[SOLVED] Routing a bridged LAN connection.

nimrod · Jan 1, 2023, 1:12 AM

First of all, happy new year to everyone !!!

So this i more of a question than an actual issue but here is the situation.

I have a DSL router in bridge mode. My pfsense appliance has a few more more free ports i can use. I plugged my router into the port 3 and bridged it to port 4.

I plugged in my iptv box into port 4 and iptv box is working for a few seconds and then it stops. Picture just freezes. Then it starts working again, and then it stops again. I know that bridging two ports is not really ideal solution because of performance issues. And i figured this out because, when i plug my bridged router into a cheap dumb switch and then plug my iptv box into that switch, everything works without without any issues.

Here is the question. As i already mentioned above, my isp router is set into bridge mode by default. Is it possible to plug it into port 3 on my pfsense appliance and route that bridge traffic to port 4?

I know how to do this with regular network traffic by using NAT and firewall rules, but since we are dealing with the bridged router im not sure how to do this in pfsense. Is this even possible ?

Any advice is welcome. Thank you.

NollipfSense · Jan 1, 2023, 1:12 AM

@nimrod said in Routing a bridged LAN connection.:

when i plug my bridged router into a cheap dumb switch and then plug my iptv box into that switch, everything works without without any issues.

Not sure what you mean by "bridge," however, why reinvent the wheel? You know how it suppose to work by the above but seems obsessive on 'bridge." I have never experienced asymmetric routing but that appears to be your issue trying to "bridge" your setup.

nimrod · Jan 1, 2023, 1:32 AM

Not sure what you mean by "bridge,"

The router i got from my internet service provider is not routing the traffic. Its working in bridge mode which allows iptv box to work.

On pfsense side i bridged ports 3 and 4 and this works. At least It used to work until they my isp upped the bitrate of some channels. So bridging ports in pfsense is no longer sufficient.

however, why reinvent the wheel?

You know how it suppose to work by the above but seems obsessive on 'bridge." I have never experienced asymmetric routing but that appears to be your issue trying to "bridge" your setup.

This allows me to create a schedule and then use that schedule in a firewall rule to cut the traffic between isp modem and iptv box. Im using pfsense as a parental control for kids because both isp modem and iptv box are locked. Does it make sense now ?

I made the thread about this not so long ago.

https://forum.netgate.com/topic/173931/bridge-blocking-solved?_=1672536404623

NollipfSense · Jan 1, 2023, 2:30 AM

@nimrod said in Routing a bridged LAN connection.:

Does it make sense now ?

Yes, it does and thank you for sharing...seems you have some smart kids. I would never consider using a firewall this way...Steve will help you @stephenw10.

nimrod · Jan 1, 2023, 2:55 AM

Yes, it does and thank you for sharing...seems you have some smart kids.

Thanks, but its not the kids that locked it. Its how the isp is providing their <insert bad word here> service.

I would never consider using a firewall this way...Steve will help you @stephenw10.

I use it just like everybody else. I have a few VPN tunels, few cameras isolated with vlans and pfblocker. This is just attempt to use pfsense for something completely different. And it used to work great with two ports bridged. Now i need different solution.

Meanwhile I did some research, and if i understood correctly, "standard" network traffic routing is done on layer 3, and bridged networks are on layer 2. Layer 2 traffic can not be routed. I hope im wrong.

NollipfSense · Jan 1, 2023, 4:30 PM

@nimrod said in Routing a bridged LAN connection.:

This is just attempt to use pfsense for something completely different.

That's what I like about, very creative solution indeed.

stephenw10 · Jan 5, 2023, 3:23 PM

You probably need some additional firewall rules on the bridge (or bridge members) to pass mutlicast traffic. That requires IP options be enabled.
I would expect to see some blocked traffic in the firewall logs.

Steve

nimrod · Jan 5, 2023, 5:32 PM

@stephenw10

Hi Steve.

This is the firewall rule on primary port where ISP modem is plugged in.

This is the firewall rule where IPTV box is plugged in.

