Firewall Config on a transparent Bridge - Questions on FW rules / OVPN IP

[Bear]

Previously, with PFSense, when I made a filtering bridge, all of my rules for what could or couldn't come in from the WAN side were on the WAN device, and rules for what could go out from the network were on the LAN device.  I'm rethinking my ways.

Would it work/be better to place all rules on the filtered bridge interface in Opnsense alone, using the "source" and "destination" options instead, while leaving both members of the bridge unconfigured?  I have a feeling that my PFSense config wasn't optimal, though the docs on using a filtered bridge weren't very helpful from the PFsense side.

Also, unrelated - When setting up an OpenVPN server, my bridge interface has an IP.  However, when in VPN:OpenVPN:Servers, whenever I select my bridged network as the interface, I get an error that says "An IPV4 protocol was selected, but the selected interface has no IPV4 address, when my bridged network interface is the ONLY interface that I've assigned an IP address to.  Does anyone have any thoughts on this as well?

I'm running a transparent bridge due to having a bunch of public IPs that I'd prefer not to 1:1 NAT with.

Any help/thoughts would be appreciated.

-Bear

[AdSchellevis]

Hi Bear,

I'm not using bridging very often, it tends to get complicated for various reasons. From my most recent experience , when sitting in between the traffic (LAN/WAN), I expect you best use the rules on both interfaces in stead of the bridge device itself, direction gets misinterpreted pretty easily (since both members are considered equally by default). When tying two equal networks (LAN+WLAN for example) filtering on the bridge usually works fine, which is also the scenario described in our docs.

As with pfSense you need to take care of the sysctl parameters (keep net.link.bridge.pfil_bridge on 0 when not filtering the bridge).
A full list of parameters can be found in the freebsd man page:

https://www.freebsd.org/cgi/man.cgi?bridge(4)


Best regards,

Ad

[Bear]

Hi Bear,

I'm not using bridging very often, it tends to get complicated for various reasons. From my most recent experience , when sitting in between the traffic (LAN/WAN), I expect you best use the rules on both interfaces in stead of the bridge device itself, direction gets misinterpreted pretty easily (since both members are considered equally by default). When tying two equal networks (LAN+WLAN for example) filtering on the bridge usually works fine, which is also the scenario described in our docs.

As with pfSense you need to take care of the sysctl parameters (keep net.link.bridge.pfil_bridge on 0 when not filtering the bridge).
A full list of parameters can be found in the freebsd man page:

https://www.freebsd.org/cgi/man.cgi?bridge(4)


Best regards,

Ad

I followed the instructions and set the sysctl parameters as required.  Hopefully that'll do.  I'll migrate my rules over from pfsense manually on the appropriate interfaces.

My other question still stands - When trying to get OpenVPN to work, it gives me the error stating that my interface has no IP, however the instructions for a filtered bridge state that only the bridge should have an IP...how do I get around this?

Thanks!

[AdSchellevis]

For the openvpn you probably need to share some more details (screenshots / steps to reproduce).
I expect it should be possible to set an address to the bridge and use it, but to be honest, it's a scenario we see even less often.

[Bear]

For the openvpn you probably need to share some more details (screenshots / steps to reproduce).
I expect it should be possible to set an address to the bridge and use it, but to be honest, it's a scenario we see even less often.

The steps to reproduce are simple.  After configuring the filtered bridge, try to set up an OpenVPN server instance.  It will want an interface to bind to.  The instructions for setting up a filtered bridge state that only the bridge interface should have an IP, and I've made sure that's the case.  However, when configuring the OpenVPN server, selecting the bridge interface to bind to (or any interface for that matter), I get the error of the assigned interface has no IP address.  Even when the bridged interface does.  So...I'm somewhat confused here.  If you want screenshots, please let me know of which pages and I'll post ASAP.  Thanks!

[AdSchellevis]

static ipv4 address? screenshots would probably help, the validation is pretty straightforward https://github.com/opnsense/core/blob/b2560c6eb46e2739a33c8e761db2b9efe541b776/src/www/vpn_openvpn_server.php#L189-L190

You could always check on the console if the bridge actually has an address at the moment (ifconfig), the new overview (Interfaces -> Overview) should also show the current addresses.

