Bridge LAN ports to act like a switch

balubeto · Nov 7, 2012, 8:26 AM

See my screenshot a few posts back for how it should be setup. My interface is named LAN5, yours will be named LAN.

You need to insert the fake MAC onto LAN after you have assigned it as bridge0. The problem is that Windows looks at the MAC address of the DHCP server. The DHCP server is running on LAN (bridge0) so the MAC changes at every boot and Windows warns you that you have connected to a new, unknown, DHCP server.

Steve

It is possible to disable this DHCP server on LAN (Bridge0). If so, how do I do this?

Thanks

Bye

stephenw10 · Nov 7, 2012, 11:37 AM

You can disable the dhcp server. It won't help though. Unless you have spoofed the MAC on LAN Windows will still see it as a new network.

Are you using all static IPs.

Steve

extide · Nov 7, 2012, 6:57 PM

@balubeto:

@stephenw10:

See my screenshot a few posts back for how it should be setup. My interface is named LAN5, yours will be named LAN.

You need to insert the fake MAC onto LAN after you have assigned it as bridge0. The problem is that Windows looks at the MAC address of the DHCP server. The DHCP server is running on LAN (bridge0) so the MAC changes at every boot and Windows warns you that you have connected to a new, unknown, DHCP server.

Steve

It is possible to disable this DHCP server on LAN (Bridge0). If so, how do I do this?

Thanks

Bye

You probably don't want to do this. When you make the bridge you are essentially replacing Lan0 and Lan1, and Lan2, etc with Bridge0. Nothing will be running directly on Lan0, 1, etc anymore, everything that WAS running on lan0, 1, etc will now be running on bridge0.

So, if you previously had DHCP before and would like to keep it you will need to have it enabled. This is not 'another' DHCP server, this is the DHCP server.

Now, if you were not using DHCP in the first place at all, then yes you would want to disable it.

balubeto · Nov 8, 2012, 4:03 PM

I have found the main problem:

Starting from the default parameters of pfSense and performing the initial setup to make sure that the LAN and WAN interfaces are working with the type of static address, I tried to insert the MAC address of my computer or a MAC fictitious in the MAC address field of the LAN interface of pfSense. Applying these changes and restarting the firewall from the console, Windows 7 SP1 64-bit identifies the connection as a public network not identified. How come?

Thanks

Bye

stephenw10 · Nov 8, 2012, 5:13 PM

Because the MAC has changed. However if you then reboot the box again you should find that Windows connects without a warning as the MAC will remain whatever you set it to be.
Windows maintains a list of known networks with the MAC addresses of whatever it talks to on those networks. If it starts talking to a new MAC that isn't in the list it warns you.

Steve

balubeto · Nov 8, 2012, 5:38 PM

@stephenw10:

Because the MAC has changed. However if you then reboot the box again you should find that Windows connects without a warning as the MAC will remain whatever you set it to be.
Windows maintains a list of known networks with the MAC addresses of whatever it talks to on those networks. If it starts talking to a new MAC that isn't in the list it warns you.

Steve

the problem is that, even if I restart the firewall from the console with the new MAC, Windows identifies the new connection directly as a public network not identified without the possibility to change its type.

So, how do I change its type?

Thanks

Bye

matguy · Nov 8, 2012, 5:51 PM

@balubeto:

@stephenw10:

Because the MAC has changed. However if you then reboot the box again you should find that Windows connects without a warning as the MAC will remain whatever you set it to be.
Windows maintains a list of known networks with the MAC addresses of whatever it talks to on those networks. If it starts talking to a new MAC that isn't in the list it warns you.

Steve

the problem is that, even if I restart the firewall from the console with the new MAC, Windows identifies the new connection directly as a public network not identified without the possibility to change its type.

So, how do I change its type?

Thanks

Bye

But, after it's set, do the Windows boxes keep notifying you again, later. From what I understand, it should do it once after you set the MAC, but once Windows identifies it, as long as you don't change the Bridge MAC again, it shouldn't keep bothering you.

balubeto · Nov 8, 2012, 6:32 PM

@matguy:

@balubeto:

@stephenw10:

Because the MAC has changed. However if you then reboot the box again you should find that Windows connects without a warning as the MAC will remain whatever you set it to be.
Windows maintains a list of known networks with the MAC addresses of whatever it talks to on those networks. If it starts talking to a new MAC that isn't in the list it warns you.

Steve

the problem is that, even if I restart the firewall from the console with the new MAC, Windows identifies the new connection directly as a public network not identified without the possibility to change its type.

So, how do I change its type?

Thanks

Bye

But, after it's set, do the Windows boxes keep notifying you again, later. From what I understand, it should do it once after you set the MAC, but once Windows identifies it, as long as you don't change the Bridge MAC again, it shouldn't keep bothering you.

Dropping for a moment the creation of the switch, how do I set a MAC address to the LAN interface preventing Windows 7 from identifying this connection as unidentified public network?

Thanks

Bye

stephenw10 · Nov 8, 2012, 9:23 PM

If you are not using a bridge at all then you should not have to do anything with the MAC address of the LAN NIC. It will always use the real MAC read fro the card itself. Windows should only ask you once 'what type of network are you connecting to?'.

Are you still using all statically assigned IPs?

If it's seeing new networks each time you have a different problem.

What hardware are you running?

