Bridge mode and WAN/LAN rules do not work

  • Hi,
    I use pfSense 1.2.3-RELEASE configured in bridge mode.

    I am testing bridge mode and I have a situation like this:

    pfSense IP = wan.ip (bge0) / lan.ip (bge1) (but in bridge mode it has to use only wan.ip)
    server IP = srv.ip
    my IP = my.ip
    internet gw =

    • pfSense in bridge mode is connected on both NICs to a Cisco 2960 switch

    • the server is connected to another 2960 switch, uplinked, and set up with the WAN IP of pfSense as its gateway.

    After I add a LAN rule that ALL can go outside and a WAN rule that the server must have port 22 open to all, only the LAN rule works fine for outgoing traffic; for incoming traffic nothing works, just ICMP.

    On the shell I can see my rules:

    @38 pass in quick on bge0 reply-to (bge0 inet from my.ip to any flags S/SA keep state label "USER_RULE: Damned"
      [ Evaluations: 101      Packets: 40        Bytes: 23746      States: 1    ]
      [ Inserted: uid 0 pid 2689 ]

    @39 pass in quick on bge1 all flags S/SA keep state label "USER_RULE: LAN ALL"
      [ Evaluations: 100      Packets: 167      Bytes: 13630      States: 3    ]
      [ Inserted: uid 0 pid 2689 ]


    @45 block drop in log quick all label "Default deny rule"
      [ Evaluations: 97        Packets: 97        Bytes: 5166        States: 0    ]
      [ Inserted: uid 0 pid 2689 ]
    @46 block drop out log quick all label "Default deny rule"
      [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: uid 0 pid 2689 ]

    When I try to access srv.ip from my.ip I can see this message in System Logs > Firewall:

    @48 block drop in log quick all label "Default deny rule"

    I also checked "bypass firewall rules for traffic on the same interface" but nothing works.

    So, my questions are:

    1. Why are my custom rules not applied even though they are present?

    2. Why does rule @48 block everything when on the shell there is NO @48, only up to @46?

    Waiting for your reply

    Best regards
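As an added example (not from the original post and not pfSense's own tooling), here is a small Python parser for the `pfctl -vvsr`-style listing shown above. It reads the rule headers and their counter lines, looks up the rule number that appears in a firewall log line, and, when that number is not in the loaded ruleset, reports which loaded rules carry the same label. pf numbers rules by their position in the loaded ruleset, so a logged number that no longer exists usually means the ruleset was regenerated between the log entry and the listing; matching on the label is the robust way to relate the two. The sample input is the listing and the log line from the post, reproduced inline; the function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the pfctl listing from the post above, reproduced inline.
PFCTL_OUTPUT = """\
@38 pass in quick on bge0 reply-to (bge0 inet from my.ip to any flags S/SA keep state label "USER_RULE: Damned"
  [ Evaluations: 101      Packets: 40        Bytes: 23746      States: 1    ]
  [ Inserted: uid 0 pid 2689 ]
@39 pass in quick on bge1 all flags S/SA keep state label "USER_RULE: LAN ALL"
  [ Evaluations: 100      Packets: 167      Bytes: 13630      States: 3    ]
  [ Inserted: uid 0 pid 2689 ]
@45 block drop in log quick all label "Default deny rule"
  [ Evaluations: 97        Packets: 97        Bytes: 5166        States: 0    ]
  [ Inserted: uid 0 pid 2689 ]
@46 block drop out log quick all label "Default deny rule"
  [ Evaluations: 0        Packets: 0        Bytes: 0          States: 0    ]
  [ Inserted: uid 0 pid 2689 ]
"""

# The rule line as it showed up in System Logs > Firewall in the post.
LOGGED_RULE_LINE = '@48 block drop in log quick all label "Default deny rule"'

# "@NN action [drop|return] direction <rest>"; the rest holds interface, label, etc.
HEADER_RE = re.compile(r'^@(\d+)\s+(pass|block|match)\s+(?:drop\s+|return\s+)?(in|out)\b(.*)$')
COUNTER_RE = re.compile(
    r'\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)')
IFACE_RE = re.compile(r'\bon\s+(\S+)')
LABEL_RE = re.compile(r'label\s+"([^"]*)"')


@dataclass
class Rule:
    number: int
    action: str
    direction: str
    iface: Optional[str]      # None for rules without "on <if>" (they apply to all)
    label: Optional[str]
    evaluations: int = 0
    packets: int = 0
    byte_count: int = 0
    states: int = 0


def parse_rules(text: str) -> List[Rule]:
    """Parse rule headers and the counter line that follows each one."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            rest = m.group(4)
            iface = IFACE_RE.search(rest)
            label = LABEL_RE.search(rest)
            rules.append(Rule(int(m.group(1)), m.group(2), m.group(3),
                              iface.group(1) if iface else None,
                              label.group(1) if label else None))
            continue
        c = COUNTER_RE.search(line)
        if c and rules:  # counters belong to the most recent header
            r = rules[-1]
            r.evaluations, r.packets, r.byte_count, r.states = map(int, c.groups())
    return rules


def find_rule(rules: List[Rule], number: int) -> Optional[Rule]:
    return next((r for r in rules if r.number == number), None)


def rules_for_interface(rules: List[Rule], iface: str) -> List[Rule]:
    """Rules bound to one interface plus the interface-less ones, in pf order."""
    return [r for r in rules if r.iface in (iface, None)]


def explain_logged_rule(rules: List[Rule], log_line: str) -> Tuple[int, Optional[Rule], List[int]]:
    """Return (logged number, matching loaded rule or None, other loaded rules with the same label)."""
    m = HEADER_RE.match(log_line.strip())
    if not m:
        raise ValueError("not a pf rule line: " + log_line)
    number = int(m.group(1))
    label_m = LABEL_RE.search(m.group(4))
    label = label_m.group(1) if label_m else None
    same_label = [r.number for r in rules
                  if label is not None and r.label == label and r.number != number]
    return number, find_rule(rules, number), same_label


if __name__ == "__main__":
    loaded = parse_rules(PFCTL_OUTPUT)
    for r in rules_for_interface(loaded, "bge0"):
        print(f"@{r.number} {r.action} {r.direction} on {r.iface or 'any'}: "
              f"packets={r.packets} states={r.states} label={r.label!r}")
    num, rule, same = explain_logged_rule(loaded, LOGGED_RULE_LINE)
    if rule is None:
        print(f"@{num} is not in the loaded ruleset; rules with the same label: {same}")
```

Running it against the post's listing reports that @48 is absent and that the loaded rules carrying the label "Default deny rule" are @45 and @46, which is the check to make before trying to reason about a rule number taken from the log.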

  • Can you post a diagram showing what you're talking about, ideally with the actual IP addresses and netmasks.

    It would help if you were also to post screenshots of both the WAN and LAN firewall rules.  Without both the real IP addresses and netmasks and the screenshots it will be very hard to help you.

  • Hi,
    I received an answer on the mailing list, so I can consider this problem closed.

    The answer was:

    "You can't do that with a bridge, a bridge is transparent. The gateway
    must be something upstream. If you want a setup like that, you need to
    set it up to properly route so the gateway is on an inside interface."

    Thanks anyway
