[INFO] How to filter between member interfaces on a bridge, and IPsec
Hi! I just wanted to share some experience I had recently:
I'm running 2.0.3 with an Atheros card as a hotspot. I wanted to:
- Have two separate SSIDs, one with full LAN access and another "public" one with internet access only
- Keep everything under control of my HFSC shaper
The only way (as far as I know) to shape multi-LAN properly is to create a bridge and apply the shaper to it. So I bridged my LAN, WLAN and cloned WLAN onto a BRIDGE (how to do that is out of scope of this topic). Applied the shaper to the bridge, and that's it.
Now, there are some system tunables you can play around with:
This has been talked about in the forum several times. Unless you want to filter between interfaces (as I wanted), set bridge to 1 and member to 0, and apply all firewall rules on BRIDGE.
In my case, I set member to 1 and bridge to 0 (as is the default) and expected to apply rules on the member interfaces instead of the bridge. It worked properly. I added the proper block rules on the Public_WLAN interface and it worked fine…
EXCEPT, traffic from Public_WLAN towards an established IPsec tunnel would still pass, no matter what rule I added. Even explicitly blocking all traffic on the interface still allowed this traffic to pass.
After learning all available options to if_bridge, there was one additional tunable I had to add to the mix: net.link.bridge.pfil_local_phys. Manually adding it and setting it to 1 allowed me to filter towards the IPsec tunnel as well. I also enabled net.link.bridge.pfil_onlyip since I don't need anything outside IP, but that's another story.
Although I don't think it's a common scenario, I thought it was worth sharing as I couldn't find it ever discussed on the forum. When reading the description of the tunable it's pretty clear why it helped me, though.
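One way to catch this gap before it bites, as an added sanity check that is not from the original post: a POSIX sh script that reads the output of `sysctl net.link.bridge` and reports whether member-interface filtering also covers traffic to the host itself, such as a locally terminated IPsec tunnel. It assumes the post's "bridge" and "member" tunables are net.link.bridge.pfil_bridge and net.link.bridge.pfil_member; the sample dumps are constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example, not from the original post: audit the if_bridge pfil
# tunables. Input is the text printed by "sysctl net.link.bridge".
# Assumption: the post's "bridge" and "member" tunables are
# net.link.bridge.pfil_bridge and net.link.bridge.pfil_member.

# Value of tunable $2 in the sysctl dump $1; "?" if the line is absent
# (on the poster's version pfil_local_phys had to be added by hand).
tunable() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $1 == (k ":") { print $2; found = 1 }
        END { if (!found) print "?" }'
}

# Prints one verdict word for the combination of the three tunables:
#   BRIDGE_ONLY         member=0, bridge=1: rules go on the bridge itself
#   MEMBER_OK           member=1, bridge=0, local_phys=1 (the post's fix)
#   MEMBER_MISSES_LOCAL member=1, bridge=0, local_phys not 1: rules on the
#                       member interfaces never see traffic addressed to
#                       the host, so the IPsec endpoint stays reachable
#   OTHER               anything else, worth a closer look
bridge_pfil_check() {
    member=$(tunable "$1" net.link.bridge.pfil_member)
    bridge=$(tunable "$1" net.link.bridge.pfil_bridge)
    local_phys=$(tunable "$1" net.link.bridge.pfil_local_phys)
    if [ "$member" = "0" ] && [ "$bridge" = "1" ]; then
        echo BRIDGE_ONLY
    elif [ "$member" = "1" ] && [ "$bridge" = "0" ] && [ "$local_phys" = "1" ]; then
        echo MEMBER_OK
    elif [ "$member" = "1" ] && [ "$bridge" = "0" ]; then
        echo MEMBER_MISSES_LOCAL
    else
        echo OTHER
    fi
}

# Constructed sample dumps (not captured from a real system).
SAMPLE_BEFORE='net.link.bridge.pfil_onlyip: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0'
SAMPLE_AFTER="$SAMPLE_BEFORE
net.link.bridge.pfil_local_phys: 1"
SAMPLE_BRIDGE_ONLY='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_local_phys: 0'

# On a live box: bridge_pfil_check "$(sysctl net.link.bridge)"
echo "before: $(bridge_pfil_check "$SAMPLE_BEFORE")"   # MEMBER_MISSES_LOCAL
echo "after:  $(bridge_pfil_check "$SAMPLE_AFTER")"    # MEMBER_OK
```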