Bridge not Forwarding ARP

Dan Lists lists.dan at
Thu Apr 25 00:37:08 UTC 2019

I am trying to set up a bridged firewall in VMware.  I have a test setup
like this:

Internal  ---  vswitch  --- (em2) Filter (em1) -- switch -- External

The Internal, Filter, and External servers are all running FreeBSD 11.2.
Filter has a bridge0 using members em1 (external side) and em2 (internal

If I ping from Internal to External I see ARP Requests on em2, bridge0, and
em1 of Filter.  I see ARP Replies on em1 but they do not show up on
bridge0.  This is the same with or without a firewall running on Filter.

If I ping from External to Internal then I see both ARP Requests and
Replies on all interfaces and the ping works.

I searched and read documentation and everything I can find says that ARP
packets should be forwarded over the bridge.  Why are the ARP Replies only
being forwarded in one direction?

I was looking at sysctl output and I found kern.features.security_mac but
Google search didn't turn up any documentation.  I tried to change it
(sysctl and loader.conf) but it seems hard coded to 1.

I'm not really sure what to try.  Any help would be appreciated.

