Filtering on wrong bridge interface
(This is a - somewhat modified - cross-post from Reddit)
With this transparent firewall setup -
- pfSense 2.4.3 guest
- Windows 10/VirtualBox 5.2.18 host
- Windows hardware NIC configured:
  - NDIS has IPv4+6 disabled, and all other drivers disabled except for vbox bridge driver
  - Vbox - bridge mode, promiscuous, virtio paravirtualization
  - pfSense - vtnet0 assigned to WAN, DHCP client
    - fw rules - none (block almost everything) - except a weird rule to allow web configurator
- Windows virtual host-only interface configured:
  - NDIS has IPv4+6 enabled, set to DHCP client
  - Vbox - host-only mode, promiscuous, virtio paravirtualization
  - pfSense - vtnet1 assigned to LAN, no IP
    - fw rules - allow from all to everywhere
- pfSense bridge:
  - members WAN and LAN, assigned interface LANBR, no IP
  - net.link.bridge.pfil_bridge left at default 0
  - rules: none (no filtering on this interface)
- No DHCP server in pfSense
This works (mostly). But there's a strange problem. pfSense's firewall is convinced that traffic to the web configurator running on the WAN IP is coming from the WAN IF, when it isn't - it's coming from the LAN IF. The behaviour isn't consistent between rules - the 'allow all from LAN' rule shows the traffic that I expect.
tcpdump shows that the traffic is going where it should: using tcpdump -e -n -t -i vtnet1 shows all of the web requests on the LAN port, not the WAN port.
The LAN anti-lockout rule shows 0B (no traffic). When I add a floating rule to accept traffic from any interface to the WAN IP on :443, it always shows the source IF as being WAN in the logs.
What gives, here? Do I need to set a sticky option in the bridge settings, or something? Should I try moving the assigned IP from the WAN interface to the bridge interface? If I do that I'll probably need to change the pfil_bridge tweakable, which I'd like to avoid.
It may or may not be related, but I'm seeing warnings about a firewall syntax error:
There were error(s) loading the rules: /tmp/rules.debug:128: syntax error - The line in question reads : pass in quick on $LAN inet from any to ! tracker 0100000101 keep state label "USER_RULE: Allow LAN to any except FW"
So, the "Allow LAN to any except FW" rule had been configured to allow from LAN to any IP except the WAN IP, because the traffic wasn't going there anyway; this rule was apparently broken per message above. Another rule existed on the WAN allowing traffic to the WAN IP on :443. Also, the anti-lockout rule was enabled.
I then did the following:
- Simplified the LAN rule to allow to anywhere
- Disabled the anti-lockout rule
Things started working as expected, temporarily, but then reverted to the old behaviour of choosing the wrong IF to filter on. So I'm still stumped.
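The post's core observation is that pf's log attributes web-configurator hits to the wrong member interface while tcpdump on vtnet1 shows them arriving on the LAN side. A defender checking that claim wants to compare, per rule tracker, which real interface the firewall log recorded against the interface the bridge topology says it should be. The script below is an added example written for this post, not code from the thread or from pfSense: it parses pfSense 2.4-style filterlog syslog lines (field order assumed from the documented filter log format, IPv4/TCP sections only), tallies hits per tracker and interface, and flags trackers whose hits landed on an interface other than the one the operator expects. The sample log lines, tracker ids, interface names and addresses are constructed for the example.

```python
from collections import Counter, defaultdict

# Field order of a pfSense 2.4 filterlog entry: the rule header, then the
# IPv4 section, then the TCP section. Assumed from the documented format.
HEADER = ["rulenr", "subrulenr", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protoid", "proto",
        "length", "src", "dst"]
TCP = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]

# Constructed sample: three hits on a floating rule (tracker 1000000103)
# to the WAN address on :443 that pf logged on vtnet0, and one hit on the
# LAN allow rule (tracker 1000000102) logged on vtnet1.
SAMPLE_LINES = [
    "Sep 12 10:00:01 pfSense filterlog: 5,,,1000000103,vtnet0,match,pass,in,4,"
    "0x0,,64,54321,0,DF,6,tcp,60,192.168.56.10,192.168.56.1,51234,443,0,S,1,,65535,,mss",
    "Sep 12 10:00:02 pfSense filterlog: 5,,,1000000103,vtnet0,match,pass,in,4,"
    "0x0,,64,54322,0,DF,6,tcp,60,192.168.56.10,192.168.56.1,51235,443,0,S,2,,65535,,mss",
    "Sep 12 10:00:03 pfSense filterlog: 5,,,1000000103,vtnet0,match,pass,in,4,"
    "0x0,,64,54323,0,DF,6,tcp,60,192.168.56.10,192.168.56.1,51236,443,0,S,3,,65535,,mss",
    "Sep 12 10:00:04 pfSense filterlog: 7,,,1000000102,vtnet1,match,pass,in,4,"
    "0x0,,64,54324,0,DF,6,tcp,60,192.168.56.10,93.184.216.34,51237,80,0,S,4,,65535,,mss",
]


def parse_filterlog(line):
    """Return the fields of one filterlog syslog line as a dict, or None
    if the line is not a filterlog entry."""
    marker = "filterlog: "
    if marker not in line:
        return None
    fields = line.split(marker, 1)[1].rstrip("\n").split(",")
    entry = dict(zip(HEADER, fields))
    if entry.get("ipver") != "4":
        return entry  # the IPv6 section has a different layout; not handled here
    rest = fields[len(HEADER):]
    entry.update(zip(IPV4, rest))
    if entry.get("proto") == "tcp":
        entry.update(zip(TCP, rest[len(IPV4):]))
    return entry


def interface_summary(lines):
    """Map (tracker, action, dstport) -> Counter of real interface names
    on which pf logged the matching packets."""
    summary = defaultdict(Counter)
    for line in lines:
        entry = parse_filterlog(line)
        if not entry or entry.get("ipver") != "4":
            continue
        key = (entry["tracker"], entry["action"], entry.get("dstport", ""))
        summary[key][entry["iface"]] += 1
    return summary


def misattributed(summary, expected_iface):
    """Report trackers whose hits were logged on an interface other than the
    one the operator expects. expected_iface maps tracker -> interface name."""
    findings = []
    for (tracker, _action, _dstport), ifaces in summary.items():
        want = expected_iface.get(tracker)
        if want is None:
            continue
        others = {iface: n for iface, n in ifaces.items() if iface != want}
        if others:
            findings.append((tracker, want, others))
    return findings


if __name__ == "__main__":
    summary = interface_summary(SAMPLE_LINES)
    for key, ifaces in summary.items():
        print(key, dict(ifaces))
    # Both rules are expected to see traffic on the LAN member, vtnet1.
    for tracker, want, others in misattributed(
            summary, {"1000000103": "vtnet1", "1000000102": "vtnet1"}):
        print(f"tracker {tracker}: expected {want}, logged on {others}")
```

Run it against the real log (e.g. lines pulled from /var/log/filter.log) and set expected_iface from the member interface tcpdump shows the packets on; with pfil_member=1 and pfil_bridge=0 the interface in the log should be the member that received the frame, so any finding is worth checking against a capture on both members before changing the bridge tunables.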