OPT1 and LAN bridge

  • Hi,

    I'm new to pfSense and gateways in general; please excuse my lack of articulation :(

    I have a pfSense box with three network cards in the following setup:
    WAN: bfe0
    LAN: rl1
    OPT1: rl0

    The WAN connection goes straight to a modem for internet access, and the LAN interface is connected to a router which is forwarding DHCP/DNS to the gateway.  This setup works great; clients can be connected directly to the router or connect through the router's wireless connection and the pfSense gateway provides internet access.  The LAN interface operates under with the gateway being and the router being

    I'd like to connect another computer directly to the OPT1 interface and have that computer behave as if it was plugged into the router connected to the LAN interface.

    Is this possible?  I've tried several different things but nothing has worked so far.

    I'm using pfSense 1.2-RELEASE; the router is a Linksys WRT54GS with DD-WRT.

    Thanks!  :)

  • I managed to solve it with enough fiddling.  Here's what solved it for me in case anyone comes along in the future:

    Add the OPT1 interface (requires an unused network port).

    In the WebGUI, go to Interfaces > OPT1.  Make sure that "Enable Optional 1 Interface" is checked, keep the dropdown set to "Static" under "General Configuration", under "IP Configuration" set "Bridge with" to "LAN".

    Next, go to Interfaces > LAN and set "Bridge with" to "OPT1", apply.

    If you'd like, add a static mapping for the new computer in the Services > DHCP Server page by binding the MAC Address with an IP in the subnet that you use for your LAN.

    Now go to Firewall > Rules > OPT1 and create a new rule:
    PASS action, enabled, OPT1 interface, any protocol, source type "OPT1 subnet", any OS, any destination, no log, leave the rest default.
    Apply.  You should now see a PASS rule with all "*"s except for "Source" which should be "OPT1 subnet".

    Now for the most important part, the part that tripped me up:
    If you can't seem to get any traffic on the interface, even though the new computer is plugged in, try using a crossover cable instead of a straight-through!

    Now everything should work great! ;)

  • Don't bridge each interface to the other.

    So if you want to bridge OPT1 with LAN you do that on the OPT1 config page only and NOT again on the LAN config page.

  • When I bridged OPT1 to LAN, but not LAN to OPT1, computers on LAN could contact the computer on OPT1, but the computer on OPT1 couldn't communicate back.  :(

  • That's what you need the firewall rule on the OPT interface for.

    You probably tested it before you added the rule on the OPT1 interface.
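    To make the two pitfalls in this thread checkable before a reboot (the bridge configured on both the LAN and OPT1 pages, and a bridged OPT1 interface with no pass rule so hosts on it cannot answer), here is an added audit script that is not part of the thread or of pfSense itself. It reads a pfSense-style config.xml and reports those two conditions. The element layout (a `<bridge>` child under each interface in `<interfaces>`, and `<filter>/<rule>` entries with `type`, `interface` and `source/network`) is my assumption about the 1.2-era format, and the sample configuration embedded below is constructed for the example, using the interface names from the original post.

```python
import xml.etree.ElementTree as ET

# Constructed sample config: LAN bridged to OPT1 AND OPT1 bridged to LAN
# (the double bridge the reply warns against), the default LAN pass rule,
# and the OPT1-subnet pass rule the poster created. The element names are
# an assumption about the pfSense 1.2 config.xml layout, not a documented schema.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>bfe0</if></wan>
    <lan><if>rl1</if><ipaddr>192.0.2.1</ipaddr><subnet>24</subnet><bridge>opt1</bridge></lan>
    <opt1><if>rl0</if><enable/><bridge>lan</bridge></opt1>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>lan</interface><protocol>any</protocol>
      <source><network>lan</network></source><destination><any/></destination></rule>
    <rule><type>pass</type><interface>opt1</interface><protocol>any</protocol>
      <source><network>opt1</network></source><destination><any/></destination></rule>
  </filter>
</pfsense>"""

# Same config with the bridge declared on the OPT1 page only, as the reply advises.
FIXED_CONFIG = SAMPLE_CONFIG.replace("<bridge>opt1</bridge>", "")


def bridge_map(root):
    """Return {interface_name: bridged_with} for every interface that carries <bridge>."""
    bridges = {}
    for iface in root.find("interfaces"):
        target = iface.findtext("bridge")
        if target:
            bridges[iface.tag] = target.strip()
    return bridges


def find_mutual_bridges(root):
    """Pairs (a, b) where a is bridged to b and b is bridged back to a."""
    bridges = bridge_map(root)
    pairs = set()
    for a, b in bridges.items():
        if bridges.get(b) == a:
            pairs.add(tuple(sorted((a, b))))
    return sorted(pairs)


def has_pass_rule(root, iface):
    """True if an enabled pass rule exists on the given interface tab."""
    for rule in root.iterfind("filter/rule"):
        if (rule.findtext("type") == "pass"
                and rule.findtext("interface") == iface
                and rule.find("disabled") is None):
            return True
    return False


def audit(xml_text):
    """Return a list of human-readable findings; an empty list means both checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    for a, b in find_mutual_bridges(root):
        findings.append(f"{a} and {b} are bridged to each other; configure the bridge on one side only")
    for iface, target in bridge_map(root).items():
        if not has_pass_rule(root, iface):
            findings.append(f"{iface} is bridged to {target} but has no pass rule, so hosts on it cannot reply")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", SAMPLE_CONFIG), ("bridge on OPT1 only", FIXED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['ok']}")
```

    Run it against a copy of the backed-up config.xml instead of the embedded sample to check a real box; the mutual-bridge finding is the one the replies above describe, and the missing-rule finding corresponds to the symptom where LAN hosts can reach the OPT1 host but it cannot answer.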

  • I tried removing the LAN bridge to OPT1.  The firewall rules were still there.  The computer attached to OPT1 could no longer send/receive any packets and could not receive an address through DHCP.  The physical lights on both NICs were still illuminated.  Restoring the bridge restored everything to normal.


  • What are the disadvantages of having LAN bridged to OPT1?

  • You have a rule allowing any OPT1 subnet traffic out, you also need to allow traffic from LAN to OPT1, that should require a second firewall rule.
