Bridge firewall rules and spam in logs.
-
Hello all, I need verification and/or clarification on my bridge rules.
I created bridge between Lan and Lan3, and added the rule for lan3. On lan3 interface I created a rule "lan3 net" to "any." I was able to ping out to google and other device inside of Lan3 but not to Lan. On the other hand Lan devices could ping Lan 3 devices.
I then created a rule on Lan interface "Lan3 net" to "any" but still I was not able to reach any machine on Lan from Lan3. Seeing that the rule did not do anything; I deleted it and went back to Lan3 interface and created a second rule on top of the first rule; allowing "Lan net" to "any" which allowed Lan3 devices to ping Lan devices. I can't help feel that this is not correct and may be a security risk?
Also I seem to be having ipv6 link local address spamming my firewall log every second. I do not have ipv6 set up on my network, and I do not like my log filling up with this meaningless information. It seems related to my bridge, Any ideas why this is happening?
-
For what possible reason would you bridge lan1 and lan3 ? Router interface ports are not switch ports. Is one of them copper and the other fiber or something. What do you think you get with bridging them?
That traffic is multicast ipv6 looking for UPnP crap and dns.. Disable that on the devices sending it, or setup pfsense not to log it. Not doing on ipv6 on pfsense does not mean it doesn't log stuff that hits its default block rule.
-
For what possible reason would you bridge lan1 and lan3 ? Router interface ports are not switch ports. Is one of them copper and the other fiber or something. What do you think you get with bridging them?
That traffic is multicast ipv6 looking for UPnP crap and dns.. Disable that on the devices sending it, or setup pfsense not to log it. Not doing on ipv6 on pfsense does not mean it doesn't log stuff that hits its default block rule.
Because I have Lan 3 going to a virtual network that can't be plugged into a physical switch because it's physically impossible and two I want the services on the virtual network to be reachable on the same subnet of Lan interface use the same dhcp and firewall rules.
SO instead of criticizing me and asking me why, just help me to make sure I don't have security problem.
-
I told exactly what the noise was.. Its multicast ipv6 noise from devices on your network. No its not a security concern. And told you how to make it stop.
But your explanation of it can not be plugged into a switch, but its plugged into your nic on pfsense?? Makes no sense.
Maybe your not on the board as much as me, but there is tons of nonsense posts users wanting to bridge, when it makes no sense too. A nic interface on pfsense is not a switch port. If you want something on the same layer 2 network, then plug them into the same switch. Bridging 2 interfaces is not he right way to accomplish what you want.
Your ipv6 noise would be handled the exact same way be it your seeing it on your bridge or not.. You either live with it in your logs, setup the devices not to send out the ipv6 noise if your not using ipv6 or not log it on pfsense.
-
I told exactly what the noise was.. Its multicast ipv6 noise from devices on your network. No its not a security concern. And told you how to make it stop.
But your explanation of it can not be plugged into a switch, but its plugged into your nic on pfsense?? Makes no sense.
Maybe your not on the board as much as me, but there is tons of nonsense posts users wanting to bridge, when it makes no sense too. A nic interface on pfsense is not a switch port. If you want something on the same layer 2 network, then plug them into the same switch. Bridging 2 interfaces is not he right way to accomplish what you want.
Your ipv6 noise would be handled the exact same way be it your seeing it on your bridge or not.. You either live with it in your logs, setup the devices not to send out the ipv6 noise if your not using ipv6 or not log it on pfsense.
Ok well I don't care about the ipv6, you're right it's just noise, I'll will have to sniff out later. But I will explain my setup a little bit more.
Host is ubuntu 14.04 KVM limited number of expansion slots used for storage controllers and only has two onboard nics, so not able to add more nics. Pass through two nics em0 em1 to pfsense guest, created a lagg interface, have three vlans on top of lagg, one for wan, one for lan and one for lan 2(isolated network.) So how does the host box connected to the network if I pass through both of it's nics?
I created a bridge on the host set a static ip and spoof mac address, had all my other kvm server guests connect to this bridge then add a virtio nic to the pfsense then told it to connect to this bridge. Now I have a virtual network. On pfsense side I created an interface using vtnet0, did not give it an ip, viola lan 3 exist! Took lan interface of vlan1 and lan3 and put them in a bridge, creating bridge0. I added the firewall rules, hence my question is it setup correctly that I'm not causing a security issue.