Bridged Ports Are not Acting like a Switch
-
On a Netgate 6100, I've bridged the two physical ports that would normally be LAN3 and LAN4.
Basically, I'm wanting those two ports to act like a 2 port switch, but its not acting that way.
I can access all devices downstream from both of these bridged ports, and all devices downstream from both ports have static IP addresses that are on the same subnet.
The issue is that no devices on one of the bridged-ports can talk to any of the devices on the other bridged-port. I can access everything from another LAN, and public services can be accessed via port-forwards going to devices downstream from both ports.
However, (from any device downstream of one of these bridged-ports) I cannot even ping devices on the same subnet if they're down stream from the opposite port of the bridge.
Apparently there is more to bridging than I know. I thought that after I bridged the two ports together, that they'd basically act like one logical port, and that all device could be plugged into either of those ports and communicate with each other on this single subnet.
I've written firewall rules on the bridge interface that are very permissive, telling the interface that any device on the subnet can talk to any other device on that same subnet (yet typically you wouldn't expect to have to permit traffic on the same subnet). These rules have no effect, even though all devices, plugged into the two ports, are on the same subnet, if a device is downstream from one port, it cannot talk to a device that's down stream from the other port in the bridge.
I have no rules set for LAN3 or LAN4, I'm surprised that the firewall even shows me those sub-firewalls after bridging LAN3 and LAN4 together. To even see them there as an interface, after bridging them, is a point of confusion for me.
So, what steps I'm I likely missing that will ultimately reach my goal of making these two bridged ports act like a switch for all devices on the subnet?
-
@lonnie
It's been a while since I've messed with bridging in pfSense, but IIRC, the default is to apply the rules on the member ports and not the bridge interface. Check the tunables for the net.link.bridge entries. Alternatively, create rules on the member interfaces to allow the traffic. Or, make things easy and buy a five port switch. You can get one for like $25. -
@lonnie I have not needed a bridge, but did you find the Hangout video where Netgate discusses it? Slides 16+.
https://www.netgate.com/resources/videos-wireless-access-points-with-pfsense -
L Lonnie referenced this topic on
-
@dotdash I had a unused switch (like you're recommending) an arm's length away when I bridged these two ports together, but it seemed wasteful to me to power a switch when all I needed was one additional port for this subnet. I figured it would be more efficient to utilize an available port on the 6100 instead. It works great except for the fact that all devices on the same subnet cannot communicate with devices on the opposite port of the bridge.
I'll try setting rules on the "member interfaces", as you suggest, and will report back if that worked.
-
@steveits I searched through that hour+ video on access points you provided. I did see some mention of bridging, but nothing that revealed what I'm doing wrong.
-
@dotdash Adding permissive rules to the "member interfaces" of these bridged ports had no effect. Those member interfaces do not even have an ip address associated with them. Only the bridge interface has an ip address. I'm not even sure how I was allowed to add firewall rules to those member interfaces, because they have an IPv4 Configuration Type of "None".
So for now this remains unsolved. I'd have better luck getting these devices to communicate with each port being on a separate subset (than the luck I'm having getting these bridged ports to allow communication between each other).
-
-
I'm currently reading the documentation here:
https://docs.netgate.com/pfsense/en/latest/bridges/index.htmlThe ARP Table doesn't even show a device I have plugged into a bridge port. I can access that device from other LANs, but devices on the other bridge port (on the same subnet) cannot.
-
Well, I give up on bridging ports with pfSense.
Making multiple logical interfaces act like ports on a switch, apparently cannot be transparently achieved as easily as I assumed.
My conclusion matches how I've been advised. I'll either install a real switch, or split my devices into one subnet per port.
-
@lonnie
I did something similar years ago with a site consisting only of the firewall and two access points. I think I assigned the bridge as the LAN interface and changed the tuneable to filter on the bridge, not the member interfaces. There are limitations, but a fairly simple configuration should work. -
L Lonnie referenced this topic on
-
I discovered that the type of bridging I was attempting is called internal bridging, the documentation even says it is more efficient to actually use a real switch for that:
https://docs.netgate.com/pfsense/en/latest/bridges/index.html#internal-bridges
I didn't realize the overhead involved.
-
@lonnie Yeah, that's one of the reasons we don't typically recommend bridges.
