Transparent bridge but no inernet on bridge interface

[MrRagga]

Hi,
I am running verision OPNsense 21.1.7_1-amd64.
I followed the documentation https://docs.opnsense.org/manual/how-tos/transparent_bridge.html and configured a bridge interface with DHCP enabled.
The bridge interface is connected to a upstream internet router which serves the bridge interface with an DHCP address.
I am able to connect to the bridge interface to access the OPNsense web interface.

The strange behavior I observed is, that the OPNsense cannot itself connect to the internet via the bridge interface:

I opened to shell, one with a ping and another one doing a tcpdump:

root@OPNsense:~ # tcpdump -i igb1 -n host 1.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:49:33.330085 IP 192.168.178.26 > 1.1.1.1: ICMP echo request, id 33705, seq 0, length 64
14:49:33.355622 IP 1.1.1.1 > 192.168.178.26: ICMP echo reply, id 33705, seq 0, length 64
14:49:33.355836 IP 1.1.1.1 > 192.168.178.26: ICMP echo reply, id 33705, seq 0, length 64
14:49:34.330575 IP 192.168.178.26 > 1.1.1.1: ICMP echo request, id 33705, seq 1, length 64
14:49:34.355178 IP 1.1.1.1 > 192.168.178.26: ICMP echo reply, id 33705, seq 1, length 64
14:49:34.355328 IP 1.1.1.1 > 192.168.178.26: ICMP echo reply, id 33705, seq 1, length 64
14:49:35.394235 IP 192.168.178.26 > 1.1.1.1: ICMP echo request, id 33705, seq 2, length 64
14:49:35.419240 IP 1.1.1.1 > 192.168.178.26: ICMP echo reply, id 33705, seq 2, length 64
14:49:35.419441 IP 1.1.1.1 > 192.168.178.26: ICMP echo reply, id 33705, seq 2, length 64
14:49:36.395406 IP 192.168.178.26 > 1.1.1.1: ICMP echo request, id 33705, seq 3, length 64
14:49:36.421182 IP 1.1.1.1 > 192.168.178.26: ICMP echo reply, id 33705, seq 3, length 64
14:49:36.421276 IP 1.1.1.1 > 192.168.178.26: ICMP echo reply, id 33705, seq 3, length 64
14:49:37.402817 IP 192.168.178.26 > 1.1.1.1: ICMP echo request, id 33705, seq 4, length 64

root@OPNsense:~ # ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
^C
--- 1.1.1.1 ping statistics ---
92 packets transmitted, 0 packets received, 100.0% packet loss

From this output it does not look like a routing issue, rather then a filterting issue.

For the bridge interface all incoming and outgoing traffic is allowed (see attachment).

Additionaly I changed net.link.bridge.pfil_bridge from default to 1 and net.link.bridge.pfil_member from default to 0.

The only option currently found to enable internet for the OPNsense box itself and be able to e.g. retrieve firmware upgrades is to disable firewall filtering completely via Firewall -> Settings -> Advanced ->  Disable all packet filtering.

Here an output of all filter rules:

# pfctl -s all
TRANSLATION RULES:
no nat proto carp all
no rdr proto carp all
no rdr on igb0 proto tcp from any to (igb0) port = ssh
no rdr on igb0 proto tcp from any to (igb0) port = http

