External document about bridging.
-
Somehow this seems wrong! :o
https://www.all4os.com/router/bridge-multiple-lan-portsnics-to-act-like-a-router-in-pfsense-2-1.html
Comments? ;D
-
You are correct, of course. That post is nonsense. Bridged interfaces are NOT a replacement for a switch.
…and I thought what's written on the internet is always right. Not? 8)
-
Just because you can does not mean you should.
Waste of perfectly good router ports.
http://www.amazon.com/D-Link-5-Port-Unmanaged-Gigabit-Switch/dp/B008PC1FYK/
US$14.33
Do that instead.
-
Just because you can does not mean you should.
Waste of perfectly good router ports.
http://www.amazon.com/D-Link-5-Port-Unmanaged-Gigabit-Switch/dp/B008PC1FYK/
US$14.33
Do that instead.
Posting for someone else that doesn't believe me. Thanks for the input! :)
-
Well, don't want to hijack this thread or give it a different spin … I'd prefer these switches just because they have a built-in PSU and no wall-wart
http://www.amazon.com/dp/B0033GFH2E/
The price on this offer is, of course, ridiculously high."...and now back to you guys!"
-
I realize this is an older thread, but I'm curious WHY this is a bad idea? I see all over that everyone says bridging is horrible… don't do bridging. Bridging will cause the famine and disease!
Why?
I use bridging to link two vlans together, but filter one vlan from accessing certain specific machines on the other.
I posted about that a few weeks ago, and someone spent considerable time telling me how horrible of an idea it was, that I was causing young children around the world to die in agony, and asking why I'd want to do such a horrible thing. I reiterated that it was so I could filter between the vlan's, but still allow the vlans to be on the same subnet (so broadcasts would work between machines.) They never responded again.
I can't do that kind of filtering with a L2 managed switch... So is it really so horrible?
I only found two articles on doc.pfsense.org related to bridging:
https://doc.pfsense.org/index.php/Interface_Bridges
https://doc.pfsense.org/index.php/What_is_a_bridged_interface_and_how_would_one_be_usedThe second one suggests that bridging can be problematic (but doesn't explain why), and then goes on to suggest "filtering between portions of a single subnet" as a reason to use a bridge.
Thanks
Gary -
… "filtering between portions of a single subnet" as a reason to use a bridge.
That's probably one of the few reasons where bridging can be useful.
Using a bridge instead of a switch is not a useful scenario.
-
That's probably one of the few reasons where bridging can be useful.
Using a bridge instead of a switch is not a useful scenario.
That's good to know… but I'm very serious in asking why it's a bad thing in other situations? Does it cause some kind of corruption or slowdowns? Is it just "bad practice"?
Is it just that a hardware purpose built switch is going to be significantly faster in.. switching.. than a software bridge?
-
I think your talking about me - and I didn't freaking attack you..
"that I was causing young children around the world to die in agony"WTF dude??
"I reiterated that it was so I could filter between the vlan's"
You mean filter between devices on the same layer 2, ie same vlan.. Then yes that is a valid point.. But sorry you said that no where in this thread
https://forum.pfsense.org/index.php?topic=116109.0But I cleary did in my first post
here is no reason to bridge unless yes you want to do broadcasting for some reason and still want to be able to control access between devices on each side of the bridge.
After I asked you why you wanted to bridge.. You come back with a diatribe of nonsense
"Finally, set up a bridge (br0?) in pfSense that bridges vlanSystem and vlanNormal."
You do not bridge different networks…. You bridge between media types that you want on the same L2 network.. Like wifi to wired.. Or say fiber interface to an ethernet interface where the same layer 2 is on the other side of that fiber that connects somewhere else, etc. Ie an extended vlan, you don't bridge 2 different vlans together..
-
I'm glad to see that my personal troll has caught up to me in this thread, too. Hi!
I think your talking about me - and I didn't freaking attack you..
"that I was causing young children around the world to die in agony"You don't understand sarcasm, do you?
You mean filter between devices on the same layer 2, ie same vlan.. Then yes that is a valid point.. But sorry you said that no where in this thread
https://forum.pfsense.org/index.php?topic=116109.0I didn't? First post in that thread:
Finally, set up a bridge (br0?) in pfSense that bridges vlanSystem and vlanNormal. This is where I'm not sure what I'm talking about. ;) I think, based on what I've read, I can create a bridge between vlanSystem and vlanNormal, and they'd end up being on the same interface (and subnet), but firewall rules are applied to the source interfaces (vlanSystem/vlanNormal) before any packets can cross the bridge. If so, I'd create rules in the firewall DENYing traffic between vlanGuest and vlanSystem. This would be… 192.168.200.0
…and in my next post in the thread:
Any "untrusted guest" needs to be able to "talk" to "trusted human" machines, but NOT to "system" machines. (in fact, they should be on the same subnet. My kids are serious minecraft fans, and minecraft clients find each other with network broadcasts.)
..and the best part is… I still have no idea why bridging is frowned upon.
-
Because forwarding of packets is handled in software instead of hardware/ASICs, like in a switch.
You seem to have a genuine use case where it might make sense. As is a transparent proxy, etc.
"Make my four router ports a switch" is not such a valid use case.
Even your use case would probably be better handled by a switch that supports ACLs. Certainly if performance between "switch" ports is a concern.
-
Because forwarding of packets is handled in software instead of hardware/ASICs, like in a switch.
Okay, so it's a mostly a network performance issue. That helps me to understand the "why" and I appreciate that you've taken the time to respond. I'd imagine that it also has some minor negative impact on the the router itself (if the router has a load.)
-
Because forwarding of packets is handled in software instead of hardware/ASICs, like in a switch.
Okay, so it's a mostly a network performance issue. That helps me to understand the "why" and I appreciate that you've taken the time to respond. I'd imagine that it also has some minor negative impact on the the router itself (if the router has a load.)
I gave you the same answer last week on the other forum. Anyway… ::)
Similar to your "What is wrong with bridging?" question, I would ask you "What is wrong with routing?"
-
I gave you the same answer last week on the other forum. Anyway… ::)
Oh, I thought you were referring to something else over there. You had mentioned ipfw and MAC based filtering causing multiple passes through the stack, and that confused me. So, are you saying that enabling bridging causes ipfw rules to be created and all traffic getting passed through ipfw AND pf even if there's only L3 rules involved?
If so, that'd be a bit more overhead than I thought!
Similar to your "What is wrong with bridging?" question, I would ask you "What is wrong with routing?"
In a general sense, or in the specific case I referenced?
For my specific, the issue with routing is that IPv4 network broadcasts aren't routed.
