Netgate Discussion Forum

    Issues with bridging Lan and WLan

Problems Installing or Upgrading pfSense Software
8 Posts, 3 Posters, 2.6k Views
nfz300zx

Hi all, first, sorry if this is the wrong forum, but it seems to be the most fitting for my issue.

I have a small Supermicro Atom-based server and have the following issue.

When the LAN and the WLAN are bridged with an interface assigned to the bridge (this has my LAN gateway IP), both the LAN and WLAN have Internet connectivity etc. However, from the WLAN I cannot connect to my NAS on the LAN via SSH/HTTP/SMB.

Rules on each interface allow everything. The odd thing is a second WLAN on its own subnet works fine and can see everything on the LAN subnet.

Network looks a bit like this:

WAN ------<pfsense>----LAN  - NAS - 192.168.1.150
              |                  |
              |                  |
              |                  |
              |              <bridge>- 192.168.1.1/24 (gateway IP)
              |                  |
              |                  |
              |                  |
              |            <wlan0>- laptop
              |
              |
          <wlan1>- 10.0.0.0/24

The LAN and WLAN0 both get IPs via DHCP and have Internet, but I cannot connect to the NAS from the laptop.

wallabybob

More "normal" practice would be to have the pfSense LAN interface as the bridge and add sysctls to perform packet filtering on the bridge interface but not its members (net.link.bridge.pfil_member set to 0 to disable filtering on the incoming and outgoing member interfaces, and net.link.bridge.pfil_bridge set to 1 to enable filtering on the bridge interface).

Are your access attempts to the NAS reported Blocked in the firewall log (Status -> System Logs, click on the Firewall tab)?

nfz300zx

@wallabybob:

More "normal" practice would be to have the pfSense LAN interface as the bridge and add sysctls to perform packet filtering on the bridge interface but not its members (net.link.bridge.pfil_member set to 0 to disable filtering on the incoming and outgoing member interfaces, and net.link.bridge.pfil_bridge set to 1 to enable filtering on the bridge interface).

Are your access attempts to the NAS reported Blocked in the firewall log (Status -> System Logs, click on the Firewall tab)?

Yes they are; initially they were not, though. I tried the settings you recommended and that solved the issue, but I'm not sure how you would "pfSense LAN interface as the bridge". Do you mean I need to set the LAN interface to bridge0 and then set the re1 and ath0_wlan0 interfaces to the bridge? At the moment I have LAN and re1 set up under bridge, then have LAN set to re1, Wireless set to ath0_wlan0 and then a new interface (opt3) set to bridge. I take it that's incorrect?

Also, I think I may have found another issue. If I do not change the sysctl values, I need to specify the destination IP in the rules from the wireless to the LAN. If I just use an allow-anything from/to rule it does not work; I have to specifically point the destination part of the rule to the NAS IP. It seems odd that this is the only way to make it work; I would have thought an allow-anything rule would do the same thing.

wallabybob

@nfz300zx:

I'm not sure how you would "pfSense LAN interface as the bridge". Do you mean I need to set the LAN interface to bridge0 and then set the re1 and ath0_wlan0 interfaces to the bridge? At the moment I have LAN and re1 set up under bridge, then have LAN set to re1, Wireless set to ath0_wlan0 and then a new interface (opt3) set to bridge. I take it that's incorrect?

Not incorrect! That configuration can lead to some misleading reports that might distract you for a while when troubleshooting. Suppose you have the DHCP server enabled on LAN. LAN is re1. But re1 is bridged with ath0_wlan0, so DHCP requests received on ath0_wlan0 will be reported as arriving on re1. I would prefer such requests to be reported as arriving on bridge0.

@nfz300zx:

Also, I think I may have found another issue. If I do not change the sysctl values, I need to specify the destination IP in the rules from the wireless to the LAN. If I just use an allow-anything from/to rule it does not work; I have to specifically point the destination part of the rule to the NAS IP. It seems odd that this is the only way to make it work; I would have thought an allow-anything rule would do the same thing.

Did you reset firewall states after tweaking the rules? See Diagnostics -> States, click on the Reset States tab.

nfz300zx

@wallabybob:

@nfz300zx:

I'm not sure how you would "pfSense LAN interface as the bridge". Do you mean I need to set the LAN interface to bridge0 and then set the re1 and ath0_wlan0 interfaces to the bridge? At the moment I have LAN and re1 set up under bridge, then have LAN set to re1, Wireless set to ath0_wlan0 and then a new interface (opt3) set to bridge. I take it that's incorrect?

Not incorrect! That configuration can lead to some misleading reports that might distract you for a while when troubleshooting. Suppose you have the DHCP server enabled on LAN. LAN is re1. But re1 is bridged with ath0_wlan0, so DHCP requests received on ath0_wlan0 will be reported as arriving on re1. I would prefer such requests to be reported as arriving on bridge0.

Ah, so the following is correct?

[three configuration screenshots, not preserved]

@wallabybob:

@nfz300zx:

Also, I think I may have found another issue. If I do not change the sysctl values, I need to specify the destination IP in the rules from the wireless to the LAN. If I just use an allow-anything from/to rule it does not work; I have to specifically point the destination part of the rule to the NAS IP. It seems odd that this is the only way to make it work; I would have thought an allow-anything rule would do the same thing.

Did you reset firewall states after tweaking the rules? See Diagnostics -> States, click on the Reset States tab.

No, I had not done this.

Also, another question: I want to set up another unit but want to bridge the WAN and a DMZ port (the unit has 3 ports). Do I do the same as above but set WAN to the bridge instead?

stephenw10 (Netgate Administrator)

That looks correct, or at least that's how I do it!

If you do the same with WAN you may want to leave filtering on the bridge members, as otherwise you'll not be able to apply any firewall rules between WAN and DMZ. Or you may want filtering in both places.

Steve

wallabybob

@nfz300zx:

Ah, so the following is correct?

That is how I would configure it. I'm not sure correct/incorrect are helpful categories here, because they imply there is only one way. Often there is more than one way of doing something, but some ways might be "better" in some sense than other ways. For example, it might be "better" to use aliases in firewall rules, but not if the aliases mislead other administrators.

@nfz300zx:

Also, another question: I want to set up another unit but want to bridge the WAN and a DMZ port (the unit has 3 ports). Do I do the same as above but set WAN to the bridge instead?

Again, there probably isn't a "correct" answer. My first response is that I would probably set WAN to the physical port rather than the bridge because, as Steve said, you might want to have different firewall rules on each bridge member (for example, allow everything from DMZ but block at least some things from WAN).

nfz300zx
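The two sysctls wallabybob names earlier in the thread, and the WAN/DMZ caveat Steve and wallabybob raise above, come down to one question: where in a bridge does pf see the packet? The following is an added shell example, not code from the thread or from pfSense. It parses text in the "name: value" form that `sysctl net.link.bridge` prints on FreeBSD (the sample output is constructed, not captured from a real box), classifies the filtering placement, and checks whether that placement can still express different rules per member. The function names, the "WAN" member label, and the policy it applies are assumptions made for the example.

```shell
# Added example (not from the thread or pfSense): classify bridge filtering
# placement from net.link.bridge.pfil_member / pfil_bridge, then check whether
# that placement can still enforce per-member rules (the WAN/DMZ caveat).

bridge_filter_mode() {
    # $1: sysctl output text in "name: value" form.
    # Prints one of: bridge-only, members-only, both, none, unknown.
    member=$(printf '%s\n' "$1" | sed -n 's/^net\.link\.bridge\.pfil_member: *//p')
    bridge=$(printf '%s\n' "$1" | sed -n 's/^net\.link\.bridge\.pfil_bridge: *//p')
    case "${member:-?}/${bridge:-?}" in
        0/1) printf 'bridge-only\n' ;;   # one rule set on bridge0, members unfiltered
        1/0) printf 'members-only\n' ;;  # rules evaluated on each member interface
        1/1) printf 'both\n' ;;          # traffic hits member rules and bridge rules
        0/0) printf 'none\n' ;;          # bridged traffic bypasses pf entirely
        *)   printf 'unknown\n'; return 1 ;;
    esac
}

bridge_policy_check() {
    # $1: mode from bridge_filter_mode; $2: space-separated bridge member names
    # (assumption: the upstream member is labelled "WAN").
    # Returns 0 when the placement can enforce what the thread wants, 1 otherwise.
    mode=$1
    members=$2
    case " $members " in
        *" WAN "*)
            # With filtering only on bridge0, a packet from WAN and one from DMZ
            # arrive on the same interface, so no rule can tell them apart.
            case "$mode" in
                members-only|both) return 0 ;;
                *) return 1 ;;
            esac ;;
        *)
            # LAN/WLAN bridge: bridge-only is fine; "none" leaves it unfiltered.
            case "$mode" in
                bridge-only|members-only|both) return 0 ;;
                *) return 1 ;;
            esac ;;
    esac
}

# Constructed sample sysctl output (not captured from a real system)
SYSCTL_MEMBERS='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0'
SYSCTL_BRIDGE='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1'

mode=$(bridge_filter_mode "$SYSCTL_BRIDGE")
printf 'filtering placement: %s\n' "$mode"
bridge_policy_check "$mode" "LAN WLAN" && echo "LAN/WLAN bridge: rules on bridge0 are enough"
bridge_policy_check "$mode" "WAN DMZ" || echo "WAN/DMZ bridge: keep member filtering to separate WAN from DMZ rules"
```

Run against real output by piping `sysctl net.link.bridge` into the first function; on pfSense the same two values are what System > Advanced > System Tunables sets. The check encodes the thread's reasoning rather than anything pfSense enforces: bridge-only filtering collapses every member into one interface, which is convenient for a LAN/WLAN bridge and a problem for a WAN/DMZ one.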

Thanks for all the feedback, guys. I have to admit I have found about 3 different ways to do things, and as you say, sometimes one way is better depending on what you want to do.

I have to admit, though, this is one very, very good product that I simply cannot fault. Well, that's not entirely true: some of the documentation is a little vague in places, but then again, with so much flexibility that's to be expected.
