Netgate Discussion Forum

No filtering when using bridge

Problems Installing or Upgrading pfSense Software
5 Posts 2 Posters 558 Views
graham1871, last edited Dec 3, 2019, 6:51 PM

Hi,
I have a pfSense installation which is using one physical network interface, and I have configured a bridge for WAN and LAN in order to have a transparent firewall. I have done this so that all the servers on the network can have the same public gateway and public IP addresses (no NAT). I have disabled NAT.

I have followed this guidance as I want the bridge to do the filtering:
net.link.bridge.pfil_member and net.link.bridge.pfil_bridge under System > Advanced on the System Tunables tab. With them set to 0 and 1, respectively, filtering would be performed on the bridge only.

The WAN and LAN have no IP addresses.

I have added an OPT1 interface that is the bridge and it has the IP address and gateway on it.

The issue I have is that there is no filtering taking place. Everything is allowed from everywhere to the servers despite no rules being in place to allow the traffic.

If I check the logs there are no details on anything apart from access to the firewall's IP (which is being blocked as expected and only allowed from the IPs I have added).

Derelict (LAYER 8, Netgate), last edited Dec 4, 2019, 1:04 AM

What did you bridge with one physical interface?

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

graham1871, last edited Dec 4, 2019, 10:54 AM

Sorry - that's a mistake on my first message, I should have put one public subnet. The bridge is the WAN to LAN. I have configured it so that neither has an IP address and the IP address is instead on the bridge (OPT1). The firewall and all the machines behind it have public IP addresses and all use a public gateway.

Derelict (LAYER 8, Netgate), last edited Dec 4, 2019, 7:19 PM

net.link.bridge.pfil_member=0 and net.link.bridge.pfil_bridge=1

Right. In that configuration you want to filter on the members, not the bridge interface. There is no filtering between the members there, only into the bridge interface. If something is going from one bridge member on the WAN to a bridge member on the LAN, the traffic never passes into the bridge interface itself.

So if you want to filter on the WAN to members on the bridged LAN, you should be filtering on the WAN member.

The filters on the bridge itself will apply to traffic to the bridge's address(es).

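The check below is an added example; it is not from this thread and not pfSense code. It is a small POSIX shell script a practitioner could keep on the firewall to catch the mistake described above: it reads the two if_bridge tunables from `sysctl` output, reports which pfSense rule tabs pf will consult, and warns on the pfil_member=0 / pfil_bridge=1 combination the original poster started with, printing the member-filtering setting Derelict recommends. The script name, the function names and the sample sysctl output are constructed for the example.

```shell
#!/bin/sh
# Added example (bridge_pfil_check.sh): not from the thread and not pfSense code.
# Reads the two if_bridge filtering tunables from `sysctl` output and reports
# which pfSense rule tabs pf will consult for a WAN<->LAN transparent bridge,
# warning on the pfil_member=0 / pfil_bridge=1 combination the original poster
# started with. The function names and the sample sysctl output are constructed.
#
# On the firewall itself:
#   sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge | sh bridge_pfil_check.sh

# parse_pfil_sysctls: stdin is `sysctl` output ("name: value" per line).
# Prints "<pfil_member> <pfil_bridge>"; exits 1 if either tunable is missing.
parse_pfil_sysctls() {
  awk -F': *' '
    $1 == "net.link.bridge.pfil_member" { m = $2 }
    $1 == "net.link.bridge.pfil_bridge" { b = $2 }
    END {
      if (m == "" || b == "") exit 1
      print m, b
    }'
}

# filter_scope MEMBER BRIDGE: where pf sees bridged traffic for this setting.
#   members - rules on the member interfaces (WAN, LAN tabs)
#   bridge  - rules on the assigned bridge interface only (OPT1 in the thread)
#   both    - both rule sets are evaluated
#   none    - pf never filters bridged traffic
filter_scope() {
  case "$1/$2" in
    1/0) echo members ;;
    0/1) echo bridge ;;
    1/1) echo both ;;
    0/0) echo none ;;
    *)   echo "filter_scope: expected 0/1 values, got '$1' '$2'" >&2; return 2 ;;
  esac
}

# transparent_bridge_check MEMBER BRIDGE
# Returns 0 when forwarded traffic between the members is filtered on the
# member interfaces; otherwise prints the reason and the fix and returns 1.
transparent_bridge_check() {
  scope=$(filter_scope "$1" "$2") || return 2
  case "$scope" in
    members|both)
      echo "OK: pfil_member=$1 pfil_bridge=$2; put your WAN/LAN rules on the member interface tabs"
      return 0 ;;
    bridge)
      echo "WARNING: pfil_member=0 pfil_bridge=1; only rules on the bridge interface are applied"
      echo "  As reported in this thread, traffic forwarded WAN<->LAN between the members"
      echo "  was not filtered by those rules; only traffic to the bridge's own address was." ;;
    none)
      echo "WARNING: pfil_member=0 pfil_bridge=0; pf does not filter bridged traffic at all" ;;
  esac
  echo "  Runtime fix: sysctl net.link.bridge.pfil_member=1 net.link.bridge.pfil_bridge=0"
  echo "  Persist it under System > Advanced > System Tunables."
  return 1
}

# main: read the tunables from stdin and run the check.
main() {
  vals=$(parse_pfil_sysctls) || { echo "could not read both pfil tunables from stdin" >&2; return 2; }
  set -- $vals
  transparent_bridge_check "$1" "$2"
}

# Constructed sample reproducing the original poster's settings (not a real capture).
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1'

# Demo on the sample; the check deliberately returns 1 here, so do not let that abort the script.
printf '%s\n' "$SAMPLE_SYSCTL" | main || true
```

Run as written it reports the warning for the poster's settings; piped the real `sysctl` output on the firewall it returns 0 only when filtering is on the members, so it can sit in a post-upgrade check. The `sysctl name=value` line it prints changes the running value only; the System Tunables entries are what survive a reboot.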
graham1871, last edited Dec 5, 2019, 4:36 PM

Thank you for your help.

It does seem to be up and running now!
Thanks.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.