No outbound traffic in transparant bridge mode

mgielissen

The server is using the upstream gateway (all public IP addresses).

stephenw10

Do you see the outbound traffic blocked in the firewall log?

If so what exactly doe the block show? I expect it to show flagged TCP packets.

Steve

mgielissen

There is no traffic blocked in the firewall log, traffic is passed according to the log when loggin is turned on.

stephenw10

Then I would run a packet capture on WAN and see what's actually leaving and coming back.

What are you actually attempting from the server that is failing? How is it failing?

Steve

mgielissen

I try to ssh to an other server on the WAN side of pfsense, only ping works and inbound traffic.

packet dump:

a.a.a.a.40684 > a.a.a.b.22: Flags [S], cksum 0x4434 (incorrect -> 0xca78), seq 4262675153, win 29200, options [mss 1460,sackOK,TS val 2616871823 ecr 0,nop,wscale 7], length 0

stephenw10

OK, so no reply packets coming back at all. Is that servers MAC/IP in the ARP table?
Can you ssh to it from pfSense?

If there is a subnet error on one of those machine it might be replying to it's gateway and hence you have asymmetric routing.

Steve

mgielissen

I can do SSH from pfsense to the server on the wan side. From the server on the wan side I can do SSH to the internal server.

The ARP table only shows the bridge interface OPT1 and the gateway from the provider.

mgielissen

I can also pfsense from the internal server, then his mac address pops up in the arp table

stephenw10

Can you ssh to pfSense from the WAN side sever to pfSense?

There are no reply packets at all so either the server is not replying at all or it's replying via a different route.

If there was some subnet mask issue or a bad route I would not expect pfSense to make any difference there. It would still fail if you removed pfSense and connected the internal server directly, is that the case?

Steve

mgielissen

I can SSH from WAN to pfsense, the server works also when connected directly. When in Bridge mode, the subnet or gateway shouldn't matter?

mgielissen

pfsense runs in a vm on proxmox, can that be a problem with the linux bridge proxmox uses?

I did a second setup with pfsense in NAT mode and a local IP address on the LAN side, same problem with outbound connection. I can only ping.

EDIT: Found the solution: disable "Hardware Checksum Offloading" for Proxmox VirtIO interface