Multi-LAN Routing Without Bridge Interface



  • I would like the communities thoughts and suggestions on a potential Multi-LAN network configuration without the use of a Bridge Interface.

    My PfSense machine has 8 available interfaces.
    2 are used in a LAGG for the WAN connection.
    2 are used in a LAGG for a LAN switch.
    4 are used to directly connect 4 individual LAN devices.

    Current Configuration:
    Currently I have a bridge interface containing the LAN facing LAGG and OPT interfaces.
    PfSense is configured to filter packets on the bridge interface and not on member interfaces.
    The LAN facing LAGG and OPT interfaces are also set to NONE for their IPv4/IPv6 Configuration Type.

    This is the standard bridged software switch setup but I've been pondering an alternative setup recently.

    Proposed Configuration:
    Remove the bridge interface.
    Set the LAN facing LAGG to 192.168.1.1/24 IPv4 Configuration Type along with Track Interface WAN IPv6 Configuration Type.
    Keep the 4 LAN facing OPT interfaces as NONE for their IPv4/IPv6 Configuration Type.
    Configure PfSense to now filter packets on member interfaces and not on the bridge interface.
    Add firewall rules to allow traffic to pass between all 5 LAN facing interfaces.

    The Question:
    Will these firewall rules truly allow all traffic to pass between each LAN facing interface? Specifically will they ensure clients connected to the OPT interfaces can obtain an IP address from the DHCP server running on the LAGG interface?

    If the answer to that is no then I can set all 5 Configuration Types to Track Interface WAN for IPv6 and IPv4 to Static giving each interface an address on a unique subnet (192.168.1.1/24, 192.168.2.1/24, 192.168.3.1/24, 192.168.4.1/24, 192.168.5.1/24).
    This would let me enable a DHCP server on each interface to serve their clients.

    Either way I need to make sure all clients can talk and see each other.


  • LAYER 8 Moderator

    @kklouzal said in Multi-LAN Routing Without Bridge Interface:

    Proposed Configuration:
    Remove the bridge interface.
    Set the LAN facing LAGG to 192.168.1.1/24 IPv4 Configuration Type along with Track Interface WAN IPv6 Configuration Type.
    Keep the 4 LAN facing OPT interfaces as NONE for their IPv4/IPv6 Configuration Type.
    Configure PfSense to now filter packets on member interfaces and not on the bridge interface.
    Add firewall rules to allow traffic to pass between all 5 LAN facing interfaces.

    If you remove the bridge configuration and keep the 4 other OPT interfaces on "NONE" as their configuration type, they will simply do nothing as neither L2 nor L3 has anything to do for them. You can't configure pfSense to send packets to an interface. That's where you either do bridging (meh) or routing (and per definition a L3 configuration with IP addresses).

    Specifically will they ensure clients connected to the OPT interfaces can obtain an IP address from the DHCP server running on the LAGG interface?

    To do that, use the DHCP Relay and send the requests to the LAN facing LAGG

    If the answer to that is no then I can set all 5 Configuration Types to Track Interface WAN for IPv6 and IPv4 to Static giving each interface an address on a unique subnet (192.168.1.1/24, 192.168.2.1/24, 192.168.3.1/24, 192.168.4.1/24, 192.168.5.1/24).

    You have to do a part of that (IP4/6 configuration). As said, you can also run DHCP relay to hand out IPs for devices on opt1-4 but they have to be on their own subnet to have a clean routing setup. But if you don't have to do that (because that central DHCP is needed for Client DynDNS or something), then running DHCP on pfSense is perfectly good, too.

    Greets


Log in to reply