LAN to WAN L2 bridge blocking traffic for non-native WAN subnet



  • I am having a difficulty that makes no sense with a bridged pfSense 2.2.2 setup. I can move traffic back and forth through the bridge on any IP belonging to pfSense's own assigned WAN subnet, but nothing outside of it, and that's confusing. I've done this a million times on SonicWALLs, but it won't work with pfSense for some reason. It's almost as though pfSense is trying to route, not perform a L2 bridge.

    Let me explain a little bit of what I've done…

    I have two WAN subnets I need to pass through pfSense to hosts on the other side. I'm attempting to create a filtering L2 bridge that will allow me to control traffic for the two subnets. It looks something like this:

    216.x.y.z and 97.x.y.z <- WAN Interface -> pfSense L2 Bridge <- LAN Interface -> 216.x.y.z and 97.x.y.z hosts

    I have an ESXi 6.0 host. On that host I have two vSwitches on my ESXi host - one for the public facing side, and one for the internal facing side. My pfSense WAN interface is connected to the public facing vswitch, and the pfSense LAN interface is connected to the internal facing vswitch. Both switches have promiscuous mode enabled.

    Here's what I did (more than once, I might add, thinking I was doing something wrong):

    • Fresh install of pfSense 2.2.2 in ESXi 6.0 virtual machine
    • Walk through setup wizard
    • Set WAN IP to 97.x.y.242/28 with a gateway of 97.x.y.254
    • Set LAN IP to 192.168.1.1/24
    • Log into WebConfiguator
    • Go to Firewall->Rules, add rule to allow management from WAN and allow ping from WAN
    • Log in to WebConfiguator from WAN
    • Go to Firewall->NAT->Outbound and select Disable Outbound NAT Rule Generation
    • Go to Services->DHCP Server->LAN and disable DHCP scope
    • Go to Interfaces->LAN and set IPv4 Configuration Type to None. Do the same for IPv6
    • Go to Interfaces->(Assign)->Bridges, create a new bridge with only the WAN interface in it
    • Go to Interfaces->(Assign)->Add Interface out of my new bridge interface
    • Go to Interfaces->OPT1 and enable the interface
    • Go to Interfaces->(Assign)->Bridges, add LAN to my previously created bridge
    • Go to System->Advanced->System Tunables->net.link.bridge.pfil_bridge and set it to 1

    I can now ping my WAN IP from both of my physical interfaces, thus I'm in bridge mode.

    Let's configure the firewall rules for my 97.x.y.z/28 subnet...

    • Go to Firewall->Aliases, create an alias for my 97.x.y.253 test host
    • Go to Firewall->Rules->WAN, create rule to allow ICMP Echo Request to my test host
    • Ping my test host from an outside machine - success
    • Ping my outside machine from my test host - success

    All looks good.

    Now, let's try a host on my 216.x.y.z/28 subnet and see if that works...

    • Go to Firewall->Aliases, create an alias for my 216.x.y.173 test host
    • Go to Firewall->Rules->WAN, create rule to allow ICMP Echo Request to my test host
    • Ping my test host from an outside machine - fail
    • Ping my outside machine from my test host - fail

    No go. Oh! Fix the LAN rules to allow anything, rather than just the LAN net. Nope. Still no go.

    I even added a firewall rule on the LAN side to explicitly allow my 216.x.y.173 host, but that didn't help (I didn't really expect it to, but it was worth a shot).

    I can see the two 216.x.y.z hosts trying to talk to each other in the Diagnostics->States, but the traffic isn't moving through the pfSense bridge for some reason.

    Isn't this a layer 2 bridge? Those don't care about IPs! Why is this not working?

    And so, here I am, confused. I can't figure out if it's something I did, or just something that needs addressing in the pfSense code.

    One thing that did cross my mind is that I don't see any of the 216.x.y.z IPs in pfSense's ARP table. I see that the PCs on each side of the bridge can see the MAC of the PC on the other side, but pfSense seems be ignoring the ARPs. It does list the 97.x.y.z hosts, however. Maybe this is the issue?

    Any ideas would be appreciated.

    Thanks!


  • Banned

    What WAN/LAN rules? Your LAN is (properly) set to None/None. How could any FW rules possibly match anything like "LAN net" there?

    • net.link.bridge.pfil_member should be set to 0
    • and all your rules would go to the bridged interface ONLY.


  • @doktornotor:

    What WAN/LAN rules? Your LAN is (properly) set to None/None. How could any FW rules possibly match anything like "LAN net" there?

    • net.link.bridge.pfil_member should be set to 0
    • and all your rules would go to the bridged interface ONLY.

    I agree on the "LAN Net" rule. It was left over from the initial install, before I disabled all the NAT stuff.

    I set net.link.bridge.pfil_member to 0, then deleted all of my firewall rules for LAN, WAN, and my Bridge (which was already empty), so I could move my rules to the Bridge interface. My rules to internal hosts on both of my WAN subnets worked as expected now - thank you! I would have been doing trial and error forever until I just happened to stumble onto the net.link.bride.pfil_member setting and putting my rules on the bridge interface eventually.

    The only rule that needed to be set on the WAN interface is the allow for ICMP Echo Request, so I can ping the WAN address of pfSense. All of the rest of my host-specific rules are happy on the Bridge interface.

    So happy! Thank you!



  • One more quick question, if you don't mind.

    I can't seem to get to the WebConfigurator interface from the hosts on the private side of the bridge no matter what rule I set. I can from the public side with my HTTPS allow rule on the WAN interface, but the same rule on the bridge interface doesn't seem to do the trick. I'm missing something, it seems.

    Edit: I figured it out. It needs to be on the LAN interface for my pfSense's native WAN subnet, and on the WAN for my internal hosts that are on my non-native WAN subnet (which will bounce out to the ISP's router, then back in via the WAN interface).  :)