Confused regarding firewall on bridged interfaces.

  • I currently have the following setup (skip to TL;DR for the questions)

    WAN (wan) -> pppoe0 -> v4/PPPoE: v6/DHCP6: 2001:44b8:1050:998:20d:b9ff:fe45:16a0/64 
    LAN (lan) -> bridge0 -> v4: 
    MODEMACCESS (opt1) -> igb0 -> v4: 
    WIFIAP (opt2) -> igb2 -> NO-IP
    LANPORT (opt3) -> igb1 -> NO-IP

    Names are fairly self explanatory, but it's notable that:

    • WIFIAP is connected to a Unifi AP AC Lite

    • MODEMACCESS is there so  I can access the web interface of my modem. It's not relevant to this question.

    bridge0 contains the members

    • WIFIAP


    Firewall rules on LAN are the usual defaults, but with logging on:

    • Anti-lockout rule

    • IPV4 all allowed - log

    • IPV6 all allowed - log

    Firewall rules on LANPORT:

    • Allow IPv4 and IPv6 all allowed - log

    Firewall rules on WIFIAP:

    • IPv4/6 - allow DHCP ports anywhere (DHCP and  DHCP6 ports)

    • IPV4 allow all from blessed ipv4 addresses - log

    • IPv4 allow all from the static DHCP address of my unifi AP (to allow configuration)

    There are also a bunch of QoS rules created by the traffic shaper but I presume that these don't affect anything here as they are all match rules for the WAN interface.

    What I want to be able to do is:

    • Have hosts on LANPORT be able to do whatever they like (typical LAN allow any behaviour).

    • Have specific hosts ("blessed hosts") on WIFIAP be able to do whatever they like.

    • Restrict other hosts on WIFIAP to only be able to connect to Squid (and essential bits like DHCP).

    • Allow the "blessed" hosts on WIFIAP to communicate using multicast, etc. with hosts on LANPORT (this is why I'm not just making two subnets and routing)

    • To be able to do this without knowing in advance which IP addresses will be on WIFIAP and which will be on LANPORT (both ports use the same DHCP pool so AFAIK this is unknowable)

    I've noted the following in the pfSense documentation:

    By default, traffic is filtered on the member interfaces and not on the bridge interface itself. This behavior may be changed by toggling the values of and under System > Advanced on the System Tunables tab. With them set at 0 and 1, respectively, then filtering would be performed on the bridge only.

    Likewise I've noted that most guides on bridging say to turn off pfil_member and turn on pfil_bridge. From my reading, it would seem that this makes sense iff you intend to have one set of rules for the entire bridge.

    It would seem to me that what I want is the default behaviour, where rules are applied on bridge member interfaces rather than on the bridge interface itself.

    What I'm observing is rather confusing, however. What I see is:

    • Hosts on WIFIAP are able to access the bridge interface (I can't see any exceptions to this) due to the "default allow LAN to any rule" on the LAN interface (presumably because that's the bridge's ip and the bridge's interface). This seems to mean i can't protect my router from my wireless network, which is a bummer.

    • Hosts on WIFIAP are able to access the Internet (log says this is due to "default allow LAN to any rule" on the LAN interface). This ignores any deny rules I put in place to prevent this on the WIFIAP interface.

    • Hosts on WIFIAP are unable to access other hosts on the LAN unless I add them to the "blessed" alias (this is what I want). Curiously this is being dropped by the automatically created "antispoof log for $LAN tracker 1000002620" rule

    • EDIT: Hosts on WIFIAP can ping hosts on LANPORT…. as long as the stoopid win10 machine hasn't decided it was a "public" network. D'oh!

    • Hosts on WIFIAP are blocked by antispoofing when sending multicast…. BUT the same multicast connection is passed on the LAN by the default allow LAN to any rule!

    • Hosts on LANPORT are able to ping and SSH to hosts on WIFIAP.

    • Unless I explicitly add a rule, DHCP is blocked (and probably any other broadcast) on the WIFIAP interface by the default deny rule

    I am having difficulty understanding why the above behaviours are happening. Specifically:

    • Why are connections to the bridge IP not being filtered by "in" rules when they enter the WIFIAP interface?

    • Why does multicast make it to the LAN interface when it was dropped on the WIFIAP?

    • EDIT: Removed question about ping as it has been resolved.

    • Why is all traffic destined for the Internet not being filtered by WIFIAP in rules upon entering the WIFIAP interface?

    • Why are LAN filter rules being run at all when

    • Is what I am aiming to achieve actually possible? Or should I just give up and plug the AP into the switch on LANPORT and not bother trying to filter?

Log in to reply