Netgate Discussion Forum

    System Tunables and Rules

    eshield

      Hello, guys.

      Who can explain to me how (net.link.bridge.pfil_member, net.link.bridge.pfil_bridge) affect filtering, and do they have any effect at all? I've been playing with these tunables for a while and … it seems I can't figure out how they work in pfSense!

      The FreeBSD man page says that (0, 0) disables any filtering on the bridge and member interfaces but, in fact, it doesn't! At least not in pfSense. Or maybe I'm missing something and these tunables have nothing to do with rules?

      Currently, the tunables are set to (0, 1). I've removed all rules from the member interfaces and added them to the bridge. "Log packets matched from the default block rules put in the ruleset" is on:
      Multicasts are being blocked despite net.link.bridge.pfil_member being set to 0!

      Damn, for the last few weeks I've been trying to create a totally transparent distributed network based on OpenVPN connectivity. Connectivity between sites should be as native as it can be for any PC from any network. That means broadcasts and multicasts should be working like a Swiss clock! "Allow any" rules on the bridge and members are doing their job well, but I want to use as minimal a set of rules as possible …

      Harvy66

        I know I had to change my VPN type to a TAP or something in order to get broadcasts to work. I forget exactly, but look into that general subject area.

        eshield

          @Harvy66:

          I know I had to change my VPN type to a TAP or something in order to get broadcasts to work. I forget exactly, but look into that general subject area.

          Yeah, only TAP in such a cfg. My current cfg is totally L2 based. That means there are not even IP addresses on the ovpn interfaces at the server and clients. As I wrote above, with "Pass any" rules on the bridge and ovpn ifaces everything is working as expected, but it counts as double filtering … and that double filtering bothers me.

          The question is why tunables aren't working as expected or my expectations are wrong ...

          dotdash

            IIRC, you have to either filter on the interfaces or on the bridge itself. By default it filters on the interfaces. If you assign the bridge as an interface and want to filter on that and not on the member interfaces, you need to change pfil_bridge to 1 and pfil_member to 0.

            Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.