pfSense » pfSense Plus

Please see photo. Also when a client has a static entry for the firewall on a secure side "Firewall's LAN" and client uses the Guest wifi for some reason, "Compex card(OTP1)" this client is now being activated with both interfaces and the DHCP servers activate on both server 192.168.1.1 and server 10.0.0.1. It shows both arp entries are activated. Before it separated them, only one arp entry would show, the broadcast domain is now combined on intra-interfaces, keep in mind both have different outbound NAT entries. It would only show one or the other based on what interface was used for that layer 2 address.

This could cause a new arp storm vulnerability. This use to separate the broadcast domain into two, one for each hardware interface.

Is VLAN hopping an issue here now?

KEA is in use.

Also you can see traffic on the experimental layer 2 firewall rules between the interfaces that is the main concern here in 23.09.05.

Last version 23.05.01 seen in the attached photo the firewall software would never allow intra interface traffic to occur at all, as it would never even attempt to establish any states for the 2 rules seen in photo.

Thanks this is a concern as layer2 traffic is now allowed between interfaces, this could also open up VLAN hopping vulnerabilities.

https://forum.netgate.com/topic/185443/example-of-layer-2-ethernet-firewall-rules

I was able to get it to work however the rule numbers never change so I do not think they got added when using address over subnet.

Before in 23.05.01 it listed interface and not subnet

This is what I mean by rule id I use it with my LED script. With the new rules when using them with wlan address they are not moving the rule list down for some reason it stays the same 110 it will normally increment and be 111 or 112 so on. Does use of address over subnet not work with 23.09.01 and if so the normal name was interface and not subnet.