Configuring bridge, client's traffic reaches pfSense but nothing comes back.
I am configuring my pfSense for the first time ever, moving from a Linux routing box.
I have an i350-T4 PCIe card installed (igb0-3): igb3 is WAN, igb0-2 are bridged together for LAN. However, following the official manual for bridging doesn't get me far. I can see the DHCP offers being given to my client:
Sep 28 20:02:19 pfSense dhcpd: DHCPDISCOVER from 64:4b:f0:01:xx:xx (MaokPro134) via bridge0
Sep 28 20:02:19 pfSense dhcpd: DHCPOFFER on 10.0.1.10 to 64:4b:f0:01:xx:xx (MaokPro134) via bridge0
However, tcpdump on the client's interface shows it does not receive any response at all from the router – not even the ARP packets.
Now, if I take one of the eth interfaces (igb2) out of the bridge and assign it explicitly to LAN, the traffic comes through and DHCP works as expected.
So I tried the following:
- Manually setting an IP address – traffic still can't reach the server, so it's not an issue with DHCP traffic only.
- arping to the bridge from the client doesn't return anything.
- arping the client from the server doesn't return anything, either.
- all this tested with firewall enabled and disabled.
Looks to me that the outgoing traffic is somehow blocked for bridge0, except I didn't change anything beyond what the manual says: https://docs.netgate.com/pfsense/en/latest/book/bridging/bridging-and-interfaces.html
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:1a:35:4b:55:00
    inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
    inet6 fe80::1:1%bridge0 prefixlen 64 scopeid 0x9
    nd6 options=1<PERFORMNUD>
    groups: bridge
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 2 priority 128 path cost 2000000
    member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 1 priority 128 path cost 2000000
[2.4.4-RELEASE][root@pfSense.localdomain]/root: pfctl -sa | grep bridge
scrub on bridge0 all fragment reassemble
block drop in log on ! bridge0 inet from 10.0.1.0/24 to any
pass in quick on bridge0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on bridge0 inet proto udp from any port = bootpc to 10.0.1.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on bridge0 inet proto udp from 10.0.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in quick on bridge0 proto tcp from any to (bridge0) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on bridge0 proto tcp from any to (bridge0) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on bridge0 proto tcp from any to (bridge0) port = 6666 flags S/SA keep state label "anti-lockout rule"
pass in quick on bridge0 inet from 10.0.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
bridge0 udp 255.255.255.255:67 <- 0.0.0.0:68       NO_TRAFFIC:SINGLE
bridge0 udp 0.0.0.0:68 -> 255.255.255.255:67       SINGLE:NO_TRAFFIC
bridge0 icmp 10.0.1.1:61491 -> 10.0.1.10:61491       0:0
Tunables:
net.link.bridge.pfil_member 0
net.link.bridge.pfil_bridge 1
Also, the interfaces are in fact SR-IOVed from Proxmox, if that's of any importance.
Let me know if I can provide any more information. I am a bit puzzled by the complexity of this. From what I understand, it should just work.