[solved] Assign dynamic IP (DHCP) to client connected to bridge
-
Hi all,
I'm running an APU2C4 (pfSense 2.3.1 / WAN0, LAN0, LAN1) behind a VDSL modem.
My provider delivers IPTV multicast traffic on VLAN8. igmpproxy does not support IGMPv3/SSM on the downstream, which is essential in my case. I read on the German forum that someone managed to create a bridge between a physical interface and VLAN8 instead. That's what I'm trying desperately right now. The settopbox (@LAN1) expects to get an IP assigned by a DHCP server - that's failing right now. My current setup:
- DHCP server running on BR0_IPTV
Interfaces:
- WAN0_VDSL (VLAN7) -> PPPoE
- WAN0_IPTV (VLAN8) -> DHCP (Class A private)
- LAN0 -> STATIC (Class A private)
- LAN1 -> NONE
- BR0_IPTV (WAN0_IPTV, LAN1) -> STATIC (Class B private/30)
System Tunables:
- net.link.bridge.pfil_member = 1
- net.link.bridge.pfil_bridge = 0
Firewall rules:
- Currently none, tried so many.
I had it running last night (DHCP and working streams) until I decided to "optimize" the firewall rules. IIRC these were (do not work currently):
LAN1:
(*) IPV4 * BR0_IPTV net * * * * none
WAN0_IPTV:
(*) IPV4 * * * * * * none
IPV4 IGMP * * * * * none
IPV4 UDP * * * * * none
BR0_IPTV:
(*) IPV4 * BR0_IPTV net * * * * none
What am I missing here?
Cheers
-
Ok folks, I've got it up and running!
The main pitfalls were basically two things:
1. Not being aware of the fact that "sysctls are only read when the bridge interface is created, at boot or otherwise". That was quite a PITA since I created bridges and afterwards changed the relevant system tunables, deleted them and so on. That's why my firewall rules never worked as expected. In order to avoid further collateral damage, simply reboot after changing any system tunables.
Rule of thumb: "One does not simply set up a bridge without setting up system tunables beforehand!"
2. The settopbox didn't get an IP assigned by the DHCP server since relevant requests were blocked on the LAN1 interface. Fixed by a single rule:
IPv4 UDP LAN1 net 68 255.255.255.255 67 * none
As an exercise for myself I repeat the steps below.
Step 1: System Tunables
- net.link.bridge.pfil_member = 1 (default)
- net.link.bridge.pfil_bridge = 0 (default)
Step 2: Set up interfaces
- WAN0_VDSL (VLAN7) -> PPPoE
- WAN0_IPTV (VLAN8) -> DHCP (Class A private)
- LAN0 -> STATIC (Class A private)
- LAN1 -> NONE
- BR0_IPTV (LAN1, WAN0_IPTV) -> STATIC (Class B private/30)
Step 3: Set up DHCP server
- DHCP server running on BR0_IPTV
Step 4: Set up firewall rules
Important: All IGMP rules need "Allow IP options" to be enabled!
- LAN1
IPv4 UDP LAN1 net 68 255.255.255.255 67 * none @Allow DHCP requests to pass
IPv4 IGMP * * 224.0.0.0/4 * * none @Allow multicast traffic to pass
IPv4 UDP * * 239.255.255.250 1900 * none @Allow SSDP requests to pass
- WAN0_IPTV
IPv4 IGMP WAN0_IPTV net * 224.0.0.0/4 * * none @Allow multicast traffic to pass
IPv4 UDP 87.141.215.251 4000 * 10000 * none @Allow to "form" RTP streams
- BR0_IPTV
IPv4 TCP/UDP BR0_IPTV net * * * * none @Allow any TCP/UDP requests to pass
So long
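An added model of the two pitfalls above (not code from this thread or from pfSense): it latches the pfil sysctls at bridge creation the way if_bridge does, evaluates the post's LAN1 rules first-match with pf's "IP options need allow-opts" behaviour, and shows that a DHCPDISCOVER is only judged by the LAN1 rules while the bridge's latched settings say pfil_member=1. The interface names, the sample packets, and the "any" source on the DHCP rule are assumptions.

```python
import ipaddress

def filter_points(pfil_member, pfil_bridge):
    """Where pf sees a bridged frame, per the FreeBSD net.link.bridge sysctls."""
    return (["member"] if pfil_member else []) + (["bridge"] if pfil_bridge else [])

class Bridge:
    """Pitfall 1: if_bridge reads the pfil sysctls only when the bridge is created."""
    def __init__(self, members, sysctl):
        self.members, self.effective = members, dict(sysctl)   # snapshot at creation

    def stale_settings(self, running_sysctl):
        """Keys whose running sysctl no longer matches what this bridge really uses."""
        return {k for k, v in self.effective.items() if running_sysctl.get(k) != v}

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def decide(ruleset, pkt):
    """First match wins (pfSense rules are 'quick'), default deny; a matching pass
    rule still drops a packet carrying IP options unless allow-opts is set."""
    for proto, src, sport, dst, dport, allow_opts in ruleset:
        if (proto == pkt["proto"] and _addr_ok(src, pkt["src"]) and _addr_ok(dst, pkt["dst"])
                and sport in ("*", pkt["sport"]) and dport in ("*", pkt["dport"])):
            return "pass" if allow_opts or not pkt["ip_options"] else "drop"
    return "drop"

def bridge_verdict(bridge, ingress, rulesets, pkt):
    """Verdict for a frame entering member `ingress`, using the bridge's latched sysctls."""
    for point in filter_points(bridge.effective["net.link.bridge.pfil_member"],
                               bridge.effective["net.link.bridge.pfil_bridge"]):
        if decide(rulesets[ingress if point == "member" else "BR0_IPTV"], pkt) == "drop":
            return "drop"
    return "pass"

# Constructed sample data; rule columns: proto, src, sport, dst, dport, allow_opts.
# A DHCPDISCOVER leaves the client from 0.0.0.0 (RFC 2131), so the post's "LAN1 net"
# source column is modelled as "any" here (assumption).
RULES = {
    "LAN1": [("udp", "any", 68, "255.255.255.255/32", 67, False),
             ("igmp", "any", "*", "224.0.0.0/4", "*", True),      # "Allow IP options" on
             ("udp", "any", "*", "239.255.255.250/32", 1900, False)],
    "BR0_IPTV": [],   # no rules on the bridge interface in this scenario
}
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "sport": 68,
                 "dst": "255.255.255.255", "dport": 67, "ip_options": False}
IGMP_REPORT = {"proto": "igmp", "src": "172.16.0.2", "sport": "*", "dst": "239.0.0.1",
               "dport": "*", "ip_options": True}   # IGMP carries the Router Alert option
BOOT_SYSCTL = {"net.link.bridge.pfil_member": 1, "net.link.bridge.pfil_bridge": 0}
```

Creating the bridge with pfil_member=0/pfil_bridge=1 instead sends the same DHCPDISCOVER through the (empty) BR0_IPTV ruleset and it is dropped, which is exactly why LAN1 rules appear to do nothing until the sysctls and the bridge agree.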
-
Btw. since I'm really new to pfSense I do welcome any input and improvements in regards to my rules and configurations.