[SOLVED] Routing a bridged LAN connection.

NollipfSense

@nimrod said in Routing a bridged LAN connection.:

Does it make sense now ?

Yes, it does and thank you for sharing...seems you have some smart kids. I would never consider using a firewall this way...Steve will help you @stephenw10.

nimrod

Yes, it does and thank you for sharing...seems you have some smart kids.

Thanks, but its not the kids that locked it. Its how the isp is providing their <insert bad word here> service.

I would never consider using a firewall this way...Steve will help you @stephenw10.

I use it just like everybody else. I have a few VPN tunels, few cameras isolated with vlans and pfblocker. This is just attempt to use pfsense for something completely different. And it used to work great with two ports bridged. Now i need different solution.

Meanwhile I did some research, and if i understood correctly, "standard" network traffic routing is done on layer 3, and bridged networks are on layer 2. Layer 2 traffic can not be routed. I hope im wrong.

NollipfSense

@nimrod said in Routing a bridged LAN connection.:

This is just attempt to use pfsense for something completely different.

That's what I like about, very creative solution indeed.

stephenw10

You probably need some additional firewall rules on the bridge (or bridge members) to pass mutlicast traffic. That requires IP options be enabled.
I would expect to see some blocked traffic in the firewall logs.

Steve

nimrod

@stephenw10

Hi Steve.

This is the firewall rule on primary port where ISP modem is plugged in.

This is the firewall rule where IPTV box is plugged in.

And this is the firewall rule on the bridge interface for these two ports.

Again. This configuration used to work perfectly fine. However, my ISP has improved picture and sound quality quite a bit and since then, this configuration is no longer working.

If i do this with dumb switch, it works perfectly fine.

These are the specs of my pfSense box.

I dont understand the part IP options. Can you clarify ?

Thank you.

stephenw10

IP Options is an advanced setting on the rule:
https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#ip-options

There are zero states or Bytes on any of those rules so it looks like they are not matching anything.

How do you have the bridge filtering configured?
https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html#bridging-and-firewalling

Steve

nimrod

@stephenw10 said in Routing a bridged LAN connection.:

IP Options is an advanced setting on the rule:
https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#ip-options

Im on it. Will report back with results.

There are zero states or Bytes on any of those rules so it looks like they are not matching anything.

There are zero states because nothing is connected at the moment. Its all going through dumb switch.

How do you have the bridge filtering configured?
https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html#bridging-and-firewalling

Steve

This is how its configured now.

nimrod

@stephenw10 again you nailed it.

Just enabling IP Options in the firewall rules did the trick. HD channels are running smooth and i can see A LOT more traffic coming in than before.

Everything runs absolutely perfect now.

Cant thank you enough sir.

Cheers.

NollipfSense

@nimrod said in [SOLVED] Routing a bridged LAN connection.:

Just enabling IP Options in the firewall rules did the trick.

So awesome that this creative use of a firewall is resolved.

nimrod

@nollipfsense said in [SOLVED] Routing a bridged LAN connection.:

@nimrod said in [SOLVED] Routing a bridged LAN connection.:

Just enabling IP Options in the firewall rules did the trick.

So awesome that this creative use of a firewall is resolved.

Oh im not done yet. I want to take this to another level.

The plan is to add another interface into existing iptv pfsense bridge.This interface has a very fast wifi access point connected to it. Cool thing about this ap is that it supports vlans. I can create a new 5ghz ssid and assign a vlan tag to it. This vlan tag will match the vlan tag assigned to iptv bridge in pfsense.

I also have old wifi 6 router that can operate as a wifi client. I want to connect this wifi router to my ap on a vlan tagged 5ghz ssid. If this works, it will give me incredible flexibility. I can just move my iptv box along with my tv anywhere i want. No need to drill holes and create a cable mess.

nimrod

Success !!!!

Here is the configuration for anyone that cares.

This is the interface configuration.

IPTV_VL is the VLAN35 interface on igb5 where my wireless ap is connected to.

IPTV_IN is igb2 port where my dsl modem is connected.

IPTV_BR is the pfsense bridge that bridges VLAN35 on igb5 with igb2.

This is the bridge configuration with its members.

This is the VLAN configuration on igb5 port.

This is the firewall rule on IPTV_VL interface.

Make sure you have IP Options enabled in advanced options in firewall rule. See picture bellow. Thanks once again @stephenw10

Same rule is required for for IPTV_IN interface.

And this is my AP configuration.

AP isolation is enabled.

My old Asus RT-AX86 is set to client mode and connected to IPTV ssid. Iptv box is connected to port 1 (any port will do) and finaly, iptv box is connected via hdmi cable to my TV. And this works flawlessly. No picture hicups, no stuttering or sound corruption.

Firewall rules are controlled by traffic shaper + schedule that i defined.

Once it kicks in, traffic speed between bridged interfaces goes to 1Bit/sec and iptv box reports connection error and shuts off. Smart TV shuts off automatically after 5 minutes because there is no signal on HDMI port.

pfSense working as a router, firewall, vpn, adblocker, and parental control device.

Perfection.

stephenw10

Persistence FTW!