Bug #6760: Editing WAN bridge interface breaks routing until reboot - pfSense - pfSense bugtracker

Custom queries

2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - Resolved/Closed
2.8.1 - All Open Bugs
2.8.1 - All Open Features
2.8.1 - All Open Issues
2.8.1 - All Open Regressions
2.8.1 - Feedback
2.8.1 - Needs Attention
2.8.1 - New/Confirmed
2.8.1 - Pull Requests
2.8.1 - Regressions affecting 2.8.0
2.8.1 - Resolved/Closed
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Target - All Closed Issues
25.07 Plus - All Closed Issues
25.07 Target - All Closed Issues
25.11 Plus - All Closed Issues
25.11 Plus - All Open Issues
25.11 Plus - Feedback Issues
25.11 Plus - Needs Attention/Work
25.11 Plus - New/Confirmed/In Progress Issues
25.11 Plus - Pull Request Review
25.11 Plus - Waiting on Merge
25.11 Target - All Closed Issues
25.11 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - CE Target Version (DO NOT EDIT)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #6760

closed

Editing WAN bridge interface breaks routing until reboot

Added by Kill Bill about 9 years ago. Updated almost 9 years ago.

Status:

Not a Bug

Priority:

Normal

Assignee:

Category:

Routing

Target version:

Start date:

09/03/2016

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.3.x

Affected Architecture:

All

Description

Say you have a setup like this:

Internet <=> [WAN: public] Firewall [LAN: 10.20.30.1/24] <=> [WAN bridge: 10.20.30.254/24] pfSense (routing only) [LAN/WLAN/OPTs/...] <=> other computers

E.g.
- take an Alix box and put it behind some other firewall (pfSense or anything, does not matter)
- disable firewalling (routing only) on pfSense
- add two/more of the vrX interfaces into a bridge
- assign the bridge to WAN and configure it (static IPv4)
- connect the pfSense WAN to LAN-like interface on the upstream firewall
- configure other interfaces on pfSense and make sure that everything works as expected

Now, even if you change just the bridge description, after saving the configuration the Internet connectivity is lost. Things like pinging 8.8.8.8 from the pfSense box or hosts behind it fail with errno = 65 (No route to host). You cannot connect from Internet any more. You can still connect to the pfSense box from the firewall in front or from other (local) LAN hosts. Routing/Internet connectivity only gets fixed after reboot.

History
Notes
Property changes

Actions

Copy link

Updated by Jim Pingle about 9 years ago

What do "netstat -rn" and "ifconfig -a" look like before and after? Any notable differences?

Actions

Copy link

Updated by Kill Bill about 9 years ago

Jim Pingle wrote:

What do "netstat -rn" and "ifconfig -a" look like before and after? Any notable differences?

Well yes:

1/ The default route is gone.

# diff -Nau /tmp/netstat_working.txt /tmp/netstat_broken.txt
--- /tmp/netstat_working.txt    2016-09-04 13:28:56.537548000 +0200
+++ /tmp/netstat_broken.txt     2016-09-04 13:31:19.587979000 +0200
@@ -2,7 +2,6 @@

 Internet:
 Destination        Gateway            Flags      Netif Expire
-default            10.20.31.1         UGS     bridge0
 10.20.31.0/24      link#10            U       bridge0
 10.20.31.254       link#10            UHS         lo0
 10.20.33.0/24      link#12            U       bridge1
@@ -11,7 +10,6 @@

 Internet6:
 Destination                       Gateway                       Flags      Netif Expire
-default                           2001:470:dead:beef::1           UGS     bridge0
 ::1                               link#8                        UH          lo0
 2001:470:dead:beef::/64             link#10                       U       bridge0
 2001:470:dead:beef::254             link#10                       UHS         lo0

2/ The bridge MAC address changes and the path cost gets bumped to ridiculous values:

# diff -Nau /tmp/ifconfig_working.txt /tmp/ifconfig_broken.txt
--- /tmp/ifconfig_working.txt   2016-09-04 13:29:11.212071000 +0200
+++ /tmp/ifconfig_broken.txt    2016-09-04 13:31:29.169965000 +0200
@@ -36,18 +36,6 @@
-bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
-       ether 02:b2:90:f6:ea:00
-       inet 10.20.31.254 netmask 0xffffff00 broadcast 10.20.31.255
-       inet6 2001:470:dead:beef::254 prefixlen 64
-       nd6 options=1<PERFORMNUD>
-       id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
-       maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
-       root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
-       member: vr0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
-               ifmaxaddr 0 port 1 priority 128 path cost 55
-       member: vr1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
-               ifmaxaddr 0 port 2 priority 128 path cost 55
 ath0_wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 66:02:b4:7e:66:ea
        inet6 fe80::6402:b4ff:fe7e:66ea%ath0_wlan0 prefixlen 64 scopeid 0x9
@@ -71,3 +59,15 @@
+bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
+       ether 02:a0:aa:f2:78:00
+       inet 10.20.31.254 netmask 0xffffff00 broadcast 10.20.31.255
+       inet6 2001:470:dead:beef::254 prefixlen 64
+       nd6 options=1<PERFORMNUD>
+       id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
+       maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
+       root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
+       member: vr0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
+               ifmaxaddr 0 port 1 priority 128 path cost 200000
+       member: vr1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
+               ifmaxaddr 0 port 2 priority 128 path cost 200000

Actions

Copy link

Updated by Jay Janssen almost 9 years ago

I am having a similar issue whenever my WAN link goes down and then recovers. Basically I lose some kind of routing and it won't recover without a reboot of pfsense.

I have confirmed that DNS actually starts working again, but hitting web ports (port 80, etc) on the internet won't go through. This may or may not be the same issue, but the next time it happens, I'll try to gather the output requested above and submit here if it seems similar.

Actions

Copy link

Updated by Jim Thompson almost 9 years ago

Assignee set to Jim Pingle

Actions

Copy link

Updated by Jim Pingle almost 9 years ago

Status changed from New to Not a Bug
Assignee deleted (~~Jim Pingle~~)

I can't reproduce this here on 2.3.2_1. I can make edits to the bridge and the MAC stays the same and I can still route out from the firewall and from a client on the bridge. The default route is still there, too.

One thing I did notice in your original description is that the network config is invalid. You can't have LAN as 10.20.30.1/24 and WAN as 10.20.30.254/24 -- two interfaces in the same subnet will mess with the link routes and could cause problems like you see.

Only other notable difference in the test I ran is that I used an APU, not ALIX, as support for the ALIX is going away with 2.4. There is a chance it's an issue specific to the behavior of the vr(4) interface.

So either it's been fixed, it only applies to ALIX, or there is an issue with the attempted configuration.

Actions

Copy link

Updated by Kill Bill almost 9 years ago

Jim Pingle wrote:

One thing I did notice in your original description is that the network config is invalid. You can't have LAN as 10.20.30.1/24 and WAN as 10.20.30.254/24 -- two interfaces in the same subnet will mess with the link routes and could cause problems like you see.

Oh well... The 10.20.30.254/24 is another box, with pfSense "WAN" connected to the LAN port of the firewall in front of it...

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #6760

Editing WAN bridge interface breaks routing until reboot

Updated by Jim Pingle about 9 years ago

Updated by Kill Bill about 9 years ago

Updated by Jay Janssen almost 9 years ago

Updated by Jim Thompson almost 9 years ago

Updated by Jim Pingle almost 9 years ago

Updated by Kill Bill almost 9 years ago