Bug #15366
Ethernet rules are not blocking the ARP inside the bridge
Status: Open
Description
Configuration:
1) IX2 and DMZ interfaces are bridged (192.168.168.0/24)
2) Filtering enabled on members of the bridge
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0
3) The Ethernet rules are set not to pass ARP from any to any on the members of the bridge.
Result:
PC1 (192.168.168.12) requested the ARP for PC2 (192.168.168.10) and received the reply, but didn't receive an ARP reply from the gateway, so the rules cut traffic from the interface of pfSense but not inside the bridge broadcast.
Tested on:
23.09.1-RELEASE (amd64) built on Wed Dec 20 21:27:00 MSK 2023 FreeBSD 14.0-CURRENT
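Added example (not part of the report or of pfSense): a small Python ARP decoder that, run over frames captured on PC1, lists the addresses PC1 asked for but never got a reply from, which is the observation the report describes. The frames below are constructed, the MAC addresses are invented, and the gateway address 192.168.168.1 is an assumption, since the report does not state it.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame into a dict; return None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):  # Ethernet/IPv4 ARP only
        return None
    return {"op": {1: "request", 2: "reply"}.get(op, f"op{op}"),
            "sha": mac(sha), "spa": ip(spa), "tha": mac(tha), "tpa": ip(tpa)}

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed ARP frame (sample data only, not a real capture)."""
    dst = b"\xff" * 6 if op == 1 else tha  # requests are broadcast, replies unicast
    return ETH_HDR.pack(dst, sha, ETHERTYPE_ARP) + ARP_PKT.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def unanswered(frames, requester_ip):
    """IPs the requester asked for but never received a reply from."""
    asked, answered = set(), set()
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        if arp["op"] == "request" and arp["spa"] == requester_ip:
            asked.add(arp["tpa"])
        elif arp["op"] == "reply" and arp["tpa"] == requester_ip:
            answered.add(arp["spa"])
    return sorted(asked - answered)

# Constructed sample capture as seen from PC1 (MACs invented; gateway IP .1 is an assumption).
PC1, PC2, GW = bytes.fromhex("020000000012"), bytes.fromhex("020000000010"), bytes.fromhex("020000000001")
PC1_IP, PC2_IP, GW_IP = bytes([192, 168, 168, 12]), bytes([192, 168, 168, 10]), bytes([192, 168, 168, 1])
SAMPLE_FRAMES = [
    build_arp(1, PC1, PC1_IP, b"\x00" * 6, PC2_IP),  # PC1 asks who has PC2
    build_arp(2, PC2, PC2_IP, PC1, PC1_IP),          # PC2 replies: the bridge forwarded it
    build_arp(1, PC1, PC1_IP, b"\x00" * 6, GW_IP),   # PC1 asks who has the gateway; no reply follows
]

if __name__ == "__main__":
    print("no ARP reply from:", unanswered(SAMPLE_FRAMES, "192.168.168.12"))  # ['192.168.168.1']
```

To check a real capture, feed the raw frames from a pcap reader into unanswered() instead of SAMPLE_FRAMES; an empty result on a member interface means the rule was enforced inside the bridge.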
Updated by Lev Prokofev 9 months ago
The same behavior occurs if you filter on the bridge
net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=1
and set the rule on the bridge interface accordingly
Updated by Kris Phillips 8 months ago
With the new strict interface filtering in 24.03, has this been re-tested and confirmed to still exist?
Updated by Lev Prokofev 7 months ago
I retested this with 24.03 with the Interface Bound States enabled, and the result was exactly the same.