Use SG-5100 OPT ports as LAN switch
-
New to pfsense and just setting up SG-5100 for the first time. While I have a managed switch in a different part of the building that is working well, I need to use some of the OPT ports on the SG-5100 to connect some local devices and APs to my primary network (so, not a VLAN). How do I configure this?
Additional question: while I'm working through the pfsense book and other documentation, what is a good source of more foundational knowledge on networking? I would like to learn more so I have context for the choices I'm making.
-
Yep, it's called "Bridging", and you can do it with 2 or more interfaces. Keep in mind, it is not ideal to do this, and would be better to just use physical switches instead. All traffic on a pfsense bridge has to be processed by the firewall, so that's why it's more efficient to use a switch, specifically built for this task.
You can find this under Interfaces -> Assignments -> Bridges. Add any interfaces that you need.
https://docs.netgate.com/pfsense/en/latest/book/bridging/creating-a-bridge.html
Jeff
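What the Bridges page does under the hood is plain FreeBSD if_bridge, and the part that matters for security is where the firewall rules get applied once the bridge exists. The script below is an added example (not from the original post or from Netgate's code): it emits the ifconfig commands equivalent to bridging the LAN interface with two OPT ports, parses `ifconfig bridgeN` output to list members, and reads the two sysctls pfSense exposes under System > Advanced > System Tunables (`net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge`) to report whether rules are evaluated on the member interfaces, on the bridge interface, or both. The interface names igb1/igb3/igb4 and the sample outputs are assumptions constructed for the example; run `ifconfig -l` on the appliance to find the real names.

```shell
#!/bin/sh
# Added example: FreeBSD if_bridge commands and checks that mirror what
# pfSense's Interfaces > Assignments > Bridges page applies.
# Interface names below (igb1 = LAN, igb3/igb4 = OPT ports) are assumed.

# Print the ifconfig commands that create a bridge with the given members.
# Usage: bridge_cmds bridge0 igb1 igb3 igb4
bridge_cmds() {
  br="$1"; shift
  printf 'ifconfig %s create\n' "$br"
  for m in "$@"; do
    printf 'ifconfig %s addm %s\n' "$br" "$m"
  done
  printf 'ifconfig %s up\n' "$br"
}

# Read `ifconfig bridgeN` output on stdin and print member names, one per line.
bridge_members() {
  awk '$1 == "member:" { print $2 }'
}

# Read `sysctl net.link.bridge` output on stdin and report where pf filters:
# member (pfSense default), bridge, both, or none.
filter_point() {
  awk -F': *' '
    $1 == "net.link.bridge.pfil_member" { m = $2 }
    $1 == "net.link.bridge.pfil_bridge" { b = $2 }
    END {
      if (m == 1 && b == 0) print "member"
      else if (m == 0 && b == 1) print "bridge"
      else if (m == 1 && b == 1) print "both"
      else print "none"
    }'
}

# Constructed sample of `ifconfig bridge0` output (assumed, not captured).
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:01
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: igb4 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000000
        member: igb3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000000
        member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 2000000
        groups: bridge'

# Constructed sample of the pfSense default sysctl values (assumed).
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0'

# Stand-alone run: show the commands, the members, and the filter point.
if [ "${0##*/}" != "sh" ] && [ -z "$BRIDGE_EXAMPLE_NO_MAIN" ]; then
  bridge_cmds bridge0 igb1 igb3 igb4
  printf '%s\n' "$SAMPLE_IFCONFIG" | bridge_members
  printf '%s\n' "$SAMPLE_SYSCTL" | filter_point
fi
```

With the pfSense defaults (`pfil_member=1`, `pfil_bridge=0`) rules are evaluated on each member, so the OPT ports need their own pass rules even though they are in the same broadcast domain as LAN; switching to `pfil_bridge=1` moves evaluation to the bridge interface instead. On a live box replace the constructed samples with `ifconfig bridge0 | bridge_members` and `sysctl net.link.bridge | filter_point`.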
-
@akuma1x thanks Jeff, appreciate the quick response.
I must admit, I'm puzzled that this is a software burden: the reason I chose the 5100 over the 3100 was the Choosing the Right Netgate Appliance page, which indicated that the independent Ethernet connections would be optimal for provisioning for WAN or LAN purposes.
-
Just use a switch.. You can pick up an 8-port gig smart switch (VLANs) for like $40..
-
@pf_novice Then go ahead and do it. The 5100 has enough oomph to make and use the bridged interfaces. It will most likely run just fine. Won't hurt to try it. It's simply frowned upon here in the forum, since switching hardware is relatively inexpensive.
Here are specific step-by-step instructions for creating the bridge:
https://eengstrom.github.io/musings/configure-pfsense-bridge-over-multiple-nics-as-lan
Jeff
-
Yes you certainly can bridge additional ports to the LAN if required. If they will only be used occasionally or for low bandwidth applications you probably won't see any issues.
If you need or expect to use the full Gigabit bandwidth continually you should just use a switch. Otherwise you will be putting a large additional load on the firewall that need not be there.
Steve
-
I never understand why people get some firewall with X number of interfaces in it, if all they want is to put them all in the same network.. The 5100 has the same number of interfaces as my 4860.. And to be honest I wish I had a couple more interfaces.. Not switch ports - but actual interfaces, so I could split different VLANs onto their own interfaces. Vs having to share a single interface for some of them.
Switch ports are cheap.. Discrete interfaces not so much.. If you just need a switch port, use a switch..
-
Yup I agree with that.
However if you have spare interfaces in a system and have the spare CPU cycles to do it then bridging them in to give local access to some device is not really an issue. Usually.
Steve
-
Until such time that you want to use it as an actual interface and you've used it as a switch port.. And now you have to take a bunch of shit down and redo stuff because you were too lazy or cheap to just get switch ports when you needed them..
Because oh my gosh - that interface is sitting there doing nothing ;)
I'll just hammer this nail in with the back end of my screwdriver because I'm too lazy to go pick up the hammer 2 feet away.. The proper tool for the job I say - a router interface is not a switch port ;)
-
@johnpoz I understand... in my case because of the cabling layout I only have 2 Ethernet cables to trunk to the main switch location, so there are two 'spare' ports that I can use for a local AP and backup device.
This lets me clean up my board and avoid yet another device and power supply.
TBH this is 50% a learning exercise - just constructing the bridge has been an education, so it's all good. The next task is to stand up my LTE failover, which will be fun, and then try to figure out how many firewall rules I need to make everything work.
Thanks @akuma1x, @johnpoz and @stephenw10 for the insights.