Found a possible bug.
  • I have a bridged LAN interface using a virtio NIC and a VLAN on a lagg interface. I was setting up a WAN failover and running into problems.

    When you set up a WAN failover with two WANs/gateways using a gateway group and change the gateway in the default LAN -> any rule from default to the group, the two LAN interfaces that are bridged stop talking with each other (as in, you can ping the pfsense box but cannot ping machines on the VLAN from the virtio LAN, nor can the virtio LAN ping machines on the VLAN), but you are able to reach the internet. On the other hand, if you switch it back to default, you are able to talk to each other but not reach the internet.

    I have
    net.link.bridge.pfil_member set to 0
    and
    net.link.bridge.pfil_bridge set to 1

    This seems to be a bug.
  • Not a bug, nature of how policy routing works by design - it forces traffic to the specified gateway. Don't pass traffic between internal networks with a rule specifying a gateway.
  • @cmb:

    Not a bug, nature of how policy routing works by design - it forces traffic to the specified gateway. Don't pass traffic between internal networks with a rule specifying a gateway.

    Ok, so it's by design.
    Is there a proper way to allow traffic on a bridge with a gateway group set?
  • Just make sure your rules specifying a gateway are only matching traffic you want to force to that gateway (group). Add rule(s) above that to pass traffic between internal networks.
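    The rule ordering cmb describes, written out as a constructed pf.conf fragment (added here for illustration; it is not pfSense's generated ruleset, and the interface name, network ranges and gateway addresses are assumed). The broken form is the original poster's single LAN rule carrying the gateway; the fixed form places a plain pass rule for internal-to-internal traffic above the policy-routed one.

    ```conf
    # Constructed example. With net.link.bridge.pfil_bridge=1 and pfil_member=0,
    # filtering happens on the bridge interface, so rules are written on bridge0.
    br_if    = "bridge0"
    int_nets = "{ 192.168.1.0/24, 192.168.10.0/24 }"   # virtio LAN and VLAN subnets (assumed)
    wan_if   = "vtnet1"                                 # primary WAN interface (assumed)
    wan_gw   = "203.0.113.1"                            # primary WAN gateway (documentation range)

    # BROKEN: the only LAN rule names a gateway, so route-to applies to everything
    # it matches, including packets bound for the other bridge member. Those
    # packets are pushed out the WAN instead of being forwarded across the bridge.
    # pass in quick on $br_if route-to ($wan_if $wan_gw) from $int_nets to any

    # FIXED: match internal-to-internal traffic first with no gateway, so it is
    # routed normally. Only traffic that does not match falls through to the
    # policy-routing rule, which now carries the gateway (group) for internet-bound
    # traffic only.
    pass in quick on $br_if from $int_nets to $int_nets
    pass in quick on $br_if route-to ($wan_if $wan_gw) from $int_nets to ! $int_nets
    ```

    In pfSense the same ordering is achieved in the GUI by placing the internal-networks pass rule (gateway left at default) above the rule whose gateway is the failover group; `pfctl -nf <file>` parses a fragment like this without loading it, which is a quick way to check the syntax.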