Bug #6760
closed
Editing WAN bridge interface breaks routing until reboot
0%
Description
Say you have a setup like this:
Internet <=> [WAN: public] Firewall [LAN: 10.20.30.1/24] <=> [WAN bridge: 10.20.30.254/24] pfSense (routing only) [LAN/WLAN/OPTs/...] <=> other computers
E.g.
- take an Alix box and put it behind some other firewall (pfSense or anything, does not matter)
- disable firewalling (routing only) on pfSense
- add two/more of the vrX interfaces into a bridge
- assign the bridge to WAN and configure it (static IPv4)
- connect the pfSense WAN to LAN-like interface on the upstream firewall
- configure other interfaces on pfSense and make sure that everything works as expected
Now, even if you change just the bridge description, after saving the configuration the Internet connectivity is lost. Things like pinging 8.8.8.8 from the pfSense box or hosts behind it fail with errno = 65 (No route to host). You cannot connect from Internet any more. You can still connect to the pfSense box from the firewall in front or from other (local) LAN hosts. Routing/Internet connectivity only gets fixed after reboot.
Updated by Jim Pingle about 9 years ago
What do "netstat -rn" and "ifconfig -a" look like before and after? Any notable differences?
Updated by Kill Bill about 9 years ago
Jim Pingle wrote:
What do "netstat -rn" and "ifconfig -a" look like before and after? Any notable differences?
Well yes:
1/ The default route is gone.
# diff -Nau /tmp/netstat_working.txt /tmp/netstat_broken.txt --- /tmp/netstat_working.txt 2016-09-04 13:28:56.537548000 +0200 +++ /tmp/netstat_broken.txt 2016-09-04 13:31:19.587979000 +0200 @@ -2,7 +2,6 @@ Internet: Destination Gateway Flags Netif Expire -default 10.20.31.1 UGS bridge0 10.20.31.0/24 link#10 U bridge0 10.20.31.254 link#10 UHS lo0 10.20.33.0/24 link#12 U bridge1 @@ -11,7 +10,6 @@ Internet6: Destination Gateway Flags Netif Expire -default 2001:470:dead:beef::1 UGS bridge0 ::1 link#8 UH lo0 2001:470:dead:beef::/64 link#10 U bridge0 2001:470:dead:beef::254 link#10 UHS lo0
2/ The bridge MAC address changes and the path cost gets bumped to ridiculous values:
# diff -Nau /tmp/ifconfig_working.txt /tmp/ifconfig_broken.txt
--- /tmp/ifconfig_working.txt 2016-09-04 13:29:11.212071000 +0200
+++ /tmp/ifconfig_broken.txt 2016-09-04 13:31:29.169965000 +0200
@@ -36,18 +36,6 @@
-bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
- ether 02:b2:90:f6:ea:00
- inet 10.20.31.254 netmask 0xffffff00 broadcast 10.20.31.255
- inet6 2001:470:dead:beef::254 prefixlen 64
- nd6 options=1<PERFORMNUD>
- id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
- maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
- root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
- member: vr0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
- ifmaxaddr 0 port 1 priority 128 path cost 55
- member: vr1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
- ifmaxaddr 0 port 2 priority 128 path cost 55
ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 66:02:b4:7e:66:ea
inet6 fe80::6402:b4ff:fe7e:66ea%ath0_wlan0 prefixlen 64 scopeid 0x9
@@ -71,3 +59,15 @@
+bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
+ ether 02:a0:aa:f2:78:00
+ inet 10.20.31.254 netmask 0xffffff00 broadcast 10.20.31.255
+ inet6 2001:470:dead:beef::254 prefixlen 64
+ nd6 options=1<PERFORMNUD>
+ id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
+ maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
+ root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
+ member: vr0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
+ ifmaxaddr 0 port 1 priority 128 path cost 200000
+ member: vr1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
+ ifmaxaddr 0 port 2 priority 128 path cost 200000
Updated by Jay Janssen almost 9 years ago
I am having a similar issue whenever my WAN link goes down and then recovers. Basically I lose some kind of routing and it won't recover without a reboot of pfsense.
I have confirmed that DNS actually starts working again, but hitting web ports (port 80, etc) on the internet won't go through. This may or may not be the same issue, but the next time it happens, I'll try to gather the output requested above and submit here if it seems similar.
Updated by
Updated by Jim Pingle almost 9 years ago
- Status changed from New to Not a Bug
- Assignee deleted (
Jim Pingle)
I can't reproduce this here on 2.3.2_1. I can make edits to the bridge and the MAC stays the same and I can still route out from the firewall and from a client on the bridge. The default route is still there, too.
One thing I did notice in your original description is that the network config is invalid. You can't have LAN as 10.20.30.1/24 and WAN as 10.20.30.254/24 -- two interfaces in the same subnet will mess with the link routes and could cause problems like you see.
Only other notable difference in the test I ran is that I used an APU, not ALIX, as support for the ALIX is going away with 2.4. There is a chance it's an issue specific to the behavior of the vr(4) interface.
So either it's been fixed, it only applies to ALIX, or there is an issue with the attempted configuration.
Updated by Kill Bill almost 9 years ago
Jim Pingle wrote:
One thing I did notice in your original description is that the network config is invalid. You can't have LAN as 10.20.30.1/24 and WAN as 10.20.30.254/24 -- two interfaces in the same subnet will mess with the link routes and could cause problems like you see.
Oh well... The 10.20.30.254/24 is another box, with pfSense "WAN" connected to the LAN port of the firewall in front of it...