Communication between devices
-
https://www.infotechwerx.com/blog/Creating-a-Simple-pfSense-Bridge
Maybe I have to try around with those two settings, I will report tomorrow.
-
Why the heck do so many inexperienced users bridge interfaces? What are the thoughts when doing so?
Bridging interfaces is not a general purpose replacement for a switch. Never was, never will be. Even your cited site reads: "A good rule of thumb is switch when you can, bridge only if you must."
One of the ports of the quad nic is set up as wan (igb0) and lan is igb0, …
As the Highlander used to say: there can be only one (on igb0 without VLANs).
For the other interfaces better get a $5 switch hooked up to LAN and connect hosts, NAS and WLAN APs there. Way better performance and zero problems with traffic between devices.
-
I have tried to block 192.168.1.2 (nas) to 192.168.1.3 (pihole) but they are still able to talk to each other.
::)
How did you set net.link.bridge.pfil_member and net.link.bridge.pfil_bridge from system tunables?
Imagine your bridged interfaces to be a switch (just for now, forget about that in 5 min again!). Traffic between hosts on the same subnet will not hit the router (it is not routed to another network, right?) and therefore cannot be filtered.
Put them on different subnets (that's what multiple interfaces are there for!) and filter between them. But don't expect near line-speed traffic to/from your NAS!
-
For the other interfaces better get a $5 switch hocked up to LAN and connect hosts, NAS and WLAN APs there. Way better performance and zero problems with traffic between devices.
But how can I prevent communication from specific devices to each other in a setup like this?
I think with VLANs, but how do I tag each device then, when it's all on one port of pfSense?
How did you set net.link.bridge.pfil_member and net.link.bridge.pfil_bridge from system tunables?
net.link.bridge.pfil_member 0
net.link.bridge.pfil_bridge 1
Imagine your bridged interfaces to be a switch (just for now, forget about that in 5 min again!). Traffic between hosts on the same subnet will not hit the router (it is not routed to another network, right?) and therefore cannot be filtered.
Put them on different subnets (that's what multiple interfaces are there for!) and filter between them. But don't expect near line-speed traffic to/from your NAS!
So forget the $5 switch for all devices?
Hook up WLAN to OPT1? And NAS to OPT2? Wired devices to LAN?
-
I wrote that walkthrough.
JUST GET A SWITCH!
WHY do you people do this bridging nonsense?
Preventing clients on the same subnet from communicating with each other is called layer 2 isolation.
Most quality APs will have a setting that prevents clients from being able to communicate with each other. This might be called Wireless Client Isolation.
Most switches (even cheap ones - but they have to be at least "web smart" "managed" switches) have the ability to create isolated ports. Often called things like private vlan edge or traffic segmentation.
These can often be leveraged so clients can only reach the uplink (router/server) ports and cannot communicate with each other.
![Screen Shot 2018-03-13 at 3.22.13 AM.png](/public/imported_attachments/1/Screen Shot 2018-03-13 at 3.22.13 AM.png)
![Screen Shot 2018-03-13 at 3.25.57 AM.png](/public/imported_attachments/1/Screen Shot 2018-03-13 at 3.25.57 AM.png)
-
I think with vlans, but …
Forget about VLANs for now, you would need a managed switch. Get your basic setup working first.
net.link.bridge.pfil_member 0
net.link.bridge.pfil_bridge 1
And you already know what that means or it's like this just because it's in the tutorial?
So forget the $5 switch for all devices?
No. 5 minutes are over. Get a $5 switch. Forget about the rest.
-
Most quality APs will have a setting that prevents clients from being able to communicate with each other. This might be called Wireless Client Isolation
Most switches (even cheap ones - but they have to be at least "web smart" "managed" switches) have the ability to create isolated ports. Often called things like private vlan edge or traffic segmentation.
Already activated that on my Asus router, which is in AP mode.
And my switch is also able to isolate the ports.
But for WLAN I can only disable it for all devices and not specific ones.
Maybe I want something that is just not working.
And I created the bridge because I had a quad NIC at home, so why not use it..
Forget about VLANs for now, you would need a managed switch. Get your basic setup working first.
I have a switch which is able to do VLANs, but my router is not.
net.link.bridge.pfil_member 0
net.link.bridge.pfil_bridge 1
And you already know what that means or it's like this just because it's in the tutorial?
Yes, that means that filtering on my bridge is enabled now and not on the NIC ports.
-
Maybe you want something that is just not possible.
Isolation is generally on a per-network, not a per-client basis.
If you want different isolation behavior, put your clients on different networks. Many ways to do this. With real gear you can even put different clients on the same wireless network on different VLANs that have different behavior.
None of this has anything to do with your layer 3 firewall (pfSense).
-
Here are my results:
- Reset to default
- Configured WAN and LAN in shell
- WAN as DHCP and LAN as static IPv4 with DHCP server (192.168.2.1/24)
- Created new interface WLAN, same settings as LAN (192.168.3.1/24)
- Created new interface for the NAS, only static IPv4, no DHCP server (192.168.1.1/24)
- Created rule on LAN, WLAN and NAS interface to allow traffic to any (just WAN didn't work)
- Created another rule under LAN to block access to WLAN and NAS
- Created another rule under WLAN to block access to LAN and NAS
- Created another rule under NAS to block access to LAN and WLAN
- Created rules for the specific devices to talk to each other on the ports I want (e.g. 445 for SMB)
- Blocked communication between the WLAN devices on the router
- Blocked communication between the LAN devices with my switch
No bridge, no nothing, it's now working as I wanted.
Only issue I had was with port forwarding, but I had to change the firewall from auto to hybrid under Outbound.
-
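As an added illustration (not code from this thread, from pfSense, or from the walkthrough linked above), the following Python models two points the replies make: traffic between hosts on the same subnet never reaches the firewall, so it cannot be filtered there, and pfSense interface rules are evaluated top-down with the first match winning, so the "block the other subnets" and "allow SMB to the NAS" rules from the results post only work if they sit above the "allow to any" rule. The subnets are the ones from the results post; the host addresses, the rule lists and the evaluate() helper are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Subnets from the results post; host addresses used below are constructed for this example.
NETWORKS = {
    "LAN":  ipaddress.ip_network("192.168.2.0/24"),
    "WLAN": ipaddress.ip_network("192.168.3.0/24"),
    "NAS":  ipaddress.ip_network("192.168.1.0/24"),
}
# pfSense's own address on each interface (x.x.x.1): packets for it DO reach the firewall.
GATEWAYS = {name: net[1] for name, net in NETWORKS.items()}

Dest = Union[ipaddress.IPv4Network, ipaddress.IPv4Address, str]


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    iface: str                    # interface tab the rule lives on (traffic entering pfSense there)
    dst: Dest                     # network, single host, or "any"
    dport: Optional[int] = None   # TCP/UDP destination port; None matches any port


def _dst_matches(rule: Rule, dst_ip: ipaddress.IPv4Address, dport: Optional[int]) -> bool:
    if rule.dport is not None and rule.dport != dport:
        return False
    if rule.dst == "any":
        return True
    if isinstance(rule.dst, ipaddress.IPv4Network):
        return dst_ip in rule.dst
    return dst_ip == rule.dst


def ingress_interface(src_ip: ipaddress.IPv4Address) -> Optional[str]:
    """Interface a packet from src_ip enters pfSense on (None if no subnet matches)."""
    for name, net in NETWORKS.items():
        if src_ip in net:
            return name
    return None


def evaluate(rules, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return 'switched' (never reaches pfSense), 'pass' or 'block'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = ingress_interface(src_ip)
    if iface is None:
        return "block"                      # unknown source subnet: default deny
    # Same subnet and not addressed to pfSense itself: the switch or AP forwards the
    # frame at layer 2 and the firewall rules are never consulted.
    if dst_ip in NETWORKS[iface] and dst_ip != GATEWAYS[iface]:
        return "switched"
    # Interface rules are evaluated top-down; the first matching rule decides.
    for rule in rules:
        if rule.iface == iface and _dst_matches(rule, dst_ip, dport):
            return rule.action
    return "block"                          # implicit default deny at the end of the list


# LAN rules in the order a first attempt might list them: "allow to any" on top makes
# the block rules below it dead, so LAN hosts still reach WLAN and NAS.
LAN_RULES_WRONG_ORDER = [
    Rule("pass",  "LAN", "any"),
    Rule("block", "LAN", NETWORKS["WLAN"]),
    Rule("block", "LAN", NETWORKS["NAS"]),
]

# Corrected order: the specific SMB allow first, then the subnet blocks, then allow
# everything else (Internet via WAN). 192.168.1.2 as the NAS address is constructed.
NAS_HOST = ipaddress.ip_address("192.168.1.2")
LAN_RULES_CORRECT_ORDER = [
    Rule("pass",  "LAN", NAS_HOST, dport=445),
    Rule("block", "LAN", NETWORKS["WLAN"]),
    Rule("block", "LAN", NETWORKS["NAS"]),
    Rule("pass",  "LAN", "any"),
]

if __name__ == "__main__":
    for rules in (LAN_RULES_WRONG_ORDER, LAN_RULES_CORRECT_ORDER):
        print(evaluate(rules, "192.168.2.10", "192.168.3.10"),       # LAN -> WLAN
              evaluate(rules, "192.168.2.10", "192.168.1.2", 445),   # LAN -> NAS, SMB
              evaluate(rules, "192.168.2.10", "192.168.1.2", 22),    # LAN -> NAS, SSH
              evaluate(rules, "192.168.2.10", "8.8.8.8", 443))       # LAN -> Internet
    print(evaluate(LAN_RULES_CORRECT_ORDER, "192.168.1.2", "192.168.1.3"))  # same subnet
```

The "switched" result is the answer to the original bridge question: two hosts in 192.168.1.0/24 talk through the switch (or the bridge acting as one), so no pfSense rule, with any value of the pfil tunables, sees that traffic. The model also shows why the per-device SMB rule has to be above the subnet block on the LAN tab, and why the gateway address of a subnet is the one same-subnet destination that still reaches the firewall.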
- Created new interface WLAN, same settings as LAN (192.168.3.1/24)
- Created new interface for the nas, only static ipv4, no dhcp server (192.168.1.1/24)
Just for optical reasons: why not keep LAN as default = 192.168.1.1/24 - this segment only hosts trusted devices - it's OK as it is - no settings needed.
"NAS" as 192.168.2.1/24 - just a question: is your NAS not trusted? (like it's a NAS but also a web server …)
"WLAN" as 192.168.3.1/24 - here are the scary devices.
And, for example, your WAN as 10.0.0.0/24 (just inform the upstream router, its DHCP server, to do so).
- Created rule on LAN, WLAN and NAS interface to allow traffic to any (just WAN didn't work)
You wanted to check if we were still awake, right?
If not => ;D
-
No bridge, no nothing, it's now working as i wanted.
Great, isn't it? Without any strange fiddling just straight work.
I appreciate you followed this forum's advice and that you posted back!
-
"Only issue i had was with port forwarding, but i had to change the firewall from auto to hybrid under Outbound."
Huh?? What does outbound NAT have to do with port forwarding? The only reason you would have to switch to hybrid is if you were using a VPN or something.