little confused about how pfsense handles broadcast packets, particularly with bridges. couple questions...
-
i have a 6 port pfsense box and i wanted to use one of the spare ports as a second bridged LAN port. i know there's a performance hit compared to using a switch, but i'm OK with this.
i created the LAN interface, provided static IP, and created DHCP server. i created a LAN2 interface without any IP, then created a bridge of LAN and LAN2. if you are reading this and looking to do the same, the documentation seems to suggest that assigning the static IP and DHCP server to the bridge itself and not the member interfaces is preferred, FYI (https://docs.netgate.com/pfsense/en/latest/bridges/interfaces.html).
the system tunables described at the link below are in their default configuration, so packet filtering is done at the interface, not at the bridge. https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html
i saw in the pfsense documentation that in this configuration, you have to add a broadcast allow rule for DHCP. i have other broadcast services i want to bridge like file share, sonos, airplay, etc., so i instead created an allow from any to any rule on LAN2. https://docs.netgate.com/pfsense/en/latest/bridges/internal-networks.html#dhcp-and-internal-bridges
i did also see the post below that describes how pfsense creates rules not shown in the GUI to allow DHCP to work on a standalone interface. https://www.reddit.com/r/PFSENSE/comments/him1qz/no_rules_needed_for_dhcp/
i should note, everything seems to work, but i just want to make sure i understand the implications of how this is setup.
so i guess my questions are:
- it seems on a standalone (non-bridged) interface by default pfsense creates rules to handle DHCP and drops any other broadcast packets, is that true?
- do i have to create a rule to allow broadcast packets in on LAN to get them to be passed to LAN2? the default LAN rules are in place (allow from LAN net to any).
- i guess pfsense must allow non-IP broadcast messages such as ARP without any rules within a bridge, right?
- are there any downsides to creating the allow from any to any rule that i did on LAN2? isn't this how a bridge/dumb switch would normally act?
- i assume pfsense doesn't allow broadcast packets to leave the bridge to non-member interfaces, is this true?
-
Pfsense should not be passing any broadcasts. Broadcasts are normally limited to a single subnet. On the other hand, multicasts may be passed, if so configured. ARP has nothing to do with IP, which it predates. Regardless, there's no reason for it to go beyond the single network.
-
ARP is a layer 2 broadcast.
@JKnott so based on your response to original questions, can you confirm?
- yes
- yes
- unclear
- unclear
- yes
-
@justsomeguy said in little confused about how pfsense handles broadcast packets, particularly with bridges. couple questions...:
yes
Yes
yes
No, you do not pass broadcasts between subnets
unclear
Pfsense does not pass ARP, etc. under any circumstances
unclear
There's another thread about using pfsense as a bridge. It's a waste of effort. If you want a switch, buy a switch. They're cheap.
yes
Pfsense has absolutely nothing to do with broadcasts. It should not be passing them anywhere
-
found some good information in the freebsd documentation on bridges...still reading.
https://www.freebsd.org/cgi/man.cgi?bridge(4)
ARP and REVARP packets are forwarded without being filtered and others that are not IP nor IPv6 packets are not forwarded when pfil_onlyip is enabled. IPFW can filter Ethernet types using mac-type so all packets are passed to the filter for processing.
net.link.bridge.pfil_onlyip Controls the handling of non-IP packets which are not passed to pfil(9). Set to 1 to only allow IP packets to pass (subject to firewall rules), set to 0 to unconditionally pass all non-IP Ethernet frames.
-
Multicast and broadcast packets are always forwarded to all interfaces that are part of the bridge. For unicast traffic, the bridge learns which MAC addresses are associated with which interfaces and will forward the traffic selectively.
http://www.openbsd.org/faq/pf/filter.html#intro
Packet filtering is the selective passing or blocking of data packets as they pass through a network interface. The criteria that pf(4) uses when inspecting packets are based on the Layer 3 (IPv4 and IPv6) and Layer 4 (TCP, UDP, ICMP, and ICMPv6) headers. The most often used criteria are source and destination address, source and destination port, and protocol.
-
so i think i've learned some things. to my original questions....
- it seems on a standalone (non-bridged) interface by default pfsense creates rules to handle DHCP and drops any other broadcast packets, is that true?
no. the default pfsense rules allow any layer 3 broadcast packets IF the source is the LAN net. DHCP is a unique exception because the source is 0.0.0.0, for which a rule is automatically created but not shown in the GUI list. layer 2 packets are accepted by pfsense but not routed (since this isn't really possible)
- do i have to create a rule to allow broadcast packets in on LAN to get them to be passed to LAN2? the default LAN rules are in place (allow from LAN net to any).
for layer 2, no, this is what the bridge does and pf does not interfere. for layer 3 the default rules allow it, but can be modified as desired.
- i guess pfsense must allow non-IP broadcast messages such as ARP without any rules within a bridge, right?
yes
- are there any downsides to creating the allow from any to any rule that i did on LAN2? isn't this how a bridge/dumb switch would normally act?
still looking for input here, but it seems DHCP is a unique broadcast exception instead of one of many. i did some packet capture and most other broadcast packets have a LAN net source address and would be allowed with the default rule. i guess the implication of allow from any to any is that IP packets from a source address may be routed or attempted to be routed. this may include bad IPs or IPs intended to be link local.
- i assume pfsense doesn't allow broadcast packets to leave the bridge to non-member interfaces, is this true?
layer 2 broadcast packets won't leave the bridge. layer 3 broadcasts will be filtered and routed according to rules.
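As an added example (not from this thread, pfSense or FreeBSD), a small Python model of the decisions summarised above: ARP/RARP forwarded without filtering, other non-IP frames governed by net.link.bridge.pfil_onlyip, and IP frames filtered by pf on the member interface using the default "LAN net to any" rule, the hidden DHCP rule for source 0.0.0.0, and the any-to-any rule on LAN2. The subnet, interface names and sample frames are constructed assumptions.

```python
import ipaddress

# Constructed model of the behaviour discussed in this thread; not pfSense or FreeBSD code.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed example subnet
DHCP_SERVER_IFACES = {"LAN"}                       # interfaces with a DHCP server enabled

# Per-interface pf rules as (source network, or None for "any", action).
RULES = {
    "LAN":  [(LAN_NET, "pass")],   # pfSense default "LAN net to any" rule
    "LAN2": [(None, "pass")],      # the OP's any-to-any rule on LAN2
}

def pf_verdict(iface, src, proto=None, dst_port=None):
    """'pass' or 'block' for an IP packet entering iface; pf denies by default."""
    # automatic rule pfSense adds (hidden from the GUI) where a DHCP server runs
    if iface in DHCP_SERVER_IFACES and src == "0.0.0.0" and proto == "udp" and dst_port == 67:
        return "pass"
    src_ip = ipaddress.ip_address(src)
    for net, action in RULES.get(iface, []):
        if net is None or src_ip in net:
            return action
    return "block"

def bridge_disposition(frame, pfil_onlyip=1):
    """bridge(4) plus pf handling of one frame entering a bridge member, assuming
    the pfSense defaults pfil_member=1 / pfil_bridge=0 (pf filters on the member)."""
    et = frame["ethertype"]
    if et in ("arp", "rarp"):            # bridge(4): forwarded without being filtered
        return "forwarded unfiltered (ARP/RARP)"
    if et not in ("ip", "ip6"):          # other non-IP ethertypes depend on the tunable
        return "dropped: non-IP and pfil_onlyip=1" if pfil_onlyip else "forwarded unfiltered (pfil_onlyip=0)"
    verdict = pf_verdict(frame["iface"], frame["src"], frame.get("proto"), frame.get("dst_port"))
    if verdict == "block":
        return "blocked by pf on " + frame["iface"]
    return "passed by pf on " + frame["iface"] + ", bridged to the other member"

# Constructed sample frames (all broadcast or multicast, so the bridge would flood them).
SAMPLES = {
    "arp_request":    {"iface": "LAN",  "ethertype": "arp"},
    "stp_bpdu":       {"iface": "LAN",  "ethertype": "stp"},
    "dhcp_discover":  {"iface": "LAN",  "ethertype": "ip", "src": "0.0.0.0", "proto": "udp", "dst_port": 67},
    "ssdp_from_lan":  {"iface": "LAN",  "ethertype": "ip", "src": "192.168.1.50", "proto": "udp", "dst_port": 1900},
    "linklocal_lan":  {"iface": "LAN",  "ethertype": "ip", "src": "169.254.10.10", "proto": "udp", "dst_port": 5353},
    "linklocal_lan2": {"iface": "LAN2", "ethertype": "ip", "src": "169.254.10.10", "proto": "udp", "dst_port": 5353},
}

def run_samples(pfil_onlyip=1):
    return {name: bridge_disposition(f, pfil_onlyip) for name, f in SAMPLES.items()}
```

The last two samples show the point raised about the any-to-any rule: the same link-local-sourced broadcast is blocked by the default rule on LAN but passed on LAN2.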
-
@justsomeguy said in little confused about how pfsense handles broadcast packets, particularly with bridges. couple questions...:
no. the default pfsense rules allow any layer 3 broadcast packets IF the source is the LAN net.
But they don't go anywhere..
for layer 3 the default rules allow it, but can be modified as desired.
Again they don't go anywhere... They are broadcast, they don't get routed to anything.
layer 3 broadcasts will be filtered and routed according to rules.
Broadcasts are not routed..
-
@justsomeguy said in little confused about how pfsense handles broadcast packets, particularly with bridges. couple questions...:
ARP is a layer 2 broadcast.
Getting back to my original point, ARP has nothing to do with IP. All it does is map an IP address to a MAC address, but can be used for other things too. Regardless, it's never let off the local LAN, as anywhere else it's meaningless. There are plenty of other layer 2 things that have nothing to do with IP. For example, if you have a managed switch, you will likely see spanning tree frames or equivalent.