Bridged LAN to WAN not routing traffic



  • So I'm trying to create a setup that has a single WAN which has a few public IPs available which should bridge over to what I have called "Statics", which is just OPT2 which will go to a switch that needs to simply work as a transparent firewall.

    I then have 2 dhcp networks, one called DHCP and one called Phones which are just a simple NAT'd dhcp addresses for internet access which works fine.

    The static bridge however I can't seem to get working despite everything I've read on the internet. I've created the bridge and disabled NAT for that range (at least I think so) and the virtual machine I have on the static adapter gets an IP address from my router but the traffic simply isn't routing.

    I've attached a screen grab of what I think are all the relevant parts but I'm still not getting traffic across the bridge even though DHCP seems to go across fine :/ I've tried all sorts of configurations with the tunables but I'm not getting anywhere.

    Obviously I've added firewall rules to allow all from all on each interface. Any ideas would be fab :)

    0_1538152546718_wan.png
    0_1538152603993_dhcp.png
    0_1538152611700_Phones.png
    0_1538152618669_statics.png
    0_1538152581188_staticbridge.png
    0_1538152634026_nat.png
    0_1538152641895_tunables.png



  • I don't understand what you're trying to do, but I did notice that for your PHONES Interface, you've set the subnet mask to 255.255.255.255

    Your DNS servers 10.120.10.12 and 10.0.10.254 - did you specify them or are they handed to you via DHCP from your ISP?

    Are you intentionally using IPv6?

    Can you try to explain what you're trying to achieve? It seems like you're going about it (whatever it is) the hard way and I'm almost certain that it could be done in a much simpler way, but you'll need to explain in detail what you're trying to do and why, and also what hardware you're using.



  • I've made a diagram to try and explain what I'm trying to achieve 0_1538242816673_layout.png

    Basically the Statics to WAN interfaces need to be bridged so devices can be assigned a public IP from behind pfSense. The overall reason for this is so that we can traffic shape to ensure that the Phones and DHCP networks get a minimum of X bandwidth.

    I'm not intentionally using IPv6, it's just a virtualbox setup and it defaults with it on but it's not needed. As for DNS that's just the office network so I wouldn't worry about them :)

    Thanks


  • Netgate

    And the default gateway of, say, 10.0.10.2 is 10.0.10.254, not pfSense (10.0.10.121) correct?

    Have you done any packet captures to see where the flow is breaking down? For instance when upstream ARPs for 10.0.10.2 does the request appear on WAN and flow to the STATICS interface? Is there a response? Does that response go out WAN?



  • Apologies for the delay getting back to you on this, I've been a bit busy with things.

    So I've done a lot more digging and it seems that traffic is going out, back into the pfSense box but doesn't seem to get back to my VM and I'm honestly out of my depth trying to work out why.

    So relevant info is below. 10.0.10.254 is the external gateway and does DHCP, so my VM 10.0.10.121 gets its IP from our office router ok but pings and normal internet traffic fail. It would appear that the WAN interface is getting the ping reply but it's not going across to the Statics or the bridge interface and I can't work out why.

    pfTop: Up State 1-17/17, View: default, Order: bytes
    PR        DIR SRC                           DEST                                   STATE                AGE       EXP     PKTS    BYTES
    icmp      Out 10.0.10.121:32235             10.0.10.254:32235                       0:0            00:07:06  00:00:09     1643    46004
    icmp      Out 10.0.10.121:55748             10.0.10.254:55748                       0:0            00:07:03  00:00:09     1640    45920
    

    Packet Capture WAN:
    11:40:12.494284 IP 10.0.10.121 > 10.0.10.254: ICMP echo request, id 32235, seq 1242, length 8
    11:40:12.494450 IP 10.0.10.121 > 10.0.10.254: ICMP echo request, id 55748, seq 1238, length 8
    11:40:12.509484 IP 10.0.10.254 > 10.0.10.121: ICMP echo reply, id 32235, seq 1242, length 8
    11:40:12.510505 IP 10.0.10.254 > 10.0.10.121: ICMP echo reply, id 55748, seq 1238, length 8
    11:40:13.651769 ARP, Request who-has 10.0.10.254 tell 10.0.10.124, length 46

    Packet Capture Bridge:
    11:48:49.284145 ARP, Request who-has 10.0.10.254 tell 10.0.10.124, length 46
    11:48:50.307864 ARP, Request who-has 10.0.10.254 tell 10.0.10.124, length 46
    11:48:51.331496 ARP, Request who-has 10.0.10.254 tell 10.0.10.124, length 46

    Packet Capture Statics:
    11:50:30.660879 ARP, Request who-has 10.0.10.254 tell 10.0.10.124, length 46
    11:50:31.688384 ARP, Request who-has 10.0.10.254 tell 10.0.10.124, length 46
    11:50:32.709554 ARP, Request who-has 10.0.10.254 tell 10.0.10.124, length 46
    11:50:33.733321 ARP, Request who-has 10.0.10.254 tell 10.0.10.124, length 46
    11:50:34.757094 ARP, Request who-has 10.0.10.254 tell 10.0.10.124, length 46

    VM tcp dump for icmp:
    0_1538651044673_tcpdump icmp.png

    Am I right in thinking that the incoming flow from WAN to the Statics is what's failing? Are there other diagnostic steps I can take to work this out?

    I'll keep trying this afternoon to see if I can get anywhere.

    Thanks
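The Netgate reply above suggests following the ARP request and the ICMP echo through each capture point (WAN, the bridge, and the STATICS member) to see at which hop the flow breaks, and the last post shows exactly that kind of per-interface tcpdump output. The script below is an added example, not code from the thread or from pfSense: it parses tcpdump text lines from each capture point and reports the first hop, walking upstream to downstream, where the gateway's echo replies stop appearing, plus any interface where ARP for the gateway is asked but never answered. The capture lines, the interface names in PATH and the addresses are constructed to mirror the ones in the thread.

```python
"""Locate where a bridged ICMP flow stops, from per-interface tcpdump text.

Constructed example: the capture lines below are modelled on the ones posted
in the thread (VM 10.0.10.121 pinging upstream gateway 10.0.10.254 through a
WAN <-> STATICS bridge) and are not the poster's actual captures.
"""
import re
from collections import Counter

# Capture points in upstream-to-downstream order for the reply direction.
# The names are assumed to match the pfSense interfaces captured on.
PATH = ("WAN", "BRIDGE", "STATICS")

# Constructed sample captures: one list of tcpdump lines per capture point.
CAPTURES = {
    "STATICS": [
        "11:40:12.494001 IP 10.0.10.121 > 10.0.10.254: ICMP echo request, id 32235, seq 1242, length 8",
        "11:40:12.494120 IP 10.0.10.121 > 10.0.10.254: ICMP echo request, id 55748, seq 1238, length 8",
        "11:50:30.660879 ARP, Request who-has 10.0.10.254 tell 10.0.10.124, length 46",
        "11:50:31.688384 ARP, Request who-has 10.0.10.254 tell 10.0.10.124, length 46",
    ],
    "BRIDGE": [
        "11:40:12.494150 IP 10.0.10.121 > 10.0.10.254: ICMP echo request, id 32235, seq 1242, length 8",
        "11:40:12.494260 IP 10.0.10.121 > 10.0.10.254: ICMP echo request, id 55748, seq 1238, length 8",
        "11:48:49.284145 ARP, Request who-has 10.0.10.254 tell 10.0.10.124, length 46",
    ],
    "WAN": [
        "11:40:12.494284 IP 10.0.10.121 > 10.0.10.254: ICMP echo request, id 32235, seq 1242, length 8",
        "11:40:12.494450 IP 10.0.10.121 > 10.0.10.254: ICMP echo request, id 55748, seq 1238, length 8",
        "11:40:12.509484 IP 10.0.10.254 > 10.0.10.121: ICMP echo reply, id 32235, seq 1242, length 8",
        "11:40:12.510505 IP 10.0.10.254 > 10.0.10.121: ICMP echo reply, id 55748, seq 1238, length 8",
        "11:40:13.651769 ARP, Request who-has 10.0.10.254 tell 10.0.10.124, length 46",
    ],
}

ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply),"
    r" id (?P<id>\d+), seq (?P<seq>\d+)"
)
ARP_RE = re.compile(
    r"^\S+ ARP, (?:Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)"
    r"|Reply (?P<who>[\d.]+) is-at (?P<mac>[0-9a-fA-F:]+))"
)


def parse_line(line):
    """Parse one tcpdump text line into a dict, or None for lines we ignore."""
    m = ICMP_RE.match(line)
    if m:
        return {"proto": "icmp", "kind": m["kind"], "src": m["src"], "dst": m["dst"],
                "id": int(m["id"]), "seq": int(m["seq"])}
    m = ARP_RE.match(line)
    if m and m["target"]:
        return {"proto": "arp", "kind": "request", "target": m["target"], "sender": m["sender"]}
    if m:
        return {"proto": "arp", "kind": "reply", "target": m["who"], "mac": m["mac"]}
    return None


def summarise(lines, host, gateway):
    """Count the four packet types that matter for a host <-> gateway ping test."""
    counts = Counter()
    for pkt in filter(None, map(parse_line, lines)):
        if pkt["proto"] == "icmp":
            if pkt["kind"] == "request" and (pkt["src"], pkt["dst"]) == (host, gateway):
                counts["echo_request_out"] += 1
            elif pkt["kind"] == "reply" and (pkt["src"], pkt["dst"]) == (gateway, host):
                counts["echo_reply_in"] += 1
        elif pkt["target"] == gateway:
            counts["arp_request_for_gw" if pkt["kind"] == "request" else "arp_reply_from_gw"] += 1
    return counts


def locate_break(captures, host, gateway, path=PATH):
    """Walk the reply path upstream -> downstream and report the first hop that loses replies.

    Returns the hop as a (seen_on, missing_on) pair, the per-interface counts, and
    the interfaces where ARP for the gateway is requested but never answered.
    """
    summaries = {iface: summarise(captures[iface], host, gateway) for iface in path}
    break_between = None
    for seen_on, missing_on in zip(path, path[1:]):
        if summaries[seen_on]["echo_reply_in"] and not summaries[missing_on]["echo_reply_in"]:
            break_between = (seen_on, missing_on)
            break
    unanswered_arp = [i for i in path
                      if summaries[i]["arp_request_for_gw"] and not summaries[i]["arp_reply_from_gw"]]
    return {"break_between": break_between, "summaries": summaries, "unanswered_arp": unanswered_arp}


if __name__ == "__main__":
    result = locate_break(CAPTURES, "10.0.10.121", "10.0.10.254")
    for iface in PATH:
        print(f"{iface:8s} {dict(result['summaries'][iface])}")
    print("replies stop between:", result["break_between"])
    print("ARP for gateway unanswered on:", result["unanswered_arp"])
```

On the constructed captures the echo requests are seen on all three points but the replies only on WAN, so the script reports the break between WAN and BRIDGE, which is the inbound WAN-to-bridge direction the last post suspects. To use it on real captures, replace the lists in CAPTURES with the text output of the Diagnostics > Packet Capture page (or `tcpdump -ni <iface>` on the console) for each interface, captured over the same window so the echo id and seq values line up.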