Netgate Discussion Forum

    pfSense's strange 'layered bridges' (and their behaviour)

    L2/Switching/VLANs
    • louis2

      For some VLANs which do not need high performance I use pfSense's internal bridge option.

      The bridges are used to make the VLANs available in two physically different networks.

      For info I have two more or less separated networks for two reasons:

      • for redundancy, if one network fails, I can still use the other one
      • one is a 10G network the other one a 2.5G / 1G network

      For that reason the management VLAN, for instance, is connected to both networks, where each network is connected to pfSense via a trunk.

      The intention is of course that the whole thing behaves as one logical VLAN.

      However, pfSense's bridge implementation is, to say the least(!), weird.

      Where you would expect the 'members' assigned to a certain bridge to be previously defined VLANs, in the actual situation they are 'pfSense interfaces'.

      This has three very strange complications:

      • you have to define a 'dummy VLAN-related interface' for each network to tie up to a bridge
      • then you have to define a 'second layer interface' based on the created bridge
      • you need to allow the 'network-related dummy interfaces' to communicate with each other

      Starting with the last point, which I ran into yesterday: without that allow rule,

      • you can reach both networks from some other VLAN (if allowed)
      • and each 'bridge dummy VLAN' can reach the internet (if allowed)
      • however 'dummy VLAN1' cannot reach 'dummy VLAN2'

      Here are some pictures to make the situation 'visible':

      [four screenshots]

      Of course this is not an elegant solution IMHO. The bridge should tie VLANs together, not 'pfSense interfaces'.

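As an added example (not from this thread and not pfSense's own code), a small Python model of the third point above: a first-match rule lookup on each bridge member interface that reports member pairs with no pass rule between them, which is exactly the "dummy VLAN1 cannot reach dummy VLAN2" symptom. The Rule/Bridge classes, the interface names opt1..opt3, the `<iface>_net` destination tokens and the `internet_hosts` alias are constructed assumptions, not pfSense's actual config.xml format.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    """One firewall rule bound to a pfSense interface (constructed model)."""
    interface: str    # interface the rule is attached to, e.g. "opt1"
    action: str       # "pass" or "block"
    dst: str = "any"  # "any", "<iface>_net" (that interface's subnet) or an alias name

@dataclass
class Bridge:
    name: str
    members: list     # pfSense interfaces that are bridge members, e.g. ["opt1", "opt2"]

def first_match(rules, iface, dst_token):
    """Rules on an interface are evaluated top-down, first match wins.
    Only a destination of 'any' or exactly dst_token counts as a match here;
    alias names are treated as opaque and never match a subnet token."""
    for r in rules:
        if r.interface == iface and r.dst in ("any", dst_token):
            return r.action
    return None  # no matching rule: implicit default deny

def bridge_gaps(bridge, rules):
    """Return (src_member, dst_member) pairs where traffic arriving on src_member
    and destined for dst_member's subnet is not explicitly passed."""
    gaps = []
    for src in bridge.members:
        for dst in bridge.members:
            if src != dst and first_match(rules, src, f"{dst}_net") != "pass":
                gaps.append((src, dst))
    return gaps

# Constructed sample: the management VLAN exists as opt1 (VLAN on the 10G trunk)
# and opt2 (same VLAN ID on the 2.5G trunk), bridged together as bridge0.
MGMT_BRIDGE = Bridge("bridge0", ["opt1", "opt2"])
BEFORE = [
    Rule("opt3", "pass", "any"),             # some other VLAN may reach both networks
    Rule("opt1", "pass", "internet_hosts"),  # constructed alias for non-local destinations
    Rule("opt2", "pass", "internet_hosts"),
]
# The fix the post describes: let the two member interfaces talk to each other.
AFTER = BEFORE + [Rule("opt1", "pass", "opt2_net"), Rule("opt2", "pass", "opt1_net")]

if __name__ == "__main__":
    print("before:", bridge_gaps(MGMT_BRIDGE, BEFORE))  # [('opt1', 'opt2'), ('opt2', 'opt1')]
    print("after: ", bridge_gaps(MGMT_BRIDGE, AFTER))   # []
```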
      • netblues @louis2

        @louis2 Why?

        Bridges bridge Interfaces.

        VLANs in pfSense are not interfaces.

        So yes, it takes a few more steps, but it works.

        And as a matter of fact it is also performant.

        You can also try VXLAN if you wish, which is a new feature in pfSense Plus.

        Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.