(presuming previous copy was silently dropped. Apologies if this is a
repeat.)
tl;dr: Traffic from the FW itself (e.g. checks for updates) doesn't make
it through the bridge unless I turn off the firewall function
completely. Disabling all "block" rules in the interface does not have
the same effect - traffic from the FW host still fails.
The long story: I am attempting to set up a bridging firewall (which
will eventually be joined by a friend using CARP & STP but that's a
future thing and not relevant to this problem).
I am using pfSense 2.3.1-RELEASE-p5. Per many, many posts on setting up
transparent/bridging/bump-on-the-wire firewalls with pfSense,
net.link.bridge.pfil_bridge is set to 1.
Background: (attached graphic shows this better than words can).
FW A has 4 NICs:
LAN (em0) - "management" port at A.B.C.104
SYNC (em1) - "CARP" at XX.YY.ZZ.104
INT (igb1) & EXT (igb0) - "bridge0", no assigned IP addresses
A.B.C.0/24 is a routable network. XX.YY.ZZ.0/24 is RFC1918. There is no
NAT anywhere. Network numbers and gateway addresses are assigned by
central IT and can't be changed.
I expect traffic from FW A itself to go out the LAN port then cross over
INT -> EXT through the firewall before exiting the gateway at A.B.C.100.
Return traffic should obviously return via the reverse of that. I do not
want the LAN connection to be Internet-facing for what should be
fairly obvious reasons.
What I am seeing, however, is massive traffic (up to 500Mb/s) leaving
LAN and showing up on INT but not going anywhere. This is very visible
on the dashboard traffic graphs.
When I go into System -> Advanced -> Firewall & NAT and click "Disable
all packet filtering" traffic from FW A actually makes it out to the
gateway. When I re-enable packet filtering but temporarily disable all
"block" rules on all interfaces ... the problem doesn't go away.
I have a very simple set of rules in place for testing/debugging.
Basically, don't let anyone in, let everyone out. These obviously won't
be the rules for production.
Floating - no rules
SYNC - block bogon networks
       allow everything else
LAN - Anti-Lockout Rule (this will go away later)
      block bogon networks
      allow source * to destination * (this will get much tighter later)
EXT - block bogon networks
      block source * to destination *
INT - block bogon networks
      allow source * to destination *
netstat -in on the firewall shows the correct default route.
Traffic from test hosts placed on the protected network flows exactly as
expected - outbound works, inbound is blocked.
Setting net.link.bridge.pfil_bridge to 0 doesn't appear to change
anything. The firewall still behaves exactly as before (blocking what I
expect it to block, passing what I expect it to pass, and still broken
when it comes to the FW's own traffic). I'm leaving it set to 1 since
that seems to be a common directive.
Setting net.link.bridge.pfil_local_phys to 0 or 1 did not change anything.
Setting net.link.bridge.ipfw to 1 lets all traffic flow freely (as in,
absolutely no firewall function). While this does "fix" the problem in
that traffic from the FW host does flow correctly it isn't exactly a
desirable fix.
Does anyone have any suggestions about the obvious thing I'm missing here?
thanks,
nomad
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
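As an added illustration (not from nomad's post and not pfSense code), the POSIX shell script below models which pf(4) hook points an IP frame crosses when if_bridge(4) forwards it from one bridge member to the other, given the net.link.bridge.pfil_member, pfil_bridge and ipfw sysctls. The hook order (ingress member, bridge interface, egress member) follows if_bridge(4); pfil_local_phys is left out because it only concerns frames addressed to the firewall host itself. The function names, the assumption that pfil_member sits at its default of 1, and the set of interfaces carrying pass rules (read off the rule summary in the post: LAN, SYNC and INT) are mine. In the topology described, the firewall's own packets leave em0 and re-enter the bridge on igb1, so from the bridge's point of view they are forwarded frames like any other and the same hook points apply.

```shell
#!/bin/sh
# Added example (not part of nomad's post or of pfSense): list the pf(4)
# hook points an IP frame passes when if_bridge(4) forwards it from one
# bridge member to the other, given the bridge filtering sysctls.
# Interface names follow the post (INT = igb1, EXT = igb0, bridge0).
# Hook order follows if_bridge(4): ingress member -> bridge -> egress member.

# bridge_hooks PFIL_MEMBER PFIL_BRIDGE IPFW IN_IF OUT_IF [BRIDGE_IF]
# Prints the hooks as "iface/in" and "iface/out" tokens, in the order pf
# evaluates them, or "none" when pf is not consulted at all.
bridge_hooks() {
    member=$1 bridge=$2 ipfw=$3 in_if=$4 out_if=$5 br_if=${6:-bridge0}

    # net.link.bridge.ipfw=1 hands bridged frames to ipfw(4) and turns the
    # pfil_member/pfil_bridge hooks off, so pf never sees them: this is the
    # "absolutely no firewall function" state the post describes.
    if [ "$ipfw" = 1 ]; then
        echo none
        return 0
    fi

    hooks=""
    # Inbound pass: member interface first, then the bridge interface.
    [ "$member" = 1 ] && hooks="$hooks $in_if/in"
    [ "$bridge" = 1 ] && hooks="$hooks $br_if/in"
    # Outbound pass: bridge interface first, then the egress member.
    [ "$bridge" = 1 ] && hooks="$hooks $br_if/out"
    [ "$member" = 1 ] && hooks="$hooks $out_if/out"

    if [ -z "$hooks" ]; then echo none; else echo "${hooks# }"; fi
}

# hooks_without_pass "IF1 IF2 ..." PFIL_MEMBER PFIL_BRIDGE IPFW IN_IF OUT_IF [BRIDGE_IF]
# First argument: interfaces that carry at least one pass rule. Prints every
# hook point outside that set; there pf has only an existing state to match,
# and a frame without one falls through to the ruleset's default deny.
hooks_without_pass() {
    pass_ifs=$1
    shift
    for h in $(bridge_hooks "$@"); do
        [ "$h" = none ] && return 0
        case " $pass_ifs " in
            *" ${h%/*} "*) ;;
            *) printf '%s\n' "$h" ;;
        esac
    done
    return 0
}

# Demo with the post's settings: pfil_bridge=1, pfil_member assumed at its
# default of 1, ipfw=0, and pass rules on LAN (em0), SYNC (em1) and INT (igb1)
# only (EXT is block-only; bridge0 is unassigned and so carries no rules).
# On the firewall itself the three sysctl values can be read with
#   sysctl -n net.link.bridge.pfil_member net.link.bridge.pfil_bridge net.link.bridge.ipfw
if [ "${1:-}" = demo ]; then
    echo "hooks: $(bridge_hooks 1 1 0 igb1 igb0)"
    echo "hooks with no pass rule:"
    hooks_without_pass "em0 em1 igb1" 1 1 0 igb1 igb0
fi
```

Each hook is a separate pass through the ruleset for that interface; whether a state created by a pass rule at an earlier hook is accepted at a later one depends on pf's state policy (floating versus interface-bound), which the script does not model. Saved as, say, `bridge_hooks.sh` (a name I chose), `sh bridge_hooks.sh demo` prints the hook list for the post's settings and the hooks on which no pass rule exists.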