I've got a very strange issue with the firewall in transparent bridge mode. Here is my setup:
There are four NICs in the pfsense box. All are Intel-based.
pfSense-Version: 1.2-BETA-1-TESTING-SNAPSHOT-05-29-2007 built on Sun Jun 3 12:44:39 EDT 2007
Network available: x.y.z.128/25
WAN: Static, x.y.z.130/25, Gateway: x.y.z.129
LAN: Static, Bridged with WAN, x.y.z.135/25
DMZ (Opt1): Static, 192.168.6.1/24
POOL (Opt2): Static, 192.168.7.1/24
I'll skip all details about DMZ and POOL, since it probably has no influence at all with respect to my problem.
Under Advanced, "Filtering Bridge" is enabled.
For LAN the dhcp server is enabled:
Subnet mask: 255.255.255.128
Available range: x.y.z.128 - x.y.z.255
.. hence it serves ips from that range.
Clients get IP addresses with the following details:
Connection-specific DNS Suffix . : mydomain.local
Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : x.y.z.181
Subnet Mask . . . . . . . . . . . : 255.255.255.128
Default Gateway . . . . . . . . . : x.y.z.135
DHCP Server . . . . . . . . . . . : x.y.z.135
DNS Server. . . . . . . . . . . . : x.y.z.135
Lease Obtained. . . . . . . . . . : Thursday, July 5, 2007 15:21:28
Lease Expires . . . . . . . . . . : Thursday, July 5, 2007 17:21:28
Everything usually runs fine this way. But I just realized the following strange issue.
Usually with this setup I can ping from inside the following ips:
Internal bridged interface: x.y.z.135
External bridged interface: x.y.z.130
any external pingable address, hence everything works fine.
From external I cannot ping x.y.z.130 - that's fine.
I cannot ping x.y.z.135 - that's also fine.
Management interface is reachable from inside by pointing to the internal interface and is not reachable on any interface from the outside. - that's how it should be.
But now it comes: After a reboot (at least I think it happens only at reboot) the following situation MIGHT (non-deterministically) be:
Internal: the same, no change.
However, from external:
I can ping x.y.z.135 - that should not be!!
I cannot ping x.y.z.130 - that is ok ... (but it would not surprise me if ping worked)
Management interface still reachable from the inside on both interfaces (130 and 135).
Management interface now also reachable from OUTSIDE via x.y.z.135 - that's a security issue!!! Bummer!
Hence, it seems that somehow the bridge "turned around". This also influences other services like the PPTP-VPN which is bound to x.y.z.130. In the "turned around" mode, this cannot work anymore, since the 130 is now "after" the filtering bridge.
From the clients' point of view - i.e. internal - everything seems normal, that is traffic gets routed. Hence, there is no visible change on the inside.
Clearly, the first thing to look at are the interfaces - but there everything is still ok - WAN is bound to x.y.z.130, LAN is bound to x.y.z.135 (bridged) - so this seems ok, however, it does not behave accordingly.
So the big question is: Am I doing something wrong, or is this a bug?? How can I force the bridge to always stay in the mode as intended?
Some of the posts made recently with respect to transparent bridging (antispoofing, etc.) seem related, however, nowhere was this "turn-around" mentioned - however, there too it might be interesting to check if suddenly the internal IP is reachable from outside - maybe this is the origin of all the problems...
UPDATE: I managed to get back to the "good" behavior after two reboots without changing anything. So there is something non-deterministic with boot up!
Since the two interfaces are two onboard Intel chips I was suspecting for a short time that maybe FreeBSD assigns them non-deterministically. However, this theory is disproved by the fact that in both modes the MAC addresses are with the same interfaces:
Good mode: xx-xx-xx-xx-xx-b2 -> em2 (WAN) and xx-xx-xx-xx-xx-b3 -> em3 (LAN)
and also in "bad mode": xx-xx-xx-xx-xx-b2 -> em2 (WAN) and xx-xx-xx-xx-xx-b3 -> em3 (LAN)
UPDATE2: I was too quick with being happy... maybe the firewall was not booted completely yet. After a short time of being happy that the management interface was not accessible and also no ping worked from outside... suddenly the "bad mode" was back. Hence there are two possibilities: 1.) The firewall was not back yet and I just was too quick, or worse, the effect can simply happen without a boot - that would be really nasty...
Hence, the theory, that the drivers get mismatched does not hold. Other suggestions?
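The post suggests checking from outside whether the inside-facing bridged address suddenly answers. The following probe is an added example, not code from the original post or from pfSense: run from a host on the WAN side, it pings both bridge addresses and tries a TCP connect to the management ports, then reports "bad" as soon as the LAN-side address (x.y.z.135 in the post) replies to ICMP or exposes the webGUI, or the WAN address exposes the webGUI. The addresses are the post's placeholders and the management ports 80/443 are an assumption; `classify` is a hypothetical helper so the decision can be checked without a network.

```python
#!/usr/bin/env python3
"""External reachability probe for a transparent (filtering) bridge.

Run it from a host OUTSIDE the firewall, e.g. from cron. Expected state
from outside (the "good mode" in the post): neither bridge address answers
ping and no management port is open. If the LAN-side address answers or
exposes the webGUI, the bridge has "turned around" and the check fails.
"""
import socket
import subprocess
import sys

# Placeholders taken from the post; replace with the real addresses.
WAN_ADDR = "x.y.z.130"
LAN_ADDR = "x.y.z.135"
# Assumption: webGUI listens on the default HTTP/HTTPS ports.
MGMT_PORTS = (80, 443)


def icmp_reachable(host, timeout=3):
    """One ping via the system `ping`; True only if a reply came back."""
    try:
        rc = subprocess.run(["ping", "-c", "1", host],
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL,
                            timeout=timeout).returncode
    except (subprocess.TimeoutExpired, OSError):
        return False
    return rc == 0


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host, ports=MGMT_PORTS):
    """Collect ICMP reachability and the list of open management ports."""
    return {"icmp": icmp_reachable(host),
            "mgmt": [p for p in ports if tcp_open(host, p)]}


def classify(lan_result, wan_result):
    """Map the two probe results to the post's "good"/"bad" states.

    Returns (state, findings). Any finding means the filtering bridge is
    not isolating the inside address as intended.
    """
    findings = []
    if lan_result["icmp"]:
        findings.append("LAN address answers ICMP from outside")
    if lan_result["mgmt"]:
        findings.append("management ports %s open on LAN address"
                        % lan_result["mgmt"])
    if wan_result["mgmt"]:
        findings.append("management ports %s open on WAN address"
                        % wan_result["mgmt"])
    return ("bad" if findings else "good", findings)


def main(argv):
    lan = argv[1] if len(argv) > 1 else LAN_ADDR
    wan = argv[2] if len(argv) > 2 else WAN_ADDR
    state, findings = classify(probe(lan), probe(wan))
    print("bridge state: %s" % state)
    for f in findings:
        print(" - " + f)
    # Non-zero exit so a cron wrapper or monitoring job can alert on it.
    return 0 if state == "good" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `./bridgeprobe.py x.y.z.135 x.y.z.130` from an outside host. Because the post reports the flip happening some time after boot rather than only at boot, running the probe every few minutes and logging the state changes is more useful than a single check right after a reboot.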