[SOLVED] How to exclude L2 interfaces from the firewall ?

Started by ajm, February 06, 2022, 04:20:53 PM

I'm working on an OPNsense 22.1 configuration which includes several VLAN trunk ports, which has necessitated the creation of a number of L2-only interfaces, to serve as bridge members. The L3 Interfaces 'proper' are configured on the bridges.

The default OPNsense firewall behaviour is to include ALL interfaces. So effectively, traffic ingressing the system is passing through the firewall twice, once through the L2 interface and once through the L3 Interface.

This seems unnecessary and undesirable, so I would prefer to exclude all the L2 interfaces from the firewall.

What's the best way to do this?

TIA

Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

February 06, 2022, 09:20:55 PM #2 Last Edit: February 06, 2022, 09:24:12 PM by ajm
Many thanks, I'll reply here to keep the topic of this thread.

WRT to Step 6 in: 'How to set up a LAN bridge'
https://docs.opnsense.org/manual/how-tos/lan_bridge.html

I tried setting:

net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=1
After this change my test iperf3 connection between two test servers connecting via the bridge, failed completely.

I also noted, in the GUI, under Firewall:Rules, all the L2 bridge member interfaces were STILL LISTED. This is somewhat counterintuitive as I would have expected net.link.bridge.pfil_member to have removed these interfaces from the firewall.

I reverted the change to:

net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0
And connectivity was restored between the two test servers. All I can think is that (a) some other config change was needed alongside the two tunables, or (b) the tunables no longer function correctly in OPNsense 22.1.

As I have a good throughput even with the 'double-filtering', I don't want to get bogged down with these tunables. But if a solution can be found, I would of course prefer a 'cleaner' solution.

February 06, 2022, 09:52:21 PM #3 Last Edit: February 06, 2022, 09:54:22 PM by ajm
OK, so I couldn't help myself having another look at this and TBH I wish I hadn't..

I reset the two tunables:

net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=1
And re-ran the iperf3 test between the two servers.

The L3 Interface address on the bridge in question is 10.0.16.2. The servers are on 10.0.16.7 & 10.0.16.8.

I checked the Firewall:Log Files:Live View. I saw that the iperf3 test traffic between the two servers was hitting the default deny rule on the bridge L3 interface!

Why is it even going there? Does not compute..

February 06, 2022, 10:30:52 PM #4 Last Edit: February 06, 2022, 10:45:02 PM by ajm
Ok.. Whew! It seems I'm not the first to have been caught out by this:

https://forum.netgate.com/topic/90384/help-clarify-my-understanding-of-the-net-link-bridge-pfil-tunables-please/2

To enable the expected behaviour of a bridge, e.g. that frames are forwarded transparently between member ports, the two tunables must both be set to zero:

net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=0
My iperf3 test traffic is now flowing normally between the two servers without hitting the bridge L3 interface.

However the throughput benefit achieved by removing the 'double-filtering' was marginal, ~895Mbit > ~915Mbit. Oh well.. It's still 'fine' :)

PS. The OPNsense GUI under Firewall:Rules is MISLEADING on this as it still shows all the L2 interfaces and includes a message: "No L2_interfaces rules are currently defined. All incoming connections on this interface will be blocked until you add a pass rule. Exceptions for automatically generated rules may apply." This is INCORRECT with the tunables set as above.
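As an added check, not part of ajm's posts or of OPNsense itself: a small POSIX shell script that reads the two if_bridge tunables discussed above (from a constructed sysctl-style sample, or live on the firewall via the `live_mode` function) and reports where pf will filter bridged frames. The mode names (`transparent`, `bridge-only`, `member-only`, `double`) are this script's own labels, not FreeBSD or OPNsense terminology. It encodes the two outcomes the thread reports: `pfil_member=0` / `pfil_bridge=1` means bridged frames are judged on the bridge interface's rule set (which is why the iperf3 traffic in post #3 hit the default deny there), and `0` / `0` means bridged frames skip pf entirely. The defender's caveat for the `0` / `0` setting follows from that: host-to-host traffic between members of the same bridge is no longer subject to any firewall rule, so any policy you need between those hosts has to be enforced elsewhere; only traffic routed via the bridge's L3 address still passes through the rules shown in the GUI.

```shell
#!/bin/sh
# Added example: classify how pf applies to bridged frames from the two
# FreeBSD if_bridge tunables net.link.bridge.pfil_member and
# net.link.bridge.pfil_bridge. Mode names are this script's own labels.

# Constructed sample of `sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge`
# output; the "name: value" form is what sysctl prints on FreeBSD.
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0'

# Print the numeric value of tunable $1 from "name: value" or "name=value"
# lines read on stdin (so it also parses a sysctl.conf-style listing).
tunable_value() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape the dots for sed
    sed -n "s/^${esc}[:=][[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Map (pfil_member, pfil_bridge) to a filtering mode keyword.
#   transparent : 0/0 bridged frames bypass pf; only routed traffic via the
#                 bridge's own address is filtered (OPNsense GUI still lists
#                 the members, but their rules do not apply to bridged frames)
#   bridge-only : 0/1 bridged frames filtered once, on the bridge interface,
#                 which therefore needs explicit pass rules for that traffic
#   member-only : 1/0 bridged frames filtered on each member interface
#   double      : 1/1 filtered on the member and again on the bridge
bridge_filter_mode() {
    case "${1}${2}" in
        00) echo transparent ;;
        01) echo bridge-only ;;
        10) echo member-only ;;
        11) echo double ;;
        *)  echo "unknown (member='$1' bridge='$2')" >&2; return 1 ;;
    esac
}

# Read sysctl-style text on stdin and print the resulting mode.
report_from_sysctl() {
    text=$(cat)
    m=$(printf '%s\n' "$text" | tunable_value net.link.bridge.pfil_member)
    b=$(printf '%s\n' "$text" | tunable_value net.link.bridge.pfil_bridge)
    bridge_filter_mode "$m" "$b"
}

# Query the running kernel (FreeBSD/OPNsense only); not called automatically.
live_mode() {
    sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge | report_from_sysctl
}

# Demonstration on the constructed sample: prints "transparent".
printf 'sample tunables -> %s\n' "$(printf '%s\n' "$SAMPLE_SYSCTL" | report_from_sysctl)"
```

Run it as-is to see the sample classified; on the firewall itself, source the file and call `live_mode` to check the values actually in effect rather than what the GUI implies.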