Bridge not bridging



  • Running 2.3.2-p1
    Interfaces ath0_wlan0 (WiFi) and igb1 (LAN) are bridged; WiFi has no IP address; DHCP server is running on LAN int; devices on both interfaces get IPs and can get out the WAN
    The problem is devices on WiFi and LAN cannot talk to each other.  A packet capture shows the packets never cross interfaces.  I have a pass rule for the LAN Net on both interfaces.  The firewall log does not show blocking any packets.



  • OK, I added the bridge0 interface to the interfaces screen and added a pass rule on that interface, but still have the same results. Below is the configuration & the tcpdump results.  .32 is on the wireless & .30 is on igb1 (LAN)

    ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 94:39:e5:9b:a0:69
        inet6 fe80::9639:e5ff:fe9b:a069%ath0_wlan0 prefixlen 64 scopeid 0xb
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11ng <hostap>
        status: running
        ssid XXXXX channel 11 (2462 MHz 11g ht/20) bssid 94:39:e5:9b:a0:69
        regdomain 101 indoor ecm authmode WPA2/802.11i privacy MIXED
        deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 20 scanvalid 60
        protmode OFF ampdulimit 64k ampdudensity 8 shortgi wme burst -apbridge
        dtimperiod 1 -dfs
    bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:6b:89:80:1b:00
        nd6 options=1<PERFORMNUD>
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: ath0_wlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 11 priority 128 path cost 33333
        member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000000

    [2.3.2-RELEASE][admin@fw1.rolltribe.local]/root: tcpdump -i bridge0 icmp
    tcpdump: WARNING: bridge0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bridge0, link-type EN10MB (Ethernet), capture size 65535 bytes
    22:07:49.497416 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 31, length 64
    22:07:50.502542 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 32, length 64
    22:07:51.505910 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 33, length 64
    22:07:52.509290 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 34, length 64
    22:07:53.514034 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 35, length 64
    22:07:54.514349 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 36, length 64
    22:07:55.519512 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 37, length 64
    22:07:56.523546 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 38, length 64
    22:07:57.528739 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 39, length 64
    22:07:58.533858 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 40, length 64
    22:07:59.535173 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 22446, seq 41, length 64
    ^C
    11 packets captured
    17 packets received by filter
    0 packets dropped by kernel

    [2.3.2-RELEASE][admin@fw1.rolltribe.local]/root: tcpdump -i bridge0 icmp
    tcpdump: WARNING: bridge0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bridge0, link-type EN10MB (Ethernet), capture size 65535 bytes
    22:11:20.270599 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 6498, seq 0, length 64
    22:11:23.249090 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 6498, seq 1, length 64
    22:11:26.272040 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 6498, seq 2, length 64
    22:11:30.255463 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 6498, seq 3, length 64
    22:11:34.253254 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 6498, seq 4, length 64
    22:11:37.284191 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 6498, seq 5, length 64
    ^C
    6 packets captured
    65 packets received by filter
    0 packets dropped by kernel

    [2.3.2-RELEASE][admin@fw1.rolltribe.local]/root: tcpdump -i ath0_wlan0 icmp
    tcpdump: WARNING: ath0_wlan0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ath0_wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
    22:11:51.482688 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 47158, seq 0, length 64
    22:11:54.490625 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 47158, seq 1, length 64
    22:11:58.484648 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 47158, seq 2, length 64
    22:12:02.483294 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 47158, seq 3, length 64
    22:12:06.487501 IP 172.18.1.32 > 172.18.1.30: ICMP echo request, id 47158, seq 4, length 64
    ^C
    5 packets captured
    2260 packets received by filter
    0 packets dropped by kernel

    [2.3.2-RELEASE][admin@fw1.rolltribe.local]/root: tcpdump -i igb1 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on igb1, link-type EN10MB (Ethernet), capture size 65535 bytes
    22:31:32.796447 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 61102, seq 2, length 64
    22:31:33.611907 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 61102, seq 3, length 64
    22:31:34.616106 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 61102, seq 4, length 64
    22:31:35.620260 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 61102, seq 5, length 64
    22:31:36.621133 IP 172.18.1.30 > 172.18.1.32: ICMP echo request, id 61102, seq 6, length 64
    ^C
    5 packets captured
    30200 packets received by filter
    0 packets dropped by kernel



  • I just noticed something else:  multicast packets cross the bridge; 1.6 is a Raspberry Pi running Kodi on the wired LAN; these packets were captured on the wireless (ath0_wlan0) interface

    01:02:52.371816 IP 172.18.1.6.mdns > 224.0.0.251.mdns: 0*- [0q] 1/0/0 (Cache flush) TXT "deviceid=B8:27:EB:1E:8E:21" "model=Xbmc,1" "srcvers=101.28" "features=0x20F7" (119)
    01:02:52.486513 IP 172.18.1.6.7611 > 239.255.255.250.1900: UDP, length 160
    01:02:52.487865 IP 172.18.1.6.7611 > 239.255.255.250.1900: UDP, length 160
    ^C



  • Assign an IP (and DHCP server) to your bridge0 interface, not the members.

    At System: Advanced: System Tunables
    you need to adjust these values:

    | net.link.bridge.pfil_member |   Set to 0 to disable filtering on the incoming and outgoing member interfaces. | default (1) |
    | net.link.bridge.pfil_bridge |   Set to 1 to enable filtering on the bridge interface | default (0) |

    You only need to create rules on the bridge0 rules tab then.
    Make sure your AP does not have client isolation checked.
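
An added example, not part of the thread or of pfSense: a shell check of the settings the reply above names (the two tunables, an IPv4 address on bridge0, none on the members). The function names, the invocation shown in the comment and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. On the firewall shell (assumed invocation):
#   audit_bridge "$(sysctl net.link.bridge)" "$(ifconfig)" bridge0 igb1 ath0_wlan0

# tunable TEXT NAME: print NAME's value from "name: value" sysctl-style text.
tunable() {
    printf '%s\n' "$1" | awk -v k="$2" -F': *' '$1 == k { print $2 }'
}

# has_inet4 TEXT IFACE: succeed if IFACE's ifconfig stanza has an "inet" line.
has_inet4() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }   # stanza header, e.g. "bridge0:"
        cur == ifc && $1 == "inet" { found = 1 }     # IPv4 only, inet6 is ignored
        END { exit !found }'
}

# note MESSAGE: print one finding and count it.
note() { echo "$1"; findings=$((findings + 1)); }

# audit_bridge SYSCTL_TEXT IFCONFIG_TEXT BRIDGE MEMBER...
# Prints one line per deviation from the advice; returns the number of findings.
audit_bridge() {
    sysctl_text=$1; ifconfig_text=$2; bridge=$3; shift 3
    findings=0
    [ "$(tunable "$sysctl_text" net.link.bridge.pfil_member)" = 0 ] ||
        note "pfil_member is not 0: pf still filters on the member interfaces"
    [ "$(tunable "$sysctl_text" net.link.bridge.pfil_bridge)" = 1 ] ||
        note "pfil_bridge is not 1: rules on the $bridge tab are not evaluated"
    has_inet4 "$ifconfig_text" "$bridge" || note "$bridge has no IPv4 address"
    for m in "$@"; do
        if has_inet4 "$ifconfig_text" "$m"; then
            note "member $m still has an IPv4 address; move it to $bridge"
        fi
    done
    return "$findings"
}

# Constructed sample: default tunables, address still on the LAN member.
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0'
SAMPLE_IFCONFIG='igb1: flags=8943<UP> metric 0 mtu 1500
    inet 172.18.1.1 netmask 0xffffff00 broadcast 172.18.1.255
bridge0: flags=8843<UP> metric 0 mtu 1500
    ether 02:6b:89:80:1b:00'
audit_bridge "$SAMPLE_SYSCTL" "$SAMPLE_IFCONFIG" bridge0 igb1 ath0_wlan0 ||
    echo "$? finding(s)"
```

With `pfil_member` at 0 and `pfil_bridge` at 1, the only rule set that decides traffic between the two segments is the one on the bridge0 tab, so that tab is the one to review.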



  • I made the suggested changes & get the same results.