    External document about bridging.

      chpalmer

      @Derelict:

      Just because you can does not mean you should.

      Waste of perfectly good router ports.

      http://www.amazon.com/D-Link-5-Port-Unmanaged-Gigabit-Switch/dp/B008PC1FYK/

      US$14.33

      Do that instead.

      Posting for someone else that doesn't believe me.  Thanks for the input!  :)

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.


        jahonix

        Well, don't want to hijack this thread or give it a different spin … I'd prefer these switches just because they have a built-in PSU and no wall-wart
        http://www.amazon.com/dp/B0033GFH2E/
        The price on this offer is, of course, ridiculously high.

        "...and now back to you guys!"


          garyd9

          I realize this is an older thread, but I'm curious WHY this is a bad idea?  I see all over that everyone says bridging is horrible… don't do bridging.  Bridging will cause the famine and disease!

          Why?

          I use bridging to link two vlans together, but filter one vlan from accessing certain specific machines on the other.

          I posted about that a few weeks ago, and someone spent considerable time telling me how horrible of an idea it was, that I was causing young children around the world to die in agony, and asking why I'd want to do such a horrible thing.  I reiterated that it was so I could filter between the vlan's, but still allow the vlans to be on the same subnet (so broadcasts would work between machines.) They never responded again.

          I can't do that kind of filtering with a L2 managed switch...  So is it really so horrible?

          I only found two articles on doc.pfsense.org related to bridging:

          https://doc.pfsense.org/index.php/Interface_Bridges
          https://doc.pfsense.org/index.php/What_is_a_bridged_interface_and_how_would_one_be_used

          The second one suggests that bridging can be problematic (but doesn't explain why), and then goes on to suggest "filtering between portions of a single subnet" as a reason to use a bridge.

          Thanks
          Gary


            jahonix

            @garyd9:

            … "filtering between portions of a single subnet" as a reason to use a bridge.

            That's probably one of the few reasons where bridging can be useful.

            Using a bridge instead of a switch is not a useful scenario.


              garyd9

              @jahonix:

              That's probably one of the few reasons where bridging can be useful.

              Using a bridge instead of a switch is not a useful scenario.

              That's good to know…  but I'm very serious in asking why it's a bad thing in other situations?  Does it cause some kind of corruption or slowdowns?  Is it just "bad practice"?

              Is it just that a hardware purpose built switch is going to be significantly faster in.. switching.. than a software bridge?


                johnpoz LAYER 8 Global Moderator

                I think you're talking about me - and I didn't freaking attack you..
                "that I was causing young children around the world to die in agony"

                WTF dude??

                "I reiterated that it was so I could filter between the vlan's"

                You mean filter between devices on the same layer 2, ie same vlan..  Then yes that is a valid point.. But sorry you said that nowhere in this thread
                https://forum.pfsense.org/index.php?topic=116109.0

                But I clearly did in my first post

                There is no reason to bridge unless yes you want to do broadcasting for some reason and still want to be able to control access between devices on each side of the bridge.

                After I asked you why you wanted to bridge.. You come back with a diatribe of nonsense

                "Finally, set up a bridge (br0?) in pfSense that bridges vlanSystem and vlanNormal."

                You do not bridge different networks…. You bridge between media types that you want on the same L2 network.. Like wifi to wired.. Or say fiber interface to an ethernet interface where the same layer 2 is on the other side of that fiber that connects somewhere else, etc.  Ie an extended vlan, you don't bridge 2 different vlans together..

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11


                  garyd9

                  I'm glad to see that my personal troll has caught up to me in this thread, too.  Hi!

                  @johnpoz:

                  I think you're talking about me - and I didn't freaking attack you..
                  "that I was causing young children around the world to die in agony"

                  You don't understand sarcasm, do you?

                  You mean filter between devices on the same layer 2, ie same vlan..  Then yes that is a valid point.. But sorry you said that nowhere in this thread
                  https://forum.pfsense.org/index.php?topic=116109.0

                  I didn't?  First post in that thread:

                  Finally, set up a bridge (br0?) in pfSense that bridges vlanSystem and vlanNormal.  This is where I'm not sure what I'm talking about. ;)  I think, based on what I've read, I can create a bridge between vlanSystem and vlanNormal, and they'd end up being on the same interface (and subnet), but firewall rules are applied to the source interfaces (vlanSystem/vlanNormal) before any packets can cross the bridge.  If so, I'd create rules in the firewall DENYing traffic between vlanGuest and vlanSystem.  This would be… 192.168.200.0

                  …and in my next post in the thread:

                  Any "untrusted guest" needs to be able to "talk" to "trusted human" machines, but NOT to "system" machines.  (in fact, they should be on the same subnet.  My kids are serious minecraft fans, and minecraft clients find each other with network broadcasts.)

                  ..and the best part is… I still have no idea why bridging is frowned upon.


                    Derelict LAYER 8 Netgate
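                  The arrangement garyd9 describes above, written out as an added FreeBSD/pf configuration fragment (constructed for this page, not from the thread or from pfSense): two VLAN interfaces are joined by bridge0 into one subnet, pf filters on the member interfaces so guest-originated frames are dropped before they reach the system hosts, and the subnet broadcasts that routing would not carry still cross the bridge. Interface names, the subnet and the host addresses are assumptions.

```pf
# Constructed example, not from the thread or from pfSense itself.
# Interface names (vlan10/vlan20), the 192.168.200.0/24 subnet and the
# host addresses are assumptions.
#
# FreeBSD if_bridge tunables (pfSense: System > Advanced > System Tunables).
# Filter on the member interfaces, not on bridge0 itself, so each frame
# is evaluated once, on the VLAN interface it arrived on:
#   net.link.bridge.pfil_member=1
#   net.link.bridge.pfil_bridge=0
#
# bridge0 joins the two VLANs into a single L2 segment / single subnet:
#   ifconfig bridge0 create
#   ifconfig bridge0 addm vlan10 addm vlan20 up

vlan_system  = "vlan10"
vlan_guest   = "vlan20"
lan_net      = "192.168.200.0/24"
system_hosts = "{ 192.168.200.10, 192.168.200.11 }"

block all

# Guests may not initiate anything to the system hosts. This is checked
# on vlan20 as the frame arrives, before it is forwarded onto vlan10.
block in quick on $vlan_guest from any to $system_hosts

# All other traffic between hosts of the shared subnet crosses the bridge,
# including directed and limited broadcasts (LAN game discovery), which a
# routed design would not forward. State lets replies return over either
# member interface.
pass in quick on $vlan_guest  from $lan_net to { $lan_net, 192.168.200.255, 255.255.255.255 } keep state
pass in quick on $vlan_system from $lan_net to { $lan_net, 192.168.200.255, 255.255.255.255 } keep state
```

                  pf only inspects IP traffic on the bridge by default, so ARP and other non-IP frames are bridged unfiltered; the per-frame evaluation in software is the cost Derelict refers to below.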

                    Because forwarding of packets is handled in software instead of hardware/ASICs, like in a switch.

                    You seem to have a genuine use case where it might make sense. As is a transparent proxy, etc.

                    "Make my four router ports a switch" is not such a valid use case.

                    Even your use case would probably be better handled by a switch that supports ACLs. Certainly if performance between "switch" ports is a concern.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)


                      garyd9

                      @Derelict:

                      Because forwarding of packets is handled in software instead of hardware/ASICs, like in a switch.

                      Okay, so it's mostly a network performance issue.  That helps me to understand the "why" and I appreciate that you've taken the time to respond.  I'd imagine that it also has some minor negative impact on the router itself (if the router has a load.)


                        Nullity

                        @garyd9:

                        @Derelict:

                        Because forwarding of packets is handled in software instead of hardware/ASICs, like in a switch.

                        Okay, so it's mostly a network performance issue.  That helps me to understand the "why" and I appreciate that you've taken the time to respond.  I'd imagine that it also has some minor negative impact on the router itself (if the router has a load.)

                        I gave you the same answer last week on the other forum. Anyway… ::)

                        Similar to your "What is wrong with bridging?" question, I would ask you "What is wrong with routing?"

                        Please correct any obvious misinformation in my posts.
                        -Not a professional; an arrogant ignoramus.


                          garyd9

                          @Nullity:

                          I gave you the same answer last week on the other forum. Anyway… ::)

                          Oh, I thought you were referring to something else over there.  You had mentioned ipfw and MAC based filtering causing multiple passes through the stack, and that confused me.  So, are you saying that enabling bridging causes ipfw rules to be created and all traffic getting passed through ipfw AND pf even if there's only L3 rules involved?

                          If so, that'd be a bit more overhead than I thought!

                          @Nullity:

                          Similar to your "What is wrong with bridging?" question, I would ask you "What is wrong with routing?"

                          In a general sense, or in the specific case I referenced?

                          For my specific, the issue with routing is that IPv4 network broadcasts aren't routed.
