General Setup Help



  • I've been working on this for 10 hours and I just can't figure it out.

    This is my hardware setup:
    1. Motherboard ethernet (re0)
    2. PCIE 6 connection ethernet card (em0, em1, em2, em3, em4, em5)
    3. PCIE Wireless card (ath0)

    Essentially, I want to use pfsense as a wireless router.

    This is what I have for assignments:
    WAN: re0
    LAN1: em0
    LAN2: em1
    LAN3: em2
    LAN4: em3
    LAN5: em4
    LAN6: em5
    WLAN: ath0

    1. I would like WAN to be the internet connection.  
    2. LAN1, LAN2, LAN3, LAN4, LAN5, LAN6 and WLAN to be on the same DHCP server and be able to communicate together.  (i.e. 192.168.1.10 - 192.168.1.100).
    3. I would like the web interface to be accessible through 192.168.1.1

    How can I accomplish this?  Bridge, VLAN?  I have no clue.

    Thanks in advance.



  • @jwar:

    1. I would like WLAN to be the internet connection.

    Is WLAN a typing error? Did you mean WAN (re0) instead of WLAN (ath0)?

    I suspect you want to form a number of interfaces into a bridge though it is unclear to me exactly which interfaces.

    Are you aware that you are unlikely to be able to have communication across all those interfaces at line rate concurrently? For high bandwidth requirements a switch would be a much more effective solution.



  • @wallabybob:

    @jwar:

    1. I would like WLAN to be the internet connection.

    Is WLAN a typing error? Did you mean WAN (re0) instead of WLAN (ath0)?

    Yes that is a typo.  I edited the original post.



  • @wallabybob:

    I suspect you want to form a number of interfaces into a bridge though it is unclear to me exactly which interfaces.

    Is it possible to do a bridge for LAN1, LAN2, LAN3, LAN4, LAN5, LAN6, WLAN?

    @wallabybob:

    Are you aware that you are unlikely to be able to have communication across all those interfaces at line rate concurrently? For high bandwidth requirements a switch would be a much more effective solution.

    I was not aware.  What is the best way to set this up as is?



  • @jwar:

    I was not aware.  What is the best way to set this up as is?

    Depends on your requirements. If you need filtering between the interfaces, what you're describing with bridging is your best bet. But you're not going to get multi-Gbps throughput most likely (you didn't mention specs of the system), and at a minimum, you'll have some degradation of performance compared to a switch because you're applying filtering to everything on every port. Whether it matters or is even measurable in your circumstances depends. Generally you're best served by having a switch on LAN if it's a typical home or office LAN, what you're describing is more desirable than a switch in some other circumstances.



  • @cmb:

    @jwar:

    I was not aware.  What is the best way to set this up as is?

    Depends on your requirements. If you need filtering between the interfaces, what you're describing with bridging is your best bet. But you're not going to get multi-Gbps throughput most likely (you didn't mention specs of the system), and at a minimum, you'll have some degradation of performance compared to a switch because you're applying filtering to everything on every port. Whether it matters or is even measurable in your circumstances depends. Generally you're best served by having a switch on LAN if it's a typical home or office LAN, what you're describing is more desirable than a switch in some other circumstances.

    Thanks for the information.  This is setup for home but I'm going to be running a media server and apache web server.  I will be having max 7 wifi clients.

    These are the specs:
    Internet: 30MBps Down, 5MBps Up

    re0 = 1GBps, Motherboard
    em0,em1,em2,em3,em4,em5 = 1GBps PCIE 1.0 x8.
    ath0 = 802.11N but setup as 802.11g until pfsense 2.2 (freebsd 9.0).  It's PCIE x1 (Dlink DWA-556)

    CPU = Intel(R) Celeron(R) CPU G530 @ 2.40GHz.  Sandy Bridge
    RAM = 4GB
    Motherboard chipset = H61
    SSD = 2x 32GB SSD.  Software Raid 1

    It's a reasonably quick system.

    Would you still recommend a bridge?

    If so, could you list the assignments? (and IPv4 Configuration Type - None or Static (if so, what would it be?))

    Would the bridge run the DHCP?



  • OK, I'll have a go at writing instructions to configure a bridge. But what is the starting point? Have you installed pfSense but not yet configured the interfaces? Have you used the web GUI to configure interfaces and have pfSense names assigned for all the hardware interfaces?



  • @wallabybob:

    OK, I'll have a go at writing instructions to configure a bridge. But what is the starting point? Have you installed pfSense but not yet configured the interfaces? Have you used the web GUI to configure interfaces and have pfSense names assigned for all the hardware interfaces?

    Thank you.  I really appreciate the help.

