Configuring bridge, client's traffic reaches PfSense but nothing comes back.



I am configuring my pfSense for the first time ever, moving from a Linux routing box.

I have an i350-T4 PCIe installed (igb0-3): igb3 is WAN, igb0-2 are bridged together for LAN. However, following the official manual for bridging doesn't get me far - I can see the DHCP offers being given to my client:

    Sep 28 20:02:19 pfSense dhcpd: DHCPDISCOVER from 64:4b:f0:01:xx:xx (MaokPro134) via bridge0
    Sep 28 20:02:19 pfSense dhcpd: DHCPOFFER on 10.0.1.10 to 64:4b:f0:01:xx:xx (MaokPro134) via bridge0

However, tcpdump on the client's interface shows it does not receive any response at all from the router – not even the ARP packets.

Now, if I take one of the eth interfaces (igb2) out of the bridge and assign it explicitly to LAN, the traffic comes through and DHCP works as expected.

So I tried the following:

• Manually setting an IP address – traffic still can't reach the server, so it's not an issue with DHCP traffic only.
• arping the bridge from the client doesn't return anything.
• arping the client from the server doesn't return anything, either.
• All of this was tested with the firewall enabled and disabled.

Looks to me like the outgoing traffic is somehow blocked for bridge0, except I didn't change anything on top of what the manual says: https://docs.netgate.com/pfsense/en/latest/book/bridging/bridging-and-interfaces.html

    bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	ether 02:1a:35:4b:55:00
    	inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
    	inet6 fe80::1:1%bridge0 prefixlen 64 scopeid 0x9
    	nd6 options=1<PERFORMNUD>
    	groups: bridge
    	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    	member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    	        ifmaxaddr 0 port 2 priority 128 path cost 2000000
    	member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    	        ifmaxaddr 0 port 1 priority 128 path cost 2000000

    [2.4.4-RELEASE][root@pfSense.localdomain]/root: pfctl -sa | grep bridge
    scrub on bridge0 all fragment reassemble
    block drop in log on ! bridge0 inet from 10.0.1.0/24 to any
    pass in quick on bridge0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on bridge0 inet proto udp from any port = bootpc to 10.0.1.1 port = bootps keep state label "allow access to DHCP server"
    pass out quick on bridge0 inet proto udp from 10.0.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in quick on bridge0 proto tcp from any to (bridge0) port = https flags S/SA keep state label "anti-lockout rule"
    pass in quick on bridge0 proto tcp from any to (bridge0) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on bridge0 proto tcp from any to (bridge0) port = 6666 flags S/SA keep state label "anti-lockout rule"
    pass in quick on bridge0 inet from 10.0.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
    bridge0 udp 255.255.255.255:67 <- 0.0.0.0:68       NO_TRAFFIC:SINGLE
    bridge0 udp 0.0.0.0:68 -> 255.255.255.255:67       SINGLE:NO_TRAFFIC
    bridge0 icmp 10.0.1.1:61491 -> 10.0.1.10:61491       0:0

Tunables:

    net.link.bridge.pfil_member 0
    net.link.bridge.pfil_bridge 1

Also, the interfaces are in fact SR-IOVed from Proxmox, if that's of any importance.

Let me know if I can provide any more information. I am a bit puzzled by the complexity of this. From what I understand, it should just work.
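As an added example (not part of the post, and not pfSense's own tooling), the following Python script parses the ifconfig, sysctl and pfctl output quoted above and reports where pf actually evaluates rules for frames crossing the bridge. With net.link.bridge.pfil_member=0 and net.link.bridge.pfil_bridge=1, FreeBSD's if_bridge hands bridged packets to pf on bridge0 only, so a rule bound to igb0 or igb1 would never be consulted; the script lists any such rules so a reviewer can see at a glance whether the rule set and the tunables agree. The sample inputs are copied from the post; the function names, and the colon-or-space tunable format, are this example's own assumptions.

```python
import re

# Constructed sample input, copied from the forum post (trimmed to the lines
# the parser needs). Real input would come from `ifconfig bridge0`,
# `sysctl net.link.bridge` and `pfctl -sr`.
IFCONFIG_OUTPUT = """\
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:1a:35:4b:55:00
	inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
	member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 2 priority 128 path cost 2000000
	member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 1 priority 128 path cost 2000000
"""

SYSCTL_OUTPUT = """\
net.link.bridge.pfil_member 0
net.link.bridge.pfil_bridge 1
"""

PFCTL_OUTPUT = """\
scrub on bridge0 all fragment reassemble
block drop in log on ! bridge0 inet from 10.0.1.0/24 to any
pass in quick on bridge0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on bridge0 inet proto udp from any port = bootpc to 10.0.1.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on bridge0 inet proto udp from 10.0.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in quick on bridge0 proto tcp from any to (bridge0) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on bridge0 proto tcp from any to (bridge0) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on bridge0 proto tcp from any to (bridge0) port = 6666 flags S/SA keep state label "anti-lockout rule"
pass in quick on bridge0 inet from 10.0.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
bridge0 udp 255.255.255.255:67 <- 0.0.0.0:68       NO_TRAFFIC:SINGLE
"""

# Interface header lines start in column 0; member lines are indented.
BRIDGE_RE = re.compile(r"^(\w+): flags=")
MEMBER_RE = re.compile(r"^\s*member: (\S+) flags=\w+<([^>]*)>")
# Accept both "name value" (as pasted in the post) and "name: value" (sysctl output).
TUNABLE_RE = re.compile(r"^(net\.link\.bridge\.pfil_(?:member|bridge))[:\s]\s*(\d+)")
# pass/block rules as printed by pfctl -sr; state lines and scrub lines do not match.
RULE_RE = re.compile(
    r"^(pass|block)\s+(?:drop\s+)?(in|out)\s+(?:log\s+)?(?:quick\s+)?on\s+(!\s*)?(\S+)"
)


def parse_bridge(text):
    """Return the bridge name and its member interfaces with their flag lists."""
    bridge = {"name": None, "members": []}
    for line in text.splitlines():
        m = BRIDGE_RE.match(line)
        if m and bridge["name"] is None:
            bridge["name"] = m.group(1)
            continue
        m = MEMBER_RE.match(line)
        if m:
            bridge["members"].append((m.group(1), m.group(2).split(",")))
    return bridge


def parse_tunables(text):
    """Map net.link.bridge.pfil_* tunable names to their integer values."""
    return {m.group(1): int(m.group(2)) for m in map(TUNABLE_RE.match, text.splitlines()) if m}


def filtering_points(bridge, tunables):
    """Interfaces on which pf sees bridged frames. FreeBSD defaults both tunables to 1."""
    points = set()
    if tunables.get("net.link.bridge.pfil_bridge", 1) == 1:
        points.add(bridge["name"])
    if tunables.get("net.link.bridge.pfil_member", 1) == 1:
        points.update(name for name, _ in bridge["members"])
    return points


def parse_rules(text):
    """Extract action, direction, interface negation and interface from each pf rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"action": m.group(1), "direction": m.group(2),
                          "negated": m.group(3) is not None, "iface": m.group(4),
                          "text": line})
    return rules


def audit(ifconfig_text, sysctl_text, pfctl_text):
    """Report where pf filters bridged traffic and which rules it would never reach."""
    bridge = parse_bridge(ifconfig_text)
    points = filtering_points(bridge, parse_tunables(sysctl_text))
    bridged = {bridge["name"]} | {name for name, _ in bridge["members"]}
    # A rule bound to a bridged interface that pf is not hooked into is dead for bridged frames.
    unreachable = [r["text"] for r in parse_rules(pfctl_text)
                   if r["iface"] in bridged and r["iface"] not in points and not r["negated"]]
    return {"bridge": bridge["name"],
            "members": [name for name, _ in bridge["members"]],
            "filter_on": sorted(points),
            "unreachable_rules": unreachable}


if __name__ == "__main__":
    result = audit(IFCONFIG_OUTPUT, SYSCTL_OUTPUT, PFCTL_OUTPUT)
    print(f"bridge {result['bridge']} members={result['members']}")
    print(f"pf evaluates bridged frames on: {result['filter_on']}")
    for rule in result["unreachable_rules"]:
        print("never reached for bridged traffic:", rule)
```

For the configuration in the post the script reports that every rule is bound to bridge0, which is exactly where pf is hooked, so the rule set itself is consistent with the tunables; flipping the tunables to pfil_member=1 / pfil_bridge=0 would make all seven pass rules unreachable, which is the misconfiguration this check is meant to catch.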

