Filtering on wrong bridge interface

(This is a - somewhat modified - cross-post from Reddit)

With this transparent firewall setup:

- pfSense 2.4.3 guest
- Windows 10/VirtualBox 5.2.18 host
- Windows hardware NIC configured:
  - NDIS has IPv4+6 disabled, and all other drivers disabled except for the VBox bridge driver
  - VBox: bridge mode, promiscuous, virtio paravirtualization
  - pfSense: vtnet0 assigned to WAN, DHCP client; fw rules: none (block almost everything), except a weird rule to allow the web configurator
- Windows virtual host-only interface configured:
  - NDIS has IPv4+6 enabled, set to DHCP client
  - VBox: host-only mode, promiscuous, virtio paravirtualization
  - pfSense: vtnet1 assigned to LAN, no IP; fw rules: allow from all to everywhere
- pfSense bridge:
  - members WAN and LAN, assigned interface LANBR, no IP
  - net.link.bridge.pfil_bridge left at default 0; rules: none (no filtering on this interface)
- No DHCP server in pfSense
This works (mostly). But there's a strange problem. pfSense's firewall is convinced that traffic to the web configurator running on the WAN IP is coming from the WAN IF, when it isn't - it's coming from the LAN IF. The behaviour isn't consistent between rules - the 'allow all from LAN' rule shows the traffic that I expect.
Even tcpdump shows that the traffic is going where it should: using tcpdump -e -n -t -i vtnet1 shows all of the web requests on the LAN port, not the WAN port. The LAN anti-lockout rule shows 0B (no traffic). When I add a floating rule to accept traffic from any interface to the WAN IP on :443, it always shows the source IF as being WAN in the logs.
What gives, here? Do I need to set a sticky option in the bridge settings, or something? Should I try moving the assigned IP from the WAN interface to the bridge interface? If I do that I'll probably need to change the pfil_bridge tweakable, which I'd like to avoid.
It may or may not be related, but I'm seeing warnings about a firewall syntax error:
There were error(s) loading the rules: /tmp/rules.debug:128: syntax error - The line in question reads [128]: pass in quick on $LAN inet from any to ! tracker 0100000101 keep state label "USER_RULE: Allow LAN to any except FW"
So, the "Allow LAN to any except FW" rule had been configured to allow from LAN to any IP except the WAN IP, because the traffic wasn't going there anyway; this rule was apparently broken per message above. Another rule existed on the WAN allowing traffic to the WAN IP on :443. Also, the anti-lockout rule was enabled.
I then did the following:
- Simplified the LAN rule to allow to anywhere
- Disabled the anti-lockout rule
Things started working as expected, temporarily, but then reverted to the old behaviour of choosing the wrong IF to filter on. So I'm still stumped.
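The syntax error quoted above is informative on its own: in the generated line, the `!` that should negate the firewall's address is followed directly by the pfSense keyword `tracker`, which means the "except FW" address resolved to nothing when rules.debug was written, and pf rejected the rule. The following script is an added example (not pfSense code or the poster's) that tokenizes rules.debug-style lines and flags every negation that is followed by a keyword instead of an address. The first sample line is the rule quoted in the post; the second is a constructed, well-formed variant using the documentation address 192.0.2.1 and a made-up tracker id for comparison.

```python
"""Detect pf rules whose '!' negation lost its address.

Added example, not pfSense's own code. It tokenizes rules.debug-style
lines and reports any '!' that is followed by a pf keyword instead of an
address. The first sample rule is the line quoted in the post; the second
is a constructed, well-formed variant for comparison.
"""
import re
import shlex

# pf/pfSense keywords that can legitimately follow an address clause and
# therefore indicate the address itself is missing when they follow '!'.
KEYWORDS = {
    "tracker", "keep", "modulate", "synproxy", "state", "port", "flags",
    "label", "queue", "tag", "tagged", "from", "to", "any", "no", "os",
    "icmp-type", "icmp6-type", "code", "user", "group", "probability",
}

# Address-like tokens: IPv4/IPv6 literal or CIDR, a $macro, a <table>,
# an interface name (optionally in parentheses) or a {list}.
ADDR_RE = re.compile(r"^(\$\w+|<\w+>|\(?[\w.:/-]+\)?|\{[^}]*\})$")


def is_address(tok: str) -> bool:
    """True if the token can stand as an address operand in pf syntax."""
    return tok not in KEYWORDS and ADDR_RE.match(tok) is not None


def problems_in(rule: str) -> list[str]:
    """Return a description of every empty negation in one rule line."""
    problems = []
    try:
        tokens = shlex.split(rule)  # keeps "label ..." strings as one token
    except ValueError as exc:
        return [f"unbalanced quoting: {exc}"]
    for i, tok in enumerate(tokens):
        if tok == "!":
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        elif tok.startswith("!") and len(tok) > 1:
            nxt = tok[1:]  # fused form such as !192.0.2.1 or !<table>
        else:
            continue
        if nxt is None:
            problems.append("'!' at end of rule with no address")
        elif not is_address(nxt):
            problems.append(
                f"'!' followed by keyword '{nxt}' instead of an address")
    return problems


def lint(rules_text: str) -> list[tuple[int, str]]:
    """Lint a whole rules.debug body; returns (line number, problem) pairs."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for msg in problems_in(line):
            findings.append((lineno, msg))
    return findings


# Line 1 is the rule quoted in the post; line 2 is a constructed version
# with a concrete address (192.0.2.1, documentation range) after the '!'
# and a made-up tracker id.
SAMPLE_RULES = """\
pass in quick on $LAN inet from any to ! tracker 0100000101 keep state label "USER_RULE: Allow LAN to any except FW"
pass in quick on $LAN inet from any to ! 192.0.2.1 tracker 0100000102 keep state label "USER_RULE: Allow LAN to any except FW"
"""

if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE_RULES):
        print(f"line {lineno}: {msg}")
```

Running it against a copy of /tmp/rules.debug points straight at rules whose "except" address did not resolve, which is quicker than reading the pf error line number back against the file by hand.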