Can't get packet filter to work on bridge member interfaces



  • Hello - I am having a terrible time getting packet filtering to work on member interfaces of a bridge. Would appreciate some additional eyeballs to review and advise.

    I'm using pfsense 2.4.4-p3.

    Tunables:
    net.link.bridge.ipfw = 1
    net.link.bridge.pfil_member = 1
    net.link.bridge.pfil_bridge = 0

    (https://www.freebsd.org/cgi/man.cgi?bridge(4) says the first tunable must be enabled for dummynet support, which is a requirement for my setup)

    I have a functioning WAN interface assigned on igb0.

    I have interface igb1.300 (VLAN 300 on igb1) defined with no IP address set. This is effectively my "LAN" interface.

    I create bridge0 and set igb1.300 as its only member.

    I create an interface for bridge0 and assign it a valid public IP address for my upstream connection (1.1.1.1/24 for example)

    I have a client node entering pfsense on igb1.300 with a public IP address in the same subnet (1.1.1.2/24 for example, with gateway 1.1.1.1)

    I create a firewall rule (pass any-any) on igb1.300. No traffic flows, and firewall logs show default deny being hit on the bridge0 interface.

    If I move the pass rule from igb1.300 to bridge0 it hits the pass rule and traffic flows.

    If I delete the bridge and use only igb1.300 with the same IP address and firewall rule directly on igb1.300 then the pass rule gets hit and traffic flows.

    Based on the tunables I am expecting this to function opposite to how it actually is functioning. Am I missing something in the config to make it work as expected? Are my expectations correct for how it should function?

    NOTE: I already know and agree in principle that bridges in pfsense are evil and should be avoided. With that said, I still need to figure out why this particular configuration is not functioning as expected. Thanks in advance.



  • Anyone?

    Can anyone at least confirm that this should be working, despite the fact that it very much isn't working?

    Very much appreciate anything that can help point me in the right direction here. Everything I've found online suggests it should be working but I haven't found anything conclusive.


Log in to reply