No Outbound Client Traffic Behind Bridge



  • Hello,

I have a transparent bridge set up using 1.2.3-RC3 as follows:

    WAN: 209.123.147.126/25
    LAN: 209.123.147.125/25 (bridged to WAN)

    WAN is plugged into a switch that has ports 1/2 partitioned into an untagged VLAN1. Port 1 is my upstream gateway (209.123.147.1) and port 2 is the pfSense WAN. I can ping out to anywhere on the internet from the pfSense console. LAN is plugged into port 6. Ports 3/4/5/6 are partitioned into an untagged VLAN2 on the same switch. I have not configured VLANs on pfSense.

    pfSense can ping any device on the 209.123.147.0/25 network and they can all ping both the WAN and LAN interfaces of the pfSense box. However, no device can ping the upstream gateway 209.123.147.1 except pfSense.

    I created a WAN rule for web management and to ping the pfSense box and I can access it over the internet. I also created a forward all rule for my IP and logged it, so I see pfSense passing traffic from the WAN to the internal destination IP (209.123.147.5 for example), but I can't communicate because the machines can't pass traffic back out. When I attempt to ping the upstream gateway from an internal machine, I receive a "Destination Unreachable" error from the IP of the NIC.

    I'm lost. I've restored to factory defaults and started over following the Trendchiller guide, but it's still not working. If I move a port 3/4/5 device to VLAN1, they can immediately access the gateway. It's when pfSense is in between they can't.



  • I don't think both interfaces should have IP addresses (certainly not different ones?)



  • @danswartz:

    I don't think both interfaces should have IP addresses (certainly not different ones?)

    Hello Dan,

    Thanks for the reply. The GUI requires an IP on both interfaces. I've tried assigning a bogus 192.168.2.x address to the LAN interface, but that didn't change the behavior, even after a server reboot. I'll give it a shot one more time for kicks. (Changed it to 10.9.0.1, still no go.)

    I'm really at a loss, as I've set pfsense up as a transparent bridge numerous times with no issue.



  • This does not sound right.  I bridged my wireless with the LAN (and vice-versa) and did not have to provide an IP for the wifi.



  • @danswartz:

    This does not sound right.  I bridged my wireless with the LAN (and vice-versa) and did not have to provide an IP for the wifi.

    You don't have to provide an IP for an optional interface (your wifi), but you do for the WAN and LAN interfaces.

    Just to add a little more info, unless someone has another suggestion or perhaps some insight as to why this won't work with my VLAN setup, I've given up. Although I really want this to work as I'm not sure what other than a Linux box using bridge utils will do what I need.



  • I'm going to ask my datacenter to move the upstream cable off the switch and directly onto bge1 (WAN), thus removing the VLAN and placing my 3 LAN devices and the pfSense LAN NIC all on the same VLAN. Hopefully the cable is long enough.



  • good luck, let us know how it goes…



  • Ok, the problem I started this thread for was an incompatibility between my Broadcom NIC and my provider's Cisco. I have that resolved, but now I'm experiencing another issue that is still related to the subject.

    I have a VPN server behind my pfSense box. pfSense is in bridge mode and not performing NAT. External clients make an inbound PPTP connection through pfSense to the VPN server and are assigned a private IP in the 10.8.0.x range. This range is 1:1 NAT'd to a public range by the VPN server.

    I can make inbound VPN connections, but when I do, the client is unable to get back out to the internet. This works perfectly without pfSense in line. If I try to ping Google for example, I see two states in the pfSense logs:

    icmp 64.233.169.147:256 <- 209.123.147.125 0:0 
    icmp 209.123.147.125:256 -> 64.233.169.147 0:0

    209.123.147.125 is 1:1 NAT'd (on the VPN server, not pfSense) to 10.8.0.125. On the VPN server I see outbound states/sessions, but no inbound traffic.

    The VPN server and the pfSense box can both access the internet fine.

    Any ideas? Should I put pfSense into NAT mode and use it to perform the 1:1 NAT'ing?
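The two state entries quoted above are the main evidence in this post, and reading them correctly depends on pf's display convention: an outbound state is printed as "source -> destination", while an inbound state is printed the other way round, "destination <- source". The parser below, which is an added example written for this thread and not code from pfSense or from the poster, normalises both forms into one flow record and then checks which flows have been seen as both the inbound state on one bridge member and the outbound state on the other, as the two quoted states show for the ping from 209.123.147.125 to 64.233.169.147. The third sample line is constructed here to show a flow that is missing its other half.

```python
"""Normalise pf state-table lines (as shown in the pfSense states view) into flow
records and pair up the inbound ("<-") and outbound ("->") halves of each flow.

Display convention assumed (pfctl's state printer): for an outbound state pf prints
"src -> dst", for an inbound state "dst <- src"; ports follow the address after ':',
and the line ends with the src:dst state pair (e.g. "0:0").
"""
import re
from collections import defaultdict
from dataclasses import dataclass

STATE_RE = re.compile(
    r"^(?P<proto>\w+)\s+"
    r"(?P<left>[\d.]+)(?::(?P<lport>\d+))?\s+"
    r"(?P<arrow><-|->)\s+"
    r"(?P<right>[\d.]+)(?::(?P<rport>\d+))?\s+"
    r"(?P<sstate>\d+):(?P<dstate>\d+)\s*$"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str        # host that sent the packet which created the state
    dst: str        # host the packet was addressed to
    direction: str  # "in" or "out", relative to the interface holding the state


def parse_state(line):
    """Parse one state line; raise ValueError on anything that does not match."""
    m = STATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised state line: {line!r}")
    left, right = m.group("left"), m.group("right")
    if m.group("arrow") == "->":
        # outbound state: printed as source -> destination
        return Flow(m.group("proto"), left, right, "out")
    # inbound state: printed as destination <- source
    return Flow(m.group("proto"), right, left, "in")


def group_flows(lines):
    """Map (proto, src, dst) to the set of directions in which that flow was seen."""
    seen = defaultdict(set)
    for line in lines:
        f = parse_state(line)
        seen[(f.proto, f.src, f.dst)].add(f.direction)
    return dict(seen)


def bridged_both_ways(lines):
    """On a filtering bridge a forwarded packet leaves an inbound state on the member
    it entered and an outbound state on the member it left (the two quoted states).
    Return the flows with both halves present and those with one half missing."""
    grouped = group_flows(lines)
    complete = [k for k, d in grouped.items() if d == {"in", "out"}]
    partial = [k for k, d in grouped.items() if d != {"in", "out"}]
    return complete, partial


# Constructed sample: the two states quoted in the post, plus a one-sided state
# made up here to show what a flow missing its other half looks like.
SAMPLE_STATES = [
    "icmp 64.233.169.147:256 <- 209.123.147.125 0:0",
    "icmp 209.123.147.125:256 -> 64.233.169.147 0:0",
    "icmp 209.123.147.126:256 -> 64.233.169.147 0:0",
]

if __name__ == "__main__":
    complete, partial = bridged_both_ways(SAMPLE_STATES)
    print("seen on both bridge members:", complete)
    print("seen on one side only:", partial)
```

Both quoted lines collapse to the single flow icmp 209.123.147.125 -> 64.233.169.147, once as "in" and once as "out", which is what a packet successfully crossing the bridge looks like; what the states do not show is an echo reply coming back, so the return path is where to keep looking.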



  • Bump. Any ideas at all?



  • Without looking too closely, I can only say that PPTP is not a very NAT-friendly VPN, since the traffic uses GRE, which has no port numbers.  This can be problematic.
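To make the point about GRE concrete: a port-overloading NAT (NAPT, what most home and edge firewalls do) tells returning packets apart by the port it rewrote on the way out, and GRE (IP protocol 47, which carries PPTP's tunnel data) has no port field to rewrite. The model below is an added illustration written for this thread, not pfSense code and not a real translator; it keys its table on the usual (protocol, remote host, remote port, public port) tuple and shows that two internal clients reaching the same PPTP server produce distinct TCP 1723 mappings but collide on GRE. Real translators that support this use a PPTP-aware helper that tracks the GRE call ID, which the model deliberately leaves out. Note that a 1:1 NAT, where each internal host owns a whole public address, does not depend on ports at all, so this limitation does not apply to it.

```python
"""Minimal NAPT model showing why GRE (and therefore PPTP) is awkward to port-overload.

Constructed example: the addresses are documentation ranges, not the ones in the
thread, and the translator is a toy with only the return-path lookup modelled.
"""
from itertools import count


class Napt:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self._next_port = count(40000)
        # (proto, remote_host, remote_port, public_port) -> (internal_host, internal_port)
        self.table = {}

    def outbound(self, proto, int_host, int_port, ext_host, ext_port):
        """Install the mapping a packet from int_host to ext_host would create and
        return the key later used to find it on the way back in."""
        if proto in ("tcp", "udp"):
            pub_port = next(self._next_port)   # a fresh public port per flow
        elif proto == "gre":
            pub_port = None                    # GRE: no port field to rewrite
        else:
            raise ValueError(f"unsupported protocol {proto!r}")
        key = (proto, ext_host, ext_port, pub_port)
        owner = self.table.get(key)
        if owner is not None and owner != (int_host, int_port):
            # Return traffic for this key could belong to either host; the toy
            # refuses rather than silently breaking one of the two sessions.
            raise LookupError(f"{proto} return path for {ext_host} already owned by {owner}")
        self.table[key] = (int_host, int_port)
        return key

    def inbound(self, proto, ext_host, ext_port, pub_port):
        """Look up which internal host a packet arriving from outside belongs to."""
        return self.table.get((proto, ext_host, ext_port, pub_port))


def pptp_clients_through_napt(nat, clients, server):
    """Walk each client through a PPTP setup (TCP control channel to port 1723, then
    the GRE data channel) and report which clients end up with a usable GRE mapping."""
    ok, blocked = [], []
    for i, host in enumerate(clients):
        nat.outbound("tcp", host, 50000 + i, server, 1723)   # control channel: fine
        try:
            nat.outbound("gre", host, None, server, None)     # data channel: no ports
            ok.append(host)
        except LookupError:
            blocked.append(host)
    return ok, blocked


if __name__ == "__main__":
    nat = Napt("203.0.113.1")
    good, bad = pptp_clients_through_napt(nat, ["10.0.0.2", "10.0.0.3"], "198.51.100.9")
    print("GRE mapping installed for:", good)
    print("GRE mapping refused for:", bad)
    print("GRE from server goes to:", nat.inbound("gre", "198.51.100.9", None, None))
```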



  • The puzzling part is this worked perfectly fine until pfSense was placed in-line. The PPTP connection from client to PPTP server isn't being NAT'd either.



  • no idea, sorry :(



  • @danswartz:

    no idea, sorry :(

    That makes two of us. :)

    Thanks for the reply.



  • I made a few tweaks on the VPN server (added another NIC and assigned the 1:1 NAT addresses to that NIC) and it's working.

