HOW TO - EASY (wireless) bridge configuration in 2.0

gnhb

–----------------- Updated May 2, 2010 ----------------
SKIP DOWN to my next POST to see step by step instructions

Hello All,

I read this post http://forum.pfsense.org/index.php/topic,12101.0.html titled "wireless not giving IP when bridged with LAN" and it took me a long time to figure out how to implement it on my box, so I offer this clarification.

I'm running 2.0-ALPHA-ALPHA-nanobsd built on Sept 15th, 2009 on an ALIX 2D3 board.

I have attached below an image of my "interfaces assign" page from the web GUI. This setup defines OPT1 (renamed WLAN) as my wireless interface, OPT2 as one of my 10/100 interfaces.
The bridge interface includes OPT1 and OPT2.
I didn't have to create ANY new firewall rules for this to operate smoothly. Clients on the wired LAN or WLAN can get to the internet and can get to each other.

The second image is from the System => Advanced => System Tunables page.
The DHCP server setting are unchanged from the default settings (running on the LAN interface.)

GNB

![Untitled Image.jpg](/public/imported_attachments/1/Untitled Image.jpg)
![Untitled Image.jpg_thumb](/public/imported_attachments/1/Untitled Image.jpg_thumb)

system_advanced_tunables.jpg_thumb

grantemsley

I've been trying to duplicate this for most of the day.
Following your instructions, I was able to get DHCP addresses from both the wifi and lan, however neither could connect to anything - they couldn't even ping the pfsense box.

Does this still work on the latest (as of yesterday) beta?

gnhb

Hi,

Yes, it still works. I'm on a snapshot from April 18th. I'll be testing the May 1st 2G Nano snapshot in the next hour.

Here's the procedure I use to create the bridge interface and assign it to the LAN port. This procedure doesn't cause you to loose connectivity to the GUI or have to monkey around with assigning IP addresses to other ports temporarily.

Assume we're starting with these interface definitions:
WAN -> fx0
LAN -> fx1
OPT1 -> ath0
Also, assume that the DHCP server is already enabled on the LAN interface and is running.

1. On Interfaces Assign page create another OPT interface called OPT2 (create more than one if you want to bridge physical ports too - we'll call any additional ports OPTx.)
2. Assign a physical port or a vlan port, or a PPP port to OPT2 just as a place holder.
2a. Assign physical ports to the other OPTx interfaces you've created.
3. Go to the Interfaces -> OPT2 page and click the "Enable" checkbox. (Repeat for all OPTx interfaces.)
4. Go to the Interfaces -> (assign) page and click on the "Bridge" tab.
5. Select OPT1, OPT2, OPTx (if you created additional ports for the bridge) to be members of the bridge interface and Save.
6. Go to Interfaces -> (assign) page again and select "BRIDGE0" for the LAN interface, and select the fx1 port (formerly assigned to LAN) for the OPT2 interface and Save.

Now we have these interface definitions.
WAN -> fx0
LAN -> BRIDGE0
OPT1 -> ath0
OPT2 -> fx1
OPTx -> <whatever else="" you="" want="">7. Go to the System -> Advanced -> System Tunables page and make it look like the pic I posted earlier.

No loss of connectivity to the GUI or the router will occur during this procedure.
You DON'T need ANY new firewall rules for this to operate smoothly.
Clients on the wired LAN or WLAN can get addresses from DHCP and can get to the internet (WAN) and can get to each other. (However, be sure to set up your wireless config properly. There is a checkbox in wireless config that allows or prevents wireless clients from seeing each other.)

Hope it works for you.

GB</whatever>

grantemsley

Thank you so much for posting this. I got it working following those instructions.

Efonnes

Just wanted to note that if you have an extra interface that you are keeping out of the bridge, the bridge configuration is easier if you access the web GUI over that interface instead of accessing it over an interface you are going to put into the bridge. This way there is no chance you will lose access to the web GUI before you finish the configuration.

spiritbreaker

Hi,

thx about ur little Tutorial.

