Transparent bridge (as firewall) is not working



  • Hello,

    I'm a bit stuck; it would be great if somebody could help me. My setup is: an ESXi server, where I have vswitch0 for the external network (public IP addresses) and vswitch1 for the segmented network (also with the same public IP addresses, but after a few, the packet goes through pfSense). The purpose is to filter some packets from the external network to the segmented one (acting as a transparent firewall).
    So the pfSense VM has 3 interfaces: vmx0 (WAN from vswitch0), vmx1 (LAN from vswitch1) and vmx2 (local IP address for management purposes).

    I have done the following:

    • Set WAN and LAN IP addresses to 'none' in Interfaces
    • Created a bridge with WAN and LAN and renamed it to BRIDGE in interfaces
    • Enabled the BRIDGE interface and gave an external IP, then gave a gateway and made it default (it is the router's IP of course) in Interfaces.
    • Disabled outgoing NAT completely in Firewall, NAT
    • Set net.link.bridge.pfil_bridge to 1 and net.link.bridge.pfil_member to 0
    • Created a pass rule any any on wan, lan, bridge, mgmt
    • Completely disabled the firewall for testing (in the shell, pfctl -d)

    The problem is that the bridge's IP address can't be pinged or accessed in any way. In the firewall logs I don't see anything special (but because I disabled it for testing purposes, I won't see any), and if I do a packet capture on bridge0 I just see some ARP requests, nothing more.

    I can also access my router's ARP table and I don't see the pfSense external IP in there. Also, in pfSense the default gateway is unreachable, but for some reason in its ARP table I can see the router's IP and MAC.

    My pfSense version is 2.4.5-RELEASE-p1

    Could anyone please help me figure out what I am doing wrong?

    As far as I can remember, the same setup worked great on older versions of pfSense.



  • Okay, I found the problem. Actually, it was because the vSwitch has some Reject policies by default. On the Standard/Distributed vSwitch's port groups (the ones you would like to bridge), set "MAC address changes" and "Forged transmits" to Accept in the security settings. Then the bridge interface will work.
    This should be a reminder for anyone who has the same problem in a VMware environment.
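The port-group security settings named in the reply above can be audited and corrected from VMware PowerCLI instead of clicking through the vSphere client. The following script is an added example and is not from the forum post or from the pfSense or VMware projects; the ESXi host name, credentials and port-group names ("WAN-Bridge", "LAN-Bridge") are placeholders you must replace, and it assumes the VMware.PowerCLI module is installed. Beyond the two settings in the reply, it also checks "Promiscuous mode", which a vSwitch port group requires for a bridging VM to receive frames addressed to MAC addresses on the far side of the bridge (a general vSwitch requirement, not something the thread discusses). Run it without -Fix first to see the current policy; it only changes anything when -Fix is given.

```powershell
# Added example (not the poster's or VMware's code): audit, and optionally fix,
# the vSwitch port-group security policy for the port groups a pfSense bridge spans.
# Placeholders: $VIServer, $PortGroups, and the credentials Connect-VIServer prompts for.
param(
    [string]   $VIServer   = 'esxi.example.invalid',            # placeholder host
    [string[]] $PortGroups = @('WAN-Bridge', 'LAN-Bridge'),     # placeholder port-group names
    [switch]   $Fix                                             # report only unless -Fix is given
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VIServer | Out-Null

foreach ($name in $PortGroups) {
    # Standard vSwitch port group; for a distributed switch use
    # Get-VDPortgroup / Get-VDSecurityPolicy / Set-VDSecurityPolicy instead.
    $pg     = Get-VirtualPortGroup -Name $name -Standard -ErrorAction Stop
    $policy = Get-SecurityPolicy -VirtualPortGroup $pg

    # Why each setting matters for a transparent bridge:
    #  MacChanges       - bridge0 uses a MAC that differs from the vNIC's own MAC
    #  ForgedTransmits  - bridged frames leave the VM with source MACs the VM does not own
    #  AllowPromiscuous - the VM must receive frames addressed to hosts behind the bridge
    $needed = [ordered]@{
        MacChanges       = $policy.MacChanges
        ForgedTransmits  = $policy.ForgedTransmits
        AllowPromiscuous = $policy.AllowPromiscuous
    }
    $missing = @($needed.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Key)

    if ($missing.Count -eq 0) {
        Write-Host "$name : OK (MAC changes, forged transmits and promiscuous mode are Accept)"
        continue
    }
    Write-Warning "$name : still Reject for $($missing -join ', ')"

    if ($Fix) {
        # Scope the change to the bridged port groups only; the vSwitch-level
        # default and every other port group keep their Reject policy.
        Set-SecurityPolicy -VirtualPortGroupPolicy $policy `
            -MacChanges $true -ForgedTransmits $true -AllowPromiscuous $true | Out-Null
        Write-Host "$name : policy updated"
    }
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Applying the change per port group rather than on the whole vSwitch keeps the relaxed policy limited to the two bridged segments; every other port group on the host stays at the default Reject, so only the firewall VM can source frames with foreign MAC addresses or see traffic not addressed to it.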

