Netgate Discussion Forum
    Help for Firewall and bridge

    Firewalling

    really2002
    last edited by really2002

      I have a box with pfSense 2.45-1. I set one interface as WAN with the static IP (192.168.0.2) to connect to the upper router, and set four LAN interfaces as a switch using the bridge function (192.168.2.248). I set DHCP on the bridge (192.168.2.0/24), and in the DHCP I set the DNS and gateway to my OpenWRT box's IP (192.168.2.247).

      [screenshot: 20201108121521.png]

      I have added pass-all rules on each interface and on the bridge. I am confused by net.link.bridge.pfil_bridge and net.link.bridge.pfil_member, as the documentation says:
      net.link.bridge.pfil_bridge: filtering on the bridge interface
      net.link.bridge.pfil_member: filtering on the incoming and outgoing member interfaces

      I set net.link.bridge.pfil_bridge=1 and net.link.bridge.pfil_member=0 because I want to set the rules only on the bridge to control all the LAN interfaces. BUT all the Wi-Fi terminals cannot access the internet; they only show "connected" but have no internet access. Their gateway and DNS are automatically set to 192.168.2.247. However, the PC connected to the pfSense can access the internet, and the PC and the Wi-Fi terminals can access each other.

      When I set net.link.bridge.pfil_bridge=0 and net.link.bridge.pfil_member=0, all Wi-Fi terminals can connect to the internet and they are OK. I changed nothing except net.link.bridge.pfil_bridge=0.

      When I set net.link.bridge.pfil_bridge=0 and net.link.bridge.pfil_member=1, all the Wi-Fi terminals cannot access the internet.

      I continued to test the bridge and found out that when I set net.link.bridge.pfil_bridge=1 and net.link.bridge.pfil_member=0, and change the DHCP gateway to 192.168.2.248, the Wi-Fi terminals are OK again.

      So what exactly is the function of net.link.bridge.pfil_member and net.link.bridge.pfil_bridge? If I set them both to 0, does it mean all rules will be ignored? But actually, I added a block rule on the bridge and it works.

      And what is wrong with my Wi-Fi terminals when I set net.link.bridge.pfil_bridge=1?

      bingo600
      last edited by
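      To make the two sysctls concrete, here is an added Python model (not code from this thread, from the poster, or from pfSense/FreeBSD) of which interface rulesets pf evaluates for one frame, depending on net.link.bridge.pfil_member and net.link.bridge.pfil_bridge. The interface names em1/em2, the ruleset and the client address 192.168.2.50 are constructed for the example; the handling of packets addressed to the bridge's own IP, and net.link.bridge.pfil_local_phys being left at its default of 0, are assumptions stated in the comments.

```python
# Toy model of where pf gets a look at a frame on a FreeBSD/pfSense bridge.
# Added example for this thread, not code from the poster or from pfSense.
#
#   net.link.bridge.pfil_member = 1 -> rules on the MEMBER interfaces run
#                                      (in on the ingress member, out on the
#                                      egress member)
#   net.link.bridge.pfil_bridge = 1 -> rules on the BRIDGE interface run
#                                      (in and out)
#
# Assumptions made here: net.link.bridge.pfil_local_phys stays at its
# default of 0, and a packet addressed to the bridge's own IP is handed to
# the IP stack with the bridge as its receiving interface, so rules on the
# bridge interface apply to it regardless of the two sysctls above.  Only
# frames the bridge forwards member-to-member skip pf when both are 0.
from dataclasses import dataclass

BRIDGE = "bridge0"                     # constructed interface name
PFSENSE_IP = "192.168.2.248"           # bridge IP from the thread

@dataclass
class Rule:
    iface: str
    direction: str      # "in" or "out"
    action: str         # "pass" or "block"
    src: str = "any"
    dst: str = "any"

    def matches(self, iface, direction, src, dst):
        return (self.iface == iface and self.direction == direction
                and self.src in ("any", src) and self.dst in ("any", dst))

def evaluate(rules, iface, direction, src, dst, default="block"):
    """pfSense-style: first matching rule wins; nothing matching -> default deny."""
    for r in rules:
        if r.matches(iface, direction, src, dst):
            return r.action
    return default

def filter_points(ingress, egress, pfil_member, pfil_bridge):
    """(iface, direction) pairs pf evaluates for one frame entering `ingress`.

    egress=None means the frame is addressed to the bridge's own IP."""
    if egress is None:
        return [(BRIDGE, "in")]          # local delivery: always seen on bridge0
    points = []
    if pfil_member:
        points.append((ingress, "in"))
    if pfil_bridge:
        points += [(BRIDGE, "in"), (BRIDGE, "out")]
    if pfil_member:
        points.append((egress, "out"))
    return points

def decide(rules, ingress, egress, src, dst, pfil_member, pfil_bridge):
    """A block at any filter point drops the frame; no filter points -> pass."""
    for iface, direction in filter_points(ingress, egress, pfil_member, pfil_bridge):
        if evaluate(rules, iface, direction, src, dst) == "block":
            return "block"
    return "pass"

# Constructed ruleset: pass-all on every interface in both directions (the
# poster's setup), plus one block rule on the bridge for a single client.
RULES = [Rule(BRIDGE, "in", "block", src="192.168.2.50")]
for _iface in ("em1", "em2", BRIDGE):
    RULES += [Rule(_iface, "in", "pass"), Rule(_iface, "out", "pass")]

def scenarios():
    """The sysctl combinations from the thread, for the blocked client."""
    bridged = dict(ingress="em1", egress="em2", src="192.168.2.50", dst="192.168.2.247")
    local = dict(ingress="em1", egress=None, src="192.168.2.50", dst=PFSENSE_IP)
    return {
        "bridged member=0 bridge=0": decide(RULES, **bridged, pfil_member=0, pfil_bridge=0),
        "bridged member=0 bridge=1": decide(RULES, **bridged, pfil_member=0, pfil_bridge=1),
        "bridged member=1 bridge=0": decide(RULES, **bridged, pfil_member=1, pfil_bridge=0),
        "to bridge IP member=0 bridge=0": decide(RULES, **local, pfil_member=0, pfil_bridge=0),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:32} -> {verdict}")
```

      Run it and the four verdicts show the distinction the poster is asking about: with both sysctls at 0, a frame forwarded between two members (here toward the OpenWRT gateway at .247) never reaches pf, while a packet addressed to pfSense's own bridge IP is still matched against the bridge rules, which is consistent with the report that a block rule on the bridge keeps working in that setting. With pfil_member=1 only, the bridge's block rule is never consulted because only the member interfaces' rulesets run.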

        Depending on what box you have (does it have an internal switch chipset?).
        Bridging on a NON switch chipset is a kludge, and NOT best practice.

        /Bingo

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

          really2002 @bingo600
          last edited by really2002

          @bingo600

          I use ESXi to install the pfSense, with a 5-port Intel Ethernet PCIe card.

            bingo600
            last edited by

            My best advice: if you need a switch, buy a switch.
            With reference to the above, I have no experience with pfSense and bridging.

            But I see a lot of experienced members giving the same advice.

            /Bingo

            If you find my answer useful - Please give the post a 👍 - "thumbs up"

            pfSense+ 23.05.1 (ZFS)

            QOTOM-Q355G4 Quad Lan.
            CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
            LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD
