Netgate Discussion Forum
    Firewall not filtering packets

    General pfSense Questions
    9 Posts 2 Posters 1.1k Views
    erolon

      This is the weirdest thing I have ever seen. Hope someone can help.

      All interfaces without Rules, literally everything blocked and traffic still goes through the firewall.

      I'm using pfSense as a firewall only (not router, no NAT). I bridged WAN and OPT1 (using LAN just for management) and changed the tunable net.link.bridge.pfil_bridge to 1 (for this I followed a tutorial in this forum). And I have created a nice setup using OpenVPN and tunneling between sites. Restrictions and everything for regular users were working well. Admins had access to everything. Life was good until I noticed I could ping the firewall's IP via the WAN interface. I double checked the rules on the WAN and I only have one rule to allow traffic via the VPN port. I decided to disable it and add a deny any-any to make sure it is not a mistake. Still, traffic goes through, nothing gets blocked.

      I got tired of trying and changing stuff. I backed up my config and reset pfSense to default. Started from scratch, and the problem still persists. I purposely blocked all interfaces, and I can still ping the bridge IP and reach computers behind the firewall.

      Also, yes, I checked the Advanced settings to see if the firewall was disabled, but it is not.

      Can anyone shed some light on why this is happening? I constantly make the mistake of locking myself out, but I've never seen a problem with the firewall not blocking any traffic.

      Thanks in advance.

      Derelict LAYER 8 Netgate

        Why are you bridging?

        Did you reassign WAN to the BRIDGE0 interface or is it still assigned to the bridge member interface?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        erolon

          @Derelict:

          Why are you bridging?

          Did you reassign WAN to the BRIDGE0 interface or is it still assigned to the bridge member interface?

          I'm bridging because on this site my ISP gave me a block of public IP addresses, but they control the router and gateway of that block, so I'm using OpenVPN as the gateway for remote sites to access this public block.

          Didn't think about reassigning. Just made a backup and factory restored pfSense. It's acting like the firewall was disabled. But I checked the settings and it is not.

          The thing is, when I started the whole setup, everything was fine. When I created the rule on the WAN (after creating and bridging WAN and OPT), I checked all ports and just the VPN port was allowed. Then when I was done with the setup, I began testing everything, like VPN routes, rules and stuff; that's when I noticed the problem started to happen.

          For a moment I thought maybe too many changes in the config broke something. But if that's the case, shouldn't a factory reset fix it?

          Derelict LAYER 8 Netgate

            I cannot wrap my head around what you are doing based on that description. Sorry.

            Post your net.link.bridge.pfil_bridge and net.link.bridge.pfil_member settings and the rules on the bridge interface and both member interfaces. And a shot of Interfaces > Assign and Interfaces > Assign, Bridges.

            erolon

              @Derelict:

              I cannot wrap my head around what you are doing based on that description. Sorry.

              Post your net.link.bridge.pfil_bridge and net.link.bridge.pfil_member settings and the rules on the bridge interface and both member interfaces. And a shot of Interfaces > Assign and Interfaces > Assign, Bridges.

              net.link.bridge.pfil_bridge - value 1
              net.link.bridge.pfil_member - value 1 (never modified this one)

              WAN - there are no rules defined.
              Bridge - any any
              OPT - any any

              Screenshots are attached.

              UPDATE: Kept messing around with the configuration and I just realized that the WAN rules are being ignored, but the bridge rules aren't. All this time, I always thought even if an interface is a member of a bridge, rules defined on that specific interface would still apply. So if WAN is part of a bridge, traffic coming via WAN would get filtered if rules are configured.

              [attachments: int.PNG, brg.PNG]

              Derelict LAYER 8 Netgate

                What interface is the address you say you can ping from the outside assigned on? WAN, OPT1, or BRIDGE0?

                For a transparent bridge I would set net.link.bridge.pfil_bridge=0 net.link.bridge.pfil_member=1

                Place rules for incoming traffic from the internet on WAN (no rules is OK for nothing passed) and rules for traffic from the "WAN" hosts on OPT1.

                Rules on BRIDGE0 will be ignored. Govern traffic to that address with the rules on WAN and OPT1.

                Ideally I would just tell upstream to route the addresses to you instead and avoid the bridge altogether.


                erolon
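The placement rule in the post above (with pfil_bridge=0 and pfil_member=1, pf consults rules on the member interfaces and never those on BRIDGE0; with pfil_member=0 it is the member rules that are skipped) can be checked mechanically on the box. The script below is an added example, not pfSense code and not from this thread: it reads the two sysctls, the bridge's member list from ifconfig, and the loaded ruleset from pfctl -sr, and flags every rule bound to an interface that the current tunables tell pf never to consult. The sysctl, ifconfig and pfctl outputs embedded in it are constructed; the interface names em0/em1/bridge0 and the address 203.0.113.10 are assumptions, and it assumes each rule names a single interface after "on". Note that pfctl prints physical names, so map WAN/OPT1 to them via Interfaces > Assign.

```shell
#!/bin/sh
# Added example (not pfSense code): flag pf rules bound to an interface that
# the if_bridge pfil tunables tell pf never to consult.
#   net.link.bridge.pfil_member=0 -> rules "on <member>"  never see bridged traffic
#   net.link.bridge.pfil_bridge=0 -> rules "on <bridgeN>" never see bridged traffic
# Interface names (em0, em1, bridge0) and the address are assumptions; the
# sample outputs below are constructed, not captured from a real firewall.

SAMPLE_SYSCTL='net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_member: 1'

# What `ifconfig bridge0` prints; only the first line and "member:" lines matter.
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:aa:bb:cc:dd:00
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# What `pfctl -sr` prints: pf shows physical names, not the WAN/OPT1 labels.
SAMPLE_RULES='block drop in log quick on em0 inet from any to any
pass in quick on bridge0 inet from any to any flags S/SA keep state
pass in quick on em1 inet from any to any flags S/SA keep state'

# audit_bridge_rules SYSCTL_OUTPUT IFCONFIG_OUTPUT PFCTL_OUTPUT
# Prints one line per rule pf will never evaluate: "<iface> <reason>".
# Assumes each rule names a single interface after "on".
audit_bridge_rules() {
    pfil_bridge=$(printf '%s\n' "$1" | awk -F': ' '/pfil_bridge/ { print $2 }')
    pfil_member=$(printf '%s\n' "$1" | awk -F': ' '/pfil_member/ { print $2 }')
    bridge=$(printf '%s\n' "$2" | awk -F: 'NR == 1 { print $1 }')
    members=$(printf '%s\n' "$2" | awk '$1 == "member:" { printf "%s ", $2 }')
    printf '%s\n' "$3" | awk -v pb="$pfil_bridge" -v pm="$pfil_member" \
                             -v br="$bridge" -v mem="$members" '
        BEGIN { n = split(mem, m); for (i = 1; i <= n; i++) ismember[m[i]] = 1 }
        {
            ifc = ""
            for (i = 1; i < NF; i++) if ($i == "on") { ifc = $(i + 1); break }
            if (ifc == "") next
            if (ifc == br && pb == 0)
                print ifc " pfil_bridge=0: rules on the bridge interface are never evaluated"
            else if ((ifc in ismember) && pm == 0)
                print ifc " pfil_member=0: rules on bridge members are never evaluated"
        }'
}

# Run against the constructed samples. On pfSense you would pass live output:
#   audit_bridge_rules "$(sysctl net.link.bridge.pfil_bridge net.link.bridge.pfil_member)" \
#                      "$(ifconfig bridge0)" "$(pfctl -sr)"
audit_bridge_rules "$SAMPLE_SYSCTL" "$SAMPLE_IFCONFIG" "$SAMPLE_RULES"
```

With the sample tunables the only hit is the pass rule on bridge0, which is exactly the rule a user expects to be doing the filtering. Flip the tunables to pfil_bridge=1, pfil_member=0 and the two member-interface rules are reported instead. An empty report means every loaded rule sits on an interface pf will actually consult; it says nothing about whether those rules are correct.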

                  What interface is the address you say you can ping from the outside assigned on? WAN, OPT1, or BRIDGE0?

                  WAN and OPT1 don't have an address. Just the bridge.

                  For a transparent bridge I would set net.link.bridge.pfil_bridge=0 net.link.bridge.pfil_member=1

                  I just tried this one. Deleted the bridge, set the tunable net.link.bridge.pfil_bridge back to 0 (I just deleted the change; it's set to 0 by default). Restarted pfSense, created the bridge again. Traffic still won't get filtered by the WAN. Just the bridge. (Tried this twice.)

                  Ideally I would just tell upstream to route the addresses to you instead and avoid the bridge altogether.

                  I also believe avoiding the bridge would be the best thing to do, but I don't have access to the gateway. The idea was to use pfSense as a firewall and have an OpenVPN server set up to access the servers behind it that can't be accessed from the public side.

                  Derelict LAYER 8 Netgate

                    Where are you testing from?

                    erolon

                      @Derelict:

                      Where are you testing from?

                      I setup a laptop with a cable straight to the wan port.

                      I'm out for now, but what if I set the IP address on the WAN instead of the bridge? Do you think this would help? Or wouldn't it be any different?

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.