Filtering bridge(4) traffic

Peter Jeremy peter at rulingia.com
Tue Jul 15 11:36:38 UTC 2014


I'm successfully using pf(4) on FreeBSD 9.2 as a firewall and would like to
also use the box as an AP.  At this stage I'm only using IPv4.

As originally configured, I have re0 connected to the Internet, em0
connected to my internal LAN and a couple of jails attached to loopback
interfaces.  All the interfaces are interconnected using nat/rdr and filter
rules.

I'm trying to add an AP (run0/wlan0), bridged with em0, to replace an
existing standalone AP.  At this point, I don't need to filter packets
between wlan0 and em0.

I've successfully migrated my rules from em0 to bridge0 and can correctly
block/pass traffic between the firewall (and Internet) and internal devices
via either em0 or wlan0.  New connections between em0 and wlan0 also work
but existing connections (e.g. clients failing over between wired and
wireless) fail - apparently due to missing state table entries.

I don't understand why packets between wlan0 and em0 are being filtered and
would appreciate any insights.

Relevant sysctl parameters (all default):
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1

Extract from pf.conf:

set skip on lo0                      # no filtering on loopback
scrub in all                         # normalise everything inbound
nat/rdr rules...
block out log all                    # default deny in both directions, logged
block in log all
block in quick proto udp from any to any port { netbios-ns, netbios-dgm, who, ldap, 1900, 3902, mdns, 9956 }
pass in quick on em0 tag em0         # mark what entered on the wired member
pass in quick on wlan0 tag wlan0     # mark what entered on the wireless member
pass out on wlan0 all tagged em0     # wired -> wireless, as seen on the member interface
pass out on em0 all tagged wlan0     # wireless -> wired, as seen on the member interface
pass out on bridge0 all tagged em0   # the same bridged traffic, as seen on bridge0
pass out on bridge0 all tagged wlan0
other filtering rules...

-- 
Peter Jeremy
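The question above hinges on where pf gets to see a frame that the bridge forwards between two members. bridge(4) documents that net.link.bridge.pfil_member enables filtering on the incoming and outgoing member interfaces, net.link.bridge.pfil_bridge enables filtering on the bridge interface itself, and net.link.bridge.pfil_onlyip decides what happens to non-IP frames. The script below is an added example, not code from the post or from FreeBSD: it models those hook points for the sysctl values quoted above, so that for the default settings a frame forwarded from em0 to wlan0 is handed to pf four times (in on em0, in on bridge0, out on bridge0, out on wlan0), which is why rules on the members and on bridge0 all apply to it. The interface names and knob values are the post's; the order of the hooks within each direction, and the note that pfil_local_phys also needs pfil_member, are the author's reading of bridge_pfil() in if_bridge.c and are marked as assumptions in the code.

```shell
#!/bin/sh
# Added example, not code from the original post: a small model of where pf
# sees a frame that crosses an if_bridge(4) bridge, driven by the four
# net.link.bridge.pfil_* sysctls quoted in the post. Hook points follow
# bridge(4); the order within each direction (member then bridge on input,
# bridge then member on output) is the author's reading of bridge_pfil() in
# if_bridge.c and should be treated as an assumption.

# Knob values from the post (all FreeBSD defaults); override in the environment.
PFIL_LOCAL_PHYS="${PFIL_LOCAL_PHYS:-0}"
PFIL_MEMBER="${PFIL_MEMBER:-1}"
PFIL_BRIDGE="${PFIL_BRIDGE:-1}"
PFIL_ONLYIP="${PFIL_ONLYIP:-1}"
BRIDGE_IF="${BRIDGE_IF:-bridge0}"

# frame_disposition ETHERTYPE -> filter | pass | drop
#   ip    : handed to the pfil(9) hooks, i.e. to pf
#   arp   : passed by the bridge without consulting pf
#   other : dropped when pfil_onlyip=1, passed unfiltered when 0
frame_disposition() {
    case "$1" in
        ip)  echo filter ;;
        arp) echo pass ;;
        *)   if [ "$PFIL_ONLYIP" = 1 ]; then echo drop; else echo pass; fi ;;
    esac
}

# pfil_points SRC_IF DST_IF ETHERTYPE
# Frame forwarded by the bridge from member SRC_IF to member DST_IF.
# Prints the direction:interface pairs pf evaluates, in order, or a
# one-word verdict when pf never sees the frame.
pfil_points() {
    src=$1; dst=$2; etype=$3
    # With both knobs off the bridge skips pfil entirely (all ethertypes).
    if [ "$PFIL_MEMBER" = 0 ] && [ "$PFIL_BRIDGE" = 0 ]; then
        echo unfiltered; return 0
    fi
    case "$(frame_disposition "$etype")" in
        pass) echo unfiltered; return 0 ;;
        drop) echo dropped-by-bridge; return 0 ;;
    esac
    pts=""
    # Input side of the forwarding path.
    [ "$PFIL_MEMBER" = 1 ] && pts="$pts in:$src"
    [ "$PFIL_BRIDGE" = 1 ] && pts="$pts in:$BRIDGE_IF"
    # Output side of the forwarding path.
    [ "$PFIL_BRIDGE" = 1 ] && pts="$pts out:$BRIDGE_IF"
    [ "$PFIL_MEMBER" = 1 ] && pts="$pts out:$dst"
    echo "${pts# }"
}

# local_points SRC_IF
# IP frame arriving on member SRC_IF and addressed to the host itself. The
# bridge re-injects it as received on the bridge interface, so the IP stack's
# own pfil hook shows it to pf as "in on bridge0" regardless of pfil_bridge;
# the physical member is consulted first only with pfil_local_phys=1
# (assumption: that extra hook also needs pfil_member=1).
local_points() {
    src=$1
    pts=""
    if [ "$PFIL_LOCAL_PHYS" = 1 ] && [ "$PFIL_MEMBER" = 1 ]; then
        pts="in:$src"
    fi
    pts="$pts in:$BRIDGE_IF"
    echo "${pts# }"
}

# Stand-alone demo of the post's em0 <-> wlan0 case: sh this_script demo
if [ "${1:-}" = demo ]; then
    echo "em0 -> wlan0, IP:  $(pfil_points em0 wlan0 ip)"
    echo "em0 -> wlan0, ARP: $(pfil_points em0 wlan0 arp)"
    echo "em0 -> host,  IP:  $(local_points em0)"
fi
```

Running it with the post's defaults prints the four hook points for a bridged IP frame and a single "in:bridge0" for a frame addressed to the host; setting PFIL_MEMBER=0 in the environment shrinks the bridged case to the two bridge0 hooks, which is the knob to look at when rules on the member interfaces should not see forwarded traffic at all. Confirm the hook order against your own kernel's if_bridge.c before relying on it for rule ordering.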