XXXXX channel 11 (2462 MHz 11g ht/20) bssid 94:39:e5:9b:a0:69
regdomain 101 indoor ecm authmode WPA2/802.11i privacy MIXED
deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 20 scanvalid 60
protmode OFF ampdulimit 64k ampdudensity 8 shortgi wme burst -apbridge
dtimperiod 1 -dfs
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:6b:89:80:1b:00
nd6 options=1<PERFORMNUD>
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: ath0_wlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 11 priority 128 path cost 33333
member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 4 priority 128 path cost 2000000
[2.3.2-RELEASE][admin@fw1.rolltribe.local]/root: tcpdump -i bridge0 icmp
tcpdump: WARNING: bridge0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bridge0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:07:49.497416 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 31, length 64
22:07:50.502542 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 32, length 64
22:07:51.505910 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 33, length 64
22:07:52.509290 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 34, length 64
22:07:53.514034 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 35, length 64
22:07:54.514349 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 36, length 64
22:07:55.519512 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 37, length 64
22:07:56.523546 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 38, length 64
22:07:57.528739 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 39, length 64
22:07:58.533858 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 40, length 64
22:07:59.535173 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 41, length 64
^C
11 packets captured
17 packets received by filter
0 packets dropped by kernel
[2.3.2-RELEASE][admin@fw1.rolltribe.local]/root: tcpdump -i bridge0 icmp
tcpdump: WARNING: bridge0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bridge0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:11:20.270599 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 6498, seq 0, length 64
22:11:23.249090 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 6498, seq 1, length 64
22:11:26.272040 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 6498, seq 2, length 64
22:11:30.255463 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 6498, seq 3, length 64
22:11:34.253254 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 6498, seq 4, length 64
22:11:37.284191 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 6498, seq 5, length 64
^C
6 packets captured
65 packets received by filter
0 packets dropped by kernel
[2.3.2-RELEASE][admin@fw1.rolltribe.local]/root: tcpdump -i ath0_wlan0 icmp
tcpdump: WARNING: ath0_wlan0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ath0_wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:11:51.482688 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 47158, seq 0, length 64
22:11:54.490625 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 47158, seq 1, length 64
22:11:58.484648 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 47158, seq 2, length 64
22:12:02.483294 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 47158, seq 3, length 64
22:12:06.487501 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 47158, seq 4, length 64
^C
5 packets captured
2260 packets received by filter
0 packets dropped by kernel
[2.3.2-RELEASE][admin@fw1.rolltribe.local]/root: tcpdump -i igb1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 65535 bytes
22:31:32.796447 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 61102, seq 2, length 64
22:31:33.611907 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 61102, seq 3, length 64
22:31:34.616106 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 61102, seq 4, length 64
22:31:35.620260 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 61102, seq 5, length 64
22:31:36.621133 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 61102, seq 6, length 64
^C
5 packets captured
30200 packets received by filter
0 packets dropped by kernel -
I just noticed something else: multicast packets cross the bridge; 1.6 is a Raspberry Pi running Kodi on the wired LAN; these packets were captured on the wireless (ath0_wlan0) interface
01:02:52.371816 IP 172.18.1.6.mdns > 224.0.0.251.mdns: 0*- [0q] 1/0/0 (Cache flush) TXT "deviceid=B8:27:EB:1E:8E:21" "model=Xbmc,1" "srcvers=101.28" "features=0x20F7" (119)
01:02:52.486513 IP 172.18.1.6.7611 > 239.255.255.250.1900: UDP, length 160
01:02:52.487865 IP 172.18.1.6.7611 > 239.255.255.250.1900: UDP, length 160
^C -
Assign an IP (and DHCP server) to your bridge0 interface, not the members.
At System: Advanced: System Tunables you need to adjust these values:

| net.link.bridge.pfil_member | Set to 0 to disable filtering on the incoming and outgoing member interfaces. | default (1) |
| net.link.bridge.pfil_bridge | Set to 1 to enable filtering on the bridge interface | default (0) |

You only need to create rules on the bridge0 rules tab then.
Make sure your AP does not have client isolation checked. -
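A way to check a firewall against the advice in the reply above, as an added example that is not part of the thread or of pfSense itself. It audits the text of `sysctl net.link.bridge` and `ifconfig` output; the function names and the embedded sample input (including the 172.18.1.1 address) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit where pf filters bridged traffic and where the IP lives.

# Constructed sample input (not captured from the poster's firewall).
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0'
SAMPLE_IFCONFIG='igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 172.18.1.1 netmask 0xffffff00 broadcast 172.18.1.255
ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    member: ath0_wlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# sysctl_value TEXT NAME -> prints the value of NAME, or nothing if absent
sysctl_value() {
    printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }'
}

# audit_bridge SYSCTL_TEXT IFCONFIG_TEXT BRIDGE -> one finding per line,
# no output when the configuration matches the advice.
audit_bridge() {
    [ "$(sysctl_value "$1" net.link.bridge.pfil_member)" = 0 ] ||
        echo "pfil_member is not 0: rules are evaluated on each member"
    [ "$(sysctl_value "$1" net.link.bridge.pfil_bridge)" = 1 ] ||
        echo "pfil_bridge is not 1: rules on $3 are not evaluated"
    printf '%s\n' "$2" | awk -v br="$3" '
        /^[^ \t]/    { ifn = $1; sub(/:$/, "", ifn) }   # unindented line starts an interface
        $1 == "inet" { has_ip[ifn] = 1 }                # IPv4 address on current interface
        $1 == "member:" && ifn == br { member[$2] = 1 } # bridge member list
        END {
            if (!has_ip[br]) print br " has no IPv4 address"
            for (m in member)
                if (has_ip[m]) print "member " m " has an IPv4 address"
        }'
}

# On a live system, pass "$(sysctl net.link.bridge)" and "$(ifconfig)" instead.
audit_bridge "$SAMPLE_SYSCTL" "$SAMPLE_IFCONFIG" bridge0
```
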
I made the suggested changes & get the same results.