VLAN and that dirty word... *bridges*
-
Before the flames start flying, I know the easy answer is router is not a switch, get a bigger switch, BUT.....
Here is what I have:
bare metal install, quad port Intel nic
igb0 - WAN
igb1 - 8port managed switch
igb2 - wireless AP, vlan capable
igb3 - wireless AP, vlan capable
home network. Two APs required to get coverage. The only data that isn't outbound lives on the wired/switched connection so 'switching performance' is not really a concern.
What I thought I could do was something like the Netgate live chat on bridging:
- Create desired VLANs one by one on all desired interfaces with no ip address (mgmt vlan10/vpn vlan20 on interface igb1/2/3, wifi guest/iot only on igb2/3)
- bridge the VLANs together
- apply ip/dhcp/firewall rules to the bridge
- change system tunables net.link.bridge.pfil_member=0, net.link.bridge.pfil_bridge=1
If I simply bridge the interfaces using the default untagged LAN network everything works as expected (firewall rules work etc). When I try the vlan bridges everything falls off the rails... DHCP hands out correct IP address so tagging from the AP/switch seems to be working but vlan pass rules are not working. Default blocking rule catches some traffic and weirdly, my catch all block rule on the untagged LAN bridge catches the rest.
Anyone have any insight?
Thanks.
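The four steps above, written out as the FreeBSD commands they amount to under the hood. This is an added illustration, not code from the thread or from pfSense; pfSense drives these through its GUI and regenerates interface config itself, so treat the script as a plan viewer (it only prints commands unless APPLY=1 is set). The topology is the one the post describes, one bridge per VLAN whose members are the tagged subinterfaces igbN.VID rather than the bare parents; VLAN 30 for guest/iot, the bridge numbering and the 10.0.X.1/24 subnets are assumptions, since the post names only VLAN 10 and 20.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the ifconfig/sysctl plan for
# per-VLAN bridges on pfSense/FreeBSD. Dry-run by default: prints each
# command. APPLY=1 executes them instead (must be root; pfSense will
# overwrite manual changes, so the GUI remains the source of truth).
#
# Assumed layout (VLAN 30, bridge numbers and subnets are assumptions):
#   bridge0 = igb1.10 + igb2.10 + igb3.10   mgmt,  10.0.10.1/24
#   bridge1 = igb1.20 + igb2.20 + igb3.20   vpn,   10.0.20.1/24
#   bridge2 = igb2.30 + igb3.30             guest, 10.0.30.1/24 (APs only)

emit() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# gen_vlan_bridge BRIDGE VLANID CIDR PARENT...
# Creates one tagged subinterface per parent (no address on it), then a
# bridge that contains only those subinterfaces and carries the address.
gen_vlan_bridge() {
    bridge=$1; vid=$2; cidr=$3; shift 3
    members=""
    for parent in "$@"; do
        # FreeBSD vlan cloner infers tag and parent from the name parent.vid
        emit ifconfig "$parent.$vid" create
        emit ifconfig "$parent.$vid" up
        members="$members addm $parent.$vid"
    done
    emit ifconfig "$bridge" create
    # shellcheck disable=SC2086  # $members is intentionally word-split
    emit ifconfig "$bridge" $members up
    # IP lives on the bridge, never on a member, so DHCP and rules attach here
    emit ifconfig "$bridge" inet "$cidr"
}

gen_all() {
    # Global knobs: filter on the bridge interface only, not on each member.
    # They affect every bridge on the box, not just the ones below.
    emit sysctl net.link.bridge.pfil_member=0
    emit sysctl net.link.bridge.pfil_bridge=1
    gen_vlan_bridge bridge0 10 10.0.10.1/24 igb1 igb2 igb3
    gen_vlan_bridge bridge1 20 10.0.20.1/24 igb1 igb2 igb3
    gen_vlan_bridge bridge2 30 10.0.30.1/24 igb2 igb3
}

# Sanity check on the plan: every bridge member must be a tagged
# subinterface (name contains a dot). A bare parent such as igb1 in a
# member list would mean bridging the trunk itself, which is the layout
# the thread later says does not work.
check_plan() {
    gen_all | awk '/^ifconfig bridge[0-9]+ addm/ {
        for (i = 4; i <= NF; i++)
            if ($i != "addm" && $i != "up" && $i !~ /\./) bad++
    } END { exit bad ? 1 : 0 }'
}

gen_all
```

Run it as-is to see the plan and compare it with what the pfSense Interfaces > Assignments, VLANs and Bridges pages produce. The two sysctls mirror the tunables in step 4: with pfil_member=0 any rule placed on igb1.10 or its siblings is simply not evaluated, so the pass rules must be on the bridgeN interface itself.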
-
-
@OGsadpanda said in VLAN and that dirty word... *bridges*:
Create desired VLANs one by one on all desired interfaces with no ip address (mgmt vlan10/vpn vlan20 on interface igb1/2/3, wifi guest/iot only on igb2/3)
bridge the VLANs together
You bridge all together? So why did you create separate VLANs?
@OGsadpanda said in VLAN and that dirty word... *bridges*:
but vlan pass rules are not working.
Why vlan rules? It should be bridge rules. You have added your rules to the bridge, didn't you? How do you want to separate the VLANs here?
-
not everything bridged, bridges just created across each vlan
i.e. bridge0 = VL10_igb1, VL10_igb2, VL10_igb3
so one set of rules (and subnet) would apply to the bridge
sorry, not 'vlan' pass rules at that point, 'bridge' pass rules
-
Put your APs on switch ports.
-
I found this answer you posted a while back
https://forum.netgate.com/topic/75815/wifi-and-lan-on-same-subnet-solved/33
which seems like what I have operating now... I just can't get vlans to work 'as is' with tunables and no firewall rules on the member.
-
If you have a switch you should use it and not do silly bridging.
If you insist on using a wireless card like that and want the wireless and wired on the same broadcast domain you have no choice but to bridge them.
You have a MUCH BETTER choice which is to just use the switch for that which it is intended and designed to do.
-
Hmm, I expect that to work. Though there can always be strangeness when bridges are involved.
What won't work is bridging the parent interfaces in an attempt to carry all the vlans. I've tried it.
Steve
-
I'm not using wireless cards, I'm using wireless APs and switches that are vlan capable and have a router/pf device with multiple ports.
I'm a self proclaimed n00b but it seems to me that for a software router, a bridge is like adding an all<>all rule with broadcasting across all specified interfaces.
The goofy rule catching I'm seeing makes me think the vlan tags are not persistent in this situation.
So.... Why sell hardware that has multiple ports and/or have the option to bridge or the software tunables if it doesn't work?
-
There is also the potential for broadcast domain "leakage" between VLANs. pfSense bridges are not switches and should not be used as such. It is, in general, a Bad Idea (tm).
-
There are legitimate reasons for bridges such as bridging two interfaces to create a transparent proxy. That is a legitimate purpose (and it works just fine).
You are attempting the equivalent of driving a screw with a carrot. Your switch is a perfectly good screwdriver and it's right over there.