PLEASE HELP SOME MORE!! pfSense Need to Bridge - Not working



  • Hello All,

    Before I start, I know that most people do not believe in bridging interfaces on a firewall and I know and agree it is much easier to use a switch.

    However, in my situation, 1) getting another switch represents another device I would need to purchase plus too, more electricity (electricity bill is already high) and 2) I would have 2 unused ports (I am using a 4 port mini PC, [Mod Edit: Link removed. We understand what those are]) on the firewall that will never be used. For these reasons I would prefer to bridge the interfaces and get them working.

    I have followed a lot of tutorials online on how to bridge the interfaces on pfSense. Some said to not include LAN in the bridge, assign the bridge to the LAN, switch to another interface that is in the bridge and assign the original LAN port to a new interface and then add that to the bridge. Tried this but when I tried switching to the other port after assigning the bridge to the LAN, no connectivity.

    Also saw some tutorials that said add all the interfaces to the bridge. That too did not work. Again no connectivity when trying to access via an interface in the bridge.

    Saw some that said assign IP to bridge, create interface group, set any rule to bridge group, disable the IP from the original LAN. Tried this and this too did not work. Again no connectivity when trying to access via an interface in the bridge.

    Saw one that said set any rules to all the interfaces. Tried that. Did not work. Same result.

    In all the above, made the change to the System Tunables.

    I am on version 2.4.4p2. The only thing I can guess is that I am using an updated version and maybe bridging works slightly differently and as such there is an additional step to get it to work. Or maybe there are some steps needed that were excluded from the tutorials because it was assumed that one would know to do it. I really don't know. But to all who have posted previous tutorials on this subject, the instructions no longer work.

    Can someone, anyone provide me with the full detailed step by step instructions (preferably with screenshots) using version 2.4.4-RELEASE-p2 on how to set up the following:

    1 WAN port from ISP
    3 LAN ports all on the same subnet, can get internet from WAN, can communicate with each other (in a workgroup/domain network), DHCP server enabled. Basically, to configure pfSense to operate like a super powered SOHO router.

    Please include what firewall rules, NAT, interface assignments etc etc etc. needed.

    I know we are all very busy, but I basically need someone, anyone to set this up themselves get it to work, confirm and verify it is really working and then tell me what they did and how they did it step by step.

    So you understand, the pfSense will be primarily used to control 2 OpenVPN configurations from 2 vendors where I would toggle between them depending on what I am doing at the time. I am using DD-WRT now but they only allow me to control 1 VPN via the GUI and I cannot find proper instructions on how to configure 2 OpenVPN clients via the command line, so I am trying pfSense. I looked at Untangle but apparently that does not support 3rd party VPN clients. I need 2 VPNs configured and it seems as if pfSense can do it.
    I really don't even need the firewall features but apparently disabling the packet filtering disables the NAT which is needed to get from the WAN to the LAN.

    Thank you in advance.


  • Netgate Administrator

    Is your WAN a public IP or is it behind some other router? If it's private it will be much easier to configure this whilst connected from the WAN.

    Otherwise I would assign one of the OPT ports separately and connect via that until you get the bridge up and then add the port back to the bridge.

    Steve



  • @stephenw10

    My setup:

    Internet from ISP

    Internet Connecting ONT - this is fibre coming into my apt and 4 LAN ports but I can only use port 1 for internet. The other ports are for TV and my ISP refuse to reconfigure them for internet even though I don't get TV and they are basically being wasted.

    Originally DD-WRT router but now an 8 port Gigabit switch, installed only this week. - Two reasons why this was installed here. 1) To provide a WAN for my Hyper V set up straight from the ISP so I can keep my VPN running and do my tests simultaneously and will be used moving forward to allow my desktop computer to be contacted directly from the internet even when I have my VPN running. Before, when the DD-WRT router was here, when the VPN was running I could not access my computer for FTP, web server or even Wake-on-LAN. Contacted the VPN provider but they do not allow port forwarding on their VPN. So while the VPN was running I cannot access my computer from the internet. So the switch will stay here so I can send direct internet traffic from my ISP into one NIC and then a second NIC will get the traffic from the DD-WRT router. I then made changes to the metrics on the NICs and Gateways to ensure the DD-WRT is the default connection. Anyhow, 3 ports are in use. 1 - from the ISP ONT, 1 going directly to my computer and 1 going to the DD-WRT as the WAN. This last one will represent the WAN for pfSense as well.

    DD-WRT - used to get as high a bandwidth as possible from OpenVPN from VPN vendor. The plan is to replace the hard drive with one with pfSense installed so I can configure a second one. At the moment, all 4 ports are in use, 1 - from switch which is splitting the internet from ISP, 2nd to my computer for the VPN, 3rd to my Fire TV and the 4th, to a Buffalo DD-WRT router which provides WiFi for the VPN. When I purchased the mini PC I did not realize that the wireless adapter installed could not be used as an access point. So I could not make this router a wireless one.

    Devices as outlined above

    So to answer your question, no the WAN is not a public IP, it is an IP coming from the ONT.

    I am not certain I follow what you mean by "connect while connected from the WAN" though. Do you mean, connect on the ONT subnet and then access the WebConfigurator using the IP assigned on the WAN interface of pfSense? If so, I think I tried this and the page would not load. I was only able to access it while connected from the LAN. If you mean something else, please clarify.

    I can try your suggestion of configuring on OPT and see if that makes a difference. I will let you know.

    I know I have LAN ports from the Buffalo router that I can come in on the WAN and then use those Buffalo ports for my switching instead of trying to bridge. If I don't get the bridge to work I will be used to do this. The issue with that though is that I plan on purchasing a new mini PC with a wireless adapter that I can use as an access point to turn my mini PC into a wireless router, eliminating the need for the Buffalo altogether. My electricity is high so I want to have 1 device doing everything rather than 4 devices all consuming energy. So I would rather have things set up based on my future plans in mind rather than have to still come back to this issue later when I change the mini PC.

    Actually, if you were to tell me there is a way to come in directly to the pfSense and then use one interface to directly send the traffic from the ISP for my Wake-on-LAN, FTP, web server purposes and then use a second interface to send the traffic from the VPN and still bridge the interfaces, then I could eliminate the 8 port switch as well, cause I really don't want to use it. But my stupid ISP and their "policy" of only configuring 1 port for internet forces me to have to split the internet using a switch.

    Is this possible? Let's say my ONT's subnet is 192.168.66.0 and the WAN interface gets 192.168.66.152. Can I configure an interface to send the 192.168.66.152 IP straight through without having to NAT to another subnet? I don't know if I am explaining this question properly but I would want my computer getting a 66.xx IP and not another IP from another subnet. I know I can configure port forwarding or rules etc, but if there is a way to send it straight through as if it was a switch, that would be awesome. Probably unlikely but just throwing it out there just in case.


  • Netgate Administrator

    Ok.

    So your 'ONT' device is actually a complete router. I assume you have setup port forwards on it for your internal services?
    Can it be configured in modem or bridge mode to pass the public IP direct to the pfSense WAN? That would be a much better setup.

    Do you mean, connect on the ONT subnet and then access the WebConfigurator using the IP assigned on the WAN interface of pfSense?

    Yes that's exactly what I mean. Add a firewall rule on WAN to allow access to the WAN address from the WAN subnet. Then you will be able to access the GUI to configure the bridge from the machine in the 192.168.66.0 subnet without risk of getting locked out.

    You can very easily route some clients out the WAN directly and some via the VPN in pfSense. A much better setup here would be to have everything behind pfSense with only pfSense doing NAT.

    There is no reason a port forward would stop working when you have the VPN enabled.

    The amount you will save in power usage by having an internal wifi card in pfSense is likely to be negligible. And it comes with the disadvantages of not being able to position your access point for best reception and not being able to use 802.11ac.

    Steve



  • @stephenw10

    Hmm. A lot of food for thought. Yes I had port forwarding configured from my ISP device to my DD-WRT and then port forwarding from DD-WRT to my desktop and it worked perfectly when the VPN was off but not when I had the OpenVPN client enabled on the DD-WRT.

    OK. To update: I took your advice and abandoned the whole trying to bridge the interfaces. I installed pfSense on my mini PC today and am up and running as we speak. So I will close this thread on bridging...well once I figure out how. lol.

    Instead of trying to bridge, I removed my 8 port switch from between the ISP device and my pfSense device. I am coming direct from ISP device to the WAN (port 1) on pfSense. Then the LAN interface (port 2) goes to the 8 port switch. From the 8 port switch to NIC 1 on my Desktop, to the WAN of my Buffalo Router and to my Fire TV. On the LAN interface I configured the 2 VPNs and have a VPN group with a Tier 1 and Tier 2 priority using the guides from nguvu.org plus some other online info. It is finally working after resetting to default and starting over several times but when I tested, it half works. When I stop the Tier 1 VPN, Tier 2 works automatically but when I start back Tier 1, Tier 2 remains the primary. Even if I stop Tier 2, Tier 1 still does not kick in. I have to stop both and then start Tier 1 and then Tier 2 or restart pfSense altogether. So I will open a separate post to get some help troubleshooting that.

    Anyhow, on my 3rd interface (port 3) on the pfSense, I configured that with its own IP and DHCP server and that is connected to NIC 2 on my Desktop directly. I called that LAN 2. I configured the metrics to make NIC 1 the default and I can access the Web Configurator from the IP of the LAN interface. But for some reason I cannot access the Web Configurator from the IP of the LAN 2 interface. I cannot ping the IP of LAN2 either. I am assuming this is a routing issue either with pfSense or Windows or both. I will open a separate post to get help with that as well.

    With respect to the rest of what you said:

    1. I will check to see if the ISP device can be configured in bridge mode.
    2. While I am no longer bridging, should I still add the firewall rule on the WAN to allow access to the WAN address from the WAN subnet? Would I need this otherwise?
    3. It is good to know I can route some clients out the WAN directly and others via the VPN. But the question is, can I have 1 interface go to 1 NIC of my desktop and route that out directly through the WAN and then have another interface go to my 2nd NIC of the same desktop to get access to the VPN and have all of them working simultaneously without me having to disable and re-enable NICs when I want to do something on either interface?
    4. I do not mind setting up everything behind pfSense and having it do all the "NAT-ing". Can you give me the instructions for this or point me to a guide that explains it?
    5. Hmm, so I should still be able to port forward when the VPN is enabled? Well, I will see now with the pfSense device up and running. On DD-WRT I was also using dynamic DNS with no-ip.com so maybe that had something to do with it. When I get LAN2 working, I should not have to worry about this though.
    6. Point taken w.r.t. negligible power savings with internal WiFi in pfSense and the disadvantages etc. Currently the Buffalo router is next to my whole setup. My apt. is small so I don't think range is an issue but the 802.11ac is a good point. I had identified a new mini PC with a wireless adapter that can be used as an access point. I will have to check the specs again to see if it can do 802.11ac.

    Thanks for responding to my posts Steve. I appreciate it.

    Looking forward to your responses to my questions above. Also look out for my other queries w.r.t. the issues I am having in my new set up.


  • Netgate Administrator

    No, you don't need access from the WAN side under normal circumstances. And unless you have a switch in there you can't get a client into the WAN subnet anyway so disable or remove that rule.

    You can have the desktop dual homed but the routing on the desktop has to be right. It will decide what traffic to send where.

    When only pfSense is routing/NATing that is the standard setup, when it has a public IP on its WAN directly. In the setup you have now, both pfSense and the ISP device are NATing and routing, hence you have to double port forward. I hope your Buffalo device is running in access point mode otherwise you might be triple NATing. 😬

    Yes, forwarding incoming traffic has nothing to do with how outbound traffic is routed. In a stateful firewall the reply traffic should leave over the same interface the state was opened on so it doesn't matter. That's the case for pfSense at least, as long as reply-to is enabled which it is by default.

    Just to be clear there are currently no wifi adapters that can do .ac in pfSense. That might come in 2.5 at some point since most of the components required are now there in FreeBSD 12.

    Steve



  • @stephenw10

    No, you don't need access from the WAN side under normal circumstances. And unless you have a switch in there you can't get a client into the WAN subnet anyway so disable or remove that rule.

    Noted.

    You can have the desktop dual homed but the routing on the desktop has to be right. It will decide what traffic to send where.

    Good to know. I will research and troubleshoot until I get it right. But to be clear, there is nothing else that needs to be done on pfSense side other than activate the interface and place a DHCP server on it? No Firewall rules or routing needed?

    When only pfSense is routing/NATing that is the standard setup, when it has a public IP on its WAN directly. In the setup you have now, both pfSense and the ISP device are NATing and routing, hence you have to double port forward. I hope your Buffalo device is running in access point mode otherwise you might be triple NATing.

    Yes. I do not want to triple NAT at all. Having the public IP come directly to the firewall sounds cool though. I will definitely look into that.

    Yes, forwarding incoming traffic has nothing to do with how outbound traffic is routed. In a stateful firewall the reply traffic should leave over the same interface the state was opened on so it doesn't matter. That's the case for pfSense at least, as long as reply-to is enabled which it is by default.

    Hmm. Ok. Well, when I get my LAN2 interface up and running I will look into this further.

    Just to be clear there are currently no wifi adapters that can do .ac in pfSense. That might come in 2.5 at some point since most of the components required are now there in FreeBSD 12.

    The mini PC I am interested in has an AC-3160 wireless card but that was back in Jul 2018 last year. I will have to see what is available now. But understood, I will not be able to fully leverage it in 2.4 but maybe in 2.5. So I look forward to the possibilities moving forward.


  • Netgate Administrator

    Any additional internal interfaces (other than LAN) will have no firewall rules on them by default so no traffic will be allowed into the firewall other than dhcp requests. That means a port forward to that interface would work as all traffic leaving the firewall is allowed but a client would not be able to open outbound connections.

    The AC-3160 is supported by the iwm(4) driver but note it doesn't support .ac mode (in FreeBSD 11 at least) and more importantly it does not support hostap mode so cannot be used as an access point.
    The first cards to support .ac and access point mode will probably be Qualcomm/Atheros based. But there are no guarantees here. It may never happen. You should not buy a wifi card until you know it is supported.

    Steve



  • @stephenw10

    Any additional internal interfaces (other than LAN) will have no firewall rules on them by default so no traffic will be allowed into the firewall other than dhcp requests. That means a port forward to that interface would work as all traffic leaving the firewall is allowed but a client would not be able to open outbound connections.

    I have limited to no experience creating my own firewall rules but I can interpret, duplicate and edit rules that to date have all worked. So if I was to copy all the rules created for my LAN interface to my LAN2 interface and edit them for LAN2 accordingly, would clients on my LAN2 then start to make outbound connections etc? Cause I think what I understand you to be saying is that the client can receive traffic from the firewall via the LAN2 interface but can't send traffic back. Am I correct in my understanding? So would duplicating LAN to LAN2 work for my needs?

    The AC-3160 is supported by the iwm(4) driver but note it doesn't support .ac mode (in FreeBSD 11 at least) and more importantly it does not support hostap mode so cannot be used as an access point.
    The first cards to support .ac and access point mode will probably be Qualcomm/Atheros based. But there are no guarantees here. It may never happen. You should not buy a wifi card until you know it is supported.

    Understood. Noted.


  • Netgate Administrator

    Yes, duplicating the LAN rules to LAN2 will work. You only need to copy the 'default allow all rule' if you just want them to be able to get out. Just change the source from 'LAN net' to 'LAN2 net'.

    Steve
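
The three points Steve makes above (reply traffic leaving on the interface the state was opened on, a new OPT interface passing nothing but DHCP until a rule is added, and the fixed rule being the LAN "default allow" rule with its source changed to the LAN2 net) can be read off a pf ruleset. The fragment below is a hand-written pf.conf sketch added for illustration, not pfSense's own generated ruleset; interface names, the ONT gateway, the internal subnets and the 192.168.2.10 web server are assumptions, only the 192.168.66.152 WAN address comes from the thread.

```pf
# Hand-written pf.conf sketch of the behaviour discussed in the thread.
# All interface names and internal addresses are assumptions.
wan    = "em0"           # WAN, gets 192.168.66.152 from the ONT
lan    = "em1"           # LAN,  192.168.1.0/24 (assumed)
lan2   = "em2"           # LAN2 (OPT1), 192.168.2.0/24 (assumed)
ont_gw = "192.168.66.1"  # assumed ONT gateway on the WAN subnet

# Only pfSense NATs here (the "everything behind pfSense" setup).
nat on $wan inet from { $lan:network, $lan2:network } to any -> ($wan)

# Implicit default deny: anything not passed below is dropped.
block in log all

# Port forward to an assumed web server on LAN2. It works even though LAN2
# has no rules of its own: the state is opened on WAN, and reply-to pins the
# return traffic to the WAN interface and ONT gateway, so the VPN being the
# default route for outbound traffic does not affect it.
rdr on $wan inet proto tcp from any to ($wan) port 80 -> 192.168.2.10 port 80
pass in quick on $wan reply-to ($wan $ont_gw) inet proto tcp \
    from any to 192.168.2.10 port 80 keep state

# LAN: the "Default allow LAN to any rule" that lets clients out.
pass in quick on $lan inet from $lan:network to any keep state \
    label "Default allow LAN to any rule"

# LAN2: DHCP requests are allowed automatically when the DHCP server is enabled...
pass in quick on $lan2 inet proto udp from any port 68 to any port 67 keep state
# ...but without this copy of the LAN rule (source changed to the LAN2 net),
# clients on LAN2 cannot open any outbound connection.
pass in quick on $lan2 inet from $lan2:network to any keep state \
    label "Default allow LAN2 to any rule"
```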



  • @stephenw10

    Got it. Will try that, once I get the other stuff sorted.