And this is the firewall rule on the bridge interface for these two ports.

Again. This configuration used to work perfectly fine. However, my ISP has improved picture and sound quality quite a bit and since then, this configuration is no longer working.

If i do this with dumb switch, it works perfectly fine.

These are the specs of my pfSense box.

I dont understand the part IP options. Can you clarify ?

Thank you.

stephenw10 · Jan 5, 2023, 5:52 PM

IP Options is an advanced setting on the rule:
https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#ip-options

There are zero states or Bytes on any of those rules so it looks like they are not matching anything.

How do you have the bridge filtering configured?
https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html#bridging-and-firewalling

Steve

nimrod · Jan 5, 2023, 6:34 PM

@stephenw10 said in Routing a bridged LAN connection.:

IP Options is an advanced setting on the rule:
https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#ip-options

Im on it. Will report back with results.

There are zero states or Bytes on any of those rules so it looks like they are not matching anything.

There are zero states because nothing is connected at the moment. Its all going through dumb switch.

How do you have the bridge filtering configured?
https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html#bridging-and-firewalling

Steve

This is how its configured now.

nimrod · Jan 6, 2023, 10:00 PM

@stephenw10 again you nailed it.

Just enabling IP Options in the firewall rules did the trick. HD channels are running smooth and i can see A LOT more traffic coming in than before.

Everything runs absolutely perfect now.

Cant thank you enough sir.

Cheers.

NollipfSense · Jan 7, 2023, 1:06 AM

@nimrod said in [SOLVED] Routing a bridged LAN connection.:

Just enabling IP Options in the firewall rules did the trick.

So awesome that this creative use of a firewall is resolved.

nimrod · Jan 7, 2023, 1:06 AM

@nollipfsense said in [SOLVED] Routing a bridged LAN connection.:

@nimrod said in [SOLVED] Routing a bridged LAN connection.:

Just enabling IP Options in the firewall rules did the trick.

So awesome that this creative use of a firewall is resolved.

Oh im not done yet. I want to take this to another level.

The plan is to add another interface into existing iptv pfsense bridge.This interface has a very fast wifi access point connected to it. Cool thing about this ap is that it supports vlans. I can create a new 5ghz ssid and assign a vlan tag to it. This vlan tag will match the vlan tag assigned to iptv bridge in pfsense.

I also have old wifi 6 router that can operate as a wifi client. I want to connect this wifi router to my ap on a vlan tagged 5ghz ssid. If this works, it will give me incredible flexibility. I can just move my iptv box along with my tv anywhere i want. No need to drill holes and create a cable mess.

nimrod · Jan 7, 2023, 3:41 AM

Success !!!!

Here is the configuration for anyone that cares.

This is the interface configuration.

IPTV_VL is the VLAN35 interface on igb5 where my wireless ap is connected to.

IPTV_IN is igb2 port where my dsl modem is connected.

IPTV_BR is the pfsense bridge that bridges VLAN35 on igb5 with igb2.

This is the bridge configuration with its members.

This is the VLAN configuration on igb5 port.

This is the firewall rule on IPTV_VL interface.

Make sure you have IP Options enabled in advanced options in firewall rule. See picture bellow. Thanks once again @stephenw10

Same rule is required for for IPTV_IN interface.

And this is my AP configuration.

AP isolation is enabled.

My old Asus RT-AX86 is set to client mode and connected to IPTV ssid. Iptv box is connected to port 1 (any port will do) and finaly, iptv box is connected via hdmi cable to my TV. And this works flawlessly. No picture hicups, no stuttering or sound corruption.

Firewall rules are controlled by traffic shaper + schedule that i defined.

Once it kicks in, traffic speed between bridged interfaces goes to 1Bit/sec and iptv box reports connection error and shuts off. Smart TV shuts off automatically after 5 minutes because there is no signal on HDMI port.

pfSense working as a router, firewall, vpn, adblocker, and parental control device.

Perfection.

stephenw10 · Jan 7, 2023, 1:54 PM

Persistence FTW!