According to ur system tuneable settings…u need only to set Spanning tree on LAN interface or
u still need to set it on Memberinterfaces or all Members and LAN (bridge0)?

Cya

danswartz

I would be surprised if spanning tree needs to be on - usually it is a mistake to have it on in most configurations, as it can slow down how long ports take to be usable, for no gain.

Rick164

How does one get traffic shaping to work on both LAN and WiFi?
Because you can only make a shaping config for LAN and WiFi seperately and not the wireless bridge(Bridge0 for instance), this results in them getting seperate queues which means line saturation/usage is not shared between those 2.

jrussell05

Followed this tutorial. I have 4 Lan ports bridged to LAN.

I can access the internet from all of my devices connected to the ports and I can access each device from the WAN. However, the devices can't talk to each other. I have even tried adding firewall rules to each of the individual interfaces.

Any suggestions.

wallabybob

@jrussell05:

Followed this tutorial. I have 4 Lan ports bridged to LAN.

. . .

If this is still an issue I suggest you start a new topic. I suspect it might have got lost in the sticky topic with wireless in the title. I usually don't even look at the sticky topics because they don't tend to change much.

Efonnes

I just wanted to add a note that for this type of bridge configuration, sometimes it is useful to assign a MAC address to the bridge interface. Normally it just gets a random MAC, but this behavior will cause some client systems to notify that you are connecting to a new network or router every time it gets a new random MAC (each time you boot up the router), potentially requiring some kind of firewall setup steps for the new network. Setting a fixed MAC address on the bridge interface resolves this (MAC address on bridge members is ignored in the type of setup this topic is about).

Bai Shen

I just tried this, and it hung at step 6. I had to use the local console to reset my interfaces.

Also, I don't see a picture showing the Advanced changes that need to be made.

romainp

Hi,
I have tried that setup with some differences and can't make it work…
My goal is to:

have a wireless with a vlan tag (not the wifi interface but with a bridge based on the lan interface)
have a dhcp server for the wifi network

For what I understand, I need to

LAN -> BRIDGE0 -> vlan100 on em1 -> em1
-> em2 (the phy interface exist but will not be used, just for the bridge to work)

dhcp enable on LAN

and

WIFI -> BRIDGE1 -> vlan200 en em1 -> em1
-> ath0

dhcp on WIFI interface

Does this make sense? Any advices to make this setup work?

Thanks

wallabybob

@romainp:

My goal is to:

have a wireless with a vlan tag (not the wifi interface but with a bridge based on the lan interface)

If I recall correctly this is not supported: I don't think FreeBSD supports VLANs on any wireless interface. (Feel free to check the FreeBSD vlan man page.)

In pfSense 2.0 there is support for multiple wireless networks on a single physical interface, provided the interface driver supports that. (Some drivers do support it and some don't.)

What are you trying to accomplish by this combination?

romainp

In fact I do not try to tag the wifi ath0 interface but tag the lan interface and use it with a bridge to have my wifi tagged this way. I managed to make it works with 1.2.3 but I can't in RC1.
My goal is to

tag with a vlan my lan and wifi traffic and have a dhcp server that deliver ips for the wifi and lan network with differents addresses.

Hope it's clearer.

wallabybob

Some possible problems with this sort of configuration: when forwarding from VLAN to wireless does the bridge strip the VLAN tag? If wireless client sees a VLAN tag in an incoming frame does it ignore the VLAN altogether (and process the frame) or does it ignore the frame on the grounds of "I don't support VLANs so this mustn't be for me"? When forwarding from wireless to VLAN should the bridge add a VLAN tag? If it doesn't how will the frame be processed at the receiving end?

Neither the FreeBSD vlan man page nor the bridge man page say what the bridge will do to VLAN tags when you bridge a VLAN and non-VLAN so I would guess the FreBSD developers might feel free to change the behaviour at any time and not feel a need to document the change.

