Bridged Ports Are not Acting like a Switch
-
@lonnie
It's been a while since I've messed with bridging in pfSense, but IIRC, the default is to apply the rules on the member ports and not the bridge interface. Check the tunables for the net.link.bridge entries. Alternatively, create rules on the member interfaces to allow the traffic. Or, make things easy and buy a five port switch. You can get one for like $25. -
@lonnie I have not needed a bridge, but did you find the Hangout video where Netgate discusses it? Slides 16+.
https://www.netgate.com/resources/videos-wireless-access-points-with-pfsense -
L Lonnie referenced this topic on
-
@dotdash I had a unused switch (like you're recommending) an arm's length away when I bridged these two ports together, but it seemed wasteful to me to power a switch when all I needed was one additional port for this subnet. I figured it would be more efficient to utilize an available port on the 6100 instead. It works great except for the fact that all devices on the same subnet cannot communicate with devices on the opposite port of the bridge.
I'll try setting rules on the "member interfaces", as you suggest, and will report back if that worked.
-
@steveits I searched through that hour+ video on access points you provided. I did see some mention of bridging, but nothing that revealed what I'm doing wrong.
-
@dotdash Adding permissive rules to the "member interfaces" of these bridged ports had no effect. Those member interfaces do not even have an ip address associated with them. Only the bridge interface has an ip address. I'm not even sure how I was allowed to add firewall rules to those member interfaces, because they have an IPv4 Configuration Type of "None".
So for now this remains unsolved. I'd have better luck getting these devices to communicate with each port being on a separate subset (than the luck I'm having getting these bridged ports to allow communication between each other).
-
-
I'm currently reading the documentation here:
https://docs.netgate.com/pfsense/en/latest/bridges/index.htmlThe ARP Table doesn't even show a device I have plugged into a bridge port. I can access that device from other LANs, but devices on the other bridge port (on the same subnet) cannot.
-
Well, I give up on bridging ports with pfSense.
Making multiple logical interfaces act like ports on a switch, apparently cannot be transparently achieved as easily as I assumed.
My conclusion matches how I've been advised. I'll either install a real switch, or split my devices into one subnet per port.
-
@lonnie
I did something similar years ago with a site consisting only of the firewall and two access points. I think I assigned the bridge as the LAN interface and changed the tuneable to filter on the bridge, not the member interfaces. There are limitations, but a fairly simple configuration should work. -
L Lonnie referenced this topic on
-
I discovered that the type of bridging I was attempting is called internal bridging, the documentation even says it is more efficient to actually use a real switch for that:
https://docs.netgate.com/pfsense/en/latest/bridges/index.html#internal-bridges
I didn't realize the overhead involved.
-
@lonnie Yeah, that's one of the reasons we don't typically recommend bridges.
