Delay initialization of a bridge interface?
-
I have a fun little project where I need to get VoIP traffic on a mirrored/span switch port over to another network in a different building to be processed by a recorder. I understand that some Cisco switches can do this natively with something called 'rspan', but I don't have that luxury as that would require changing out multiple switches in a network environment I have no control of (contractor). So, I thought 'maybe I can do this with a couple of pfSense boxes'. I've got a simulation of this built and working nearly perfectly using four virtual machines running pfSense (only two are used for the bridge, the other two are for testing data in and out). The 'nearly' bit is due to a reboot problem. I'm using OpenVPN in tap mode and bridge interfaces using span to pass the traffic from one end to the other. It works great, until you reboot the end running the OpenVPN client (the server end works fine). From what I can tell, the bridge interface is created before the VPN client interface and thus the VPN is not a member of the bridge after a reboot. I have to 'resave' the bridge configuration to re-initialize the bridge interface, adding the VPN as expected.
I found a similar post from over two years ago, but there was no usable answer to it. I hate to dredge up older topics, so I'm starting a new one. But, just in case, see also https://forum.pfsense.org/index.php?topic=110705.msg616317#msg616317
So the question is, is there a way to delay the initialization of the bridge interface until after the VPN has been created? Or, perhaps, is there a way I can reinitialize the bridge via a post-connect script fired off by OpenVPN?
A suggestion perhaps, pfSense could maybe implement some kind of 'event' system (via the GUI) to perform certain actions when a predetermined event occurs. Examples: PPTP goes down, mark LAN down; OpenVPN connects, add it to bridge; LAN goes down, email admin; gateway quality drops, start dial-up; ICMP received on 'secret' port, turn on HTTP access on WAN; etc etc etc. (probably should put this idea in a separate post)
-
Of course I figured out the answer myself once I started digging around a bit more. I'll leave this here in case anyone else comes looking for something similar.
The solution…
In OpenVPN custom options, add...
```
--route-up "/sbin/ifconfig bridge0 span ovpnc1"
```
Bear in mind, I'm using this to carry the output of a span switchport over to another network in another location, hence 'span' in the command above. If you just need to join the bridge, use 'addm' instead of 'span'.
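The one-liner above re-attaches the tap interface each time the tunnel comes up, which is exactly what the reboot problem needs. As an added example (not from the post, and not pfSense's own code), here is the same idea written as a `--route-up` hook script for pfSense's FreeBSD `sh`. OpenVPN exports the tunnel interface name in `$dev` and the hook type in `$script_type`, so the script does not hard-code `ovpnc1`; it also checks the bridge first so a reconnect does not try to attach a port that is already there, and it refuses to silently flip a port between the span and member roles. The bridge name `bridge0`, the default role `span`, and the `member: ... flags=<...>` line format of `ifconfig bridgeN` output are assumptions for this example; the sample `ifconfig` output embedded in it is constructed, not captured from a real box. OpenVPN only runs user-supplied hook scripts when `script-security` is at least 2.

```shell
#!/bin/sh
# Added example, not from the original post or from pfSense: an idempotent
# OpenVPN --route-up hook that attaches the tunnel's tap interface to the
# bridge once the tunnel is up. OpenVPN exports $dev (tunnel ifname, ovpnc1
# in the post) and $script_type ("route-up") to the hook. The bridge name
# and the port role ('span' mirrors frames, 'addm' joins as a member) are
# assumptions; override them from the environment if yours differ.

BRIDGE="${BRIDGE:-bridge0}"
PORT_MODE="${PORT_MODE:-span}"

# bridge_port_state IFACE: read `ifconfig bridgeN` output on stdin and print
#   span    if IFACE is already attached as a span port,
#   member  if it is attached as an ordinary member,
#   absent  if it is not attached at all.
# The line format assumed here follows FreeBSD ifconfig, e.g.
#   member: vtnet1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
#   member: ovpnc1 flags=8<SPAN>
bridge_port_state() {
    iface="$1"
    # Require whitespace after the name so ovpnc1 does not match ovpnc10.
    line=$(grep -E "^[[:space:]]*member:[[:space:]]+${iface}[[:space:]]+flags=" | head -n 1)
    if [ -z "$line" ]; then
        echo absent
    else
        case "$line" in
            *"<"*SPAN*">"*) echo span ;;
            *)              echo member ;;
        esac
    fi
}

# plan_action MODE STATE: print the ifconfig verb to run for the requested
# role given the current state, or nothing if no change is needed. A port
# already attached in the other role is left alone and reported on stderr,
# so the hook never silently turns a mirror port into a member or back.
plan_action() {
    mode="$1"; state="$2"
    case "$mode:$state" in
        span:absent) echo span ;;
        addm:absent) echo addm ;;
        span:span|addm:member) ;;
        span:member|addm:span)
            echo "warning: port is attached as '$state' but '$mode' was requested; not changing it" >&2 ;;
        *) echo "unknown mode '$mode'" >&2; return 2 ;;
    esac
}

# Constructed sample of `ifconfig bridge0` output (not captured from a real
# system), used to exercise bridge_port_state without touching the host.
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:11:22:33:44:55
        member: vtnet1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        member: ovpnc1 flags=8<SPAN>
                ifmaxaddr 0 port 6 priority 128 path cost 2000000'

# Entry point when OpenVPN runs this file as the --route-up hook.
route_up() {
    iface="${dev:?OpenVPN did not export \$dev}"
    state=$(ifconfig "$BRIDGE" | bridge_port_state "$iface")
    verb=$(plan_action "$PORT_MODE" "$state") || return $?
    if [ -n "$verb" ]; then
        ifconfig "$BRIDGE" "$verb" "$iface"
        logger -t ovpn-bridge "$iface attached to $BRIDGE as $verb"
    else
        logger -t ovpn-bridge "$iface on $BRIDGE as '$state', nothing changed"
    fi
}

# Only act when invoked by OpenVPN as a route-up hook; when sourced or
# run by hand for testing, the functions are defined but nothing runs.
if [ "${script_type:-}" = "route-up" ]; then
    route_up
fi
```

Save the script somewhere that survives pfSense upgrades, make it executable, and point the custom option at it (`route-up /path/to/script`) instead of the inline `ifconfig`. Because it reads the bridge state before acting, the hook can be run as often as OpenVPN reconnects without producing "already exists" errors, and the stderr warning tells you if someone has attached the port in the wrong role.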