(presuming previous copy was silently dropped. Apologies if this is a repeat.)
tl;dr: Traffic from the FW itself (e.g. checks for updates) doesn't make it through the bridge unless I turn off the firewall function completely. Disabling all "block" rules in the interface does not have the same effect - traffic from the FW host still fails.

The long story: I am attempting to set up a bridging firewall (which will eventually be joined by a friend using CARP & STP, but that's a future thing and not relevant to this problem). I am using pfSense 2.3.1-RELEASE-p5. Per many, many posts on setting up transparent/bridging/bump-on-the-wire firewalls with pfSense, net.link.bridge.pfil_bridge is set to 1.

Background (attached graphic shows this better than words can): FW A has 4 NICs:

- LAN (em0) - "management" port at A.B.C.104
- SYNC (em1) - "CARP" at XX.YY.ZZ.104
- INT (igb1) & EXT (igb0) - "bridge0", no assigned IP addresses

A.B.C.0/24 is a routable network. XX.YY.ZZ.0/24 is RFC1918. There is no NAT anywhere. Network numbers and gateway addresses are assigned by central IT and can't be changed.

I expect traffic from FW A itself to go out the LAN port, then cross over INT -> EXT through the firewall before exiting the gateway at A.B.C.100. Return traffic should obviously return via the reverse of that. I do not want the LAN connection to be Internet-facing, for what should be fairly obvious reasons.

What I am seeing, however, is massive traffic (up to 500Mb/s) leaving LAN and showing up on INT but not going anywhere. This is very visible on the dashboard traffic graphs. When I go into System -> Advanced -> Firewall & NAT and click "Disable all packet filtering", traffic from FW A actually makes it out to the gateway. When I re-enable packet filtering but temporarily disable all "block" rules on all interfaces ... the problem doesn't go away.

I have a very simple set of rules in place for testing/debugging. Basically, don't let anyone in, let everyone out. These obviously won't be the rules for production.

Floating:
- no rules

SYNC:
- block bogon networks
- allow everything else

LAN:
- Anti-Lockout Rule (this will go away later)
- block bogon networks
- allow source * to destination * (this will get much tighter later)

EXT:
- block bogon networks
- block source * to destination *

INT:
- block bogon networks
- allow source * to destination *

netstat -in on the firewall shows the correct default route. Traffic from test hosts placed on the protected network flows exactly as expected - outbound works, inbound is blocked.

Setting net.link.bridge.pfil_bridge to 0 doesn't appear to change anything. The firewall still behaves exactly as before (blocking what I expect it to block, passing what I expect it to pass, and still broken when it comes to the FW's own traffic). I'm leaving it set to 1 since that seems to be a common directive.

Setting net.link.bridge.pfil_local_phys to 0 or 1 did not change anything.

Setting net.link.bridge.ipfw to 1 lets all traffic flow freely (as in, absolutely no firewall function). While this does "fix" the problem in that traffic from the FW host does flow correctly, it isn't exactly a desirable fix.

Does anyone have any suggestions of the obvious thing I'm missing here?

thanks,
nomad

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
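The post's experiments with net.link.bridge.pfil_bridge, pfil_local_phys and ipfw boil down to one question a defender wants answered before trusting a transparent firewall: is pf actually hooked into the bridge path at all? The following is an added example, not code from the poster or from the pfSense project. It assumes the FreeBSD bridge(4) semantics: pfil_bridge and pfil_member select whether pf filters on the bridge interface and on the member interfaces respectively, and ipfw=1 hands layer-2 filtering to ipfw and disables both pfil hooks, which matches the poster's observation that ipfw=1 removes all firewall function. net.link.bridge.pfil_member is a real bridge(4) sysctl that the post does not mention. The sysctl output below is constructed sample text so the script runs offline; on a real box you would pipe the output of `sysctl net.link.bridge` into it.

```shell
#!/bin/sh
# Audit helper: decide whether pf can see traffic crossing a bridge(4),
# given the text output of 'sysctl net.link.bridge'.
# Added example; constructed sample data, not taken from the poster's host.

# Constructed sample: the defaults a transparent firewall is expected to run with.
SAMPLE_SYSCTL='net.link.bridge.ipfw: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_local_phys: 0'

# Constructed sample: the "fix" from the post (ipfw hook on) - pf no longer filters the bridge.
SAMPLE_IPFW_ON='net.link.bridge.ipfw: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_local_phys: 0'

# Constructed sample: both pfil hooks switched off by hand - also unfiltered.
SAMPLE_NO_HOOKS='net.link.bridge.ipfw: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_local_phys: 1'

# bridge_sysctl NAME  - read one net.link.bridge.NAME value from sysctl text on stdin.
# Prints the value, or "missing" if the key is absent (older kernels, typo, truncated output).
bridge_sysctl() {
    awk -v key="net.link.bridge.$1" -F': ' \
        '$1 == key { print $2; found = 1 }
         END { if (!found) print "missing" }'
}

# bridge_filter_state TEXT - classify the bridge filtering configuration.
# Prints exactly one word:
#   filtered   - pf is hooked on the bridge interface and/or its member interfaces
#   unfiltered - ipfw hook enabled, or both pfil hooks off: pf rules never see bridged frames
bridge_filter_state() {
    text="$1"
    ipfw=$(printf '%s\n' "$text" | bridge_sysctl ipfw)
    pb=$(printf '%s\n' "$text" | bridge_sysctl pfil_bridge)
    pm=$(printf '%s\n' "$text" | bridge_sysctl pfil_member)

    # ipfw=1 disables both pfil hooks per bridge(4); pf is out of the path.
    if [ "$ipfw" = "1" ]; then
        echo unfiltered
        return 0
    fi
    # Neither the bridge interface nor the members are filtered.
    if [ "$pb" = "0" ] && [ "$pm" = "0" ]; then
        echo unfiltered
        return 0
    fi
    echo filtered
}

# bridge_report TEXT - human-readable summary of the four sysctls and the verdict.
bridge_report() {
    text="$1"
    for name in ipfw pfil_bridge pfil_member pfil_local_phys; do
        printf '%-32s %s\n' "net.link.bridge.$name" "$(printf '%s\n' "$text" | bridge_sysctl "$name")"
    done
    printf '%-32s %s\n' "verdict" "$(bridge_filter_state "$text")"
}

# Stand-alone run over the constructed samples.
echo "== expected transparent-firewall defaults =="
bridge_report "$SAMPLE_SYSCTL"
echo "== ipfw hook enabled (the post's undesirable 'fix') =="
bridge_report "$SAMPLE_IPFW_ON"
```

On the firewall itself the audit would be `sysctl net.link.bridge | sh -c '. ./bridge_audit.sh; bridge_filter_state "$(cat)"'`, or simply `bridge_report "$(sysctl net.link.bridge)"` after sourcing the script. A verdict of `unfiltered` means no rule on INT or EXT is being evaluated for bridged frames, regardless of what the rule tabs show, so it is the first thing to rule out when a bridge "passes everything".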