Firewall rule on bridge with gateway set doesn't work as intended



  • I am using pfSense as a libvirt/KVM VM on my server. On my server, there is a container which acts as a Tor transparent proxy. This transparent proxy has 2 interfaces, 1 in my DMZ network, and 1 in my TORPUB network. On my server, I put all interfaces for my DMZ network in a bridge, and all interfaces for my TORPUB network in another bridge. The pfSense VM has an interface in each bridge. The transparent proxy uses the pfSense firewall over the DMZ network as default gateway. There is also a LAN card in my computer which is connected to a public WLAN AP without a password. The interface of the LAN card is in the DMZ network. All clients connecting to the W-Lan get an IP via DHCP from pfSense. Their default gateway is the transparent proxy and not the pfSense firewall.
    Initially, I had the interface of the LAN card on the host system in the TORPUB bridge, and everything worked just fine. But since my W-Lan doesn't have client separation, I thought it would be nice to replace the LAN card with a W-Lan card and manage the W-Lan card using pfSense. But before I buy a W-Lan card, I want to configure the LAN card like I would configure the W-Lan card in order to see if it would even work. Therefore, I removed the LAN card interface from the TORPUB bridge on my host system, and configured PCI passthrough for the LAN card to the pfSense VM. I created a bridge in pfSense, and added the interface of the LAN card and the interface which leads to the TORPUB bridge on the host system to the new bridge. Then, I swapped the configuration of the interface leading to the TORPUB bridge on the host system with the interface configuration of the new bridge. Then, I changed net.link.bridge.pfil_bridge to 1 and net.link.bridge.pfil_member to 0. My setup now looks as follows:

    
    Real hardware |                      pfSense                      |                                                       KVM Host                                                 |                      tor transparent proxy
    W-Lan         -> Lan Card -> Bridge -> Interface to TORPUB bridge -> Interface in TORPUB bridge -> TORPUB Bridge  -> Interface of tor transparent proxy container in TORPUB bridge -> Interface of tor transparent proxy container in container -> etc.
    
    

    The problem I have now is, I have a firewall rule on the bridge interface which allows any traffic to the Tor transparent proxy, and a firewall rule which allows any traffic from everywhere to everywhere if the gateway is the Tor transparent proxy. However, I can see traffic from my W-Lan clients arriving at the Tor transparent proxy, and I can see that it sends packets back. I can see these packets at the interface to the TORPUB bridge, but not at the interface of the LAN card. pfSense creates states for those connections, but I think it fails to associate the packets sent back with those states. If I create a firewall rule allowing any traffic to everywhere without any restrictions, it works (but only if I place it before the rule involving the gateway). Also, I don't have any problems with other firewall rules involving gateways on other regular interfaces. Is there any way to avoid a firewall rule which just allows any traffic? I can't leave that rule in a network accessible by a public Wi-Fi.



  • After I read about policy routing in the documentation, I realized that I had misinterpreted the feature. It turned out that it works exactly as it should. Also, I didn't need that bridge on the firewall at all.