Rule required on bridge interface to pass traffic?
-
I have the default configuration:
net.link.bridge.pfil_member 1
net.link.bridge.pfil_bridge 0
I understood this to mean, after reading the manual, that only member interface rules would be necessary, or have any effect.
I created a bridge over a number of VLAN interfaces. I enabled the VLAN interfaces, but did not assign an IP to any of them; I did however enable the bridge interface and assign an IP address to it. Then I added a catch-all Pass IPv4 * rule to one of the VLANs. I expected this would allow traffic from that VLAN to route to other interfaces, including the WAN.
However, packets didn't seem to pass. I found my packets in the logs, getting blocked "Default deny rule IPv4," against the bridge interface. As an experiment, I made a copy of my rule, and changed it to the bridge interface instead of the member interface; then everything started working as I expected.
This completely contradicts my understanding of how this is supposed to work, from the description in the manual. It seems to be ignoring the member rule, and only looking at the bridge rule.
One other note: I noticed that the original member pass rule was showing a few states, related to broadcast packets of various kinds, like packets that wouldn't have actually routed out of the subnet. Maybe that's a hint?
Can someone explain this behavior?
Edited: I initially mentioned NAT, but it affected non-NAT interfaces as well.
-
I have another separate bridge setup, and I hadn't really paid much attention to it before; but I noticed that packets show up as being default denied on both the member interface and the bridge interface. It looks like the packets that would be bridged show up on the member interface, and packets that are destined the firewall itself show up on the bridge interface. I think that packets that are destined to be routed (as opposed to switched on layer 2) also show up against the bridge interface, which is what's happening in my original post.
So I really have no idea what net.link.bridge.pfil_bridge is meant to do. It appears that rules apply to the bridge interface even with this disabled. Maybe it's broken? Maybe it has some more nuanced meaning?
I see all sorts of people on the internet messing with these settings, but nothing really clearly explaining why they're doing it.