#2
Old 6th February 2022
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,719

Welcome back! It's been a long time.

I think that your antispoof rule is the problem, because it isn't designed for use with a bridge; it's designed for a single NIC per subnet. If you use `# pfctl -sr`, you will see that the expansion of `antispoof for $lan` -- `$lan = vether0` -- expands to something like this:
Code:
block drop in on ! vether0 inet from 192.168.0.1/24 to any
block drop in inet from 192.168.0.1 to any
The pf.conf(5) man page states:
Code:
     The antispoof directive expands to a set of filter rules which will block
     all traffic with a source IP from the network(s) directly connected to
     the specified interface(s) from entering the system through any other
     interface.
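The following is an added illustration, not part of jggimi's post or of OpenBSD's pf: a small Python model of how `antispoof for <iface>` expands into the two `block drop in` rules shown above, and of which rule catches a packet depending on the interface it arrives on. The interface name `em0` is a hypothetical physical bridge member paired with `vether0`, and the host address `192.168.0.50` is a constructed LAN client; the model prints the subnet in canonical form (`192.168.0.0/24`), while `pfctl -sr` may display it differently. Only the antispoof-generated rules are evaluated here, so the result shows what antispoof alone does to a frame, not the outcome of a full ruleset.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One expanded antispoof rule.

    iface=None models a rule with no 'on' clause (matches any interface);
    negate_iface=True models 'on ! iface' (any interface EXCEPT iface).
    """
    iface: Optional[str]
    negate_iface: bool
    src: ipaddress.IPv4Network
    text: str

    def matches(self, in_iface: str, src_ip: str) -> bool:
        if self.iface is not None:
            on_iface = in_iface == self.iface
            if self.negate_iface and on_iface:
                return False          # 'on ! iface' never matches iface itself
            if not self.negate_iface and not on_iface:
                return False
        return ipaddress.IPv4Address(src_ip) in self.src


def expand_antispoof(iface: str, addr_with_prefix: str) -> List[Rule]:
    """Expand 'antispoof for <iface>' for an interface carrying addr_with_prefix.

    Mirrors the two-rule expansion quoted from pfctl -sr in the post:
      1. block the interface's whole subnet as a source on every OTHER interface
      2. block the interface's own address as a source everywhere
    """
    host = ipaddress.IPv4Interface(addr_with_prefix)
    net = host.network                     # canonical subnet, host bits cleared
    self_addr = ipaddress.ip_network(f"{host.ip}/32")
    return [
        Rule(iface, True, net,
             f"block drop in on ! {iface} inet from {net} to any"),
        Rule(None, False, self_addr,
             f"block drop in inet from {host.ip} to any"),
    ]


def first_blocking_rule(rules: List[Rule], in_iface: str, src_ip: str) -> Optional[str]:
    """Return the text of the first antispoof rule that blocks the packet, or None."""
    for rule in rules:
        if rule.matches(in_iface, src_ip):
            return rule.text
    return None


if __name__ == "__main__":
    rules = expand_antispoof("vether0", "192.168.0.1/24")
    for r in rules:
        print(r.text)

    # Constructed scenario: vether0 and em0 (hypothetical) are members of one bridge.
    # A LAN host's frame enters the box on the physical member, not on vether0,
    # so rule 1 ('on ! vether0 ... from 192.168.0.0/24') drops legitimate traffic.
    bridge_members = ["vether0", "em0"]
    for member in bridge_members:
        verdict = first_blocking_rule(rules, member, "192.168.0.50")
        print(f"LAN host 192.168.0.50 arriving on {member}: "
              f"{'blocked by: ' + verdict if verdict else 'not blocked by antispoof'}")
```

Running the model with the post's addresses shows the same frame from a LAN client passing the antispoof rules when it arrives on `vether0` but being dropped when it arrives on the other bridge member, which is exactly the single-NIC-per-subnet assumption jggimi describes.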