[ previous ] [ next ] [ threads ]
 
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>, Fabrizio Steiner <fabrizio at steiner dash vs dot ch>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 1.3 WAN <-> Opt bridge wrong rules apply
 Date:  Tue, 18 May 2010 19:27:05 -0400
On Fri, Feb 12, 2010 at 7:12 AM, Neil A. Hillard <m0n0 at dana dot org dot uk> wrote:
>
> I too noticed this problem with 1.3 a while back and reverted to 1.2.
> Unfortunately I haven't yet had the chance to run up a test firewall and
> double-check things.
>
> I had the rules initially on OPT1, as per my 1.2 config, upgraded to 1.3

> everything on OPT1 stopped working so I migrated all of the rules to the

> flipped back so I had to migrate the rules back to OPT1!
>

I ran into a situation where things didn't work after upgrading from
1.2x to 1.3 and found one major difference that may be impacting both
people who posted in this thread. if_bridge obeys your Outbound NAT
configuration where the old BRIDGE apparently ignores it, which by
default is going to NAT everything outbound and hose your traffic in
general in unusual ways. In combination with a bridge, this causes
havoc on which rules function correctly and which don't, and you don't
want to NAT across that bridge anyway. You need to enable advanced
outbound NAT under Firewall > NAT, Outbound tab, and don't configure
any NAT rules that would match your bridged interface (if you're only
bridging, don't configure any outbound NAT rules at all). Flip
flopping the rules around could have created states or did something
differently that happened to make it sort of work temporarily, when
the problem is really just the NAT messing with the bridge. I never
could determine exactly how it was getting messed up as it was a
remote system and the lack of tcpdump on m0n0wall hindered any in
depth troubleshooting, but disabling the NAT fixed all the problems
and made the rules behave the same as they did in 1.2x.

Other than that difference, everything will work exactly as it did
previously (except in cases where you weren't filtering at all on the
bridge, it's not possible to do that now).

If your bridge doesn't work the same in 1.3x as it did in 1.2x, where
outbound NAT is properly disabled and you aren't trying to do a
non-filtered bridge, email me off list and I'll take a look at it (I
wrote the if_bridge code change in m0n0wall).