Bridging VLANs and Physical interfaces
-
Hi,
I'm looking to take the plunge with pfsense and move away from my CPE that my ISP provides.
The reasoning is that with the advent of untrusted devices in my home (IoT) I need to segment my network and my CPE just isn't going to be able to do this. I would also like to have a go at single-stack IPv6 and so will need extra segments for that.
My idea was to use multiple 802.1Q VLANs attached to various ports on the device that I would use for my router: http://www.fit-pc.com/web/products/fitlet/fitlet-x/.
I would then bridge together matching VLAN interfaces (e.g. igb1_vlan1234 and igb2_vlan1234) and one of more of the physical interfaces. The bridge interfaces would then be the only interfaces to have IPv4/IPv6 addresses and be routed through. Necessarily the firewall rules would be active on only the bridge interfaces as well.
If you're familiar with certain Cisco routers, this is very much like routing through a BVI.
One of the reasons I think I need to do it like this is to support my Ubiquiti wireless AP since it's managed on an untagged 802.1Q interface, but can tag the various wireless networks it will be configured with which I would like to bridge with certain wired networks. Another is that I will have hypervisors managed over their untagged ports but running guests attached tagged interfaces.
I'm not really interested in buying a managed switch or anything to put in front of the pfsense box and simply trunking VLANs to a single port, pfsense basically needs to handle bridging of physical interfaces with VLAN interfaces. Do you think this is possible with the current state of things?
Is there another way I can approach this?
Many thanks
-
What is the fascination with bridges.. Like can not go a day without someone bringing them up.
I am with you in creating network segments for your home/place of work and firewalling between them, and for sure to isolate stuff like iot devices and your wifi.
But to be honest what does that have to do with bridging?? If you need ports then get a switch, if you want to have multiple segments then your going to either need multiple dumb switches to do the isolation with or a switch that does vlans. A smart switch that does vlans can be had for really cheap these days. You don't need an enterprise fully managed cisco with layer 3 stack on it to do vlans.
-
(e.g. igb1_vlan1234 and igb2_vlan1234)
AFAIK you can have vlan1234 on exactly one physical interface with pfSense.
"Distribution" has to be done by an external (managed) switch. -
I believe it will allow that. No reason a VLAN tag can't be the same on two different interfaces.
Personally I would get a switch and let the switch switch the frames like they're designed to switching do.
-
I believe it will allow that.
Then it will allow that now. It wasn't possible to set the same vlan ID twice no matter which interface.
-
Ok, I'm a little surprised by the responses.
I don't really need extra ports, the device I have for pfsense has 3 spare ports apart from the wan port and I have 3 devices (an AP and 2 hypervisors, all with a single port). I would also like to avoid the extra cost and hassle of management. Plus it's a good learning exercise.
Coming from a Cisco 800 series background (and after having read around elsewhere) I'm a little surprised that there doesn't seem to be a kind of ready-baked solution to this for pfsense similar to the Cisco BVIs.
Unless anyone can report some success with another method?
-
Ok, I'm a little surprised by the responses.
I was not, saw this coming just by reading the subject ;D
pfSense is a great firewall. Even while it has bridging capabilities, I'm not sure one should call it a great switch.
For the dump prices one can get a small GE manageble switch, most people take that route. And if you're familiar with cisco, setting up those vlans should really be no hassle.I'm a little surprised that there doesn't seem to be a kind of ready-baked solution to this for pfsense similar to the Cisco BVIs.
Well, there's your chance to do a great contribution. Go for it, and write up something once done ;)
-
Do you think this {^} is possible with the current state of things?
Just tried to create multiple VLANs with the same ID on different physical IFs and it seems to work.
How do you want to proceed from here? Bridge those two interfaces?
Every packet from igb1_vlan1234 to igb2_vlan1234 (your bridge) would have to be processed by the kernel then.
Line speed switching for traffic on the same VLAN? Surely not.Is there another way I can approach this?
As already mentioned a managed switch is probably straight forward and less of a bottleneck.
-
How do you want to proceed from here? Bridge those two interfaces?
Yep
@jahonix:Every packet from igb1_vlan1234 to igb2_vlan1234 (your bridge) would have to be processed by the kernel then.
Line speed switching for traffic on the same VLAN? Surely not.You make a good point, hadn't thought of that. Time to go shopping…
I suppose then that this is why I can really see no information on this elsewhere, it's just not a thing to be seriously considered on non-specialized hardware at the moment.
-
Hi,
Because in my home pfsense have 4 LAN interfaces, I wanted to have all CISCO AP on the same physical interface LAN trunk configured with 2 VLANs for Private-Guests wifi.
First I configured 2 interfaces on /25 range but I don't like to have IP changed from one segment to another one when AP is changed.
Then I was thinking to bridge the interfaces but is no point to add this load to pfsense, I did not have a managed switch at home, so I made an experiment:
I used a dumb switch to connect all AP CISCO configured with 2 VLANs and the LAN trunk interface with the same VLANs of pfsense.
Result SUCCESS !
- everything work perfect, looks like I don't need a managed VLAN switch just to pass/carry trunk traffic to all ports of the switch;
I tested:
- 1GB switch DLINK GO-SW-5
and - 100Mb TP-LINK TL-SF1005D,
both work OK to carry trunk traffic.