Thanks for the info, Claudio.
Unfortunately, I have read only the "Networking FAQ"
(https://www.openbsd.org/faq/faq6.html) and there is no info about it there.
It would be great to update this page for dummies, because very few people
read reference manuals line by line ;-) Most follow guides. I personally
write everything on my website as if for children.
My logic behind filtering was simple: bridge/vether handles everything and the
physical interfaces are in promiscuous mode. I have filtering for
vether0 but didn't imagine DHCP is still handled at the physical interface level.
pf.conf updated:
set skip on em1-3
The only thing that still puzzles me is where to filter: bridge0 or vether0.
If I understand correctly, vether0 should be the interface for filtering
because it has an IP address assigned. The physical interfaces and the bridge
should be treated like loopback, in other words, not filtered at all.
Windows is not the issue, because the Internet died on my Linux server once the
DHCP lease was supposed to be renewed. My guess is that during boot the DHCP host
IPs were acquired before the firewall started up, and miraculously the IPs
were assigned; only the Windows machine didn't make it before the firewall came up.
On 11/03/2021 08:49, Claudio Jeker wrote:
> On Wed, Mar 10, 2021 at 08:40:55PM +0100, [email protected] wrote:
>> Hi,
>> I set up an OpenBSD router/firewall on a PC Engines APU4d4 box.
>> The first interface is the WAN that connects to the Internet.
>> The remaining three interfaces are bridged with bridge0 via vether0.
>> The firewall doesn't block LAN/bridge traffic on vether0.
>> DHCPD runs on the bridge.
>> Two Linux hosts (connected to em2 and em3) connect without problem, but the
>> Windows host's DHCP requests are blocked on em1.
>> I didn't find any info regarding pf and bridging.
>
> Please check the bridge(4) manpage, especially the NOTES section.
>
>> set skip on lo0
>> set skip on bridge0
>
> This line is useless. Packets never show up on bridge0. You need to add
> the physical interfaces and vether0 to your ruleset.
>
>> So far I have found a kludge for Windows: "set skip on em1".
>> Once the above line is present in pf.conf, the Win 10 host is allowed to acquire
>> an IP address. Interestingly, Linux has no issues acquiring IP addresses
>> via DHCP.
>> Any suggestions, please?
>
> You need to fix your pf.conf.
>
>> Is it something screwed up in Windows, such as a short 3-way handshake?
>
> I doubt it. Your ruleset is most probably not allowing packets to pass
> properly over the bridge. Since you did not share your pf.conf file it is
> impossible to give you a better answer.
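For reference, here is an added pf.conf sketch (not from anyone in this thread) of the layout the discussion converges on: packets never appear on bridge0, so the physical bridge members are skipped and filtering happens once, on vether0, with DHCP allowed explicitly. It assumes em0 is the WAN, em1 to em3 are the bridge members, vether0 carries the LAN address, and the LAN prefix is a constructed sample value.

```pf
# Added example pf.conf, not the poster's actual ruleset.
# Assumed roles: em0 = WAN, em1 em2 em3 = bridge0 members, vether0 = LAN side.
wan     = "em0"
lan     = "vether0"
lan_net = "192.168.1.0/24"   # constructed sample LAN prefix

set skip on lo0
# "set skip on bridge0" would do nothing: packets never show up on bridge0.
# Skip the physical members instead so each frame is filtered once, on vether0.
set skip on { em1 em2 em3 }

block log all

# DHCP clients broadcast from 0.0.0.0 port 68 to 255.255.255.255 port 67 before
# they hold a lease, so a rule restricted to $lan_net would never match a fresh
# request. Allow the exchange on the LAN side explicitly.
pass in  quick on $lan inet proto udp from any port 68 to any port 67
pass out quick on $lan inet proto udp from any port 67 to any port 68

# LAN hosts may reach the outside; state handles the return traffic.
pass in  on $lan inet from $lan_net to any
# Assumes private LAN addressing behind a single WAN address.
pass out on $wan inet from $lan_net to any nat-to ($wan)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` while a client requests a lease to confirm which interface, if any, still logs a block.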