OPNsense Forum » Archive » 20.7 Legacy Series

Topic: Unsolicited source natted lan bridge traffic (Read 1743 times)
fgerardi (Newbie, Posts: 14, Karma: 0)
Posted on: September 29, 2020, 08:02:00 am
Hi, I am a senior network admin but I am also new to using OPNsense.
I created a LAN bridge following the documentation (https://docs.opnsense.org/manual/how-tos/lan_bridge.html) and everything seems to work.
Except that I discovered that traffic flowing from one LAN (bridge) interface to another is source NATed with the WAN address. Why?
After some investigation I found out that disabling the bridge filter (net.link.bridge.pfil_bridge=0) solves the issue.
But this way I have no firewall filtering.
Would you please explain the logic of this behavior and a possible solution?
Thanks in advance for your help.
fgerardi (Newbie, Posts: 14, Karma: 0)
Reply #1 on: October 04, 2020, 09:48:59 am
Hi, I managed to work around the issue but I still don't understand why OPNsense is working this way.
1 - I found that the problem occurs when the bridge filter is enabled and "Automatic outbound NAT rule generation" is selected in the outbound NAT mode section.
2 - If I set the outbound NAT mode to "Manual" and replicate the exact same automatic outbound NAT rule, the problem is still there: at least this one makes sense!
3 - After some investigation it seems that the firewall is ignoring the fact that you set the WAN interface in the NAT rule. The documentation says that this is the interface the rule applies to, and by reading this I understand that the rule is going to be executed when a packet is traversing that interface. Instead, the rule seems to be applied even when a packet is traversing other interfaces (not involving the WAN interface, i.e. a packet traversing from one bridge interface to another).
4 - So, the workaround is to recreate the outbound NAT rules with a filter on the destination address (only public network destinations will be source NATed).
Again, can someone explain the rationale behind this behavior?
Last Edit: October 04, 2020, 10:13:57 am by fgerardi
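The workaround in step 4 above, sketched as an added example (not code from the thread or from OPNsense): it renders the outbound NAT rule in pf.conf syntax with and without the destination restriction, and applies the same from/to address match pf would apply to a few constructed flows. The interface name em0, the LAN subnet 192.168.1.0/24, the table name private_nets and the sample flows are all assumptions; only the address match is modelled, since the interface binding ("on WAN") is exactly the part the post reports not taking effect for bridge-to-bridge traffic with the bridge filter enabled.

```python
import ipaddress

# Added example, not OPNsense code. Models the outbound NAT rule from the
# workaround (step 4) and the address match pf applies to each flow.

# Destinations that must never be source-NATed: RFC 1918 plus link-local.
# On OPNsense this would be an alias; here it is a constructed list that
# stands in for a pf table named <private_nets> (assumed name).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
)]


def rule_text(wan_if: str, src_net: str, restrict_dst: bool) -> str:
    """Render the outbound NAT rule in pf.conf syntax.

    restrict_dst=False mirrors the automatic rule ('to any'); True adds the
    negated table the workaround uses so only public destinations match.
    """
    dst = "!<private_nets>" if restrict_dst else "any"
    return f"nat on {wan_if} inet from {src_net} to {dst} -> ({wan_if})"


def nat_applies(src: str, dst: str, src_net: str, restrict_dst: bool) -> bool:
    """True if the rule's from/to part matches this flow.

    Deliberately ignores the 'on <interface>' binding: the thread reports
    that binding not taking effect for bridge-to-bridge traffic when
    net.link.bridge.pfil_bridge=1, so only the address test is modelled.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in ipaddress.ip_network(src_net):
        return False
    if restrict_dst and any(d in net for net in PRIVATE_NETS):
        return False
    return True


def translated_flows(flows, src_net: str, restrict_dst: bool):
    """Subset of (src, dst) flows the rule would source-NAT."""
    return [f for f in flows if nat_applies(f[0], f[1], src_net, restrict_dst)]


# Constructed sample flows: two hosts on bridge member ports of the same LAN
# subnet, plus one internet destination (TEST-NET-3 documentation range).
SAMPLE_FLOWS = [
    ("192.168.1.10", "192.168.1.20"),   # bridge member to bridge member
    ("192.168.1.20", "192.168.1.10"),   # reverse direction
    ("192.168.1.10", "203.0.113.10"),   # LAN to internet
]

if __name__ == "__main__":
    for restrict in (False, True):
        print(rule_text("em0", "192.168.1.0/24", restrict))
        for src, dst in translated_flows(SAMPLE_FLOWS, "192.168.1.0/24", restrict):
            print(f"  would source-NAT {src} -> {dst}")
```

With the plain "to any" rule every sample flow matches on addresses alone, so whatever path lets the rule fire for bridged traffic will rewrite the LAN-to-LAN flows too; with the negated table only the LAN-to-internet flow is translated, which is the effect the workaround relies on.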
Patrick M. Hausen (Hero Member, Posts: 6826, Karma: 573)
Reply #2 on: October 04, 2020, 01:42:34 pm
Did you assign the bridge interface to LAN in the "assignments" section?
fgerardi (Newbie, Posts: 14, Karma: 0)
Reply #3 on: October 04, 2020, 01:54:55 pm
Yes, I did.