From: Dan Lists
Date: Wed, 24 Apr 2019 19:36:54 -0500
Subject: Bridge not Forwarding ARP
To: freebsd-questions

I am trying to set up a bridged firewall in VMware. I have a test setup like this:

Internal --- vswitch --- (em2) Filter (em1) -- switch -- External

The Internal, Filter, and External servers are all running FreeBSD 11.2. Filter has a bridge0 using members em1 (external side) and em2 (internal side).

If I ping from Internal to External I see ARP Requests on em2, bridge0, and em1 of Filter. I see ARP Replies on em1 but they do not show up on bridge0. This is the same with or without a firewall running on Filter.

If I ping from External to Internal then I see both ARP Requests and Replies on all interfaces and the ping works.

I searched and read documentation and everything I can find says that ARP packets should be forwarded over the bridge. Why are the ARP Replies only being forwarded in one direction?

I was looking at sysctl output and I found kern.features.security_mac but Google search didn't turn up any documentation. I tried to change it (sysctl and loader.conf) but it seems hard-coded to 1.

I'm not really sure what to try. Any help would be appreciated.
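
Added example, not part of the original message: a Python helper that takes `tcpdump -n -e arp` text captured separately on em1, bridge0 and em2 of the Filter host and reports where along that path a given ARP frame stops being seen. The capture lines, MAC addresses and 192.0.2.x addresses are constructed to match the symptom described above, and the function names are hypothetical.

```python
import re

# Matches the ARP part of a tcpdump text line, e.g.
#   "... Request who-has 192.0.2.20 tell 192.0.2.10, length 28"
#   "... Reply 192.0.2.20 is-at 02:00:00:00:00:14, length 46"
ARP_RE = re.compile(r"Request who-has (?P<q>[\d.]+)|Reply (?P<a>[\d.]+) is-at")

def arp_events(lines):
    """Return the set of (operation, IP) pairs seen in one interface's capture."""
    events = set()
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            events.add(("request", m["q"]) if m["q"] else ("reply", m["a"]))
    return events

def last_hop_seen(captures, path, event):
    """Walk `path` in the frame's direction of travel.

    Returns (last interface that saw the event, first interface that did not).
    The second element is None when the event crossed the whole path.
    """
    last = None
    for iface in path:
        if event not in arp_events(captures[iface]):
            return last, iface
        last = iface
    return last, None

# Constructed sample input: Internal (192.0.2.10) pings External (192.0.2.20).
REQ = ("19:30:01.000100 02:00:00:00:00:0a > ff:ff:ff:ff:ff:ff, ethertype ARP "
       "(0x0806), length 42: Request who-has 192.0.2.20 tell 192.0.2.10, length 28")
REP = ("19:30:01.000400 02:00:00:00:00:14 > 02:00:00:00:00:0a, ethertype ARP "
       "(0x0806), length 60: Reply 192.0.2.20 is-at 02:00:00:00:00:14, length 46")
CAPTURES = {"em2": [REQ], "bridge0": [REQ], "em1": [REQ, REP]}

if __name__ == "__main__":
    # Requests travel Internal -> External, replies travel External -> Internal.
    checks = [(("request", "192.0.2.20"), ["em2", "bridge0", "em1"]),
              (("reply", "192.0.2.20"), ["em1", "bridge0", "em2"])]
    for event, path in checks:
        seen, missing = last_hop_seen(CAPTURES, path, event)
        status = "crossed the bridge" if missing is None else f"lost before {missing}"
        print(f"{event[0]:7s} for {event[1]}: last seen on {seen}, {status}")
```

For the constructed captures the request crosses all three interfaces while the reply is last seen on em1 and never reaches bridge0, which is the asymmetry the message reports.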