I think you will be on much firmer ground if you don't mix VLAN and non VLAN interfaces on a bridge.

romainp

Hi,
Thanks for those very good advices and they all make sense.
Since I have question:

If I configure one port of my vlan capable switch to only accept vlan traffic, then wireless devices could not connect to the hosts that are filtered by the switch..
Any suggestion?
A big thank for your help.
Romain

wallabybob

@romainp:

If I configure one port of my vlan capable switch to only accept vlan traffic, then wireless devices could not connect to the hosts that are filtered by the switch..

Sorry, I don't understand this description.

Here's a simplified concept description of my configuration. Perhaps this will help.

I have a ProCurve 1700-8 VLAN capable switch.

My pfSense box has physical interfaces ath0 (Wireless LAN), vr0 (LAN) and rl0. ath0 and vr0 are bridged. On rl0 I have VLANS with IDs 10 and 15. rl0 connects to port 7 on the switch. port 7 on the switch is configured as a member of VLAN 10 and VLAN 15. port 6 on the switch is the only other member of VLAN 10 and that connects to my ADSL modem. port 3 on the switch is the only other member of VLAN 15 and connects to a server. My WAN interface is pppoe on vlan 10 on rl0. My OPT3 (DMZ) interface is vlan 15 on rl0.

The switch ports are configured:
port 3 VLAN Aware Enabled=NO Ingress Filtering enabled=NO Packet Type=ALL PVID=15
port 6 VLAN Aware Enabled=NO Ingress Filtering enabled=NO Packet Type=ALL PVID=10
port 7 VLAN Aware Enabled=YES Ingress Filtering enabled=NO Packet Type=Tagged PVID=None

romainp

Thanks for for comments
I use at home a ProCurve 1800-8G

I have a ProCurve 1700-8 VLAN capable switch.

My pfSense box has physical interfaces ath0 (Wireless LAN), vr0 (LAN) and rl0. ath0 and vr0 are bridged. On rl0 I have VLANS with IDs 10 and 15. rl0 connects to port 7 on the switch. port 7 on the switch is configured as a member of VLAN 10 and VLAN 15. port 6 on the switch is the only other member of VLAN 10 and that connects to my ADSL modem. port 3 on the switch is the only other member of VLAN 15 and connects to a server. My WAN interface is pppoe on vlan 10 on rl0. My OPT3 (DMZ) interface is vlan 15 on rl0.

The switch ports are configured:
port 3 VLAN Aware Enabled=NO Ingress Filtering enabled=NO Packet Type=ALL PVID=15
port 6 VLAN Aware Enabled=NO Ingress Filtering enabled=NO Packet Type=ALL PVID=10
port 7 VLAN Aware Enabled=YES Ingress Filtering enabled=NO Packet Type=Tagged PVID=None

Ok I have read several times your post and still do not understand all the subtilities… Myabe because englsih is not my mother tongue ;-)

Let me resume:

ath0 and lan (vr0) are bridge. Fine. dhcp should gives IP for LAN and wifi. But no vlan here
Your WAN is vlan 10 or rl0
You also have have an interface for vlan15 on rl0 (DMZ)
But where your LAN (vr0) connects on the switch?
Is your wifi traffic tagged by the switch and are you able to go to your vlan'ed machines/servers with your wireless connection?

Thanks again for your precious advices

wallabybob

@romainp:

ath0 and lan (vr0) are bridge. Fine. dhcp should gives IP for LAN and wifi. But no vlan here
Your WAN is vlan 10 or rl0
You also have have an interface for vlan15 on rl0 (DMZ)

Correct.

@romainp:

But where your LAN (vr0) connects on the switch?

LAN doesn't use VLANs at all. The pfSense LAN port connect to a separate switch which is not VLAN capable.

@romainp:

Is your wifi traffic tagged by the switch and are you able to go to your vlan'ed machines/servers with your wireless connection?

No and yes.