From: Peter Jeremy <peter@rulingia.com>
To: freebsd-pf@freebsd.org
Subject: Filtering bridge(4) traffic
Date: Tue, 15 Jul 2014 21:15:50 +1000
Message-ID: <20140715111550.GC32968@server.rulingia.com>
I'm successfully using pf(4) on FreeBSD 9.2 as a firewall and would like to
also use the box as an AP.  At this stage I'm only using IPv4.

As originally configured, I have re0 connected to the Internet, em0
connected to my internal LAN and a couple of jails attached to loopback
interfaces.  All the interfaces are interconnected using nat/rdr and filter
rules.

I'm trying to add an AP (run0/wlan0), bridged with em0, to replace an
existing standalone AP.  At this point, I don't need to filter packets
between wlan0 and em0.  I've successfully migrated my rules from em0 to
bridge0 and can correctly block/pass traffic between the firewall (and
Internet) and internal devices via either em0 or wlan0.  New connections
between em0 and wlan0 also work but existing connections (e.g. clients
failing over between wired and wireless) fail - apparently due to missing
state table entries.

I don't understand why packets between wlan0 and em0 are being filtered
and would appreciate any insights.

Relevant sysctl parameters (all default):

  net.link.bridge.pfil_local_phys: 0
  net.link.bridge.pfil_member: 1
  net.link.bridge.pfil_bridge: 1
  net.link.bridge.pfil_onlyip: 1

Extract from pf.conf:

  set skip on lo0
  scrub in all
  nat/rdr rules...
  block out log all
  block in log all
  block in quick proto udp from any to any port { netbios-ns, netbios-dgm, who, ldap, 1900, 3902, mdns, 9956 }
  pass in quick on em0 tag em0
  pass in quick on wlan0 tag wlan0
  pass out on wlan0 all tagged em0
  pass out on em0 all tagged wlan0
  pass out on bridge0 all tagged em0
  pass out on bridge0 all tagged wlan0
  other filtering rules...
-- 
Peter Jeremy
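The question above is really about where pf gets a look at a frame that crosses a bridge(4), and which of the quoted rules decides at each of those points. The following is an added example, not code from the post or from FreeBSD: it models the pfil hook sequence for a bridged IP frame (member in, bridge in, bridge out, member out, which is my reading of the PACKET FILTERING section of bridge(4)) under the quoted sysctl values, and runs a small stateless evaluator over the block/pass lines of the quoted pf.conf extract. The evaluator understands only the keywords the extract uses, resolves the service names to the port numbers in /etc/services, and does not model the "nat/rdr rules..." and "other filtering rules..." the post elides, so its verdict on bridge0 reflects the extract alone. The sample packets are constructed.

```python
"""Where pf sees a frame crossing a FreeBSD bridge(4), plus a minimal
evaluator for the simplified pf.conf extract quoted in the post.

Added example, not code from the post or from FreeBSD.  Assumptions:
- hook order member-in, bridge-in, bridge-out, member-out (bridge(4));
- service names resolved to the /etc/services port numbers below;
- no state table: this shows rule lookup only, not established states.
"""
from dataclasses import dataclass
from typing import Optional

# Sysctl values quoted in the post (all defaults).
SYSCTLS = {
    "net.link.bridge.pfil_local_phys": 0,
    "net.link.bridge.pfil_member": 1,
    "net.link.bridge.pfil_bridge": 1,
    "net.link.bridge.pfil_onlyip": 1,
}

# Service names used in the extract, as resolved by /etc/services.
SERVICES = {"netbios-ns": 137, "netbios-dgm": 138, "who": 513,
            "ldap": 389, "mdns": 5353}

# The block/pass lines of the extract; set/scrub lines are ignored and the
# elided nat/rdr and "other filtering rules" are not represented.
RULESET = """
set skip on lo0
scrub in all
block out log all
block in log all
block in quick proto udp from any to any port { netbios-ns, netbios-dgm, who, ldap, 1900, 3902, mdns, 9956 }
pass in quick on em0 tag em0
pass in quick on wlan0 tag wlan0
pass out on wlan0 all tagged em0
pass out on em0 all tagged wlan0
pass out on bridge0 all tagged em0
pass out on bridge0 all tagged wlan0
"""


def pfil_hook_points(src_if, dst_if, bridge="bridge0", sysctls=SYSCTLS):
    """(interface, direction) pairs at which pf evaluates an IP frame the
    bridge forwards from member src_if to member dst_if."""
    hooks = []
    if sysctls["net.link.bridge.pfil_member"]:
        hooks.append((src_if, "in"))
    if sysctls["net.link.bridge.pfil_bridge"]:
        hooks.append((bridge, "in"))
        hooks.append((bridge, "out"))
    if sysctls["net.link.bridge.pfil_member"]:
        hooks.append((dst_if, "out"))
    return hooks


@dataclass
class Rule:
    action: str
    direction: str
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    ports: Optional[set] = None
    tag: Optional[str] = None
    tagged: Optional[str] = None


@dataclass
class Packet:
    iface: str
    direction: str
    proto: str
    dport: int
    tag: Optional[str] = None


def port_number(tok):
    return SERVICES[tok] if tok in SERVICES else int(tok)


def parse_rules(text):
    """Parse block/pass lines with the subset of pf syntax the extract uses."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
        if not toks or toks[0] not in ("block", "pass"):
            continue
        rule = Rule(action=toks[0], direction=toks[1])
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok == "quick":
                rule.quick = True
            elif tok in ("on", "proto", "tag", "tagged"):
                i += 1
                setattr(rule, {"on": "iface"}.get(tok, tok), toks[i])
            elif tok in ("from", "to"):
                i += 1                      # only "any" appears in the extract
            elif tok == "port":
                i += 1
                if toks[i] == "{":          # port list: collect until "}"
                    rule.ports = set()
                    i += 1
                    while toks[i] != "}":
                        rule.ports.add(port_number(toks[i]))
                        i += 1
                else:
                    rule.ports = {port_number(toks[i])}
            # "log" and "all" do not affect matching here
            i += 1
        rules.append(rule)
    return rules


def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and (rule.ports is None or pkt.dport in rule.ports)
            and (rule.tagged is None or rule.tagged == pkt.tag))


def evaluate(rules, pkt):
    """pf semantics: the last matching rule wins unless a matching rule is
    'quick'; a rule's 'tag' sticks to the packet even if a later rule ends
    up deciding.  pf's default when nothing matches is pass."""
    decision = "pass"
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.tag:
            pkt.tag = rule.tag
        decision = rule.action
        if rule.quick:
            break
    return decision


def trace(rules, src_if, dst_if, proto, dport, sysctls=SYSCTLS):
    """Run one packet through every hook point in order; the tag travels
    with the packet between hooks.  Stops at the first block."""
    tag, path = None, []
    for iface, direction in pfil_hook_points(src_if, dst_if, sysctls=sysctls):
        pkt = Packet(iface, direction, proto, dport, tag)
        decision = evaluate(rules, pkt)
        tag = pkt.tag
        path.append((iface, direction, decision, tag))
        if decision == "block":
            break
    return path


if __name__ == "__main__":
    rules = parse_rules(RULESET)
    # Constructed sample: a TCP/80 packet from a wireless client to a wired host.
    for step in trace(rules, "wlan0", "em0", "tcp", 80):
        print(step)
```

With the quoted defaults the trace shows four evaluation points for a single wlan0-to-em0 packet, not one: the frame is tagged on the way in on wlan0, then evaluated again inbound on bridge0, outbound on bridge0 and outbound on em0. Over the extract alone the bridge0 inbound hook is caught by "block in log all", since the only inbound passes are on em0 and wlan0; the rules migrated to bridge0 that the post elides presumably cover that. Setting pfil_bridge to 0 in the sysctls dictionary collapses the path to wlan0-in and em0-out, where the tag/tagged pairs pass the packet. The model deliberately has no state table, so it says nothing about the failover symptom in the post; it only shows how many places a ruleset has to agree with itself once bridge filtering is on.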