Noob pulling out hair trying to bridge fxp1 and ral0

stephenw10

@GruensFroeschli:

You should at no point loose connectivity with the webgui.

Ha! I don't think I've ever done this first time without loosing connectivity, especially on the two NIC bridge where you don't have spares to assign to the bridge first. Could just be me.

I think you have forgotten to say you need to change two sysctl values in System: Advanced: System Tunables:

net.link.bridge.pfil_member 	Set to 0 to disable filtering on the incoming and outgoing member interfaces.	
net.link.bridge.pfil_bridge 	Set to 1 to enable filtering on the bridge interface.

If you don't do this (before you create the bridge) then when you switch LAN to the bridge interface it's firewall rules will not be applied and you will be locked out.

Steve

GruensFroeschli

@stephenw10:

@GruensFroeschli:

You should at no point loose connectivity with the webgui.

Ha! I don't think I've ever done this first time without loosing connectivity, especially on the two NIC bridge where you don't have spares to assign to the bridge first. Could just be me.

Haha :D
Yeah you're right. I can't count the times i shut myself out before i realized in what order i have to do stuff to not loose access ^^"
But if you add the bridge first as an additional interface without removing the real interfaces, you keep access.

I think you have forgotten to say you need to change two sysctl values in System: Advanced: System Tunables:

net.link.bridge.pfil_member 	Set to 0 to disable filtering on the incoming and outgoing member interfaces.	
net.link.bridge.pfil_bridge 	Set to 1 to enable filtering on the bridge interface.

If you don't do this (before you create the bridge) then when you switch LAN to the bridge interface it's firewall rules will not be applied and you will be locked out.

Steve

I like to keep the filtering on each interface.
Well… in homesetups it comes down to three "allow-all" rules

mrwho

@GruensFroeschli:

You dont assign the bridge to an interface.
You add interfaces to a bridge.

Sorry for being so dense, but if I don't assign the bridge to an interface, how do I give it an IP?

Thanks.

GruensFroeschli

After creating the new bridge:
go to interfaces –> assign.
click the little + at the bottom.
Now assign the new bridge itself as interface.

mrwho

@GruensFroeschli:

You dont assign the bridge to an interface.
You add interfaces to a bridge.

@GruensFroeschli:

After creating the new bridge:
go to interfaces –> assign.
click the little + at the bottom.
Now assign the new bridge itself as interface.

Oh, so it's a semantic's thing. Sorry for my confusion.

So, my doubt is still this: can I assign it to an OPT interface, or must it be a specific interface (LAN or other)?

Thanks again.

stephenw10

Once you create the bridge you can assign it the same as any other NIC. So if you go to Interface: Assign: and add a new interface it will appear as OPT* (probably OPT2 in your case).
But here's the thing, you want to end up with bridge0 assigned to LAN since the LAN interface is treated differently by pfSense (it has default rules etc). However in order to do that you have to unassign the current LAN NIC and that's when you'll probably end up locked out!  ;)
Also just be aware of the sysctl values that affect how the firewall filtering is done on the bridge interface. Also easy to lock your self out with rules in the wrong place or no rules.

It's a minefield! Once you get your head around it it's good from a conceptual point of view though.

Steve

mrwho

It woldn't be so bad if it could be done on the local terminal, as I have a monitor/keyboard hooked in. But once I get locked out all I can do is reassign the interfaces, the IP or, if it's really crooked up, reset to factory defaults and start from scratch - which I did four times until now.

GruensFroeschli

To work around this:
Create some temporary firewall rule on the WAN interface to allow you to the webgui.
Connect a computer to the same subnet than your WAN and do the configuration via the WAN interface.
You shouldn't be able to lock yourself out this way ;)

Another way: if you are configuring this from a linux machine.
Add a VLAN interface on the pfSense, and add a VLAN interface on your linux machine

syntax something along the line of:

ip link add link eth0 name eth0.100 type vlan id 100

Essentially create another logical independent interface on top of the physical interface.

stephenw10

If you lock yourself out with a firewall rule mistake you can temporarily disable the firewall completely from the console with:

pfctl -d

Then re-enable it once you put the rules right with:

pfctl -e

Other options are listed here:
http://doc.pfsense.org/index.php/I_locked_myself_out_of_the_WebGUI,_help!

Steve

mrwho

I created the bridge and am now accessing the webgui through the wan interface. I'm trying to ping the Bridge IP (assigned to the LAN interface) but I'm not able to ping it. If I disconnect the Wan cable, I can't access the webgui through the WLAN connection. What am I missing?

mrwho

I was here thinking, can I forget the entire bridging thing and do the following:

LAN:
IP - 10.0.0.254
DHCP Pool - 10.10.0.1 to 10.10.0.254

WLAN:
IP - 10.0.0.253
DHCP Pool - 10.0.10.1 to 10.0.10.254

And then make them be able to see eachother? I'm assuming that, if possible, it couldn't be done by using bridging. But My knowledge doesn't go that far. Also, if possible, what could be the drawbacks compared to bridging?

wallabybob

@mrwho:

I created the bridge and am now accessing the webgui through the wan interface. I'm trying to ping the Bridge IP (assigned to the LAN interface) but I'm not able to ping it.

Ping from where? Presumably you created a firewall rule on the WAN interface to allow access to the webgui. Does that rule also allow pings?

Please post the ping command you are using and the response. That is much more informative than "can't ping".

@mrwho:

If I disconnect the Wan cable, I can't access the webgui through the WLAN connection. What am I missing?

It difficult for me to say what you are missing since I don't know EXACTLY what you have done. (It is crucial to get the details correct.) Please post the output of pfsense shell commands:```
ifconfig; /etc/rc.banner; sysctl -a | grep bridge

wallabybob

@mrwho:

I was here thinking, can I forget the entire bridging thing and do the following:

LAN:
IP - 10.0.0.254
DHCP Pool - 10.10.0.1 to 10.10.0.254

WLAN:
IP - 10.0.0.253
DHCP Pool - 10.0.10.1 to 10.0.10.254

No, the DHCP pool needs to be in the same subnet as the interface IP address. AND you can't have distinct interfaces in the same subnet.

@mrwho:

Also, if possible, what could be the drawbacks compared to bridging?

If you have two interfaces bridged then broadcast traffic gets forwarded between the interfaces and that helps Windows systems "see" each other. If the interfaces are not bridged then broadcast traffic doesn't get forwarded between the interfaces and systems can generally still see each other with the right incantation but not as "transparently".