Date:      Tue, 15 Jul 2014 21:15:50 +1000
From:      Peter Jeremy <peter@rulingia.com>
To:        freebsd-pf@freebsd.org
Subject:   Filtering bridge(4) traffic
Message-ID:  <20140715111550.GC32968@server.rulingia.com>

I'm successfully using pf(4) on FreeBSD 9.2 as a firewall and would like to
also use the box as an AP.  At this stage I'm only using IPv4.

As originally configured, I have re0 connected to the Internet, em0
connected to my internal LAN and a couple of jails attached to loopback
interfaces.  All the interfaces are interconnected using nat/rdr and filter
rules.

I'm trying to add an AP (run0/wlan0), bridged with em0, to replace an
existing standalone AP.  At this point, I don't need to filter packets
between wlan0 and em0.

I've successfully migrated my rules from em0 to bridge0 and can correctly
block/pass traffic between the firewall (and Internet) and internal devices
via either em0 or wlan0.  New connections between em0 and wlan0 also work
but existing connections (e.g. clients failing over between wired and
wireless) fail - apparently due to missing state table entries.

I don't understand why packets between wlan0 and em0 are being filtered and
would appreciate any insights.

Relevant sysctl parameters (all default):
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1

Extract from pf.conf:

set skip on lo0
scrub in all
nat/rdr rules...
block out log all
block in log all
block in quick proto udp from any to any port { netbios-ns, netbios-dgm, who, ldap, 1900, 3902, mdns, 9956 }
pass in quick on em0 tag em0
pass in quick on wlan0 tag wlan0
pass out on wlan0 all tagged em0
pass out on em0 all tagged wlan0
pass out on bridge0 all tagged em0
pass out on bridge0 all tagged wlan0
other filtering rules...

-- 
Peter Jeremy
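As an added example (not part of the post above), the following Python script walks the pf.conf extract through the bridge(4) filtering points implied by the sysctl values, without modelling the state table, so every hook sees the packet as the first of its flow. It assumes the hook order in on the ingress member, in on bridge0, out on bridge0, out on the egress member, omits the nat/rdr and "other filtering rules" lines, and resolves the service names in the UDP rule from /etc/services.

```python
# Added example; assumes hook order: in member, in bridge0, out bridge0, out member.
from collections import namedtuple
Rule = namedtuple("Rule", "action direction iface quick proto ports tag tagged",
                  defaults=(None, None, False, None, frozenset(), None, None))

# The pf.conf extract; netbios-ns 137, netbios-dgm 138, who 513, ldap 389, mdns 5353.
RULESET = [
    Rule("block", "out"),                                   # block out log all
    Rule("block", "in"),                                    # block in log all
    Rule("block", "in", quick=True, proto="udp",
         ports=frozenset({137, 138, 513, 389, 1900, 3902, 5353, 9956})),
    Rule("pass", "in", "em0", quick=True, tag="em0"),
    Rule("pass", "in", "wlan0", quick=True, tag="wlan0"),
    Rule("pass", "out", "wlan0", tagged="em0"),
    Rule("pass", "out", "em0", tagged="wlan0"),
    Rule("pass", "out", "bridge0", tagged="em0"),
    Rule("pass", "out", "bridge0", tagged="wlan0"),
]

def bridge_hooks(src, dst, pfil_member=1, pfil_bridge=1, bridge="bridge0"):
    """pfil points, in order, for a packet bridged from member src to member dst."""
    on_member = lambda d, i: [(d, i)] if pfil_member else []
    on_bridge = [("in", bridge), ("out", bridge)] if pfil_bridge else []
    return on_member("in", src) + on_bridge + on_member("out", dst)

def matches(r, direction, iface, proto, dport, tag):
    return ((not r.direction or r.direction == direction)
            and (not r.iface or r.iface == iface)
            and (not r.proto or r.proto == proto)
            and (not r.ports or dport in r.ports)
            and (not r.tagged or r.tagged == tag))

def evaluate(rules, direction, iface, proto, dport, tag):
    """pf semantics: last matching rule wins unless a matching rule is quick."""
    winner = None
    for i, r in enumerate(rules):
        if matches(r, direction, iface, proto, dport, tag):
            winner = i
            if r.quick:
                break
    if winner is None:
        return "pass", tag, None            # pf passes when no rule matches
    r = rules[winner]
    return r.action, r.tag or tag, winner   # a winning 'tag' rule tags the mbuf

def walk(rules, src, dst, proto="tcp", dport=22, **sysctls):
    """First packet of a flow through every hook; the mbuf tag persists across hooks."""
    tag, trace = None, []
    for direction, iface in bridge_hooks(src, dst, **sysctls):
        action, tag, idx = evaluate(rules, direction, iface, proto, dport, tag)
        trace.append((direction, iface, action, idx))
    return trace
```

For a TCP packet entering on em0 the walk passes on em0 and on both out hooks but blocks at in on bridge0, since no pass in rule names bridge0; that hook is crossed only by the state entry the em0 rule created. Rerunning walk() with pfil_bridge=0 removes the bridge0 hooks from the trace.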
