General Discussion / Internal LANs isolation on transparent bridge mode
« on: January 14, 2024, 03:14:24 pm »
Hi,
I'm trying to set up a transparent filtering bridge on an ESX hypervisor. I have to filter the traffic of two different VLANs (10 and 20), so I created two different bridges in OPNsense. Everything seems to work fine except the isolation between the internal segments of the LANs: the PCs on different internal LANs can communicate with each other.
![Schematic network topology](https://ibb.co/YBxLxb6)
```text
                          +-------------------------------+
                          |          OPNsense VM          |
                          |                               |
                          |            Bridge1            |
                          |  +------+           +------+  |
                          |  |VLAN10+-----------+VLAN10|  |
                          |  +------+           +------+  |
                          |                               |
                          |            Bridge2            |
                          |  +------+           +------+  |
                          |  |VLAN20+-----------+VLAN20|  |
                          |  +------+           +------+  |
                          |                               |
                          +---+-------------------+-------+
          .10.1               |                   |
  .10.2   .20.1   .20.2       |                   |         .10.3       .20.3
 +-----+ +-----+ +-----+      |                   |        +-----+     +-----+
 | PC1 | | GW  | | PC2 |      |                   |        | PC3 |     | PC4 |
 +--+--+ ++---++ +--+--+      |                   |        +--+--+     +--+--+
    |     |   |     |         |                   |           |           |
+---+-----+-+-+-----+---+-----+-----+       +-----+-----+-----+-----+-----+-----+
|  VLAN 10  |  VLAN 20  |   Trunk   |       |   Trunk   |  VLAN 10  |  VLAN 20  |
+-----------+-----------+-----------+       +-----------+-----------+-----------+
              vSwitch1                                   vSwitch2
```
The rules of the bridge interfaces are:
==PASS any from source 192.168.10.0/24 (Bridge1) / 192.168.20.0/24 (Bridge2)
==BLOCK any
The PASS rules are necessary to let the packets from the internal segment of the LAN (vSwitch2) reach the external segment of the LAN (vSwitch1), but in the case of bridge interfaces they work in both directions, so there will also be packets flowing from the external segment to the internal segment of the LAN; this is not an issue at the moment.
Promiscuous mode is activated on the "trunk" port group of both vSwitches (this is mandatory when bridging two vSwitches in ESX).
With the above settings this is what happens:
PC1 can ping PC2 (no bridges involved)
PC2 can ping PC1 (no bridges involved)
PC1 can ping PC3 but can't ping PC4 (bridges involved and rules functioning)
PC2 can ping PC4 but can't ping PC3 (bridges involved and rules functioning)
PC3 can ping PC1 and PC2 (bridges involved and rules functioning)
PC4 can ping PC1 and PC2 (bridges involved and rules functioning)
PC3 can ping PC4 (bridges involved and rules NOT functioning)
PC4 can ping PC3 (bridges involved and rules NOT functioning)
So the firewall doesn't block the traffic from the internal segment of LAN 10 to the internal segment of LAN 20 and vice versa.
I tried to put this rule on both bridge interfaces:
==BLOCK any from source 192.168.20.0/24 (Bridge1) / 192.168.10.0/24 (Bridge2)
but it didn't work.
I think this is due to the statefulness of the firewall: once the packet goes from the internal LAN to the external LAN to reach the GW, it has permission to come back to the internal side even if it is on a different LAN.
Is there a way to avoid this behaviour? Is it normal in transparent bridge mode, or is it due to the virtualization of the firewall?
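The PC3 to PC4 case from the post, played through a small model of a pf-style stateful filter. This is an added example, not code from the original post, from OPNsense or from pf. The hosts, addresses, rule set and hop sequence (PC3 reaches the GW over Bridge1, the GW routes into VLAN 20, the packet reaches PC4 over Bridge2 with the same IP addresses) are taken from the post; everything else is my assumption about how the filter behaves: rules are evaluated first-match and a matching pass rule creates a state, a "floating" state (pf's default `state-policy`) matches the same flow on any interface, and an "if-bound" state (pf's `set state-policy if-bound`) matches only on the interface that created it.

```python
"""Model of a pf-style stateful filter on two transparent bridges.

Added example, not code from the original post, from OPNsense or from pf.
Assumptions (mine, not stated on the page):
  * rules are evaluated first-match; a matching "pass" rule creates a state;
  * floating states: a state created on one interface matches the same flow
    on any interface (pf's default state-policy);
  * if-bound states: a state matches only on the interface that created it
    (pf's `set state-policy if-bound`).
Hosts, addresses, rules and the bridges each host crosses are from the post.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: Optional[IPv4Network]  # None means "any"


# Rule set from the post: each bridge passes its own subnet and blocks the rest.
RULES = {
    "bridge1": [Rule("pass", IPv4Network("192.168.10.0/24")), Rule("block", None)],
    "bridge2": [Rule("pass", IPv4Network("192.168.20.0/24")), Rule("block", None)],
}

# The extra BLOCK rules the post says were tried, placed in front of the others.
EXTRA_BLOCK_RULES = {
    "bridge1": [Rule("block", IPv4Network("192.168.20.0/24"))] + RULES["bridge1"],
    "bridge2": [Rule("block", IPv4Network("192.168.10.0/24"))] + RULES["bridge2"],
}

# Topology from the diagram: which bridge carries each VLAN, and where each host sits.
BRIDGE_OF_VLAN = {IPv4Network("192.168.10.0/24"): "bridge1",
                  IPv4Network("192.168.20.0/24"): "bridge2"}
HOSTS = {"PC1": ("192.168.10.2", "vSwitch1"), "PC2": ("192.168.20.2", "vSwitch1"),
         "PC3": ("192.168.10.3", "vSwitch2"), "PC4": ("192.168.20.3", "vSwitch2")}


def bridge_for(addr: str) -> str:
    ip = IPv4Address(addr)
    return next(br for net, br in BRIDGE_OF_VLAN.items() if ip in net)


def path(src_host: str, dst_host: str) -> list:
    """Bridges crossed, in order, by a packet from src_host to dst_host."""
    src_ip, src_side = HOSTS[src_host]
    dst_ip, dst_side = HOSTS[dst_host]
    if bridge_for(src_ip) == bridge_for(dst_ip):
        # Same VLAN, pure layer 2: a bridge is crossed only between the two vSwitches.
        return [bridge_for(src_ip)] if src_side != dst_side else []
    # Different VLANs: the GW on vSwitch1 routes. The source VLAN's bridge is crossed
    # to reach the GW if the source sits on vSwitch2; the destination VLAN's bridge is
    # crossed after routing if the destination sits on vSwitch2. The GW rewrites only
    # MAC addresses, so both bridges see the same IP flow.
    crossed = []
    if src_side == "vSwitch2":
        crossed.append(bridge_for(src_ip))
    if dst_side == "vSwitch2":
        crossed.append(bridge_for(dst_ip))
    return crossed


class Firewall:
    def __init__(self, if_bound: bool, rules=None):
        self.if_bound = if_bound
        self.rules = rules or RULES
        self.states = set()

    def _key(self, iface, flow):
        # if-bound: the state is tied to the interface; floating: the flow alone is the key
        return (iface, flow) if self.if_bound else flow

    def filter(self, iface: str, src: str, dst: str) -> str:
        flow, reverse = (src, dst), (dst, src)
        if self._key(iface, flow) in self.states or self._key(iface, reverse) in self.states:
            return "pass:state"        # state lookup happens before any rule is consulted
        for rule in self.rules[iface]:
            if rule.src is None or IPv4Address(src) in rule.src:
                if rule.action == "pass":
                    self.states.add(self._key(iface, flow))
                    return "pass:rule"
                return "block:rule"
        return "block:default"


def ping(fw: Firewall, src_host: str, dst_host: str):
    """Echo request along path(src, dst), then the reply back; returns (ok, trace)."""
    src_ip, dst_ip = HOSTS[src_host][0], HOSTS[dst_host][0]
    trace = []
    for iface in path(src_host, dst_host):
        verdict = fw.filter(iface, src_ip, dst_ip)
        trace.append((iface, "request", verdict))
        if verdict.startswith("block"):
            return False, trace
    for iface in path(dst_host, src_host):
        verdict = fw.filter(iface, dst_ip, src_ip)
        trace.append((iface, "reply", verdict))
        if verdict.startswith("block"):
            return False, trace
    return True, trace


if __name__ == "__main__":
    for if_bound in (False, True):
        print("state policy:", "if-bound" if if_bound else "floating")
        fw = Firewall(if_bound=if_bound)
        for a, b in [("PC1", "PC3"), ("PC1", "PC4"), ("PC3", "PC4"), ("PC4", "PC3")]:
            ok, trace = ping(fw, a, b)
            print(f"  {a} -> {b}: {'ok' if ok else 'blocked'}  {trace}")
```

With floating states the model reproduces the table in the post: PC1 to PC4 is blocked by the rule on Bridge2, but PC3 to PC4 passes on Bridge2 by state, because the pass rule on Bridge1 already created a state for 192.168.10.3 to 192.168.20.3 and the state lookup runs before the rules; that is also why prepending the extra BLOCK rules (`EXTRA_BLOCK_RULES`) changes nothing in the model. With if-bound states the second crossing has no matching state and falls through to the BLOCK rule. Whether the real firewall behaves like the model can be checked on the OPNsense shell with `pfctl -ss` while PC3 pings PC4: if a state for 192.168.10.3 to 192.168.20.3 exists, that is what admits the second crossing.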