Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    assigning bridge as LAN

    Scheduled Pinned Locked Moved
    Wireless
    4
    7
    1.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pastic
      last edited by pastic

      In my home network, I will plug a router in access point mode to OPT1 for wireless and I want it to become part of my current wired LAN. The manual says to bridge OPT1 to the LAN (and then I presume I must create a rule on OPT1 to allow traffic to LAN Net).
      However, a "Note box" in the manual also says that a better solution in this scenario is to "assign the bridge as LAN" rather than bridge OPT1 to LAN. But it does not elaborate on why it would be better.

      Would that effectively treat both the LAN port and OPT1 as the LAN interface? If yes, I get the impression that this would mitigate the need to create any additional rules compared to what I already have before enable OPT1 and creating the bridge. Would that be correct?

      from the manual:

      Bridging wireless to an OPT interface

      To keep wireless and wired networks on the same IP subnet and broadcast domain while also increasing control over wireless clients, add an OPT interface to the firewall for the access point and bridge the OPT interface to the LAN interface.

      Warning

      Though bridging offers increased control over traffic, it also results in lower performance as all wireless traffic must pass through and be processed by the firewall. Typically, wireless speeds are low enough that this is not a major concern, but as wireless speeds improve the severity of the problem also increases.

      This scenario is functionally equivalent to plugging the access point directly into the LAN switch, except pfSense software can filter traffic from the wireless network to provide protection to LAN hosts and vice versa.

      Note

      A configuration with the bridge assigned as LAN is optimal here, rather than only having the OPT bridged to the existing wired LAN.

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @pastic
        last edited by

        @pastic
        I assume, it means to select the bridge as the LAN network port in Interfaces > Assignments.
        WAN and LAN are steady names in pfSense, while other are internally named as OPT1, OPT2, ..., even if you set a custom name.

        P 1 Reply Last reply Reply Quote 0
        • P
          pastic @viragomann
          last edited by

          @viragomann Yes, I take it to mean that as well, but to what end? Why does the manual state that this would be optimal as opposed to bridging OPT1 to LAN, which would also incorporate the wireless into the LAN subnet?

          J 1 Reply Last reply Reply Quote 0
          • J
            Jarhead @pastic
            last edited by

            @pastic I don't think you're getting it. You still are bridging those two interfaces, what it's telling you is to then assign the bridge as it's own interface and use IT as the LAN interface.

            P 1 Reply Last reply Reply Quote 0
            • P
              pastic @Jarhead
              last edited by

              @jarhead With all friendly respect, and please excuse me if I do not get any finer points in the answers, but that part I think that I do actually get, although I admit I am certainly not to be considered well-versed in the land of pfsense. :-)

              Let me put it like this: I am now using my wifi access point on OPT1 to access the world as well as my LAN resources from my smartphone, but I have not assigned the bridge interface as LAN. I have just created a rule on OPT1 to allow "any to LAN Net".

              So it works without assigning the bridge interface as LAN. Yet the manual says it would be optimal to do so.

              Why "optimal"?

              V 1 Reply Last reply Reply Quote 0
              • V
                viragomann @pastic
                last edited by

                @pastic
                You LAN might be already configured with a static IP and a DHCP server. Both have to be unique on the bridge and its interfaces.

                When enabling a DHCP server on LAN (what you might have done, I think), pfSense adds an implicit firewall rule to allow DHCP requests to it.
                If you bridge to wifi to LAN otherwise, you might need to add it manually.
                Maybe you also have other settings on LAN, which would applied to the bridge if you do it the suggested way.

                When using bridges also consider these values in System > Advanced > System Tunables:
                net.link.bridge.pfil_member
                net.link.bridge.pfil_bridge

                1 Reply Last reply Reply Quote 0
                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  If you assign the bridge itself ab LAN pfSense always considers it as UP which means services running on it are always active and that includes DHCP. In your current setup if you disconnect the LAN cable all wifi devices will stop receiving an IP address.
                  When you assign the bridge interface you get a firewall rules tab for it which means you can filter traffic from LAN and wifi with a single ruleset if you wish. You have to use those sysctls to move where filtering is applied though.

                  Steve

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post