FILTER RULES:
scrub on igb2 all fragment reassemble
scrub on igb0 all fragment reassemble
scrub on igb3 all fragment reassemble
scrub on igb1 all fragment reassemble
scrub on bridge0 all fragment reassemble
block drop in log on ! bridge0 inet from 192.168.178.0/24 to any
block drop in log inet from 192.168.178.26 to any
pass in log quick on lo0 inet6 all flags S/SA keep state label "70fcd47cc0b8782476fce1731eb7eb4c"
block drop in log quick inet6 all label "91515c100a3692cb94121964974ce513"
block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
block drop in log inet6 all label "02f4bab031b57d1e30553ce08e0ec131"
pass in log quick inet6 proto ipv6-icmp all icmp6-type unreach keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type toobig keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state label "1d245529367b2e34eeaff16086aeafe9"
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state label "1d245529367b2e34eeaff16086aeafe9"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echoreq keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echoreq keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type echorep keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type echorep keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routersol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routersol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type routeradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type routeradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbrsol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbrsol keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to fe80::/10 icmp6-type neighbradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass out log quick inet6 proto ipv6-icmp from (self) to ff02::/16 icmp6-type neighbradv keep state label "acdbb900b50d8fb4ae21ddfdc609ecf8"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state label "42e9d787749713a849d8e92432efdfaa"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state label "8752fca75c6be992847ea984161bd3f1"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state label "71dd196398b3f1da265dbd9dcad00e70"
pass in log quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state label "71dd196398b3f1da265dbd9dcad00e70"
block drop in log quick inet proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet6 proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet6 proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet6 proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet6 proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick proto carp from (self) to any label "306de368b07e5782660745341cd22731"
pass log quick proto carp all keep state label "ace7acc1be88f3baee3b75f64fca8a6f"
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "669143f420c3ab4118bcb0bf4b5fd823"
block drop in log quick proto tcp from <sshlockout> to (self) port = http label "b523e02acc7c2758dc28e60501bc95c2"
block drop in log quick from <virusprot> to any label "8e367e2f9944d93137ae56d788c5d5e1"
pass in log on bridge0 proto udp from any port = bootps to any port = bootpc keep state label "8794fba2af10a80a7cd6694545f5f976"
pass out log on bridge0 proto udp from any port = bootpc to any port = bootps keep state label "387b9c2f2783413d29228e81c6e27f02"
pass in log quick on lo0 all flags S/SA keep state label "91e2443ae2e8caf012f9a6e5a8a455c8"
pass out log all flags S/SA keep state allow-opts label "fae559338f65e11c53669fc3642c93c2"
pass in log quick on igb0 proto tcp from any to (self) port = ssh flags S/SA keep state label "535fb49265487de284cbc79f8048a934"
pass in log quick on igb0 proto tcp from any to (self) port = http flags S/SA keep state label "535fb49265487de284cbc79f8048a934"
pass out log route-to (bridge0 192.168.178.1) inet from (bridge0) to ! (bridge0:network) flags S/SA keep state allow-opts label "d16470f92e546eb1cc63d0d8414acf21"
pass in log quick on igb1 inet proto icmp all keep state label "d80462bd0f5f4db7839ce37d5acf6738"
pass out log quick on igb1 inet proto icmp all keep state label "2255abe718bd9d4b0eaa95123a853c1e"
pass in log quick on igb1 inet all flags S/SA keep state label "56c0bd681b45c2b9059fdb34405fc3cf"
pass in log quick on igb1 inet6 all flags S/SA keep state label "56c0bd681b45c2b9059fdb34405fc3cf"
pass out log quick on igb1 inet all flags S/SA keep state label "797bba2bb0edc676dec18823cdae8109"
pass out log quick on igb1 inet6 all flags S/SA keep state label "797bba2bb0edc676dec18823cdae8109"
block drop in log quick on igb1 inet all label "332710a834c1f8d3eaaba38c885a9360"
block drop out log quick on igb1 inet all label "d6d049b5dae98a0397ac306af917f7db"
pass out log quick on igb0 inet all flags S/SA keep state label "57560aeeec3c6856ac89c82db739c72d"
pass in log quick on igb0 inet all flags S/SA keep state label "84c724704fe974ec269d10b841bd6468"
block drop in log quick on igb0 inet all label "a30a658ac0ebd497abc45b9b13b1aecd"
block drop out log quick on igb0 inet all label "31820796274819aff5a7ce520c566d2e"
pass out log quick on lo0 inet all flags S/SA keep state label "05325fdef78307145a8ee3053a2b16b8"
block drop in log quick on lo0 inet all label "a79a16e4be401f91ecbb92707712b46f"
block drop out log quick on lo0 inet all label "9e693e65e6826c36382b2da578878238"
pass in log quick on igb2 inet all flags S/SA keep state label "02a0b69922af00ebf2a07e7404cb2730"
pass out log quick on igb2 inet all flags S/SA keep state label "653bd7c3c22383592d6df2f9ae03c4dc"
pass out log quick on igb3 inet proto udp from any port = bootpc to any port = bootps keep state label "41a450c8bbded4ae2767718a48e114ee"
pass out log quick on igb3 inet proto udp from any port = bootps to any port = bootpc keep state label "2e664a995ecb77df56f6874da969523d"
pass out log quick on igb3 inet proto tcp from 192.168.178.0/24 to any flags S/SA keep state label "90dcbcf5de35f2e4a6c1752397c26f1b"
pass in log quick on igb3 inet from any to 192.168.178.23 flags S/SA keep state label "298e85603ec04386fb72dd55c4b2a333"
pass in log quick on igb3 inet from any to 192.168.178.24 flags S/SA keep state label "ff9b91f4fb97c6ecc01969640217b9d1"
pass in log quick on igb3 inet all flags S/SA keep state label "18e4965afaaa9b82588bb9da85180eea"
pass out log quick on igb3 inet all flags S/SA keep state label "11bc15649131440ccf0d0ea7ff44c37a"
block drop in log quick on igb3 inet all label "4a79e200d71cb7f98c6355b529b70e5d"
block drop out log quick on igb3 inet all label "cfe61624757dacfb735b8b3623b01d3f"
pass in log quick on bridge0 reply-to (bridge0 192.168.178.1) inet all flags S/SA keep state label "86fc54f838e92bf09103bbb5ee3931e7"
pass in log quick on bridge0 inet6 all flags S/SA keep state label "86fc54f838e92bf09103bbb5ee3931e7"
pass out log quick on bridge0 reply-to (bridge0 192.168.178.1) inet all flags S/SA keep state label "ae53026578b5410162b9a17442c17aa5"
pass out log quick on bridge0 inet6 all flags S/SA keep state label "ae53026578b5410162b9a17442c17aa5"
block drop in log quick on bridge0 reply-to (bridge0 192.168.178.1) inet all label "e3d8a2996db5a5d66d996c8b6af8c1c9"
block drop out log quick on bridge0 reply-to (bridge0 192.168.178.1) inet all label "616243682f4138671e28923367f87bcc"

Any help appreciated, since I don't know what I am doing wrong.

[errored out]

Why do you have 2 DHCP servers configured?  1 on the External router and one on the bridge itself.