Netgate Discussion Forum

    little confused about how pfsense handles broadcast packets, particularly with bridges. couple questions...

    Firewalling
    9 Posts 3 Posters 1.5k Views
    justsomeguy:

      I have a 6-port pfSense box and I wanted to use one of the spare ports as a second bridged LAN port. I know there's a performance hit compared to using a switch, but I'm OK with this.

      I created the LAN interface, provided a static IP, and created a DHCP server. I created a LAN2 interface without any IP, then created a bridge of LAN and LAN2. If you are reading this and looking to do the same, the documentation seems to suggest that assigning the static IP and DHCP server to the bridge itself and not the member interfaces is preferred, FYI (https://docs.netgate.com/pfsense/en/latest/bridges/interfaces.html).

      The system tunables described at the link below are in their default configuration, so packet filtering is done at the member interface, not at the bridge. https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html

      I saw in the pfSense documentation that in this configuration you have to add a broadcast allow rule for DHCP. I have other broadcast services I want to bridge like file share, Sonos, AirPlay, etc., so I instead created an allow from any to any rule on LAN2. https://docs.netgate.com/pfsense/en/latest/bridges/internal-networks.html#dhcp-and-internal-bridges

      I did also see the post below that describes how pfSense creates rules not shown in the GUI to allow DHCP to work on a standalone interface. https://www.reddit.com/r/PFSENSE/comments/him1qz/no_rules_needed_for_dhcp/

      I should note, everything seems to work, but I just want to make sure I understand the implications of how this is set up.

      So I guess my questions are:

      1. It seems on a standalone (non-bridged) interface by default pfSense creates rules to handle DHCP and drops any other broadcast packets, is that true?
      2. Do I have to create a rule to allow broadcast packets in on LAN to get them to be passed to LAN2? The default LAN rules are in place (allow from LAN net to any).
      3. I guess pfSense must allow non-IP broadcast messages such as ARP without any rules within a bridge, right?
      4. Are there any downsides to creating the allow from any to any rule that I did on LAN2? Isn't this how a bridge/dumb switch would normally act?
      5. I assume pfSense doesn't allow broadcast packets to leave the bridge to non-member interfaces, is this true?
      JKnott @justsomeguy:

        @justsomeguy

        pfSense should not be passing any broadcasts. Broadcasts are normally limited to a single subnet. On the other hand, multicasts may be passed, if so configured. ARP has nothing to do with IP, which it predates. Regardless, there's no reason for it to go beyond the single network.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        justsomeguy:

          ARP is a layer 2 broadcast.

          @JKnott so based on your response to original questions, can you confirm?

          1. yes
          2. yes
          3. unclear
          4. unclear
          5. yes
          JKnott @justsomeguy:

            @justsomeguy said in little confused about how pfsense handles broadcast packets, particularly with bridges. couple questions...:

            > 1. yes

            Yes

            > 2. yes

            No, you do not pass broadcasts between subnets

            > 3. unclear

            pfSense does not pass ARP, etc. under any circumstances

            > 4. unclear

            There's another thread about using pfSense as a bridge. It's a waste of effort. If you want a switch, buy a switch. They're cheap.

            > 5. yes

            pfSense has absolutely nothing to do with broadcasts. It should not be passing them anywhere


            justsomeguy:

              Found some good information in the FreeBSD documentation on bridges... still reading.

              https://www.freebsd.org/cgi/man.cgi?bridge(4)

                   ARP and REVARP packets are forwarded without being filtered and others
                   that are not IP nor IPv6 packets are not forwarded when pfil_onlyip is
                   enabled.  IPFW can filter Ethernet types using mac-type so all packets
                   are passed to the filter for processing.

                   net.link.bridge.pfil_onlyip  Controls the handling of non-IP packets
                                                which are not passed to pfil(9).  Set to 1
                                                to only allow IP packets to pass (subject to
                                                firewall rules), set to 0 to unconditionally
                                                pass all non-IP Ethernet frames.
              
              justsomeguy:

                     Multicast and broadcast packets are always forwarded to all interfaces
                     that are part of the bridge.  For unicast traffic, the bridge learns
                     which MAC addresses are associated with which interfaces and will
                     forward the traffic selectively.
                

                http://www.openbsd.org/faq/pf/filter.html#intro

                Packet filtering is the selective passing or blocking of data packets as they pass through a network interface. The criteria that pf(4) uses when inspecting packets are based on the Layer 3 (IPv4 and IPv6) and Layer 4 (TCP, UDP, ICMP, and ICMPv6) headers. The most often used criteria are source and destination address, source and destination port, and protocol.
                
                justsomeguy:

                  So I think I've learned some things. To my original questions....

                  1. It seems on a standalone (non-bridged) interface by default pfSense creates rules to handle DHCP and drops any other broadcast packets, is that true?

                  No. The default pfSense rules allow any layer 3 broadcast packets IF the source is the LAN net. DHCP is a unique exception because the source is 0.0.0.0, for which a rule is automatically created but not shown in the GUI list. Layer 2 packets are accepted by pfSense but not routed (since this isn't really possible).

                  2. Do I have to create a rule to allow broadcast packets in on LAN to get them to be passed to LAN2? The default LAN rules are in place (allow from LAN net to any).

                  For layer 2, no, this is what the bridge does and pf does not interfere. For layer 3 the default rules allow it, but can be modified as desired.

                  3. I guess pfSense must allow non-IP broadcast messages such as ARP without any rules within a bridge, right?

                  Yes.

                  4. Are there any downsides to creating the allow from any to any rule that I did on LAN2? Isn't this how a bridge/dumb switch would normally act?

                  Still looking for input here, but it seems DHCP is a unique broadcast exception instead of one of many. I did some packet capture and most other broadcast packets have a LAN net source address and would be allowed with the default rule. I guess the implication of allow from any to any is that IP packets from a source address may be routed, or attempted to be routed. This may include bad IPs or IPs intended to be link local.

                  5. I assume pfSense doesn't allow broadcast packets to leave the bridge to non-member interfaces, is this true?

                  Layer 2 broadcast packets won't leave the bridge. Layer 3 broadcasts will be filtered and routed according to rules.

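The forwarding and filtering behaviour the posts above piece together from bridge(4), written out as an added Python model. This is example code, not pfSense or FreeBSD code: the sysctl semantics (pfil_member=1 filtering on the ingress member, pfil_bridge=0, pfil_onlyip as a parameter) follow the bridge(4) text quoted earlier, the rule matcher is a first-match "pass in" approximation of pf with an implicit default deny, and the hosts, MAC addresses, the 192.168.1.0/24 "LAN net" and the rule sets (the stock "LAN net to any" rule, the OP's "any to any" on LAN2, and a DHCP rule of the shape the linked docs page describes, UDP source port 68 to 255.255.255.255 port 67) are all constructed assumptions.

```python
"""Toy model of a pfSense bridge: if_bridge(4) forwarding plus pf on the member
interfaces.  Added example, not pfSense/FreeBSD code; all data is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ETH_IP, ETH_ARP, ETH_RARP, ETH_LLDP = 0x0800, 0x0806, 0x8035, 0x88CC
BCAST_MAC = "ff:ff:ff:ff:ff:ff"
LAN_NET = "192.168.1.0/24"   # assumed subnet behind the 'LAN net' alias

@dataclass
class Frame:
    ingress: str             # member interface the frame arrived on
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: str = ""
    dst_ip: str = ""
    proto: str = ""
    sport: int = 0
    dport: int = 0

@dataclass
class Rule:
    """A 'pass in' rule on one member interface; empty/zero fields mean 'any'."""
    iface: str
    src: str                 # "any", a CIDR or a single address
    dst: str
    proto: str = ""
    sport: int = 0
    dport: int = 0

def _addr_ok(spec, addr):
    if spec == "any":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)

def pf_pass(rules, fr):
    """First matching pass rule wins; pfSense's implicit default is deny."""
    for r in rules:
        if r.iface != fr.ingress:
            continue
        if not (_addr_ok(r.src, fr.src_ip) and _addr_ok(r.dst, fr.dst_ip)):
            continue
        if (r.proto and r.proto != fr.proto) or (r.sport and r.sport != fr.sport) \
                or (r.dport and r.dport != fr.dport):
            continue
        return True
    return False

def is_l2_flood(mac):
    """Broadcast or multicast destination (I/G bit set): flood to all other members."""
    return mac == BCAST_MAC or int(mac.split(":")[0], 16) & 1 == 1

class Bridge:
    def __init__(self, members, rules, pfil_onlyip=1):
        self.members, self.rules, self.pfil_onlyip = list(members), rules, pfil_onlyip
        self.fdb = {}                              # learned MAC -> member port

    def handle(self, fr):
        """Return (verdict, egress ports); egress is always a subset of the members."""
        self.fdb[fr.src_mac] = fr.ingress          # source-address learning
        if fr.ethertype in (ETH_ARP, ETH_RARP):
            verdict = "forwarded-unfiltered"       # bridge(4): ARP/REVARP bypass pfil
        elif fr.ethertype != ETH_IP:
            if self.pfil_onlyip:
                return "dropped-non-ip", []        # pfil_onlyip=1: other non-IP not forwarded
            verdict = "forwarded-unfiltered"       # pfil_onlyip=0: passed unconditionally
        elif pf_pass(self.rules, fr):
            verdict = "pf-pass"                    # IP frame: filtered on the ingress member
        else:
            return "pf-block", []
        others = [m for m in self.members if m != fr.ingress]
        if is_l2_flood(fr.dst_mac) or fr.dst_mac not in self.fdb:
            return verdict, others                 # broadcast/multicast/unknown: flood
        return verdict, [self.fdb[fr.dst_mac]]     # known unicast: forward selectively

def demo():
    """Scenarios from the thread; returns {name: (verdict, egress)}."""
    members = ["LAN", "LAN2"]
    default_lan = [Rule("LAN", LAN_NET, "any")]                 # stock 'LAN net to any'
    lan2_net_only = [Rule("LAN2", LAN_NET, "any")]
    lan2_any_any = [Rule("LAN2", "any", "any")]                 # the OP's LAN2 rule
    lan2_dhcp = [Rule("LAN2", "any", "255.255.255.255", "udp", 68, 67),  # docs-style DHCP rule
                 Rule("LAN2", LAN_NET, "any")]
    h1, h2 = "02:00:00:00:00:01", "02:00:00:00:00:02"       # constructed hosts
    discover = dict(src_mac=h2, dst_mac=BCAST_MAC, ethertype=ETH_IP, src_ip="0.0.0.0",
                    dst_ip="255.255.255.255", proto="udp", sport=68, dport=67)
    return {
        "arp_request_on_lan": Bridge(members, default_lan).handle(
            Frame("LAN", h1, BCAST_MAC, ETH_ARP)),
        "netbios_bcast_from_lan_host": Bridge(members, default_lan).handle(
            Frame("LAN", h1, BCAST_MAC, ETH_IP, "192.168.1.10", "192.168.1.255", "udp", 137, 137)),
        "dhcp_discover_lan_net_rule": Bridge(members, lan2_net_only).handle(Frame("LAN2", **discover)),
        "dhcp_discover_dhcp_rule": Bridge(members, lan2_dhcp).handle(Frame("LAN2", **discover)),
        "dhcp_discover_any_any": Bridge(members, lan2_any_any).handle(Frame("LAN2", **discover)),
        "lldp_pfil_onlyip_1": Bridge(members, default_lan, 1).handle(
            Frame("LAN", h1, "01:80:c2:00:00:0e", ETH_LLDP)),
        "lldp_pfil_onlyip_0": Bridge(members, default_lan, 0).handle(
            Frame("LAN", h1, "01:80:c2:00:00:0e", ETH_LLDP)),
    }
```

Calling `demo()` shows the crux of question 1 and 4: a DHCP DISCOVER sourced from 0.0.0.0 cannot match a "LAN net" source, so on a member interface it is blocked unless a DHCP rule (pfSense's hidden one, the docs' explicit one, or a blanket any-to-any) exists, while ARP is flooded without ever touching the rule set, and a non-IP frame such as LLDP lives or dies on pfil_onlyip alone. In every scenario the egress list is a subset of the bridge members: a layer 3 broadcast that pf passes is flooded to the other member, never handed to a non-member port.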
                  johnpoz (LAYER 8 Global Moderator):

                    @justsomeguy said in little confused about how pfsense handles broadcast packets, particularly with bridges. couple questions...:

                    > no. the default pfsense rules allow any layer 3 broadcast packets IF the source is the LAN net.

                    But they don't go anywhere..

                    > for layer 3 the default rules allow it, but can be modified as desired.

                    Again they don't go anywhere... They are broadcast, they don't get routed to anything.

                    > layer 3 broadcasts will be filtered and routed according to rules.

                    Broadcasts are not routed..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    JKnott @justsomeguy:

                      @justsomeguy said in little confused about how pfsense handles broadcast packets, particularly with bridges. couple questions...:

                      > ARP is a layer 2 broadcast.

                      Getting back to my original point, ARP has nothing to do with IP. All it does is map an IP address to a MAC address, but it can be used for other things too. Regardless, it's never let off the local LAN, as anywhere else it's meaningless. There are plenty of other layer 2 things that have nothing to do with IP. For example, if you have a managed switch, you will likely see spanning tree frames or equivalent.


                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.