Help with VLANS in BRIDGE

broonu

@derelict said in Help with VLANS in BRIDGE:

If you are not getting ARP on all bridge members then either the bridge is configured wrong or the switch is configured wrong.

https://www.netgate.com/docs/pfsense/book/bridging/index.html

You can consider the VLAN interfaces as separate, internal interfaces for bridging purposes.

Not quite sure how you're isolating inter-vlan traffic with firewall rules when you don't know what address range is going to be on what interface but I might not have the full picture of what you are doing there in your DHCP.

thank you for your help.
well, the vlans is out of our control, this is why i have to handle this way. i have a small range to put in DHCP server (100.64.63.0/23). This traffic is routed to another interface (CGNAT) to a box that do the NAT to internet. I could breake this range to put a /25 per vlan, but it will be a static thing, and if that specific vlan grows above 128 clients it will need to be changed. with the same /23 to all vlans i dont need to worry about running out IP's. so this is the scenario: the router receive like 20-30 vlans, those vlans are bridged, using same dhcp server and same captive portal in bridge. mikrotik has a filter that deny traffic forward inside the bridge itself, it just permits the traffic cross. client on vlan 10 get ip and need to auth the same way client in vlan 20, but the traffic between him is denied.

i messing around to find if this is a pfsense or vmware thing...

broonu

@derelict said in Help with VLANS in BRIDGE:

If you are not getting ARP on all bridge members then either the bridge is configured wrong or the switch is configured wrong.

https://www.netgate.com/docs/pfsense/book/bridging/index.html

You can consider the VLAN interfaces as separate, internal interfaces for bridging purposes.

Not quite sure how you're isolating inter-vlan traffic with firewall rules when you don't know what address range is going to be on what interface but I might not have the full picture of what you are doing there in your DHCP.

Captive portal

Captive portal (Captive Portal) is not compatible with transparent bridging because it requires an IP on the interface being bridged, used to serve the portal contents, and that IP must be the gateway for clients. This means that it is not possible, for example, to bridge LAN and WAN and hope to capture clients with the portal.

This can work when bridging multiple local interfaces to all route through pfSense (e.g. LAN1, LAN2, LAN3, etc). It will work if the bridge interface is assigned, the bridge interface has an IP address, and that IP address is used as the gateway by clients on the bridge. See Swapping Interface Assignments for a procedure to place the IP address on an assigned bridge interface.

This is exactly what im doing, but my interfaces are VLAN interfaces.

Derelict

Look at the Private Ports settings in the pfSense bridging advanced settings and see if that doesn't help you isolate them from each other.

See also the sysctl settings for the bridge pfil. In your case, with the Private Ports working, I would switch the defaults so:

net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=1

That way you only have to worry about rules on the bridge itself, not the member interfaces.

System > Advanced, System Tunables

Derelict

@broonu said in Help with VLANS in BRIDGE:

This is exactly what im doing, but my interfaces are VLAN interfaces.

So if you pcap on the bridge, what shows up for the member interfaces that aren't working?

What about a pcap on the member interface itself?

Bridging VLAN interfaces works fine. I'd look elsewhere for the problem, like the member interfaces not being configured properly to ESXi in the first place.

broonu

@derelict said in Help with VLANS in BRIDGE:

Look at the Private Ports settings in the pfSense bridging advanced settings and see if that doesn't help you isolate them from each other.

See also the sysctl settings for the bridge pfil. In your case, with the Private Ports working, I would switch the defaults so:

net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=1

That way you only have to worry about rules on the bridge itself, not the member interfaces.

System > Advanced, System Tunables

sure, this is how im doing, and its working for isolate the traffic inter-vlan.

broonu

@derelict said in Help with VLANS in BRIDGE:

@broonu said in Help with VLANS in BRIDGE:

This is exactly what im doing, but my interfaces are VLAN interfaces.

So if you pcap on the bridge, what shows up for the member interfaces that aren't working?

What about a pcap on the member interface itself?

Bridging VLAN interfaces works fine. I'd look elsewhere for the problem, like the member interfaces not being configured properly to ESXi in the first place.

With tcpdump i see the ARP Request but pfsense dont send the ARP Reply.
Im going to clear everything and reconfigure from scratch.

broonu

@delerict thank you for your time and help!
it was a vmware misconfiguration, e1000 nic instead of vmxnet3.
now i'm facing another problem: there is a interfaces limit to be added in a bridge?

Derelict

Not really that I know of (I use switch ports for things like this, and bridge(4) is silent about any member interface limit) but there is a practical limit where the web ui starts to have problems. It's usually in the hundreds of interfaces though.

broonu

@derelict thank you. the webgui here is starting to be slow with 32 vlans.

mauro.tridici

@broonu Hello, sorry if I'm replying to this old topic, but I'm experiencing the same problem trying to bridge the WAN interface with a VLAN created on a LAN interface.

The behavior is almost the same: no reply to ARP requests from pfsense + I cant ping the pfsense upstream gateway.

Before giving up, I noticed that the WAN and LAN interfaces are E1000 (not VMXNET3).
I would like to change the nic type as last attempt.
Anyway, before doing that, I would like to know if there is a particolar relation between bridge and vmxnet3.

Could you please help me?
Thanks
Mauro