Netgate Discussion Forum

    Issues with firewalling & bridging

    Firewalling | 23 Posts, 4 Posters, 1.6k Views
    • maverickws @mytsuu
      last edited by maverickws

      @mytsuu hi there,

      Well, looking at your post, it does look at least a bit similar. You're also bridging two interfaces, an internal and an external one, and trying to pass traffic through it.

      I have to say that in my example

      opt1 (external)---¡
                        |
                        | bridge0
                        |
      opt2 (internal)---!
      

      putting the config on the internal (opt2) interface didn't sound that bad either.
      I would (in my mind) put an opt2 network to any rule on the firewall at the opt2 interface, and rules for incoming traffic at opt1 ...

      My problem is, I did test that already and also failed miserably.

      I've been killing my head trying to figure out why this isn't working. In the end it feels like it should be a simple task. Like, let's say your ISP router allows bridging: you enable the bridge and voila, you get connectivity directly to the outside when you connect to the bridged port. I've been wondering "should the bridge0 interface be unassigned?" That doesn't feel right either; if an interface isn't assigned and enabled, how could it work?

      The truth is, I mean, the strong suit of pfSense is being a firewall ... so how is it so hard and user-unfriendly to configure it as a firewall without routing?

      • maverickws
        last edited by

        Ok so... got it working.

        Actual config is:

        opt1 (external)---¡
                          |
                          | bridge0
                          |
        opt2 (internal)---!
        

        opt1 and opt2 have IP config set to none.
        bridge0 has IP config and DHCP server enabled.

        I changed pfil_bridge to 1 while keeping pfil_member at 1:

        net.link.bridge.pfil_member: 1
        net.link.bridge.pfil_bridge: 1
        

        Traffic started flowing, with rules for incoming traffic set at the OPT1 interface. Adding rules at the OPT1 interface does control access to hosts on OPT2.
        I also added an any to any rule on the OPT2 interface.

        • maverickws
          last edited by maverickws

          Ok ... so I wasn't very happy with having the two tunables set to one and felt like something was off, so I decided to redo the configuration.
          I removed all configs from all interfaces, removed the bridge0 interface, deleted the bridge, and sat thinking about it for a while.

          The tunable for traffic to be filtered at the member interface makes all the sense to me.
          I put WAN-side rules on the OPT1 interface, and an OPT1_net to any rule on the OPT1 interface. OPT1 and OPT2 are bridged, so the DHCP server configured at OPT1 will send broadcasts to all members.

          So I did that. Configured the /28 on the OPT1 interface, enabled and configured the DHCP server. I also set net.link.bridge.pfil_bridge back from 1 to 0.

          On the firewall I added a rule with OPT1 net to any on the OPT2 interface.

          After configuring OPT1 and the DHCP server, I created a new bridge with OPT1 and OPT2, assigned it to a new interface and enabled it.

          After that and inspecting the traffic I saw two things:

          1. a rule was needed at OPT2 to allow DHCP traffic;
          2. the bridge interface was actively blocking traffic even though the tunable is set to zero.

          Just to make sure, I enabled the DHCP rule on OPT2 first and waited to see if it would still be blocked on the bridge, and it was. So it seems like the option for the bridge doesn't work very well, or didn't here. But anyway, after allowing any to any on the bridge, everything is working.

          So the final config is:

          opt1 (external)---¡ -> Static IP & DHCP Server enabled
                            |
                            | bridge0 -> firewall allow any to any
                            |
          opt2 (internal)---! -> Allow DHCP traffic and OPT1_net to any
          
          or more granular if preferred. Other rules go on the OPT1 interface like normal.

          In the end I don't know why I overcomplicated it, because the final config seemed fairly simple; not sure what was missed before.

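A small shell helper, added here as an example and not part of the thread or of pfSense, that turns the two net.link.bridge tunables the posts above toggle into the set of interfaces on which a pass rule has to exist for a frame to cross the bridge. It follows the documented FreeBSD semantics (pfil_member filters on the member interfaces, pfil_bridge filters on the bridge interface). The interface names opt1/opt2/bridge0 are taken from the poster's diagram, and the sysctl lines are a constructed sample, not captured output.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): classify where pf evaluates
# rules for bridged traffic from the two FreeBSD bridge tunables, and list the
# interfaces that consequently need pass rules. Interface names come from the
# thread's diagram; everything else here is an assumption for illustration.

# bridge_filter_scope PFIL_MEMBER PFIL_BRIDGE
# Prints: member, bridge, member+bridge, or none.
bridge_filter_scope() {
  case "$1$2" in
    10) echo "member" ;;
    01) echo "bridge" ;;
    11) echo "member+bridge" ;;
    00) echo "none" ;;
    *)  echo "invalid"; return 1 ;;
  esac
}

# interfaces_needing_rules SCOPE
# Prints the interfaces where a pass rule is required for a frame to cross the
# bridge. 'none' means pf never sees bridged frames: they are forwarded
# unfiltered, which is the setting a defender must never leave in place.
interfaces_needing_rules() {
  case "$1" in
    member)        echo "opt1 opt2" ;;
    bridge)        echo "bridge0" ;;
    member+bridge) echo "opt1 opt2 bridge0" ;;
    none)          echo "" ;;
    *)             return 1 ;;
  esac
}

# scope_from_sysctl: reads "key: value" lines in the format 'sysctl
# net.link.bridge' prints on stdin, so it works on live or saved output.
scope_from_sysctl() {
  member=""; bridge=""
  while IFS= read -r line; do
    case "$line" in
      net.link.bridge.pfil_member:*) member="${line##*: }" ;;
      net.link.bridge.pfil_bridge:*) bridge="${line##*: }" ;;
    esac
  done
  if [ -z "$member" ] || [ -z "$bridge" ]; then
    echo "missing"; return 1
  fi
  bridge_filter_scope "$member" "$bridge"
}

# Constructed sample matching the poster's first working configuration
# (both tunables at 1); not real sysctl output.
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1'

# On a pfSense/FreeBSD box, replace the printf with: sysctl net.link.bridge
sample_scope() { printf '%s\n' "$SAMPLE_SYSCTL" | scope_from_sysctl; }

# Stand-alone run: show the scope and the interfaces that need rules.
scope=$(sample_scope)
echo "scope: $scope; rules needed on: $(interfaces_needing_rules "$scope")"
```

With both tunables at 1 the helper reports rules needed on opt1, opt2 and bridge0, which matches the poster's second post where an extra any to any rule on OPT2 was required. The poster's third post observed the bridge still blocking with pfil_bridge at 0, which this table does not predict, so treat the output as the documented expectation and confirm it against the firewall log as the poster did.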
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.