Netgate Discussion Forum
    PFS 2.4.4 transparent bridge never changes from Learning to Forwarding

    L2/Switching/VLANs
    2 Posts 1 Posters 228 Views
    tim.rowland

      Use Case: Proof of Concept: Need to filter traffic on a single subnet of public IPs before reaching web server.
      PFSense setup: VM with 3 vNICs. One "Public Outside", one "Public Inside" and one "Management LAN", all on different VLANs.

      Topology

      12.x.x.1 / 26 {172.16.x.x Management VLAN} 12.x.x.6 / 26
      <GATEWAY> ------ VLAN7 ---------- "Outside Interface" <PFSENSE> "Inside Interface" ------VLAN8----- < WEBSERVER>

      So. I need a single broadcast domain, a single IP subnet, with filtering. The webserver uses the 12.x.x.1 as its gateway to the interwebs.

      Initial setup:

      • Disabled all NAT
      • No IP addresses assigned to Outside or Inside interfaces. (verified correct VLAN assignments in vSphere with MAC addresses.)
      • Created Bridge (Interfaces -> Assignments -> Bridges): bridge0
      • Verified R/STP was DISABLED on bridge.
      • Added Outside and Inside interfaces to Bridge
      • Did not create bridge interface.
      • Created firewall rule on both outside and inside interfaces: FROM * TO * on * port. (Wide open just for POC)
      • Created firewall rule on both outside and inside interfaces, allowing all ICMP from * to *.

      My expectation is that the Webserver should be able to ping 12.x.x.1 . With the above configuration, it cannot.
      Under Status -> Interfaces, I see Outside and Inside with the line Bridge (bridge0) "Learning". This suggests an R/STP issue. Don't know why, if R/STP is off....

      Okay. So I create the bridge interface and assign it an IP: 12.x.x.7. Create firewall rules IPv4&6, all protocols, FROM * TO *, all ports. Webserver cannot ping 12.x.x.1 OR 12.x.x.7.

      huh.

      (System tunables are set to filter traffic on bridge interfaces, not bridge interface itself, BTW. No traffic is destined for the bridge interface, so why would I? No need for DHCP on this subnet; all static assigned.)

      If I assign 12.x.x.7 to the OUTSIDE interface itself, while it's part of the bridge, I can ping 12.x.x.1, but NOT x.x.6.
      If I assign 12.x.x.7 to the INSIDE interface itself, while it's part of the bridge, I can ping 12.x.x.6, but NOT x.x.1.
      If I assign 12.x.x.7 to the BRIDGE interface, I cannot ping squat.

      The whole time, I continue to see in the Status -> Interfaces: Outside & Inside: Bridge (bridge0) learning.
      It. Never. Goes. To. Forwarding.
      Added the two interfaces as Edge Ports, thinking they'd immediately go to forwarding. Nope.
      Turned on RSTP. Hit save. Alarm bells start going off; nothing is working; oh crap oh crap oh crap. Power down VM immediately. Disconnect vNICs in vSphere, power it on. Connect via mgmt interface, disable RSTP. Re-connect NICs.

      What am I missing here?

      Not sure if this belongs in L2 or Firewall....

      -T-
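An added diagnostic, not code from this thread or from pfSense, for checking from the pfSense/FreeBSD shell what sits behind a "learning" display and where pf filters bridged traffic. It parses `ifconfig bridge0` output and the `net.link.bridge` sysctls (the values behind the System Tunables mentioned above), and separates a member's LEARNING flag (MAC-address learning, set whether or not STP is on) from the spanning-tree port state, which only exists on members carrying the STP flag. The sample outputs and the member names vmx1/vmx2 are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the forum post or pfSense). Both samples below are
# CONSTRUCTED; on a live box replace them with
#   IFCONFIG_OUT="$(ifconfig bridge0)"; SYSCTL_OUT="$(sysctl net.link.bridge)"
IFCONFIG_OUT='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        member: vmx1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 2000000
        member: vmx2 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 2000000 proto rstp
                role designated state learning'
SYSCTL_OUT='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0'

# bridge_members -> member interface names on one line, e.g. "vmx1 vmx2"
bridge_members() {
    printf '%s\n' "$IFCONFIG_OUT" |
        awk '/^[ \t]*member: / { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# member_state IFACE -> "stp-off" when the member has no STP flag (only the
# LEARNING/MAC-learning flag applies, there is no spanning-tree state to wait
# for), otherwise the spanning-tree state word (learning, forwarding, ...).
member_state() {
    printf '%s\n' "$IFCONFIG_OUT" | awk -v want="$1" '
        /^[ \t]*member: / {
            cur = $2
            if (cur == want) { found = 1; out = ($3 ~ /[<,]STP[,>]/) ? "stp-on" : "stp-off" }
            next
        }
        found && cur == want && /state / {
            for (i = 1; i <= NF; i++) if ($i == "state") out = $(i + 1)
        }
        END { if (found) print out }'
}

# filter_location -> where pf sees bridged packets: "member" means rules must
# live on the member interfaces (Outside/Inside), "bridge" on bridge0 itself.
filter_location() {
    m=$(printf '%s\n' "$SYSCTL_OUT" | awk '/pfil_member:/ { print $2 }')
    b=$(printf '%s\n' "$SYSCTL_OUT" | awk '/pfil_bridge:/ { print $2 }')
    case "$m$b" in
        11) echo both ;; 10) echo member ;; 01) echo bridge ;; *) echo none ;;
    esac
}

for m in $(bridge_members); do printf '%s: %s\n' "$m" "$(member_state "$m")"; done
echo "pf filters bridged traffic on: $(filter_location)"
```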

        tim.rowland

        If it helps:
        Environment:

        • VMWare vSphere 6.5
        • Cisco UCS.
        • pfSense and WebServer VM are on the same physical host, connected to the same port group, on the same vSwitch.
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.