Bridging multiple Ethernet wired interfaces, that also connect to Wireless Access points

swinster · Mar 21, 2020, 8:04 PM

Hi all,

The TL;DR question - is this even possible with pfSense 2.4.5 RC?

I use a small multiple NIC (5) box that runs pfSense. I was looking to bridge a few of these interfaces with an IP address assigned to the bridge and nothing on the interface themselves. The interface connects to different layer 2 switches, which then connect to different APs. The intention was to set up a single broadcast domain and single subnet.
When a wireless device connects, DHCP for the entire bridged network works just fine - wireless devices receive an IP address and can even ping other devices on the connected segment. However, they can’t ping the pfSense. It appears as if the ARP request is sent and received by pfSense which responds correctly, but the response never makes it back to the wireless device.

I have a sneaking suspicion this is not possible.

swinster · Mar 22, 2020, 12:21 PM

The odd thing here is that some wireless devices worked seemingly without issue, for example Alexa worked, but laptops and phones didn't.

johnpoz · Mar 22, 2020, 12:38 PM

You can bridge sure
https://docs.netgate.com/pfsense/en/latest/interfaces/interface-bridges.html

Why would be the question.. Why would you not just connect the switches together directly that your APs are connected to vs wanting to bridge in pfsense? The only reason to do a bridge on pfsense would be if the media connection types were different say fiber and ethernet - and your other switch didn't have fiber interface. Or you wanted to do some specific filtering between devices but still have the same L2/broadcast domain.

Bridging interfaces on pfsense should really always be the last choice. At first glace I would guess you got something wrong on your firewall rules, either in your interfaces or the bridge.

swinster · Mar 22, 2020, 1:32 PM

It was for reasons of physicality and convenience as to why I enabled this.

FWIW, the member interfaces have 0 rules and the rules only existed on the bridge interface. System tunables switch off applying rules on member interfaces and on on the bridge interface

The main two rules on the bridge enabled all ipv4 and ipv6 traffic with a source address of the bridge network (LAN). This interface was originally assigned to one of the physical interface where of course all worked without issue.

swinster · Mar 22, 2020, 1:38 PM

For the moment I have disabled the bridge and gone back to routing the interfaces, placing them in different subnets, which works although I have some roaming issues as device move between different APs so get different network address and info.

johnpoz · Mar 22, 2020, 2:14 PM

@swinster said in Bridging multiple Ethernet wired interfaces, that also connect to Wireless Access points:

FWIW, the member interfaces have 0 rules

Well how would that work? Yeah you would get dhcp - but you wouldn't do anything else..

From the bridge link I provided
"Bridge traffic is filtered on the member interfaces by default.

By default, traffic is filtered on the member interfaces and not on the bridge interface itself. This behavior may be changed by toggling the values of net.link.bridge.pfil_member and net.link.bridge.pfil_bridge under System > Advanced on the System Tunables tab. With them set at 0 and 1, respectively, then filtering would be performed on the bridge only."

convenience as to why I enabled this.

Rarely a good reason for how to do networking! ;) Nor security... It would be very convenient to just have everything in 1 flat network with just no password on my my wifi.. Very "convenient"

swinster · Mar 22, 2020, 6:41 PM

It should works because, as I mentioned, the system tunable was set to not filter on the member interfaces but rather on the bridge interface;) Unless I misunderstand what those system tunable are.

Networking not allways about delivering a highly secure environment. Sometimes it is about convenience, depends on the application. In this case, convienece is the trumping factor. It is not designed to be a fortune 500 network. Just a simple private network.

Anyhow thanks for you input.

johnpoz · Mar 22, 2020, 6:51 PM

What is about no matter the network is the compromise between convenience, cost, security, etc.. Yes you can bridge interfaces via pfsense.. What you were doing wrong have no idea because you have provided zero actual info on what you did... Other than stating you had zero rules on your member interfaces - which out of the box no wouldn't work..

You know what is convenient and easy and simple and the no brainer way to put devices on the same L2... That would be connecting them to the same L2 hardware... You know what creates complexity and extra work, and less performance - trying to do something in software on on L3 router at the L2 layer that really shouldn't ever be done.. But for some reason you thought it was easier than connecting a wire to the correct place..

swinster · Mar 22, 2020, 9:07 PM

Sorry for making you so upset. TBH, I thought the info above was OK, and you initially seem to grasp that, but obviously I have annoyed you for some reason, and for that I can only apologise

As mentioned, the issue was at the layer 2 level with ARP and the response for some reason not making it back to client when querying the gateway. This was a genuine query but I fear it has has deteriated.

Once again, thank your for you input.