VLANs with bridged interfaces
-
Hi there,
Happy voting day!
I did a search, and could not find the setup I am thinking about here. But as I am not a native English speaker, I might have missed something. In that case, I apologize!
I am wondering about something, and I hope you can help me understand the principle of it. I need to bridge some ports.
Let me see if I have understood this correctly.
I have used this page as a starter: https://www.cyberciti.biz/faq/how-to-pfsense-configure-network-interface-as-a-bridge-network-switch/
I set up WAN (1Gb)
I set up one LAN (1Gb) so I can connect and get access to web interface
I set up 4 SFP+ ports as OPT1-4
I set LAN address 192.18.1.1 on OPT1
I make the bridge by adding OPT1-4 to it.
First of all, do I need to set up firewall rules to pass traffic between the interfaces of the bridge to get it working?
My second doubt:
I need to make VLANs. Should I connect them to OPT1 or should I activate the BRIDGE and connect them to that?
Thank you,
Svein
-
Why not just LAGG the OPT ports ?
Do you really need to bridge a 1GB LAN port with your OPT ports ?
What SFP modules are you using in the OPT ports ?
Are you trying to use pfSense as a distribution switch ?
https://docs.netgate.com/pfsense/en/latest/interfaces/lagg.html
-
Sorry. Again, it might be my English makes some problems here.
I have not mentioned bridging a 1Gb port, only the SFP+ ports.
Regarding modules - only supported modules, of course. But that is not the question here :-)
Why bridge and not LAGG? Well - each of the ports in the bridge will be connected to different physical switches. As far as I know, LAGG is to increase throughput, but I need those four ports to operate as a mini switch so it makes it easier to organize the traffic and the VLANs.
-
@Oceanwatcher said in VLANs with bridged interfaces:
Sorry. Again, it might be my English makes some problems here.
I have not mentioned bridging a 1Gb port, only the SFP+ ports.
Regarding modules - only supported modules, of course. But that is not the question here :-)
Why bridge and not LAGG? Well - each of the ports in the bridge will be connected to different physical switches. As far as I know, LAGG is to increase throughput, but I need those four ports to operate as a mini switch so it makes it easier to organize the traffic and the VLANs.
Your English is way better than my Norwegian :)
pfSense doesn't make a good switch, you'd be better off buying a small distribution switch IMO.
https://docs.netgate.com/pfsense/en/latest/bridges/index.html
https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html
-
Thank you for answering!
I understand that it might not be ideal. And a distribution switch might be added in the future. Right now, I have to deal with what I have...
-
I was hoping you might have the answer I was looking for, but maybe I have the opposite for you? I have created a bridge and then assigned physical ports and the VLANs into that bridge, working with a desktop computer and additional NICs. My goal was to be able to have V11 on my LAN pass through my WAN connection for troubleshooting. I also bridged LAN zero physical ports with VLANs V7 and V6. For this to work I had to add a firewall rule to each interface for the local LAN and the VLAN to communicate. I also had to do this for the WAN and VLAN11 (FYI, check your ports at GRC if you do this; I accidentally had port 22 open). In the end I had it working. However, it takes a lot of mind-bending looking at the firewall rules, groups and floating rules.
So yes, you will need a firewall rule to let the traffic pass.
I'm trying to re-create the setup on new equipment and decided to swap the tunable for rules on the bridge, but I am unable to get it to work yet. I am able to get DHCP, and I'm having intermittent issues passing traffic. So theoretically it should also be possible.
If I were to add all 4 ports together, I would just bridge the 4 ports. However, if you have equipment that has an integrated switch, like the SG-3100, you can just reassign all of those ports together.
As for the additional VLANs, you would add those as a virtual port on top of the physical port* (of course this depends on the integrated switch, if you have one).
Hopefully something in there makes sense and is helpful?
-
@imark77 Going by the hardware in the handle, I'm assuming the SuperMicro has four dedicated ports. If that's the case, you'll need to create your desired VLANs on each hardware port ID and then bridge those VLANs across back together, and then a firewall rule to allow them to intercommunicate. (Theoretically, switching to rules on bridge would make the rules easier, but I don't recommend that until I can confirm that it works on my end, as that seems to be the problem I'm having.)
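As an added example, not code from any post in this thread or from Netgate: a small POSIX shell script that spells out, as the equivalent FreeBSD ifconfig and sysctl commands, the two points the last replies make. VLANs are created on each physical port and the per-VLAN sub-interfaces are bridged together, and the bridge's filtering location is chosen by the pfil_member/pfil_bridge tunables, which decides whether pass rules must exist on every member interface (the pfSense default, the "firewall rule on each interface" the reply needed) or on the bridge interface ("rules on bridge"). Interface names ix0 to ix3 for OPT1-4 and VLAN ids 10 and 20 are assumed placeholders; pfSense normally manages all of this from the web GUI, so by default the script only prints the plan.

```shell
#!/bin/sh
# Added example, not code from the thread or from Netgate: the FreeBSD-level
# equivalent of "VLANs on each physical port, bridged together per VLAN",
# plus the tunable pair that decides where pf filters bridged traffic.
# Assumptions: ix0..ix3 are the SFP+ ports assigned as OPT1-4 (check with
# `ifconfig -l`), and VLAN ids 10 and 20 are placeholders. pfSense normally
# drives all of this from the web GUI; this script only prints the plan
# unless APPLY=1 is set and it runs as root on the firewall.

set -eu

# run: print a command, and execute it only when APPLY=1.
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    fi
}

# vlan_bridge_plan "PARENTS" "VLAN_IDS"
# For each VLAN id: create the tagged sub-interface on every parent port and
# put those sub-interfaces into one bridge (bridge0, bridge1, ...). The ports
# then act as a small switch for that VLAN only; untagged traffic on the
# parents is not bridged, so each VLAN stays its own broadcast domain.
vlan_bridge_plan() {
    parents=$1
    vids=$2
    n=0
    for vid in $vids; do
        run ifconfig "bridge$n" create
        for p in $parents; do
            run ifconfig "$p.$vid" create vlan "$vid" vlandev "$p"
            run ifconfig "bridge$n" addm "$p.$vid"
        done
        run ifconfig "bridge$n" up
        n=$((n + 1))
    done
}

# bridge_filter_mode member|bridge
# The tunables (System > Advanced > System Tunables in pfSense) that decide
# where pf sees bridged packets:
#   member (pfSense default): filtering happens on each member interface, so
#          every member (each OPTx VLAN interface) needs its own pass rules;
#   bridge: filtering happens on the bridge interface instead, so one rule set
#          assigned to the bridge governs all of its members.
# Enable only one of the two; with both set, a packet must pass rules on the
# member interface and on the bridge.
bridge_filter_mode() {
    case $1 in
        member)
            run sysctl net.link.bridge.pfil_member=1
            run sysctl net.link.bridge.pfil_bridge=0
            ;;
        bridge)
            run sysctl net.link.bridge.pfil_member=0
            run sysctl net.link.bridge.pfil_bridge=1
            ;;
        *)
            echo "usage: bridge_filter_mode member|bridge" >&2
            return 1
            ;;
    esac
}

# Stand-alone use: ./bridge-plan.sh "ix0 ix1 ix2 ix3" "10 20" [member|bridge]
if [ $# -ge 2 ]; then
    vlan_bridge_plan "$1" "$2"
    bridge_filter_mode "${3:-member}"
fi
```

Running it with `"ix0 ix1 ix2 ix3" "10 20"` prints one bridge per VLAN with four tagged members each, followed by the member-filtering tunables; whichever mode is chosen, the pass rules have to be written for the interface where filtering happens, which is why the bridge in the thread passed nothing until rules existed on each member.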