Unsolicited source natted lan bridge traffic

[fgerardi]

Hi, I am a senior network admin but I am also new in Opnsense usage.
I created a lan bridge following documentation (https://docs.opnsense.org/manual/how-tos/lan_bridge.html) and everything seems to work.
Except that I discovered that traffic flowing from one lan (bridge) interface to another it is source natted with the wan address. Why?
After some investigations I found out that disabling bridge filter (net.link.bridge.pfil_bridge=0) solves the issue.
But this way I have no firewall filtering.

Would you please explain the logic of this behavior and a possible solution?

Thanks in advance for your help.

[fgerardi]

Hi, I managed to workaround the issue but I still don't understand why opnsense is working this way.

1 - I found that the problem occurs while bridge filter is enabled and you set "Automatic outbound NAT rule generation" in outbound nat mode section
2 - If I set outbound nat mode to "Manual" and replicate the same exact automatic outbound nat rule the problem is still there: at least this one makes sense!
3 - After some investigations it seems that the firewall is ignoring the fact that you set WAN Interface in the nat rule. Documentation says that this is the interface the rule applies to. And by reading this I understand the rule is going to be executed in case a packet is traversing that interface. Instead, the rule seems to be applied even when a packet is traversing other interfaces (not involving wan interface, ie packet traversing from a bridge interface to another).
4 - So, the workaround is to recreate outbound nat rules while setting a filter for destination address (only public networks destinations will be source natted)

Again, can someone explain the rationale behind this behavior?

[Patrick M. Hausen]

Did you assign the bridge interface to LAN in the "assignments" section?

[fgerardi]

Yes, I did