[solved] Assign dynamic IP (DHCP) to client connected to bridge



  • Hi all,

I'm running an APU2C4 (pfSense 2.3.1 / WAN0, LAN0, LAN1) behind a VDSL modem.
    My provider delivers IPTV multicast traffic on VLAN8. igmpproxy does not support IGMPv3/SSM on the downstream, which is essential in my case. I read on the German forum that someone managed to create a bridge between a physical interface and VLAN8 instead. That's what I'm trying desperately right now. The set-top box (@LAN1) expects to get an IP assigned by a DHCP server - that's failing right now.

    My current setup:

    • DHCP server running on BR0_IPTV

Interfaces:

    • WAN0_VDSL (VLAN7)          -> PPPoE
    • WAN0_IPTV (VLAN8)          -> DHCP (Class A private)
    • LAN0                       -> STATIC (Class A private)
    • LAN1                       -> NONE
    • BR0_IPTV (WAN0_IPTV, LAN1) -> STATIC (Class B private/30)

    System Tunables:

    • net.link.bridge.pfil_member = 1
    • net.link.bridge.pfil_bridge = 0

    Firewall rules:

    • Currently none, tried so many.

    I had it running last night (DHCP and working streams) until I decided to "optimize" the firewall rules. IIRC these were (do not work currently):

LAN1:
    Proto      Source        Port  Destination  Port  Gateway  Queue
    (*) IPv4 * BR0_IPTV net  *     *            *     *        none

    WAN0_IPTV:
    Proto         Source  Port  Destination  Port  Gateway  Queue
    (*) IPv4 *    *       *     *            *     *        none
    IPv4 IGMP     *       *     *            *     *        none
    IPv4 UDP      *       *     *            *     *        none

    BR0_IPTV:
    Proto      Source        Port  Destination  Port  Gateway  Queue
    (*) IPv4 * BR0_IPTV net  *     *            *     *        none

    What am I missing here?

    Cheers



  • Ok folks, I've got it up and running!

    The main pitfalls were basically two things:

1. Not being aware of the fact that "sysctls are only read when the bridge interface is created, at boot or otherwise". That was quite a PITA since I created bridges and afterwards changed the relevant system tunables, deleted them and so on. That's why my firewall rules never worked as expected. In order to avoid further collateral damage, simply reboot after changing any system tunables.

Rule of thumb: "One does not simply set up a bridge without setting up system tunables beforehand!"

2. The set-top box didn't get an IP assigned by the DHCP server since the relevant requests were blocked on the LAN1 interface. Fixed by a single rule:

    Proto     Source    Port  Destination      Port  Gateway  Queue
    IPv4 UDP  LAN1 net  68    255.255.255.255  67    *        none
    

    As an exercise for myself I repeat the steps below.

    Step 1: System Tunables

    • net.link.bridge.pfil_member = 1 (default)
    • net.link.bridge.pfil_bridge = 0 (default)

Step 2: Set up interfaces

    • WAN0_VDSL (VLAN7)          -> PPPoE
    • WAN0_IPTV (VLAN8)          -> DHCP (Class A private)
    • LAN0                       -> STATIC (Class A private)
    • LAN1                       -> NONE
    • BR0_IPTV (LAN1, WAN0_IPTV) -> STATIC (Class B private/30)

    Step 3: Set up DHCP server

    • DHCP server running on BR0_IPTV

    Step 4: Set up firewall rules
    Important: All IGMP rules need "Allow IP options" to be enabled!

• LAN1

    Proto      Source    Port  Destination      Port  Gateway  Queue  Description
    IPv4 UDP   LAN1 net  68    255.255.255.255  67    *        none   Allow DHCP requests to pass
    IPv4 IGMP  *         *     224.0.0.0/4      *     *        none   Allow multicast traffic to pass
    IPv4 UDP   *         *     239.255.255.250  1900  *        none   Allow SSDP requests to pass

    • WAN0_IPTV

    Proto      Source          Port  Destination  Port   Gateway  Queue  Description
    IPv4 IGMP  WAN0_IPTV net   *     224.0.0.0/4  *      *        none   Allow multicast traffic to pass
    IPv4 UDP   87.141.215.251  4000  *            10000  *        none   Allow RTP streams to "form"

    • BR0_IPTV

    Proto         Source        Port  Destination  Port  Gateway  Queue  Description
    IPv4 TCP/UDP  BR0_IPTV net  *     *            *     *        none   Allow any TCP/UDP requests to pass
    

    So long

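The two pitfalls above, modelled in Python so they can be reasoned about offline. This is an added example, not pfSense or FreeBSD code: it keeps an in-memory stand-in for the two `net.link.bridge.pfil_*` sysctls, a `Bridge` that snapshots them at creation time (pitfall 1), and a first-match evaluator that runs the posted LAN1 rule sets against a constructed DHCPDISCOVER (pitfall 2). The `172.16.0.0/30` network and the `172.16.0.2` set-top box address are constructed stand-ins for the "Class B private/30"; the "LAN1 net" source of the working DHCP rule is modelled as "any", since the post does not say how pfSense expands that alias on an interface without an address, and the "Allow IP options" flag on the IGMP rules is not modelled.

```python
"""Where a bridge filters a frame, and which posted rules pass the STB's DHCP request."""
import ipaddress
from dataclasses import dataclass, field

# Assumption: the sysctl tree reduced to the two bridge knobs named in the post.
SYSCTL = {"net.link.bridge.pfil_member": 1, "net.link.bridge.pfil_bridge": 0}

@dataclass
class Bridge:
    """Copies the pfil_* sysctls when created; later sysctl changes do not reach
    this bridge until it is destroyed and re-created (the post's pitfall 1)."""
    name: str
    members: tuple
    pfil_member: int = field(init=False)
    pfil_bridge: int = field(init=False)

    def __post_init__(self):
        self.pfil_member = SYSCTL["net.link.bridge.pfil_member"]
        self.pfil_bridge = SYSCTL["net.link.bridge.pfil_bridge"]

    def filtering_points(self, ingress_if):
        """Rule sets a frame entering `ingress_if` is checked against, in order."""
        if ingress_if not in self.members:
            return [ingress_if]                   # not a bridge member: filtered normally
        points = []
        if self.pfil_member:
            points.append(ingress_if)             # the member interface's own rules
        if self.pfil_bridge:
            points.append(self.name)              # the bridge interface's rules
        return points

@dataclass
class Rule:
    iface: str
    proto: str    # "any" or "/"-separated list, e.g. "tcp/udp"
    src: str      # "any" or CIDR
    sport: str    # "any" or a port number as text
    dst: str
    dport: str
    descr: str = ""

@dataclass
class Packet:
    ingress_if: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt, iface):
    proto_ok = rule.proto == "any" or pkt.proto in rule.proto.split("/")
    return (rule.iface == iface and proto_ok
            and _addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport))

def evaluate(bridge, rules, pkt):
    """First matching pass rule wins at each filtering point; matching nothing at
    some point hits pfSense's implicit default deny. Returns (verdict, iface, descr)."""
    verdict = ("pass", None, "no filtering point: bridge forwards unfiltered")
    for iface in bridge.filtering_points(pkt.ingress_if):
        hit = next((r for r in rules if rule_matches(r, pkt, iface)), None)
        if hit is None:
            return ("block", iface, None)
        verdict = ("pass", iface, hit.descr)
    return verdict

BR_NET = "172.16.0.0/30"   # constructed stand-in for the "Class B private/30" on BR0_IPTV
STB_IP = "172.16.0.2"      # constructed set-top box address inside that /30

# The rule set from the first post ("do not work currently").
ORIGINAL_RULES = [
    Rule("LAN1", "any", BR_NET, "any", "any", "any", "IPv4 * BR0_IPTV net"),
    Rule("BR0_IPTV", "any", BR_NET, "any", "any", "any", "IPv4 * BR0_IPTV net"),
]
# The working set from the second post ("LAN1 net" modelled as "any": assumption).
FIXED_RULES = [
    Rule("LAN1", "udp", "any", "68", "255.255.255.255", "67", "Allow DHCP requests to pass"),
    Rule("LAN1", "igmp", "any", "any", "224.0.0.0/4", "any", "Allow multicast traffic to pass"),
    Rule("BR0_IPTV", "tcp/udp", BR_NET, "any", "any", "any", "Allow any TCP/UDP requests to pass"),
]

# Constructed packets. A DHCPDISCOVER is sent from 0.0.0.0:68 to the limited broadcast
# on port 67 (RFC 2131), so a source restricted to any configured subnet cannot match it.
DHCP_DISCOVER = Packet("LAN1", "udp", "0.0.0.0", 68, "255.255.255.255", 67)
IGMP_REPORT = Packet("LAN1", "igmp", STB_IP, 0, "224.0.0.22", 0)  # IGMPv3 report address

def make_bridge():
    return Bridge("BR0_IPTV", ("LAN1", "WAN0_IPTV"))

def dhcp_with_original_rules():
    return evaluate(make_bridge(), ORIGINAL_RULES, DHCP_DISCOVER)

def dhcp_with_fixed_rules():
    return evaluate(make_bridge(), FIXED_RULES, DHCP_DISCOVER)

def igmp_with_fixed_rules():
    return evaluate(make_bridge(), FIXED_RULES, IGMP_REPORT)

def sysctl_change_after_creation():
    """Pitfall 1: flipping the sysctls after the bridge exists changes nothing for it;
    only a freshly created bridge picks the new values up."""
    SYSCTL.update({"net.link.bridge.pfil_member": 1, "net.link.bridge.pfil_bridge": 0})
    old = make_bridge()
    SYSCTL.update({"net.link.bridge.pfil_member": 0, "net.link.bridge.pfil_bridge": 1})
    stale, fresh = old.filtering_points("LAN1"), make_bridge().filtering_points("LAN1")
    SYSCTL.update({"net.link.bridge.pfil_member": 1, "net.link.bridge.pfil_bridge": 0})
    return stale, fresh

if __name__ == "__main__":
    print("DHCP, original rules:", dhcp_with_original_rules())
    print("DHCP, fixed rules:   ", dhcp_with_fixed_rules())
    print("IGMP, fixed rules:   ", igmp_with_fixed_rules())
    print("stale/fresh bridge:  ", sysctl_change_after_creation())
```

With pfil_member=1 and pfil_bridge=0 the only rule set consulted for a frame entering LAN1 is LAN1's own, which is why the BR0_IPTV rules never saw the request and why a LAN1 rule sourced from "BR0_IPTV net" blocks a 0.0.0.0-sourced DHCPDISCOVER. The stale/fresh pair shows the second pitfall: the old bridge keeps filtering on LAN1 after the sysctls are flipped, while a re-created bridge filters on BR0_IPTV instead.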
• By the way, since I'm really new to pfSense, I do welcome any input and improvements in regards to my rules and configurations.
