Correct way to set up routing + gateway for interface set on a bridge?
-
I think this is easiest explained by sketching what I'm trying to do:
I'm trying to use a second pfSense install as a bridge (only), with a management IP on the bridge. In real terms I've got the bridge IF set up and working on a static IP, but the IF on the bridge isn't picking up an IP via DHCP and can't find pfSense updates, suggesting that it isn't getting the routing/gateway/DHCP info it needs.
The devices attached to the pfSense box (the bottom two in the sketch) are getting DHCP/DNS settings from the main router and network fine, so I've probably got it almost there. Just got to sort out the bridge IP connectivity.
I think part of the problem is that there are two IFs involved - the bridge's own IF and the IF for the physical NIC it's connected through to the main router, and I'm confusing them. Because they have separate MAC addresses, maybe I'm misunderstanding which IF or MAC to use in settings somewhere. A quick explanation of what to set up, to do that, would be very appreciated!
-
What possible purpose is there to such a setup??
-
What possible purpose is there to such a setup??
I can't afford what I actually need for the network right now due to domestic circumstances, and doing it in software on pfSense may not be as performant and "clean", but it's good enough performance and clean enough, to be a completely acceptable substitute for a homelab until I can. (But as they said in Airplane, that's not important really:) )
Bear in mind the sketch is simplifying the situation to pin down a specific issue. Obviously if it was truly that simple a network it wouldn't be done that way.
-
So you're saying the box that is running pfSense with 4 interfaces is better than some dumb switch for <$20??
https://www.amazon.com/TP-Link-Gigabit-Ethernet-Plastic-TL-SG1008D/dp/B001EVGIYG/ref=pd_lpo_vtph_147_tr_t_3?_encoding=UTF8&psc=1&refRID=WFK1H831R70K0CK69EFZ
8 port gig = $19. That is an 8 port gig.. If you cannot afford 20.. should you really even have a home lab ;)
-
So you're saying the box that is running pfSense with 4 interfaces is better than some dumb switch for <$20??
https://www.amazon.com/TP-Link-Gigabit-Ethernet-Plastic-TL-SG1008D/dp/B001EVGIYG/ref=pd_lpo_vtph_147_tr_t_3?_encoding=UTF8&psc=1&refRID=WFK1H831R70K0CK69EFZ
8 port gig = $19. That is an 8 port gig.. If you cannot afford 20.. should you really even have a home lab ;)
And this is a useful reply… how? I did hint that this was unhelpfully off topic, and you ignored that.
No, it's not hard to afford a $20 switch. But a Cisco or Juniper managed switch with 8 or so 10G ports is a little bit more than $20 and I can't afford it yet. In the meantime pfSense and soft routers will never match ASIC and won't do line speed (at least until tryforward and a bunch of other stuff goes live in FreeBSD 20) but if you'd considered the question and not persisted with snide "why would you want to anyway", pfSense can route 10G fast enough to substitute for it and save me a 4 figure sum until I can afford the switch I need, and avoid paying $600+ for a half-assed switch that I won't need long term. When I can afford it, it replaces both the boxes in the above diagram (simplifying).
I have to say, you didn't come over as helpful here. Both comments above were unnecessary and the second came over as deliberately unhelpful and a bit snide as well; it was clear that a $20 switch probably isn't what I had in mind.
Can we start again and set aside any untoward feeling from the above, and could I ask, without rancor, for your comment on how it's done?
-
But you are here asking for help because, frankly, pfSense bridging is a touch complicated and should only be used if NECESSARY.
The people who can help you with that here can probably make $250-$500 in the time it would take to help you with your unnecessary and foolish bridging and it kind of sticks in the craw that you would rather see that happen than just buy a damn switch for $19 which would be the route any reasonable person would take. If you want to be cheap, then do the reading/research necessary.
Anyway. I think that is what johnpoz is trying to say lol.
-
But you are here asking for help because, frankly, pfSense bridging is a touch complicated and should only be used if NECESSARY.
The people who can help you with that here can probably make $250-$500 in the time it would take to help you with your unnecessary and foolish bridging and it kind of sticks in the craw that you would rather see that happen than just buy a damn switch for $19 which would be the route any reasonable person would take. If you want to be cheap, then do the reading/research necessary.
Anyway. I think that is what johnpoz is trying to say lol.
It's true, but not really relevant. After all, we're all here on this support forum ("pfSense English Support") to ask or offer help, or share knowledge. People who value their time more (which is fine) can simply not comment, rather than take time out to comment in what comes over as a deliberately unhelpful and slightly snarky manner - and then take time out to do it again. I also don't agree with the view that anyone with an advanced query shouldn't ask for help because those able to answer can earn tons in the time a reply would take; if that were so, no advanced questions would ever get answered. That's contradicted by many questions here.
Turning back to the question, which isn't about "being cheap" or "foolish": I'm aiming ultimately to set up a mixed 1G/10G network, because shunting 100GB - 2TB datasets and VM images around is too slow on 1G (my time's more valuable) and I prefer 10G to aggregating multiple 1G's (conceptually cleaner, less to go wrong, closer match to future network planning). Having a single mixed 1/10G switch would make life easier, as any switching/VLAN setup between LAN devices is centralised, but a suitable switch would cost ~$600+, more than I have right now. It happens I've just de-commissioned a Haswell-era 8 core 3.5GHz server which is idle as a "spare", but ideal to host an ad-hoc 10G dedicated soft bridge for the while or until it's needed, and I also have a bunch of 10G Chelsio PCIe cards + matching Finisar 10SR transceivers spare from a recent upgrade which are ideal and recommended for pfSense/FreeBSD 10G. They're all that's needed, have no immediate use, and are free. So for the moment I'm attaching all the 10G devices (basically file, backup and VM servers) to it as a single 10G bridge with a 1G link to the rest of the LAN. It gets me 95% of what I'm after (centralisation/mixed 1+10G/VLAN handling) and if I'm comfortable with ~4gbps (software) rather than 10gbps (ASIC) then it removes the pressure to buy the switch any time soon. When I do, the network will already be set up for mixed 1/10G off a single switch/bridge device, essentially the same setup, minimising the swapover work.
It defers a 4 figure sum, and with 10G coming down in price that's no bad thing. But a 1G desktop switch is, clearly, pointless for the scenario as I could just plug all the servers into my existing 1G switch.
The only query is what config's needed in terms of gateways and routing on a soft bridge IP, which is an area I haven't needed to dabble in yet, and can't find much about. So I asked here instead. It seems reasonable to ask that point here. But the rest of the background was tl;dr and skipped over, in respect for others' time and to focus on the relevant point: the routing + gateway requirements for a basic bridged IF to "see" the WAN.
-
When you create the IP on the bridged interface.. You would not set up a gateway on it - because then in pfSense's eyes it becomes a WAN..
So just set up a gateway on pfSense under System > Routing. There you go, just like you would do with a downstream router.
And again - what you're doing is completely pointless.. Is it bridging now? Then you have solved your problem.. Why do you think pfSense needs to get to the internet if you're using it as a really shitty dumb switch that I am for freaking sure took you magnitudes of time and effort vs just buying a switch, which yes derelict hit right on the nose.. Just posting this alone was prob wasted $20 worth that you could have just freaking bought a switch with if you needed some extra ports…
Where in your original post did you mention anything about 10Ge, or even in your 2nd post after I asked for the purpose? If you had mentioned that you're trying to leverage a spare box as a soft 10Ge switch I wouldn't have thought you the typical user asking how can I use that spare port in my router as a switch port..
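An added check, not from the thread and not pfSense's own code, that a practitioner could run from the pfSense shell to confirm the state the reply describes: the management IP and the default route both live on the bridge, and the physical member NIC carries no address. The sample outputs are constructed, and the interface names bridge0/igb1 and the addresses are assumptions.

```shell
# Constructed sample of `netstat -rn -f inet` after a default gateway has been
# added under System > Routing (not on the bridge interface itself).
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS     bridge0
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#5             U       bridge0
192.168.1.50       link#5             UHS         lo0'

# Constructed sample of `ifconfig` for the member NIC and the bridge.
SAMPLE_IFCONFIG='igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:00:00:00:01
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:00:00:00:02
        inet 192.168.1.50/24
        member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# default_route_if ROUTES -> prints the Netif column of the default route.
default_route_if() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $4; exit }'
}

# iface_has_inet IFCONFIG IFACE -> returns 0 if that interface stanza has an
# "inet" line, 1 otherwise (stanzas start at column 0 with "name:").
iface_has_inet() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[a-z0-9]+:/ { cur = substr($1, 1, length($1) - 1) }
        cur == want && $1 == "inet" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# bridge_mgmt_ok ROUTES IFCONFIG BRIDGE MEMBER -> 0 when the default route sits
# on the bridge, the bridge has an address, and the member NIC has none.
bridge_mgmt_ok() {
    [ "$(default_route_if "$1")" = "$3" ] || return 1
    iface_has_inet "$2" "$3" || return 1
    iface_has_inet "$2" "$4" && return 1
    return 0
}

# Live use on the box (assumed names):
# bridge_mgmt_ok "$(netstat -rn -f inet)" "$(ifconfig)" bridge0 igb1 && echo OK
```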
-
When you create the IP on the bridged interface.. You would not set up a gateway on it - because then in pfSense's eyes it becomes a WAN..
So just set up a gateway on pfSense under System > Routing. There you go, just like you would do with a downstream router.
And again - what you're doing is completely pointless.. Is it bridging now? Then you have solved your problem.. Why do you think pfSense needs to get to the internet if you're using it as a really shitty dumb switch that I am for freaking sure took you magnitudes of time and effort vs just buying a switch, which yes derelict hit right on the nose.. Just posting this alone was prob wasted $20 worth that you could have just freaking bought a switch with if you needed some extra ports…
Where in your original post did you mention anything about 10Ge, or even in your 2nd post after I asked for the purpose? If you had mentioned that you're trying to leverage a spare box as a soft 10Ge switch I wouldn't have thought you the typical user asking how can I use that spare port in my router as a switch port..
Thanks - yes, it's working fine now. It took about 5 minutes from installing to having the bridge working nicely. The issue was that pfSense itself couldn't check for updates or packages (I use the "Notes" package to track things related to the router), which is the only thing a gateway is needed for. I don't like to leave things half working, so I asked. It turned out that the setting "Use this interface as the default gateway" had to be manually checked in advanced config, that was all.
Besides that, I'm sorry that you posted insults when they're unnecessary. I asked if we could restart without upset and you didn't take the hint. You assume it took ages and cussing ("a really shitty dumb switch that I am for freaking sure took you magnitudes of time"); it took about 5 minutes to get the switch up and running - it was just routing the management IP that was the issue. You don't read posts before flaming ("prob wasted $20 worth that you could of just freaking bought a switch"); if you can find any working 8+ port 10G SFP+ switch new or second hand on sale publicly anywhere in the world for under $20 I will personally donate the $20 to any charity you name and post the receipt here. The mention of 10G was completely irrelevant to the question of how to set up routing/gateway for a bridge IP. It would be the same config needed whatever the NICs were (KISS principle). Your last sentence basically says it all: "If I knew you were doing it for that reason I wouldn't have made unjustified assumptions about your competence and acted like a troll"… which you shouldn't do anyhow, of anyone, to anyone.