Firewall blocking traffic to bridged interface
This appears to be similar to other posts regarding TCP:RA/A/PA however I'm having the issue with bridged interfaces. The setup we have is 1 public IP assigned to the WAN with a bridge to OPT2 so the customer can grab the remaining IPs on their own firewall. OPT1 is our LAN for VoIP traffic. We have an allow all from the WAN to an Alias defining the remaining IPs and from what I can tell it's only 443 and 80 affected. In the past a floating rule seems to fix it but in this case only specific rules fix it such as using the Easy Rule.
We use this setup for hundreds of customers and it has only come up 2-3 times so far.
Conservative mode doesn't resolve the issue.
Did you enable filtering on the bridge interface or the incoming and outgoing member interfaces?
We aren't doing any filtering at all on these devices.
And what did you set in System | Advanced | System Tunables?
net.link.bridge.pfil_member: Set to 0 to disable filtering on the incoming and outgoing member interfaces.
net.link.bridge.pfil_bridge: Set to 1 to enable filtering on the bridge interface.
With the defaults you still need an allow rule.
That's why I asked but you declined to answer...
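The two tunables above decide which rulesets pf consults for bridged traffic, which is why the default (pfil_member=1, pfil_bridge=0) needs pass rules on the member interfaces rather than on the bridge. The following POSIX shell script is an added example, not code from the thread or from pfSense: it maps the two values to the interfaces whose rules matter and pulls the member names out of `ifconfig` output. The bridge name `bridge0`, the member names `re0`/`re2` and the ifconfig text are constructed for the example; on a live box the values would come from `sysctl -n net.link.bridge.pfil_member`, `sysctl -n net.link.bridge.pfil_bridge` and `ifconfig bridge0`.

```shell
#!/bin/sh
# Added example: report where pf evaluates rules for a FreeBSD/pfSense bridge,
# given the two net.link.bridge tunables discussed in the thread.
# Tunable values and ifconfig text are passed in as arguments so the script
# runs offline; they are not read from a real system here.

# filter_scope PFIL_MEMBER PFIL_BRIDGE -> members | bridge | both | none
filter_scope() {
    case "$1$2" in
        10) echo members ;;   # pfSense default: rules on each member interface
        01) echo bridge ;;    # rules only on the bridge interface itself
        11) echo both ;;      # traffic is filtered twice: members and bridge
        00) echo none ;;      # no pf filtering of bridged traffic at all
        *)  echo "unexpected tunable values: $1/$2" >&2; return 1 ;;
    esac
}

# bridge_members IFCONFIG_TEXT -> member interface names, one per line
bridge_members() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*member:/ { print $2 }'
}

# rule_targets PFIL_MEMBER PFIL_BRIDGE BRIDGE_IF IFCONFIG_TEXT
#   -> space-separated interfaces whose rulesets must allow the traffic
rule_targets() {
    scope=$(filter_scope "$1" "$2") || return 1
    out=""
    case "$scope" in
        members|both) out=$(bridge_members "$4" | tr '\n' ' ') ;;
    esac
    case "$scope" in
        bridge|both) out="$out$3 " ;;
    esac
    printf '%s' "${out% }"
}

# Constructed sample `ifconfig bridge0` output matching the drawing in the
# thread (re0 = WAN, re2 = OPT2); MAC addresses are placeholders.
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:01
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        member: re2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 20000
        member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000'

# With the pfSense defaults the answer is the member interfaces, i.e. a pass
# rule is needed on WAN (re0) and OPT2 (re2), not on bridge0.
printf 'pfil_member=1 pfil_bridge=0: rules must exist on: %s\n' \
    "$(rule_targets 1 0 bridge0 "$SAMPLE_IFCONFIG")"
```

With the thread's settings (pfil_member=1, pfil_bridge=0) the script prints `re2 re0`, which matches the reply above: a pass rule on the bridge interface alone does nothing, and the member interfaces each need an allow rule.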
nc_tech last edited by nc_tech
I'm sorry I misunderstood your question.
pfil_member is 1
pfil_bridge is 0
We have an allow all from the WAN to an Alias defining the remaining IPs and from what I can tell it's only 443 and 80 affected.
You named this thread "Firewall blocking traffic to bridged interface".
I assume you mean traffic from somewhere on WAN to OPT2 being blocked?
Is there a rule for that? You only mentioned a rule with an alias holding the remaining (public?) IPs.
Other than that it would help to see a drawing of your setup and to get some info about the routed subnet or whatever you get on your WAN (and how).
You can use https://textik.com for ASCII charts and paste them as a Code Block to retain formatting. Use IPs from TEST-NET-1/-2/-3 to not uncover your own.
Thank you for your help.
Here's a quick drawing, I think it has everything relevant but please let me know if you need anything further.
The rules I currently have in place are as follows:
action(PASS) - iface(WAN/re0) - protocol(ANY) - source(ANY) - destination(Alias of IPs ending 114-117)
action(PASS) - iface(re2) - protocol(ANY) - source(ANY) - destination(ANY)
I also duplicated the top rule to a floating rule as that has fixed this issue in the past but not this time.
This is an example of traffic being blocked:
```
                WAN
                 |
                 |
          +------|------+
          |             |
          |    Fiber    |
          |             |
          +-------------+
                 |
                 | 198.51.100.114/29
                 |
          +------|------+                           +--------------+
          |             | re2                   re0 |    Static    |
          |   pfSense   |---------------------------|  Cust/Router |
          |   Bridge    | 198.51.100.115/29         |    Static    |
          +------|------+         198.51.100.118/29 +--------------+
                 |
                 | re1
                 | 192.0.2.0/24
                 | VoIP VLAN
                 |
          +------|------+                   Customer Network
          |             |                   Default VLAN
          |  Switches   |-------------------------------|
          |             |
          +-------------+
```
What is 198.51.100.114/29 in your diagram?
Did you get a routed subnet from your ISP or ... ?
nc_tech last edited by nc_tech
Oops, forgot to label that and made a mistake with the customer router, carrier is doing routing. .113 is the fiber modem. 114 is the first usable and the customer's router. The pfSense is using 118.