Hi Everybody,

I'm encountering a problem routing packets from the management interface of my OpenBSD 4.6 system through a transparent bridge on the same machine. Our basic set-up is we have a large-ish LAN behind the OpenBSD box. The OpenBSD box acts as a firewall between the LAN and the outside world. This is accomplished by having a transparent bridge running on the OpenBSD box that connects the rest of the LAN to the router, i.e.:

+--------+         +--------------------+        +--------+
|  LAN   |<- em2 ->| Transparent bridge |<- em3->| Router |
+--------+         +--------------------+        +--------+

Note: em2 and em3 are the two interfaces on the OpenBSD box that make up the transparent bridge.

Also, the OpenBSD box has a management interface (em0) which connects to the LAN switch.

All of the firewall rules between the LAN and the router appear to be working correctly and traffic is passed as we expect *except* when it originates from the management interface (em0). If we disable PF or we put "skip on em0" in the pf.conf, traffic from the management interface to the outside world passes over the bridge as expected. If, however, PF is enabled on em0, it doesn't work. I've reduced the filter set to the smallest possible that reproduces the problem:

block log all
pass log quick on em0
pass log quick on em2
pass log quick on em3 inet proto udp from any to <dns_servers> port 53
pass log quick on em3 inet proto udp from <dns_servers> port 53 to any

We're using DNS as an example, but we've verified that this happens with all traffic. The strange thing is that if we run a tcpdump on pflog0, we don't see any traffic being blocked. Furthermore, if we run tcpdump on em0, we see the DNS request and reply packets cross the interface. This indicates to us that the DNS reply packet from the DNS server is getting back to the machine, but is not being passed to the application for some reason. We also noticed something else strange: when any host other than the management IP sends a DNS request packet, we see the packet pass in on em2 and out on em3. When the management interface sends a DNS packet out, we see it pass in on em2 but we don't ever see it pass out em3 (it must reach the router somehow, though, because as mentioned we do see the response packet from the server).

At this point, I'm really not sure what's going on. Traffic from the management interface should in theory be treated the same as any other traffic crossing the bridge, but that doesn't seem to be the case. If anyone could provide any suggestions of where we're going wrong here, they would be much appreciated. Unfortunately, the way our network is designed requires that our firewall operate on a transparent bridge.

Best Wishes,
Tim Miller