    Split DHCP ranges on Bridge?

    DHCP and DNS
    • Chrisnz

      APU1D4, pfSense 2.4.5-RELEASE-p1 (amd64)

      Not sure if 'split' is the correct terminology here but this is what I have and want to achieve:

      • I'd like 2 subnets for LAN (192.168.1.0) and WiFi (192.168.3.0) devices

      • Devices in both networks should see each other

      • I bridged the 2 interfaces LAN (re2) and the WiFi AP (re0)

      • I activated DHCP for BRIDGE0 (192.168.1.1) and the WiFi AP (192.168.3.1); the LAN interface is not visible in the DHCP server

      What I get is that each device gets 2 addresses assigned, one in the 192.168.3.0 range and the other in the 192.168.1.0 range.
      I can see why, but I'm sure I had it running properly before (without using the DHCP server from the external WiFi AP).
      I had to install pfSense from scratch and can't remember how I did it...
      Is it just a firewall rule blocking DHCP requests between subnets?

      • johnpoz (LAYER 8 Global Moderator)

        How would devices on 192.168.1 see devices on 192.168.3?

        The devices can talk to each other just fine, but Layer 2 discovery is not going to work, if that is what you're asking, i.e. network browsing for example.

        Why would you bridge anything.. Just create your 2 networks.. And then setup your firewall rules to allow the traffic you want between the 2 networks.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • Chrisnz

          Not sure if I can follow. From my admittedly basic network experience and understanding, 2 different subnets don't talk to each other unless you bridge them.

          • JKnott @Chrisnz

            @Chrisnz said in Split DHCP ranges on Bridge?:

            I bridged the 2 interfaces LAN (re2) and the WiFi AP (re0)

            Bad idea. You're putting both interfaces on the same LAN, which is what's causing the double addresses, though I don't understand how a device running DHCP can get addresses from both. Are you certain each device actually gets 2 addresses? Or do some devices get an address from one subnet and others from the 2nd?

            If you want the various devices to see each other then you put them all on the same subnet and use only 1 interface on pfSense.

            2 different subnets don't talk to each other unless you bridge them

            No, pfSense can route the traffic between the 2 networks. For example, I have my main LAN and a test LAN here. PfSense has no problem routing between them.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • johnpoz (LAYER 8 Global Moderator) @Chrisnz

              @Chrisnz said in Split DHCP ranges on Bridge?:

              2 different subnets don't talk to each other unless you bridge them.

              No idea where you got that completely, utterly wrong information from, mate.. How would the internet work? ;) Do you think it's 1 big bridged network ;)

              As jknott stated - just route between them..


              • Chrisnz

                My more in depth network studies are far behind me ;-) I usually only deal with my home network, maybe a bit more than the average user but once it's running I don't need to touch it for years... I just saw parts of the old setup and remembered I followed a pfSense tutorial back then where the solution was a bridge...and it worked fine for 5 years so that's why I started there again...

                Anyway, I ditched the bridge and I'm just trying to work out firewall rules at the moment. Most of it is running but a few things are not; I'll probably open a separate thread for that.

                Thanks for your time guys.

                • johnpoz (LAYER 8 Global Moderator)

                  @Chrisnz said in Split DHCP ranges on Bridge?:

                  I followed a pfSense tutorial back then where the solution was a bridge

                  Not sure what that could have been for - and it sure didn't say to use different IP space.. I have been using pfsense pretty much since it came out.. And I have never seen anything where the solution was "bridge"... It is always a hack or a workaround, never an actual solution to anything.

                  Don't get me wrong, there are times where you can use it to accomplish something.. But it's normally when you have to change media connection types.. But you wouldn't do it on pfsense if you could help it.. If you need to switch from fiber to ethernet you should do that on your switch.. When you "bridge" wifi to ethernet - that should really be done via an access point designed to do that. Not on your L3 router/firewall hardware.

                  If you were running pfsense on some VM host, ok you would bridge the virtual interface to the physical interface - that sort of thing..


                  • Chrisnz

                    The bridge tutorial was on one of the administrator forums (not pfSense forum), can't remember which one back then.

                    Maybe you can help me with one more thing on my routed network. As far as I understand pfSense automatically routes between the subnets if the interfaces are part of the pfSense machine - which they are in my case, correct? Just firewall rules need to be created to allow traffic. All works fine so far.
                    There's just one other thing I'd like to achieve. From the WLAN net I only want certain IPs to be allowed traffic to all LAN devices.
                    E.g. allow my own WiFi devices (DHCP static address with MAC) to access all LAN devices and, let's say, guest users only use WAN/internet access.

                    I did that in the past by creating an Alias with the IP addresses and a firewall rule, but I don't seem to get it working, maybe because of pfSense's routing? Am I on the wrong path here to achieve that?

                    • JKnott @Chrisnz

                      @Chrisnz said in Split DHCP ranges on Bridge?:

                      E.g. allow my own Wifi devices (DHCP static address with MAC) access all LAN devices and lets say guests users only use WAN/internet access.

                      You could certainly filter on IP addresses, but if you have guests, the general way is to use a 2nd SSID & VLAN which allows access only to the Internet.


                      • johnpoz (LAYER 8 Global Moderator)

                        @Chrisnz said in Split DHCP ranges on Bridge?:

                        pfSense automatically routes between the subnets if the interfaces are part of the pfSense machine

                        That is not just pfsense, that is any router or any device at all, to be honest... Why would you have to tell a device how to talk to a network that it's attached to.. The act of attaching it tells it how to talk to that network.. Just blows my mind how often this comes up..

                        If you have devices you want to filter, yes, as jknott mentions it would be better to put them on their own vlan... This way you don't have to worry about assigning specific IPs just so you can filter them. From a security point of view, while I hand out IP address xyz to you, that doesn't mean you could use IP address abc instead and now that firewall rule wouldn't block you. Or might not block you, etc. Depending exactly.. So it's better to segment devices that will have the same restrictions or allowances into the same vlan. So you really don't have to worry about specifics like that.

                        But sure, if you don't want IP 1.2.3.4 from going somewhere, just block it via a firewall rule.

                        What AP do you have, what switching - do you have the ability to do vlans on your network... That would be the more secure method of limiting something. Example: I put all my iot devices on their own vlan.. This vlan cannot talk to any other of my local networks. Except for stuff that I want to allow.. It's always best to block and make exceptions for allow, vs allow all and block specifics.

                        So from this other vlan you would normally block everyone from talking to the lan, and only allow specific IPs to talk to specific IPs on the lan, and only the services it needs on those specific IPs in the lan.

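The default-deny layout johnpoz describes above (block WiFi to LAN first, then allow only specific IPs to specific services), written out as a pf.conf-style ruleset. This is an added example; it is not from any post in the thread and not pfSense's own generated configuration. pfSense builds its ruleset from the GUI, so read this as the equivalent of the rules you would put on the WiFi interface tab, top to bottom. The interface names re0/re2 and the two subnets come from the thread; the alias members, the NAS address, the service ports and the `<rfc1918>` table are assumptions for illustration.

```pf
# Added example: pf.conf-style equivalent of pfSense interface rules on the
# WiFi tab. re0/re2 and the subnets are from the thread; everything else
# (alias members, NAS address, ports) is an assumption.
lan_if   = "re2"                 # LAN, 192.168.1.0/24
wlan_if  = "re0"                 # WiFi AP, 192.168.3.0/24
lan_net  = "192.168.1.0/24"
wlan_net = "192.168.3.0/24"

# The "Alias" of trusted WiFi devices (static DHCP mappings by MAC).
# Caveat from the thread: an IP is a claim, not an identity. A guest who
# sets 192.168.3.10 by hand matches this table too.
table <wifi_trusted> const { 192.168.3.10, 192.168.3.11 }

# All private address space; used so "block to LAN" also covers any
# future local networks you add, not just 192.168.1.0/24.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

nas = "192.168.1.20"             # the one LAN host the trusted devices need

# pfSense puts 'quick' on every GUI rule, so evaluation is top-down and the
# first match wins. Exceptions go first, the deny follows, internet last.
# (DHCP for the WiFi interface is allowed by a rule pfSense adds automatically
# above the user rules, so it is not repeated here.)

# 1. Everyone on WiFi may use the firewall's own DNS resolver.
pass in quick on $wlan_if proto { tcp udp } from $wlan_net to ($wlan_if) port 53

# 2. Trusted devices reach only the LAN services they actually use.
pass in quick on $wlan_if proto tcp from <wifi_trusted> to $nas port { 445 22 }

# 3. Everything else from WiFi to any private network is dropped.
block in quick on $wlan_if from $wlan_net to <rfc1918>

# 4. What is left is internet-bound; let it out.
pass in quick on $wlan_if from $wlan_net to any
```

Rule order is the whole point: with first-match semantics, putting the block at the top would also swallow the two exceptions above it. Rule 2 is the "filter on IP" approach JKnott mentions, and it works, but since it trusts a source address that any host on the WiFi segment can claim, the guest SSID on its own VLAN remains the stronger control; the guest VLAN's rules would then be just rules 1, 3 and 4 with no exception table at all.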

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.