Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Firewall blocking traffic from LAN to WLAN on bridged network

    Firewalling
    1
    2
    1.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jvallery
      last edited by

      Hi All,

      My pfsense has 4 physical NICs and this is how they are connected:

      1. WAN1 -  Outbound to ISP1
      2. WAN2 -  Outbound to ISP2
      3. LAN - Connected to internal network switch
      4. WLAN - Connected to Wireless AP

      My wireless AP has the capability of VLAN tagging with multi SSID.  My goal is to have 2 wireless networks (internal and guest) and route those to two separate interfaces in pfsense to apply firewall rules and traffic throttling independent.  At this point I'm just trying to get a basic configuration working however.

      Currently I've setup a new bridge0 which combines LAN and WLAN.  My interfaces are configured as follows:

      BRIDGE- 192.168.1.1
      LAN - 192.168.1.1 (this seemed odd to me that two interfaces have the same IP but the guide I was following said this was the way to do it)
      WLAN - none

      I've setup DHCPD to run on bridge0.  I've setup a firewall rule that allows all traffic to/from bridge0 to pass.  I've setup firewall rules on LAN and WLAN to allow all traffic to bridge0.  I've set net.link.bridge.pfil_bridge to 1.  I've set a static IP address for my wireless AP in the correct subnet.

      What I've got right now is that clients can get an IP address from either the wireless network or from the wired network in the correct subnet from DHCP.  Clients on the LAN interface can connect to the internet.  Clients on the WLAN interface can only ping the gateway but no other devices on the network (nor access the internet).  Clients on the LAN cannot ping clients on the wireless network nor the wireless AP.

      So…  I feel like I'm really close in getting this working the way I want but I'm missing a firewall rule.  What haven't I thought of?

      Second question -- once this is working is it just a matter of adding in the VLAN interfaces and swapping them out and creating a new guest wireless interface?

      1 Reply Last reply Reply Quote 0
      • J
        jvallery
        last edited by

        After banging my head on this for far longer than I should have I realized the problem is that I'm doing this virtual.  My pFsense box is running on Vmware ESXi 5.0.  I didn't realize I needed to set my virtual switch into promiscuous mode in order for bridging to work properly.  After allowing promiscuous mode everything started working great!  Painful lesson learned in terms of time loss so hopefully someone else can avoid it by finding this post.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.