OpenBSD 上桥接以太网接口及其他问题

我目前正在设置 OpenBSD 防火墙、路由器和 dns 服务器。我一直在遵循各种在线指南，其中大部分配置来自 OpenBSD 站点，而 pf 配置则改编自另一指南。

以下是主要链接：

桥接设置 —https://www.openbsd.org/faq/faq6.html

PF 设置 —https://www.openbsd.org/faq/pf/example1.html,https://openbsdrouterguide.net

尝试此操作时，我有两个主要问题不确定如何解决。第一个问题是 OpenBSD 指南中所解释的桥无法正常工作（接口没有 IP）。 WAN 端口确实成功从 ISP 获取 IP，我可以 ping 通 1.1.1.1 以及 openbsd.org 和 google.com 等网站。但是，当我尝试执行 fw_update 或 pkg_add 来维护系统时，我收到一条错误消息，指出没有到主机的路由。

我的 pf.conf 无法正确加载，因为它说存在语法错误并且无法为网桥分配 IP。我检查了 pf.conf，但找不到语法错误在哪里。

这是我的 pf.conf：

# MACROS
pubif = "em0"
bridge = "bridge0"
wifi = "em5"

# TABLES
table <martians> {0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.0.0/29 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 240.0.0.0/4 255.255.255.255/32}

# RULES
set skip on lo0

# Spoofs
block in from no-route
block in quick from urpf-failed

# Block Non-routes
block in quick on $pubif from <martians> to any
block return out quick on $pubif from any to <martians>

# Default Block
block return in on {$bridge $wifi}
block return in on ! lo0 proto tcp to port 6000:6010
block return out log proto {tcp udp} user _pbuild
block drop in log on $pubif

# Allow ICMP
match in on $pubif inet proto icmp icmp-type {echoreq} tag ICMP_IN
block drop in on $pubif proto icmp
pass in proto icmp tagged ICMP_IN max-pkt-rate 100/10

# Router to Internet
pass out inet from $pubif

# Interfaces to Internet
pass in on {$bridge $wifi}

# Block DNS not originating from server
block return in quick on $bridge proto {udp tcp} to ! $bridge port {53 853}
block return in quick on $wifi proto {udp tcp} to ! $wifi port {53 853}

# Allow LAN
pass out on {$bridge $wifi} inet keep state

# NAT Rules
pass out on $pubif inet from $bridge:network to any nat-to ($pubif)
pass out on $pubif inet from $wifi:network to any nat-to ($pubif)

这是我的unbound.conf：

server:
    interface: 127.0.0.1
    interface: 10.0.0.1
    interface: 10.0.1.1

    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 10.0.0.0/24 allow
    access-control: 10.0.1.0/24 allow

    hide-identity: yes

    hide-version: yes

    prefetch: yes

    private-address: 10.0.0.0/16

    auto-trust-anchor-file: "/var/unbound/db/root.key"
    root-hints: "/var/unbound/db/root.hints"

    cache-min-ttl: 3600
    serve-expired: yes

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

这是我的 dhcpd：

subnet 10.0.0.0 netmask 255.255.255.0 {
    option domain-name-servers 10.0.0.1;
    option routers 10.0.0.1;
    range 10.0.0.32 10.0.0.254;
}
subnet 10.0.1.0 netmask 255.255.255.0 {
    option domain-name-servers 10.0.1.1;
    option routers 10.0.1.1;
    range 10.0.1.32 10.0.1.254;
}

我的vether0inet 10.0.0.1 255.255.255.0 10.0.0.255

我的桥0

add vether0
add em1
add em2
add em3
add em4
up

桥接接口在其主机名中简单地标记为 up。if 和 em5 将连接到接入点，并用其自己的 IP 进行标记，以将其与网络的其余部分 (10.0.1.1) 分开。

rc.conf.local 有以下几行：

dhcpd_flags=vether0
unbound_flags=
unbound_timeout=240

此时，我不太确定我做错了什么。我觉得我已经遵循了所有指示。我最不确定的一个区域是 vether0 和bridge0。也许我做得不正确？如果有人看到我的错误，如果您能指导我修复它，我将不胜感激。

谢谢

编辑：

ifconfig -a：

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
    index 8 priority 0 llprio 3
    groups: lo
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
    inet 127.0.0.1 netmask 0xff000000
em0: flags=808843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF4> mtu 1500
    lladdr 00:e0:67:2b:a9:ec
    index 1 priority 0 llprio 3
    media: Ethernet autoselect (none)
    status: no carrier
em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:e0:67:2b:a9:ed
    index 2 priority 0 llprio 3
    media: Ethernet autoselect (none)
    status: no carrier
em2: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:e0:67:2b:a9:ee
    index 3 priority 0 llprio 3
    media: Ethernet autoselect (none)
    status: no carrier
em3: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:e0:67:2b:a9:ef
    index 4 priority 0 llprio 3
    media: Ethernet autoselect (none)
    status: no carrier
em4: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:e0:67:2b:a9:f0
    index 5 priority 0 llprio 3
    media: Ethernet autoselect (none)
    status: no carrier
em5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:e0:67:2b:a9:f1
    index 6 priority 0 llprio 3
    media: Ethernet autoselect (none)
    status: no carrier
    inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
enc0: flags=0<>
    index 7 priority 0 llprio 3
    groups: enc
    status: active
bridge0: flags=41<UP,RUNNING> mtu 1500
    index 9 llprio 3
    groups: bridge
    priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
    em4 flags=3<LEARNING,DISCOVER>
        port 5 ifpriority 0 ifcost 0
    em3 flags=3<LEARNING,DISCOVER>
        port 4 ifpriority 0 ifcost 0
    em2 flags=3<LEARNING,DISCOVER>
        port 3 ifpriority 0 ifcost 0
    em1 flags=3<LEARNING,DISCOVER>
        port 2 ifpriority 0 ifcost 0
    vether0 flags=3<LEARNING,DISCOVER>
        port 10 ifpriority 0 ifcost 0
vether0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    lladdr fe:e1:ba:d0:86:5a
    index 10 priority 0 llprio 3
    groups: vether
    media: Ethernet autoselect
    status: active
    inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
    index 11 priority 0 llprio 3
    groups: pflog

pfctl -nf /etc/pf.conf：

no IP address found for em0
/etc/pf.conf:33: could not parse host specification
no IP address found for bridge0
/etc/pf.conf:39: could not parse host specification
no IP address found for bridge0:network
/etc/pf.conf:49: could not parse host specification