Netgate Discussion Forum

    Unexpected bridge behaviour

    Firewalling
    5 Posts 2 Posters 2.3k Views
    prodius

      I use pfsense 1.0.1, it's a clean install.

      When I start, the LAN has IP 192.168.1.80. I give the WAN IP 192.168.1.81 and put LAN into bridge with WAN. I can ping and browse to the config on both IPs, the bridge is functional (no filtered bridge). My laptop is on a switch on the LAN side.

      From previous posts I concluded that the WAN has a higher weight in a bridge, so the bridge gets the ip from WAN and the ip from LAN is ignored. But why can I still use the LAN ip? When I change the LAN ip to something meaningless like 1.2.3.4/31, the bridge is functional, but I can't ping/browse anymore to the 192.168.1.81, ifconfig on the shell states that the bridge has no ip whatsoever, even after a reboot.

      update: block private ip is off, my source (not that recent though): http://forum.pfsense.org/index.php/topic,252.0.html
      update: setting WAN and LAN ip to the same works also, this seems to be the best solution right now

      Second thing: filtered bridge mode.
      I have a pass all rule on WAN and LAN, when filtered bridge is activated, nothing works. Do I need to change something else too?

      cat /tmp/rules.debug | grep USER

      pass in quick on $lan from any to any keep state  label "USER_RULE: Default LAN -> any"
      pass in quick on $wan from any to any keep state  label "USER_RULE"

      Günther

    trendchiller

        Hi !

        so did you read the tutorial ? ;-)

        http://pfsense.trendchiller.com/transparent_firewall.pdf

        but, your steps were all right, should be working, perhaps the behaviour with the bridge has changed…
        i had my bridge ip not changed and it worked... normally the bridge ip is the wan ip. I cannot test by now since i'm not running any bridge anymore atm.

        setting both ips to the same can confuse bsd, but also worked a long time for me...

        In a filtering bridge environment you have to pass all from LAN -> WAN and vice versa, then test if the traffic flows...
        after that you should disallow or allow certain services and test again...

        But read the tutorial, perhaps it helps you a bit more...
        since there's no bridge cfg atm here... sorry...

    prodius

          Yep, I followed the tutorial.

          I hope someone from the dev team can test/confirm my findings, because the information in the tutorial and forum is from a time ago and much has changed since then. If someone else with 1.0.1 running a filtered bridge has some input, feel free.

          Worst problem atm is the filtered bridge mode. I can't get a single bit through with pass all filters on LAN and WAN. It's a bit frustrating right now  :-\

    prodius

            It's getting stranger by the hour.

            I put the pfsense in filtered bridge with a pass all rule on WAN and LAN with logging on. I see things going through (I'm .143), but it seems it doesn't come back. My xmms playing a stream from the internet kept on playing… but I had to disable the filtered bridge to post this message.

            v Dec 15 14:09:01 LAN 192.168.1.143:42672 192.168.1.90:22 TCP
            (replaced green icon with "v")

            Did some tests with ssh to a server on the other side of the bridge. Without filtering bridge I see a normal tcpdump, with I see this (and only this):
            15:09:54.050537 arp who-has 192.168.1.90 tell 192.168.1.143

            I'm taking the firewall back home to test it in a different environment.

    prodius

              I get a filtered bridge working when I replace the content of /tmp/rules.debug with

              pass in  quick on fxp1 all
              pass out quick on fxp1 all
              pass in  on fxp0 all
              pass out on fxp0 all

              It seems that something is wrong with the generated rules.

              update, yes, found something:

              nat on $wan from 192.168.1.0/24 to any -> (fxp0)
              in the FTP PROXY part of rules.debug.

              Found the solution in the NAT section - outbound, here you have advanced nat. Check this and remove the NAT rule below.

              I'm glad I found it.

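As an added example (not code from the thread or from pfSense), here is a small Python check that scans a rules.debug-style file for `nat on` rules that would rewrite traffic from the bridged subnet on a bridge member interface, which is the condition prodius found in the FTP proxy section. The macro names, interface names and the sample lines are constructed to mirror what the thread quotes.

```python
import ipaddress
import re

# Constructed sample of the relevant lines of a pfSense-style /tmp/rules.debug.
# Macro and rule forms follow what the thread quotes; the values are assumptions.
SAMPLE_RULES_DEBUG = """\
wan = "fxp0"
lan = "fxp1"
# FTP Proxy
nat on $wan from 192.168.1.0/24 to any -> (fxp0)
pass in quick on $lan from any to any keep state  label "USER_RULE: Default LAN -> any"
pass in quick on $wan from any to any keep state  label "USER_RULE"
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]+)"\s*$')
NAT_RE = re.compile(r'^\s*nat\s+on\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)\s+->\s+(\S+)')


def parse_macros(text):
    """Collect pf macro definitions (e.g. wan = "fxp0") so $wan can be resolved."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def resolve(token, macros):
    """Expand a $macro token to its value; other tokens are returned unchanged."""
    return macros.get(token[1:], token) if token.startswith("$") else token


def find_bridge_breaking_nat(text, bridged_subnet, bridge_ifaces):
    """Return (line_no, rule) for every nat rule that would translate traffic
    from the bridged subnet as it leaves a bridge member interface."""
    net = ipaddress.ip_network(bridged_subnet)
    macros = parse_macros(text)
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = NAT_RE.match(line)
        if not m or resolve(m.group(1), macros) not in bridge_ifaces:
            continue
        try:
            src_net = ipaddress.ip_network(m.group(2), strict=False)
        except ValueError:
            src_net = None  # 'any', a table or other non-CIDR source: flag conservatively
        if src_net is None or src_net.overlaps(net):
            hits.append((no, line.strip()))
    return hits
```

Run against a real rules.debug with the bridge's subnet and the two member interfaces; any hit is a candidate for the advanced outbound NAT fix described in the post.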
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.