DHCP over filtering bridge stopped working after upgrade to 2.8.0
We have pfSense set up as a filtering bridge. So, as per the documentation, we created a bridge and then set the two system tunables:

net.link.bridge.pfil_member = 0
net.link.bridge.pfil_bridge = 1
The bridge member interfaces are enabled but unconfigured, the bridge interface gets an IPv4 address via DHCP (as it turns out this is part of the problem we'll get to later).
On the network there are DHCP servers on one side of the bridge, and DHCP clients on the other side of the bridge. We created a rule to allow DHCP discoveries by allowing UDP traffic with source port 68 and destination port 67. This worked fine up to and including version 2.7.2. After upgrading to 2.8.0, however, clients on the other side of the bridge stopped receiving DHCP offers. After running some packet capture diagnostics on the two member interfaces I could see that the DHCP discovery packets make it out of the bridge. The DHCP offers, however, come in but don't make it through the bridge. DHCP for the bridge interface itself still works fine.
After inspecting the rules in /tmp/rules.debug I found the following automatically added block rule:

block out quick proto udp from any port = 67 to any port = 68 tagged "dhcpin" ridentifier 1000000451 label "Prevent routing dhcp responses"

which led me to the change where this was introduced.
Thanks to @jimp for pointing me in the right direction. After reconfiguring the bridge interface with a static IP address, DHCP traffic on the bridge interface is no longer tagged as dhcpin and therefore no longer blocked.
Maybe this could be worth adding to the bridge documentation?
Another thing I noticed: at https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html#ethernet-rules-on-bridge-interfaces the tunable net.link.bridge.ipfw is mentioned. While debugging the problem I came across that and thought for a moment that it fixed the problem. But as it turns out, setting this tunable to 1 will reset net.link.bridge.pfil_bridge to 0, effectively disabling all firewall rules on the bridge interface.
From the FreeBSD manual:
net.link.bridge.ipfw [...] When ipfw is enabled, pfil_bridge and pfil_member will be disabled so that IPFW is not run twice; these can be re-enabled if desired.
I think this is definitely something worth mentioning in the linked paragraph of the documentation.
Anyway, I hope this helps others who might run into this issue after upgrading to 2.8.0.
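As an added check, not part of the original post or of pfSense itself: the script below takes FreeBSD `sysctl net.link.bridge` style output ("name: value" lines) and a /tmp/rules.debug style ruleset on stdin, and reports the two conditions described above, namely ipfw=1 silently turning pfil_bridge off, and the presence of the automatically added "dhcpin" block rule that drops DHCP offers on the bridge. The sample inputs are constructed to mirror the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes FreeBSD/pfSense
# `sysctl net.link.bridge` output ("name: value", one tunable per line).

# Return 0 if the tunables match the working filtering-bridge setup from the
# post (pfil_member=0, pfil_bridge=1, ipfw=0); print each problem and return 1
# otherwise. ipfw=1 is called out explicitly because enabling it resets
# pfil_bridge and pfil_member to 0, which disables filtering on the bridge.
check_bridge_tunables() {
    member= bridge= ipfw= rc=0
    while IFS= read -r line; do
        case "$line" in
            net.link.bridge.pfil_member:*) member=${line##*: } ;;
            net.link.bridge.pfil_bridge:*) bridge=${line##*: } ;;
            net.link.bridge.ipfw:*)        ipfw=${line##*: } ;;
        esac
    done
    if [ "$ipfw" = "1" ]; then
        echo "net.link.bridge.ipfw=1: pfil_bridge and pfil_member are reset to 0"
        rc=1
    fi
    if [ "$bridge" != "1" ]; then
        echo "net.link.bridge.pfil_bridge is '${bridge:-unset}', expected 1"
        rc=1
    fi
    if [ "$member" != "0" ]; then
        echo "net.link.bridge.pfil_member is '${member:-unset}', expected 0"
        rc=1
    fi
    return $rc
}

# Return 0 if a rules.debug style ruleset on stdin contains the automatically
# added rule (seen on 2.8.0 when the bridge interface itself is a DHCP client)
# that drops DHCP offers tagged "dhcpin"; return 1 if it is absent.
has_dhcpin_block() {
    grep -q 'block out quick proto udp from any port = 67 to any port = 68 tagged "dhcpin"'
}

# Constructed sample input resembling the situation in the post.
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw: 1'
SAMPLE_RULES='pass in quick proto udp from any port = 68 to any port = 67
block out quick proto udp from any port = 67 to any port = 68 tagged "dhcpin" ridentifier 1000000451 label "Prevent routing dhcp responses"'

printf '%s\n' "$SAMPLE_SYSCTL" | check_bridge_tunables || echo "bridge filtering is off"
printf '%s\n' "$SAMPLE_RULES" | has_dhcpin_block && echo "DHCP offers are blocked on the bridge"
```

On a live box, feed it `sysctl net.link.bridge` and `cat /tmp/rules.debug` instead of the samples.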