    I have it installed and connected to the web interface.  I have 2 monitors and keyboards so that if I mess it up, I can reset everything from the pfsense box.



  • Here is my suggestion for configuring a bridge to act as the LAN interface on your pfSense box. Please read them through and ask about anything you don't understand. I suggest you don't do this until you understand what is being suggested. I haven't tested this so I may have inadvertently left out a detail or two.

    It appears you don't have a LAN interface. We'll make the new bridge the LAN interface. The pfSense LAN interface is special in that it has default firewall rules allowing access anywhere.

    It is not clear which interface has a configured IP address and DHCP server. I'll call this interface LANx in this description. I believe you could leave the IP address and DHCP on LANx and everything should work BUT this is likely to result in DHCP server reporting the wrong interface in its log (e.g. DHCP request on em1 when it actually was received on ath0 which is bridged to em1) so I am suggesting the IP address and DHCP server be moved to the bridge interface.

    You should have access to the physical console so you can request a reboot if anything goes wrong with access to the web GUI.

    This procedure saves a number of changes to the configuration file but doesn't apply those changes to the running system so as to reduce the likelihood of getting the running system into a confused state.

    1. Backup your configuration (Diagnostics-> Backup/Restore )

    2. On System -> Advanced click on System Tunables and change net.link.bridge.pfil_bridge to 1 and net.link.bridge.pfil_member to 0. (This changes the default behaviour to that of enabling firewall rule processing on the bridge interface and disabling it on each interface of a bridge member. This is probably what you want.) Click Save and DON'T Apply Changes.

    3. Check all the interfaces that are to be bridge members have Type=None EXCEPT for LANx. (At most one bridge member can have an IP address.)

    4. Create a bridge interface (Interfaces -> (assign) and click on the Bridges tab, then click on the + button.) In the Member Interfaces box select the LAN1, LAN2, LAN3, LAN4, LAN5, LAN6 and WLAN interfaces by holding the Ctrl key on your keyboard and clicking each one.  Put in a helpful description and click the Save button.

    5. On Interfaces -> (assign) there should be a + button on the lower right to indicate there is a system interface which has not been assigned a pfSense name. Click on the "+" and note the name of the new assignment. It should be something like OPT7. I'll call it OPTx.

    6. On Interfaces -> OPTx tick the Enable box and the Save button. Hereafter don't Apply Changes since the changes should be applied only to the configuration file (to take effect on the next boot) and shouldn't be applied to the currently running configuration.

    7. On Interfaces -> LANx change the name to LAN and Save.

    8. On Interfaces -> (assign) click the Interface Assignments tab, note the Network Port for the LAN interface, use the pulldown to change the Network Port for LAN to bridge0 AND change the network Port for OPTx to that previously used for the LAN interface then click Save.

    9. On Interfaces -> OPTx change the name to LANx (the previous name of the interface with IP address and enabled DHCP server) and click Save.

    10. Check the members of the bridge interface: Interfaces -> (assign), click on Bridges tab.

    11. Reboot and test.

    You might also like to read http://blog.qcsitter.com/BSDay/index.php?/archives/2-Bridging-the-pfSense-2.x-wireless-divide.html for another take on the challenge on creating bridges in pfSense.



  • Thank you very much for your help.

    Unfortunately it still isn't working.  I have tried what you suggested previously but it didn't work either.

    This is the configuration that I ended up with that didn't work.

    WAN (wan) -> re0 -> 72.xx.xx.xx DHCP
    LAN (lan) -> bridge1 -> 192.168.1.1
    LAN1 (opt1) -> em1 -> NONE
    LAN2 (opt2) -> em2 -> NONE
    LAN3 (opt3) -> em3 -> NONE
    LAN4 (opt4) -> em4 -> NONE
    LAN5 (opt5) -> em5 -> NONE
    LAN6 (opt6) -> em6 -> NONE
    WLAN (opt7) -> ath0 -> NONE

    bridge1:
    LAN1,LAN2,LAN3,LAN4,LAN5,LAN6,WLAN
    DHCP 192.168.1.10-192.168.1.100

    Did I do anything wrong?



  • @jwar:

    Unfortunately it still isn't working.  I have tried what you suggested previously but it didn't work either.

    To get further help from me you will need to be much more specific about what isn't working - my telepathic skills are particularly poor. Clearly something on the system is working because:
    1. My last instruction was "Reboot and test" which will have cleared the IP address on the WAN interface.
    2. The WAN interface now has an  IP address.

    A report along the lines of "I did … and ... happened but I expected ... to happen." would at least be a bit more useful than "It doesn't work".

    Have you engaged in any troubleshooting? If so, what have you investigated and what have you found?



