Firewall not filtering packets



  • This is the weirdest thing I have ever seen. Hope someone can help.

    All interfaces are without rules, literally everything is blocked, and traffic still goes through the firewall.

    I'm using pfSense as a firewall only (not a router, no NAT). I bridged WAN and OPT1 (using LAN just for management), changed the tunable net.link.bridge.pfil_bridge to 1 (for this I followed a tutorial in this forum), and I have created a nice setup using OpenVPN and tunneling between sites. Restrictions and everything for regular users were working well. Admins had access to everything. Life was good until I noticed I could ping the firewall's IP via the WAN interface. I double-checked the rules on the WAN and I only have one rule to allow traffic via the VPN port. I decided to disable it and add a deny any-any to make sure it is not a mistake. Still, traffic goes through, nothing gets blocked.

    I got tired of trying and changing stuff. I backed up my config and reset pfSense to default. Started from scratch, and the problem still persists. I purposely blocked all interfaces, and I can still ping the bridge IP and reach computers behind the firewall.

    Also, yes, I checked the Advanced settings to see if the firewall was disabled, but it is not.

    Can anyone shed some light on why this is happening? I constantly make the mistake of locking myself out, but I've never seen a problem with the firewall not blocking any traffic.

    Thanks in advance.


  • LAYER 8 Netgate

    Why are you bridging?

    Did you reassign WAN to the BRIDGE0 interface or is it still assigned to the bridge member interface?



  • @Derelict:

    Why are you bridging?

    Did you reassign WAN to the BRIDGE0 interface or is it still assigned to the bridge member interface?

    I'm bridging because on this site my ISP gave me a block of public IP addresses, but they control the router and gateway of that block, so I'm using OpenVPN as the gateway for remote sites to access this public block.

    Didn't think about reassigning. Just made a backup and factory-restored pfSense. It's acting like the firewall was disabled. But I checked the settings and it is not.

    The thing is, when I started the whole setup, everything was fine. When I created the rule on the WAN (after creating and bridging WAN and OPT), I checked all ports and just the VPN port was allowed. Then, when I was done with the setup, I began testing everything, like VPN routes, rules and stuff; that's when I noticed the problem started to happen.

    For a moment I thought maybe too many changes in the config broke something. But if that's the case, shouldn't a factory reset fix it?


  • LAYER 8 Netgate

    I cannot wrap my head around what you are doing based on that description. Sorry.

    Post your net.link.bridge.pfil_bridge and net.link.bridge.pfil_member settings and the rules on the bridge interface and both member interfaces. And a shot of Interfaces > Assign and Interfaces > Assign, Bridges.



  • @Derelict:

    I cannot wrap my head around what you are doing based on that description. Sorry.

    Post your net.link.bridge.pfil_bridge and net.link.bridge.pfil_member settings and the rules on the bridge interface and both member interfaces. And a shot of Interfaces > Assign and Interfaces > Assign, Bridges.

    net.link.bridge.pfil_bridge - value 1
    net.link.bridge.pfil_member - value 1 (never modified this one)

    WAN - there are no rules defined.
    Bridge - any any
    OPT - any any

    Screenshots are attached.

    UPDATE: Kept messing around with the configuration and I just realized that the WAN rules are being ignored, but the bridge rules aren't. All this time, I always thought that even if an interface is a member of a bridge, rules defined on that specific interface would still apply. So if WAN is part of a bridge, traffic coming in via WAN would get filtered if rules are configured.





  • LAYER 8 Netgate

    What interface is the address you say you can ping from the outside assigned on? WAN, OPT1, or BRIDGE0?

    For a transparent bridge I would set net.link.bridge.pfil_bridge=0 net.link.bridge.pfil_member=1

    Place rules for incoming traffic from the internet on WAN (no rules is OK for nothing passed) and rules for traffic from the "WAN" hosts on OPT1.

    Rules on BRIDGE0 will be ignored. Govern traffic to that address with the rules on WAN and OPT1.

    Ideally I would just tell upstream to route the addresses to you instead and avoid the bridge altogether.
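    The two tunables named above decide where pf sees bridged traffic, and that is what determines whether rules on WAN/OPT1 or rules on BRIDGE0 take effect. The script below is an added example, not code from the thread or from pfSense: it reads the two values from a sysctl-style text (a constructed sample here, so it runs offline; on a real box you would feed it the output of `sysctl net.link.bridge.pfil_bridge net.link.bridge.pfil_member`), reports where filtering happens, and checks the values against the transparent-bridge setting recommended in the reply (pfil_bridge=0, pfil_member=1). The meaning of the tunables follows if_bridge(4): pfil_member=1 filters on the member interfaces, pfil_bridge=1 filters on the bridge interface. Function and variable names are my own.

```shell
#!/bin/sh
# Added example: audit if_bridge pf filtering tunables on FreeBSD/pfSense.
# Constructed sample of sysctl output; replace with real `sysctl` output.
SAMPLE='net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 1'

# tunable_value NAME TEXT -> prints the value recorded for NAME in TEXT
tunable_value() {
    printf '%s\n' "$2" | awk -v k="$1" -F': ' '$1 == k { print $2 }'
}

# bridge_filter_mode PFIL_BRIDGE PFIL_MEMBER -> member | bridge | both | none
# "member": pf runs on WAN/OPT1 (rules on those interfaces apply)
# "bridge": pf runs on BRIDGE0 only (member-interface rules are bypassed)
bridge_filter_mode() {
    case "$1$2" in
        01) echo member ;;
        10) echo bridge ;;
        11) echo both ;;
        00) echo none ;;
        *)  echo unknown; return 1 ;;
    esac
}

# transparent_bridge_ok PFIL_BRIDGE PFIL_MEMBER -> success only for the
# recommended transparent-bridge setting (pfil_bridge=0, pfil_member=1)
transparent_bridge_ok() {
    [ "$1" = 0 ] && [ "$2" = 1 ]
}

# report TEXT -> one-line verdict for the tunables found in TEXT
report() {
    b=$(tunable_value net.link.bridge.pfil_bridge "$1")
    m=$(tunable_value net.link.bridge.pfil_member "$1")
    mode=$(bridge_filter_mode "$b" "$m")
    if transparent_bridge_ok "$b" "$m"; then
        echo "pfil_bridge=$b pfil_member=$m: filtering on members only;" \
             "put rules on WAN and OPT1, rules on BRIDGE0 are ignored"
    else
        echo "pfil_bridge=$b pfil_member=$m: filtering on '$mode';" \
             "recommended transparent bridge setting is pfil_bridge=0 pfil_member=1"
    fi
}

report "$SAMPLE"
```

With the sample above (both tunables at 1, the poster's configuration) the script reports that the values differ from the recommended setting; with pfil_bridge=0 and pfil_member=1 it confirms that member-interface rules are the ones in effect. Note that "none" means bridged traffic is not inspected by pf at all, which is the state to rule out first when a bridge appears to pass everything.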



  • What interface is the address you say you can ping from the outside assigned on? WAN, OPT1, or BRIDGE0?

    WAN and OPT1 don't have an address. Just the bridge.

    For a transparent bridge I would set net.link.bridge.pfil_bridge=0 net.link.bridge.pfil_member=1

    I just tried this one. Deleted the bridge, set the tunable net.link.bridge.pfil_bridge back to 0 (I just deleted the change; it's set to 0 by default). Restarted pfSense, created the bridge again. Traffic still won't get filtered by the WAN. Just the bridge. (Tried this twice.)

    Ideally I would just tell upstream to route the addresses to you instead and avoid the bridge altogether.

    I also believe avoiding the bridge would be the best thing to do, but I don't have access to the gateway. The idea was to use pfSense as a firewall and have an OpenVPN server set up to access the servers behind it that can't be accessed publicly.


  • LAYER 8 Netgate

    Where are you testing from?



  • @Derelict:

    Where are you testing from?

    I set up a laptop with a cable straight to the WAN port.

    I'm out for now, but what if I set the IP address on the WAN instead of the bridge? Do you think this would help, or shouldn't it make a difference?