[Bear]

You could always check on the console if the bridge actually has an address at the moment (ifconfig), the new overview (Interfaces -> Overview) should also show the current addresses.

Good call.  Even though the UI showed the IP, I evidently didn't apply it, so the Bridged interface had no IP. Sorted!

Onto moving onto moving over more of my firewall rules and seeing if this actually works.  Sadly, it looks like OPNsense won't import my firewall rules.

[Bear]

One more problem.  I followed the OpenVPN Road Warrior instructions, except I omitted the OTP stuff.

I'm getting an error of "mbed TLS: SSL read error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" - Any ideas as to where I should look?  I'm using login names and passwords on OVPN Connect on my iPhone and this error is given after I attempt to connect. 

Finally, updates from the command line time out, I can't fetch suricata lists, and updates from the web seem to time out.  Internet connectivity is there, and I can ping from the web-based ping utility.  Nothing I've found via searches is yielding anything concrete.  Any suggestions there are also appreciated.

This is the last hump I need to get over and then I'm fully on OPNsense.

Thanks again!

[Bear]

I had to revert to my pfsense install because in spite of a firewall rule on my WAN at the top of my list explicitly stating no access to my firewall device (and applied it), I could still access my opnsense config page from the Internet.

I looked over pfsense's guides for a filtered/transparent bridge and opnsense's and they conflict.  opnsense says to give the bridge interface an IP.  PFSense doesn't add another firewall-exposed interface for the filtered bridge but states to only assign an IP to one of the member interfaces.

I’ve set the tunable to filter on the member interfaces only and not on the bridge interface. However while I can connect out, in that setting, none of my servers can be connected to at all. All with the same rules I have in Pfsense.

So I need to understand how this actually should work, otherwise by using a filtered bridge with static IPs between myself and the 'net, following the guide, I've actually got zero Firewall and with the tunables set to only filter on member interfaces, nothing gets in.

Changing my tunables to match my PFSense install blocks everything.  I'm pretty much at a loss at this point with OPNSense.

Help.

[AdSchellevis]

both docs are likely trying to solve different scenario's, in your case. When using the same sysctl settings on pfSense and OPNsense the result should also be similar in this case. But remember, the sysctl tunables are really important here, different choices can indeed result in traffic drops (default policy is drop).

You can always use

Code: [Select]

sysclt -a | grep bridge to check which settings are active.

[Bear]

both docs are likely trying to solve different scenario's, in your case. When using the same sysctl settings on pfSense and OPNsense the result should also be similar in this case. But remember, the sysctl tunables are really important here, different choices can indeed result in traffic drops (default policy is drop).

You can always use

Code: [Select]

sysclt -a | grep bridge to check which settings are active.

The sysctl parameters are only a part of it.  pfsense says that one of the bridge member interfaces needs an IP.  opnsense says the bridge interface itself needs an IP and that neither member interface should have an IP.

I've previously been told that filtering on the member devices is preferable so my tunables are:

I've set the tunables above:

net.link.bridge.pfil_member=1   
net.link.bridge.pfil_bridge=0

Though I've read on the netgate forums that if you set both tunables to 0 and place all firewall rules on the bridge interface, that just works without having to mess with tunables.

So, bottom line:
1) Do I need to give either member interface an IP, or is it the bridge interface that needs an IP? pfsense and opnsense disagree here.  I only want my management interface accessible from the LAN side of the network.
2) What tunables should I set if my firewall rules are on WAN and my OPT1 LAN port with static IPs?


Thanks

[AdSchellevis]

As I've said before, I'm not using this myself, we generally advise people to use routing instead of bridging.

I'm not sure if anyone disagrees, both scenario's are possible, depending on what you want to achieve you can choose one or the other. When placing de machine in between lan/wan I would set an ip on one of its members and choose to filter on the member (which I believe you used before as well). The freebsd manual contains most of the details about bridging and explains the related sysctl settings.

Most of the setups I've seen before use a separate interface for management purposes (which likely helps to simplify things).

Unfortunately I can't spend more time on this, maybe someone else uses the same scenario and wants to step in.

Best regards,

Ad