Steve

balubeto · Nov 9, 2012, 8:05 AM

@stephenw10:

If you are not using a bridge at all then you should not have to do anything with the MAC address of the LAN NIC. It will always use the real MAC read fro the card itself. Windows should only ask you once 'what type of network are you connecting to?'.

Are you still using all statically assigned IPs?

If it's seeing new networks each time you have a different problem.

What hardware are you running?

Steve

I had done the test without bridge only to understand something.

I always use the static IP.

My firewall is http://www.firewallhardware.it/en/appliance_utm2.html . By chance, is there some parameters of the BIOS that could cause my problem?

Thanks

Bye

stephenw10 · Nov 9, 2012, 11:26 AM

Hmm, well there are quite a few people using that Jetway motherboard and your appliance has the nicer Intel daughter board which is said to be very good. No one has reported similar problems.

At this point you might consider the cause is something different. How many different Windows 7 machines have you tested this with?

Otherwise please post some screenshots of your not working bridge config. You could post your config.xml after you have removed any information you don't want public, passwords IPs etc. We can get a much clearer idea from that.

Steve

balubeto · Nov 9, 2012, 4:16 PM

@stephenw10:

Hmm, well there are quite a few people using that Jetway motherboard and your appliance has the nicer Intel daughter board which is said to be very good. No one has reported similar problems.

At this point you might consider the cause is something different. How many different Windows 7 machines have you tested this with?

Otherwise please post some screenshots of your not working bridge config. You could post your config.xml after you have removed any information you don't want public, passwords IPs etc. We can get a much clearer idea from that.

Steve

For the moment, I'm trying on 10 Windows 7 machine.

I can not understand what snapshots you want? Where is the config.xml file? How do I view it?

Thanks

Bye

johnpoz · Nov 9, 2012, 4:29 PM

"Unfortunately, Windows 7 does not allow to change the network type"

What? You can change the network type whenever you want.

http://www.sevenforums.com/tutorials/43629-network-location-set-home-work-public-network.html
http://www.sevenforums.com/tutorials/71408-unidentified-networks-set-private-public.html

Now are these win 7 boxes part of a domain?

balubeto · Nov 9, 2012, 5:08 PM

@johnpoz:

"Unfortunately, Windows 7 does not allow to change the network type"

What? You can change the network type whenever you want.

http://www.sevenforums.com/tutorials/43629-network-location-set-home-work-public-network.html
http://www.sevenforums.com/tutorials/71408-unidentified-networks-set-private-public.html

Now are these win 7 boxes part of a domain?

No, the computers are in a workgroup.

Thanks

Bye

johnpoz · Nov 9, 2012, 5:22 PM

Well then there is no reason why you could not change the type of network your connected too. And it for sure would have NOTHING to do with pfsense if you couldn't

stephenw10 · Nov 10, 2012, 10:06 AM

@balubeto:

Where is the config.xml file? How do I view it?

The config.xml file can be obtained using the backup function under Diagnostics: Backup/Restore:
It contains everything about your pfSense install. Including some stuff you probably don't want to post publically so you should remove that it you do post it here.

I am confused though. :-
Please tell me what state your box is in. Did you get the bridge setup correctly in switch mode? What is working? What is not working?

Steve

balubeto · Nov 11, 2012, 7:32 PM

@stephenw10:

@balubeto:

Where is the config.xml file? How do I view it?

The config.xml file can be obtained using the backup function under Diagnostics: Backup/Restore:
It contains everything about your pfSense install. Including some stuff you probably don't want to post publically so you should remove that it you do post it here.

I am confused though. :-
Please tell me what state your box is in. Did you get the bridge setup correctly in switch mode? What is working? What is not working?

Steve

I have noticed that, until step 4 of your procedure, my computers can access the firewall and get onto the Internet. While if I perform step 5, I can not do anything more.

So, I have attached the config.xml configuration file of my firewall so that you can understand where is the problem.

Also, I noticed that, with this configuration, I can not open the 31950 port even if the firewall log shows that it is open. How come?

Thanks

Bye

config.xml.txt

stephenw10 · Nov 11, 2012, 8:52 PM

Ah OK. Thanks for that.
Two things I notice straight away:

Your WAN has a /8 subnet which is far too large. It should probably be /24.

Your WAN address is in a private IP range so you must have 'Block private networks' unchecked in Interfaces: WAN:
I'm not sure if you have done that already from the config file.
Edit: Now I see you have have unchecked that so ignore that remark.
Is your WAN connected to another router? If so you will need to have port 31950 forwarded on that also.

I see you have not yet added em1 to the bridge, is that because this file is taken after step 4 in my instructions?
Adding the interface to the bridge as in step 5 should have no effect of the other interfaces. Perhaps you are adding it incorrectly? Is there anything connected to em1?

I see you have not spoofed the MAC address yet in this file.

Steve

extide · Nov 12, 2012, 3:41 AM

I believe that you need to be using DHCP, otherwise windows will not allow you to change from public network type. However if you set the bridge MAC to the same as the real mac on the NIC then Windows clients should not even know you changed anything.

stephenw10 · Nov 12, 2012, 3:59 AM

Really? That would be odd. What public network uses static IPs? If are using static addresses it's almost certain to be a private network. :-\

If you set the bridge MAC to one that already exists you will have two devices on the network with the same MAC. Thus will lead to problems.

Steve