Bridge Issues on SG-8860 1U
-
So, I have migrated our corporate firewall from a Watchguard Unit to a SG-8660 and everything went fairly smoothly, however I am having awful trouble setting up a bridge.
I have LAN (igb0) and LAN1 (igb2).
The settings on igb0 are a static ipv4 configuration, with the pfsense box on 192.168.155.254
The settings on igb1 are: Enable interface, and then None for everything else.
On Interfaces > Assign, I have set up bridge0 on LAN and LAN1.
Both LAN and LAN1 have switches connected to them, the devices connected to the switch on LAN work perfectly.
The switch connected to LAN1 does not seem to work correctly, devices receive their correct DHCP reservation, but they cannot ping hosts on the other switch, and hosts on the other switch cannot ping hosts on LAN1.
Other than assigning the bridge, what other rules do I need to add to allow communication of devices connected to different switches on the same subnet?
-
That depends on where you want the governing firewall rules.
My first question is why you are using a bridge for this in the first place. Connect a decent switch to LAN and connect switches to the various locations to that. If it's multiple interfaces/redundancy you are after, use a LAGG.
pfSense is a lot of things but it is not a switch.
That said, your problems are probably the bridging sysctls System > Advanced, System Tunables.
You likely want:
net.link.bridge.pfil_member = 0
net.link.bridge.pfil_bridge = 1
Under Interfaces > (assign) assign LAN to BRIDGE0. The bridge interface is where the LAN interface IP address will live, where DHCP will run, where LAN rules will be assigned, etc.
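As an added illustration of what the two tunables in the reply above control (this is not code from the forum thread or from pfSense), the shell function below takes `sysctl` output in FreeBSD's `name: value` form and reports where pf will filter bridged traffic: on the bridge interface, on the member interfaces, on both, or nowhere. The sample input is constructed; on a real box the text would come from `sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge`.

```shell
# Added example, not part of the original post or of pfSense.
# Classify where packet filtering happens for traffic crossing a bridge,
# based on the two sysctls discussed in the reply above:
#   net.link.bridge.pfil_member  1 = filter on each member interface
#   net.link.bridge.pfil_bridge  1 = filter on the bridge interface itself
# Input ($1) is text in FreeBSD "name: value" sysctl format.
bridge_filter_mode() {
  member=$(printf '%s\n' "$1" | awk '/net\.link\.bridge\.pfil_member:/ {print $2}')
  bridge=$(printf '%s\n' "$1" | awk '/net\.link\.bridge\.pfil_bridge:/ {print $2}')
  case "${member:-?}/${bridge:-?}" in
    0/1) echo "bridge" ;;   # rules belong on the BRIDGE0 interface (the reply's suggestion)
    1/0) echo "members" ;;  # rules belong on each member (LAN, LAN1)
    1/1) echo "both" ;;     # traffic is evaluated twice, on member and on bridge
    0/0) echo "none" ;;     # no filtering of bridged traffic at all; avoid this state
    *)   echo "unknown" ;;  # one of the values was missing from the input
  esac
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_SUGGESTED='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1'

SAMPLE_UNFILTERED='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0'

# Usage: feed the real sysctl output instead of the samples, e.g.
#   bridge_filter_mode "$(sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge)"
bridge_filter_mode "$SAMPLE_SUGGESTED"
bridge_filter_mode "$SAMPLE_UNFILTERED"
```

The useful outcome of the check is the "none" case: with both tunables at 0, hosts on the two switches can talk to each other through the bridge without any pf rule ever being consulted, which is usually not what an administrator who put the segment behind a firewall intended.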
-
OK, to be honest I am just replacing the setup from the previous firewall.
Instead of daisy chaining the switches I simply created a new subnet and allowed for inter subnet communication (which effectively is allowing traffic between the two switches).
I didn't realize up until your post (and a bit of googling) just how frowned upon bridges are.
-
When bridging is necessary, it generally works fine. If you have to ask "should I use a switch or a bridge" the best answer is pretty much always a switch.
You really don't want layer 2 traffic between the two switches going through a bridge.