Netgate Discussion Forum

    Can't get packet filter to work on bridge member interfaces

    Category: Firewalling
    2 Posts, 1 Poster, 370 Views
    AlleyCat wrote:

      Hello - I am having a terrible time getting packet filtering to work on member interfaces of a bridge. Would appreciate some additional eyeballs to review and advise.

      I'm using pfSense 2.4.4-p3.

      Tunables:
      net.link.bridge.ipfw = 1
      net.link.bridge.pfil_member = 1
      net.link.bridge.pfil_bridge = 0

      (https://www.freebsd.org/cgi/man.cgi?bridge(4) says the first tunable must be enabled for dummynet support, which is a requirement for my setup)

      I have a functioning WAN interface assigned on igb0.

      I have interface igb1.300 (VLAN 300 on igb1) defined with no IP address set. This is effectively my "LAN" interface.

      I create bridge0 and set igb1.300 as its only member.

      I create an interface for bridge0 and assign it a valid public IP address for my upstream connection (1.1.1.1/24 for example).

      I have a client node entering pfSense on igb1.300 with a public IP address in the same subnet (1.1.1.2/24 for example, with gateway 1.1.1.1).

      I create a firewall rule (pass any-any) on igb1.300. No traffic flows, and firewall logs show default deny being hit on the bridge0 interface.

      If I move the pass rule from igb1.300 to bridge0 it hits the pass rule and traffic flows.

      If I delete the bridge and use only igb1.300 with the same IP address and firewall rule directly on igb1.300 then the pass rule gets hit and traffic flows.

      Based on the tunables I am expecting this to function opposite to how it actually is functioning. Am I missing something in the config to make it work as expected? Are my expectations correct for how it should function?

      NOTE: I already know and agree in principle that bridges in pfSense are evil and should be avoided. With that said, I still need to figure out why this particular configuration is not functioning as expected. Thanks in advance.

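A small audit script, added here and not part of the original post or of pfSense, that maps the bridge(4) pfil tunables to the interfaces pf will evaluate rules on and then checks that the loaded ruleset actually has rules bound to each of them. The sysctl and pfctl texts are constructed sample output; interface names follow the post (bridge0 with the single member igb1.300).

```shell
# Added example, not from the post or pfSense: map the bridge(4) pfil tunables to the
# interfaces pf evaluates rules on, then check the ruleset has rules bound to each.
# The samples are constructed stand-ins for `sysctl net.link.bridge` / `pfctl -sr`
# output; on a live box feed those commands' output in instead.
SYSCTL_SAMPLE='net.link.bridge.ipfw: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0'

PFCTL_SAMPLE='block drop in log all label "Default deny rule IPv4"
pass in quick on igb0 inet from any to any flags S/SA keep state
pass in quick on igb1.300 inet from any to any flags S/SA keep state'

# tunable NAME SYSCTL_TEXT -> value of net.link.bridge.NAME (empty if absent)
tunable() {
    printf '%s\n' "$2" | awk -v k="net.link.bridge.$1:" '$1 == k { print $2 }'
}

# filter_points PFIL_MEMBER PFIL_BRIDGE -> where bridge(4) says pf filters:
# pfil_member=1 on the member interfaces, pfil_bridge=1 on the bridge itself.
filter_points() {
    case "$1$2" in 11) echo "member bridge";; 10) echo member;; 01) echo bridge;; *) echo none;; esac
}

# rules_on IFACE PFCTL_TEXT -> number of pass/block/match rules bound to IFACE
# (looks at the " on IFACE " token of each rule; labels are not inspected)
rules_on() {
    printf '%s\n' "$2" | grep -c -E "^(pass|block|match)[^#]* on $1( |$)" || true
}

# audit SYSCTL_TEXT PFCTL_TEXT BRIDGE MEMBER... -> "<iface> <rule count>" for each
# interface pf filters on; returns 1 if one of them has no rules, because traffic
# arriving there can then only hit the default deny.
audit() {
    sysctl_text=$1; pfctl_text=$2; bridge=$3; shift 3
    points=$(filter_points "$(tunable pfil_member "$sysctl_text")" \
                           "$(tunable pfil_bridge "$sysctl_text")")
    ifaces=""
    case " $points " in *" member "*) ifaces="$*" ;; esac
    case " $points " in *" bridge "*) ifaces="$ifaces $bridge" ;; esac
    [ -n "$ifaces" ] || { echo "pf evaluates no rules on bridged traffic"; return 1; }
    status=0
    for ifc in $ifaces; do
        n=$(rules_on "$ifc" "$pfctl_text")
        echo "$ifc $n"
        [ "$n" -gt 0 ] || status=1
    done
    return $status
}

audit "$SYSCTL_SAMPLE" "$PFCTL_SAMPLE" bridge0 igb1.300
```

With the tunables from the post the script reports only igb1.300 as a filtering point, so a pass rule placed there is where bridge(4) says evaluation should happen; a non-zero exit means some filtering interface has no rules at all.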
      AlleyCat wrote:

        Anyone?

        Can anyone at least confirm that this should be working, despite the fact that it very much isn't working?

        Very much appreciate anything that can help point me in the right direction here. Everything I've found online suggests it should be working but I haven't found anything conclusive.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.