Hi,

we've been struggling with this for quite a while, and I didn't find any hints in
4.8 or 4.9 about it being fixed.

The setup (simplified; there's also another firewall with pfsync, but that
does not matter):
One firewall with three interfaces. em0 is the local interface with an IP,
em1 is an interface in the same segment (call it segment1), and em2 is connected to
another segment (segment2). em1 and em2 are bonded into bridge0.

The firewall now filters the traffic between those two segments. All the
filtering is usually done by IP.
The problem arises when I want to access segment2 from em0: no matter how I
set up pf, I cannot make the outside access em0. No matter what the rules look
like (or even if both of them are active), it does not work.

pass quick on em0 proto tcp from $computer1 to $computer2 port ssh keep state
pass quick on em1 proto tcp from $computer1 to $computer2 port ssh keep state
(em2 is not considered as it is pass quick)


When looking at computers in segment2, I see they receive a SYN, but there's
no SYN coming in on em0. The traffic is not filtered, as you can see on the
pflog interface.

When looking with tcpdump at computer1, I see that it receives several ICMP
Redirects from the IP of em0 to the IP of em0 again until the packet's TTL
runs out (this also happens to pings).


I assume the problem is connected to the bridge, as the second firewall does
not have these problems as long as its bridge is offline (the switch
deactivates that port).


So: is this setup even possible, or are there some OpenBSD networking internals
that make this setup impossible? Or am I just missing some important point?


Regards, Julian
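The setup described above, written out as OpenBSD configuration files together with the tcpdump invocations that correspond to the three observations (pflog, SYN on each side of the bridge, ICMP Redirects at computer1). This is an added example for readers who want to reproduce the post, not the poster's own files: the interface names em0/em1/em2/bridge0 and the two pf rules are taken from the post, while the addresses, the computer1/computer2 macro values and the output directory are assumptions.

```shell
#!/bin/sh
# Added example: reproduces the configuration from the post as OpenBSD
# config files and lists the tcpdump commands used to check the symptoms.
# Interface names and the two pf rules come from the post; addresses and
# macro values below are assumed for illustration only.

OUT="${OUT:-$(mktemp -d)}"

# Write hostname.* files and pf.conf under "$1/etc".
write_config() {
    out="$1"
    mkdir -p "$out/etc"
    # em0: the firewall's own address in segment1 (address assumed).
    echo 'inet 192.0.2.1 255.255.255.0' > "$out/etc/hostname.em0"
    # em1 and em2 are bridge members and carry no address.
    echo 'up' > "$out/etc/hostname.em1"
    echo 'up' > "$out/etc/hostname.em2"
    # bridge0 joins segment1 (em1) and segment2 (em2) at layer 2.
    printf 'add em1\nadd em2\nup\n' > "$out/etc/hostname.bridge0"
    cat > "$out/etc/pf.conf" <<'EOF'
# Assumed addresses: computer1 in segment1, computer2 in segment2.
computer1 = "192.0.2.10"
computer2 = "198.51.100.10"

# Rules exactly as given in the post; both may be active at once.
pass quick on em0 proto tcp from $computer1 to $computer2 port ssh keep state
pass quick on em1 proto tcp from $computer1 to $computer2 port ssh keep state
EOF
}

# Number of "pass quick" rules in the generated pf.conf bound to interface $2.
# Always exits 0 so it is safe to use under "set -e" (grep -c exits 1 on no match).
rules_on() {
    grep -c "^pass quick on $2 " "$1/etc/pf.conf" || true
}

# Diagnostics matching the post's observations. The first three run on the
# firewall, the last on computer1 (replace <computer1-if> with its interface).
# They are printed here, not executed, since they need the real hosts.
diag_commands() {
    cat <<'EOF'
tcpdump -n -e -ttt -i pflog0
tcpdump -ni em0 'tcp[tcpflags] & tcp-syn != 0'
tcpdump -ni em2 'tcp[tcpflags] & tcp-syn != 0'
tcpdump -ni <computer1-if> 'icmp[icmptype] == icmp-redirect'
EOF
}

write_config "$OUT"
echo "config written to $OUT/etc"
diag_commands
```

Running the pflog and em0/em2 captures side by side is what separates "filtered by pf" (a line on pflog0) from "never reached em0" (a SYN on em2 with no matching SYN on em0), which is the distinction the post draws.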

