Netgate Discussion Forum
    Firewall Rules, VLAN, Bridges etc.

General pfSense Questions
6 Posts 3 Posters 566 Views

void0324:

Hi, I've been running an OPNsense firewall before and thought I would check out pfSense.
I am struggling right now with a few things, so let's get started.

I have removed some sensitive information from my config, but this is basically the config: https://pastebin.com/3RFu8yQ5

My network has 4 networks and 3 VLANs:
      MGMT 10.1.1.0/24
      IoT 10.1.10.0/24 VLAN 10
      GREEN 10.1.20.0/24 VLAN 20
      DMZ 10.1.99.0/24 VLAN 99

      I created 4 bridges for MGMT, IoT, GREEN and DMZ, so in MGMT I wanted igb1, igb2, igb3, but here is my main issue ...
      When I add igb1 to the bridge I cannot access any devices in DMZ anymore and those devices cannot access the internet anymore.

Is there anything I need to do to be able to use igb1 untagged with MGMT and igb1.99 tagged on the same interface?
igb1 is connected to a Cisco switch and the port is set as a trunk allowing all VLANs; VLAN 1 is configured with "ip address dhcp".

Cisco paste, cleaned: https://pastebin.com/sSk1GbQL

My Mac is connected via Wi-Fi to the GREEN network, but I can freely ping everything on the network. There must be something missing?
I did change net.link.bridge.pfil_bridge to 1 and net.link.bridge.pfil_member to 0.

      Any help would be greatly appreciated!
      Thanks

Bob.Dig (LAYER 8), replying to void0324:

        @void0324 said in Firewall Rules, VLAN, Bridges etc.:

Why did you create 4 bridges?

void0324, replying to Bob.Dig:

          @Bob-Dig
So I can bridge igb1.99 and igb2.99 and the other VLANs, and bridge igb1, igb2 and igb3 as untagged for management.
          Is that not how you do it?

stephenw10 (Netgate Administrator):

            It's unclear why you have 3 NICs with the same VLANs on when you have a VLAN capable switch. Are you trying to filter between the three segments in the same subnet perhaps?

            But the reason this fails is that adding a parent NIC to a bridge breaks the VLAN interfaces on it. The reply traffic is captured by the bridge before it can be tagged/untagged.

            https://redmine.pfsense.org/issues/11139

            Steve

void0324, replying to stephenw10:

              @stephenw10

              Ah thanks Steve, I had the switch in another room where everything was connected. Did refactor today tho.
              So to understand that right, if I create igb1.99 I cannot use igb1.
              But I can still use the bridge to keep the VLANS together, right?

stephenw10 (Netgate Administrator):

You can use igb1, you just can't add igb1 to a bridge. Though I always prefer not to see tagged and untagged traffic on a NIC if possible, because it avoids config errors causing problems.

                Yes, you can still bridge the VLAN interfaces.

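As an added example (not code from this thread, from Netgate or from pfSense), here is a small checker for the failure Steve describes in his two replies: it parses FreeBSD ifconfig(8)-style output and flags any bridge member that is also the parent of a VLAN interface, since such a VLAN interface stops working once the parent joins the bridge. The ifconfig text below is constructed to mirror the thread's layout, and the FreeBSD 12+ output format ("vlan: N ... parent interface: X", "member: X") is an assumption.

```python
import re

# Constructed ifconfig(8)-style output (not captured from a real box): igb1.99 is a
# VLAN child of igb1, yet igb1 is also an untagged member of bridge0 (the bad combo).
SAMPLE_IFCONFIG = """\
igb1.99: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tgroups: vlan
\tvlan: 99 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
igb2.99: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tgroups: vlan
\tvlan: 99 vlanproto: 802.1q vlanpcp: 0 parent interface: igb2
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tmember: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
\tmember: igb3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
\tgroups: bridge
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tmember: igb1.99 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
\tmember: igb2.99 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
\tgroups: bridge
"""

def parse_ifconfig(text):
    """Return (vlan_parents, bridge_members): VLAN child -> parent NIC,
    and bridge name -> list of member interfaces."""
    vlan_parents, bridge_members, current = {}, {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+): flags=", line)  # start of a new interface block
        if head:
            current = head.group(1)
            continue
        m = re.match(r"\s+vlan: \d+ .*parent interface: (\S+)", line)
        if m and current:
            vlan_parents[current] = m.group(1)
        m = re.match(r"\s+member: (\S+) ", line)
        if m and current:
            bridge_members.setdefault(current, []).append(m.group(1))
    return vlan_parents, bridge_members

def find_parent_in_bridge(text):
    """Flag every bridge member that is also the parent of a VLAN interface;
    returns {(bridge, member): [VLAN children that will stop working]}."""
    vlan_parents, bridge_members = parse_ifconfig(text)
    problems = {}
    for bridge, members in bridge_members.items():
        for member in members:
            children = sorted(c for c, p in vlan_parents.items() if p == member)
            if children:
                problems[(bridge, member)] = children
    return problems
```

On a live box the same function can be fed the text of `ifconfig` itself; an empty result means no bridge contains the parent of a VLAN interface, which is the condition Steve's replies require.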
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.