Messages

Thank you very much for the reply. I had to restore the backup from a week ago.
I did not configure the rules by hand, I only tried to delete the Snort ones because I thought that the default ones and the ET Telemetry ones were enough.
Although IPS was enabled, I did not have any rules configured to reject packets, only alert.
It seems that the problem could be, as you say, in the bridges. Once I restored the backup I noticed in the logs that packets are filtered at the interface level, and I understand that this should not happen with my configuration:
net.link.bridge.pfil_bridge Set to 1 to enable filtering on the bridge interface runtime 1
net.link.bridge.pfil_member Set to 0 to disable filtering on the incoming and outgoing member interfaces. runtime 0

The strange thing is that it didn't recover when disabling IDS and uninstalling, even restoring the offline backup and discarding the installation I have continued having problems, you are right it seems to have to do with the ARP tables, although there were no erroneous entries when cleaning them in the firewall and the switches started to work. But it has been working for months without problems, the only difference is that before enabling IDS I updated to version 24.7.11_2.
The need to use the bridges was because in an old commercial firewall that I had for a while to learn, I had it configured like that and I had no problems, but I think I will configure differentiated vlans and remove the bridges.
Thanks anyway. Happy holidays to everyone.
P.S.: I have read how to use suricata-updates, thanks, but I wanted to start with the policies, but I think I will reconfigure the entire network first.

Can someone explain to me what happened?

Hello again.
I have disabled all the snort rules, and I have deleted them as indicated in this post: https://forum.opnsense.org/index.php?topic=11027.0, and my system is now as shown in the image.
I had to restart the system manually because it was not responding and now it is very slow even though Suricata is disabled.
Does anyone have an explanation for what happened to me?

Good morning, after fully configuring my network, following the advice on the forum and reading tutorials, etc... I have started to configure a protection in upper layers, unfortunately my hardware is not enough to support Zenarmor, I have installed and configured Suricata and it has been a disaster. Possibly due to some configuration that I am not doing well. I have chosen to enable it in the internal networks according to the general recommendation.
I have several questions:
1. My network is configured with several bridges to extend the vlans between several cards. Example: vlan1_salon (igc0)->bridge0->vlan1_rooms(igc1). In the system tuneables configuration, filtering is disabled on the interfaces and enabled on the bridge.
All hardware acceleration features are disabled and promiscuous mode is enabled.
In the IDS/IPS interface configuration do I have to select the bridge interface alone?
2. In the $HOME variable I have deleted the predefined networks and set all my subnets/vlans to CIDR. Do I have to define all of them including those not selected in "Interfaces"?
3. Regarding the rules. I have installed the plug-ins for ET Telemetry and Snort, but they are a huge amount for my experience. I have uninstalled both plug-ins to start with the basics, but I cannot delete the rules that had already been downloaded. I understand that enabling the open rules for ET, abuse.ch and the built-in application detection rules is enough for basic and initial protection?
Thank's in advance.

I forgot to mention that I have another managed switch connected to my port 1, all the vlans with internet access go through that port, some of them are the ones I want to extend to the other OPNsense port.
I'm going to focus on working on creating the bridges first to extend the vlans and when I have everything working I'll work on the lacp.
The important thing is that I understand what I'm doing with your explanations and reading what the parameters I've changed mean, thanks Patrick. Little by little I'm a newbie with OPNsense and FreeBSD.
I've already configured a vlan on both ports, changing the ip to the bridge and it seems to work well, I'm going to copy the rules.
Thanks again Patrick, see you around here, I'm still pending to post in the proxy section because I can't get the deep inspection of squid to work with my certificates  :'(, Suricata seems to be working well at the moment.
As I said little by little.

Thanks again Patrick. Yes, I am clear that both ports have to be active and enabled to create the lacp. The switch is managed and supports it, another thing is that the lacp works between different manufacturers, but even if it were a simple failover I would leave it connected, that port is not used, I replaced an old router that also acted as an ap and that did not accept vlans precisely for this.
But through the lacp I would need to pass several tagged vlans and continue to see the devices that are already connected to them on both sides.
I attached a screenshot, sorry my English is not good

One last question.
If I want to take advantage of the other free port, can I create a lacp and include it in the bridge with the vlans?
That part of the house has many devices, 4 PCs, androidtv, AP and I wanted to move the old NAS there which has a 4-port aggregation and provides various services to the whole family.
Thanks again

Oh my god, thanks for the link, I haven't configured it right.
I'm going to try it right now.
I'll have to reconfigure the whole network again because I had created different vlans, the family wanted to kill me  :P.
Thanks a lot Patrick.

Good morning Patrick
Thanks for the reply. The old post I read was a reply from you. I understand that this limitation no longer exists?
I didn't express myself well, I'm sorry for the mistake.
This is how I did it. I created the same vlan id on the second physical port without an IP, and I created a bridge with the old and the new.
Configured like this, should it work?
Thank's.
P.D.: I forgot to mention that in some cases it worked without even assigning the bridge.

Hello everyone,
I have tried to extend the vlans of my network to other ports over a bridge and I have not been able to get it to work properly. In some cases the devices on the vlans communicate with each other but in others they do not.
I have read old posts from two years ago in which this type of configuration is discouraged, and they talk about a limitation in the FreeBSD architecture.
Could someone tell me if this limitation still exists in current versions?

I am attaching a screenshot in case I have not explained myself well, thank very much.

Muy buenas tardes a todos.
Hace unos meses que he montado un OPNsense en un microappliance de cuatro puertos, en el que actualmente utilizo uno para la wan, otro como troncal con varias vlans para una parte de la casa, y un tercer puerto conectado a un antiguo router que esta funcionando como switch y AP que no permite vlans.
El caso es que he adquirido un nuevo switch administrado y un AP para substituir el antiguo router y mi idea era "extender" las vlans ya existentes a esa parte de la casa. Quería hacerlo aprovechando el puerto que no utilizo y montar un lacp de 5GB, ya que se conectara todo el tráfico del AP, varios pcs y un NAS con un agregado de cuatro puertos dando diferentes servicios por varias vlans.
Todavía no me he liado con la agregación, pero al crear un bridge con las mismas vlans en diferentes puertos físicos no funciona.
En otro firewall que tenía los cuatro puertos estaban en el mismo switch y todas las vlans se "veían" y por defecto permitía todo el tráfico entre ellas, o se podía configurar para tener que permitirlo de manera explicita. Pero buscando información en el foro en ingles he encontrado un post de hace un par de años en el que se comenta que FreeBSD tiene esta limitación en su arquitectura y que no se pueden montar vlans encima de un bridge.
Alguien podría decirme si sigue existiendo esta limitación en la versión actual? Para seguir peleándome en esta linea si es que me he equivocado en alguna configuración, o directamente crear vlans diferenciadas.
Muchas gracias.