VLAN and bridges don't mix?
-
I have a firewall with one WAN port and two LAN ports. The LAN ports are in a bridge to effectively connect two network branches together.
Today I setup VLAN 4 on both LAN ports, created a bridge for them, and setup DHCP on the bridge. My goal was to simply ensure that any tagged traffic coming over either LAN port will be handled appropriately.
Two test endpoints, coming off the same LAN port, pull the right IPs from the VLAN bridge DHCP server and communicate with each other without issue. However, they cannot ping the bridge IP (i.e. gateway/DHCP server IP), nor the LAN IP, nor 8.8.8.8, etc.
(Yes--it makes no sense that they can communicate with the VLAN bridge gateway to pull an IP but then can't ping it.)
For firewall rules, I have a IPv4+6 wildcard protocol/source/dest rule on the bridge. I also have the same on the VLAN interfaces.
Any thoughts on what I'm missing? Seems like this should be a simple/standard setup.
-
To me bridging is not efficient. I would rather use VLANs with local routing. I actually use a layer 3 switch but you don't have to.
-
When I was setting up VMs on my TrueNAS Core (also FreeBSD based) I discovered a limitation of bridging where an interface could bridge untagged trafffic or VLAN tagged traffic, but not both. My ongoing solution has been to move all my untagged traffic onto a tagged VLAN and just assign that VLAN to the various ports on the switch. So none of the downstream devices see the the VLAN tagging, but to the pfsense and truenas everything is tagged. Without looking through your whole setup, I'd bet that's what you're running into.
