PfSense with a bridge as a LAN interface : traffic blocked between interfaces

bridgepfsense

I have a pfSense 2.0-BETA3 box as a home router. The box has 3 wired ETH ports and a wireless interface. It is configured as follow :

WAN : vr0
LAN : BRIDGE0
OPT1 : vr1
OPT2 : vr2
OPT3 : ath0 (wireless card)
BRIDGE0 : OPT1, OPT2, OPT3

There is a PC connected directly behind OPT1, and a switch connected behind OPT2 with multiple computers behind it. pfSense handles the NAT to connect to the internet and DHCP to all hosts.

I have a rule to allow all traffic from LAN to any.

Connecting from any of the interfaces behind pfSense can connect to the net with no problem. But connections from a PC behind OPT1 to a PC behind OPT2 fail. Using Wireshark, I can see that SYN packet are sent, but no response is received (or ICMP echo request, with no echo response).

What more should I configure to allow traffic between the different interfaces of the bridge ?

Thanks for your help !

Best Answer

I had exactly the same problem.

After adding firewall rules from the bridge member interfaces to the bridge network it seems to work.

Cheers Cidi

Related Solutions

Openvpn – pfSense Site-toSite VPN with OpenVPN connects but won’t route traffic

Here's what may be an issue. Imagine you have following network:

address pool: 10.1.1.0/255.255.255.0
router: 10.1.1.1
internal interface on internal vpn server: 10.1.1.2
some external machine that VPNs to network: 10.2.2.2
some internal client machine: 10.1.1.90

When you trying to access SIC from external VPN box, then traffic route goes like this:

10.2.2.2
vpn (internet)
10.1.1.2
10.1.1.90
OK

Seems fine, HOWEVER, in order for traffic to flow, the 10.1.1.90 machine should be able to respond and that means that packets from it must be routable to 10.2.2.2 too. Internal client has obviously ip: 10.1.1.90, mask: 255.255.255.0 and router: 10.1.1.90. Therefore, packets would be routed like this:

10.1.1.90
10.1.1.1 (sine it is router, and 10.2.2.2 is not directly addressable)
internet
NOT FOUND

Basically, reply packets will not even reach VPN. What can you do? Obviously, what will work is to add route to internal client to route all packets to 10.2.2.2 not to VPN box instead of router, such as (Windows box):

route add 10.2.2.0 mask 255.255.255.0 10.1.1.2

this will resolve the problem on single-machine level. Reply packets will go:

10.1.1.90
10.1.1.2 (explicit route)
vpn (internet)
10.2.2.2

To resolve issue on the network level, you must modify router in a same matter to redirect all traffic going to 10.2.2.0 to 10.1.1.2. This way reply packet will go:

10.1.1.90
10.1.1.1
10.1.1.2
vpn (internet)
10.2.2.2

Another solution is: make your VPN box to NAT on 10.1.1.2 interface. This way for internal machines it will look as if all the traffic originates from 10.1.1.2, and replies will go to 10.1.1.2. I would advise to go through routing though, since NAT will require additional resources on VPN box for connection tracker

Firewall – How to route between interfaces in PFsense

Firewall rules are correct. Probably a host firewall, or wrong subnet mask on a host, or missing/wrong default gateway.

Best Answer

Related Solutions

Openvpn – pfSense Site-toSite VPN with OpenVPN connects but won’t route traffic

Firewall – How to route between interfaces in PFsense

Related Topic