  • When I say it doesn't work, I mean that none of the ethernet connections connect.  They aren't assigned IPs by the DHCP.  If I assign an IP manually, it doesn't connect either.

    After hours of testing, I finally got a configuration that seems to work.  All connections are getting IPs like 192.168.1.10, 192.168.1.11, 192.168.1.12, etc.

    This is what works.

    WAN (wan) -> re0 -> 72.xx.xx.xx DHCP
    LAN (lan) -> bridge1 -> 192.168.1.1
    LAN1 (opt1) -> em1 -> 192.168.2.1 
    LAN2 (opt2) -> em2 -> 192.168.3.1 
    LAN3 (opt3) -> em3 -> 192.168.4.1 
    LAN4 (opt4) -> em4 -> 192.168.5.1 
    LAN5 (opt5) -> em5 -> 192.168.6.1 
    LAN6 (opt6) -> em6 -> 192.168.7.1 
    WLAN (opt7) -> ath0 -> 192.168.8.1

    bridge1:
    LAN1,LAN2,LAN3,LAN4,LAN5,LAN6,WLAN
    DHCP 192.168.1.10-192.168.1.100

    What do you think of the configuration?



  • @jwar:

    What do you think of the configuration?

    You shouldn't need to have IP addresses on any of the interfaces except WAN and LAN.

    I'm a bit surprised there is a bridge1 in that the first bridge is normally bridge0. Maybe there is a bridge0 hanging around from previous experimentation. Please provide the output of pfSense shell command: ifconfig

    @jwar:

    After hours of testing, I finally got a configuration that seems to work.  All connections are getting IPs like 192.168.1.10, 192.168.1.11, 192.168.1.12, etc.

    Have you tested across a number of pfSense interfaces or only a few? On what interface does DHCP server report that it received  DHCP requests? (See Status -> System Logs, click on DHCP tab)?

    I have only ever created a two member bridge. Maybe there are some scaling issues. On my system only the bridge interface has an IP address, neither of its members have an IP address.

    I notice my instructions didn't say to enable all the LANx and WLAN interfaces. Perhaps they weren't enabled initially (or even one wasn't initially enabled) and then became enabled in your subsequent changes.



  • @wallabybob:

    @jwar:

    What do you think of the configuration?

    You shouldn't need to have IP addresses on any of the interfaces except WAN and LAN.

    I'm a bit surprised there is a bridge1 in that the first bridge is normally bridge0. Maybe there is a bridge0 hanging around from previous experimentation. Please provide the output of pfSense shell command: ifconfig

    Yes, I have reverted back to bridge0.
    I have played around with this for at least another 6 hours in every combination.  I can't get it to DHCP across NICs.  My previous setup no longer works (same description for what doesn't work in previous post).

    I am extremely frustrated and have tried every combination I can think of.  I even tried bridging in the WAN since it's on a different NIC.  I don't know what else to try.



  • wallabybob - I finally figured it out.  Thank you very much for your help.  It is greatly appreciated.

    Now I have to figure out how to setup the firewall rules…



  • @jwar:

    wallabybob - I finally figured it out.

    Thanks for reporting back. What was the key? Was there something missing from the instructions or something unclear?



  • @wallabybob:

    @jwar:

    wallabybob - I finally figured it out.

    Thanks for reporting back. What was the key? Was there something missing from the instructions or something unclear?

    I'm not exactly sure.  I have it setup as you suggested but it's really sensitive to changes.  I have already had to go back to the original settings to get it working after a reboot (I've been changing firewall rules and adding packages.)

    I'll post the final settings when I get everything setup as I want it.



  • Update: I set up 4 static IP DHCP leases under the bridge and it stopped working.  After playing around and changing the wireless adapter to 802.11b (from 802.11g), it fixed the problem.  When I rebooted and tried to go back to 802.11g, it stopped working again.  I don't know if this is a bug but this may have been my problem all along.  I played with lots of different combinations before I got the whole setup to work.  It's worth noting that 802.11g has worked in the past under different settings.

    I don't think my wireless adapter is fully/properly supported (DLINK DWA-556).  It's an 802.11n wireless adapter.  I guess I'm just going to have to wait for v2.2 before everything will work as it should.


  • Netgate Administrator

    I'm surprised it works as 'b' and not 'g'.
    Have you tried one of the 2.1 snapshots?

    In fact the DWA-556 is the one card that is listed as working!

    Steve



  • @stephenw10:

    I'm surprised it works as 'b' and not 'g'.
    Have you tried one of the 2.1 snapshots?

    In fact the DWA-556 is the one card that is listed as working!

    Steve

    Yes, I'm getting strange and inconsistent results.  How can setting up static DHCP IP address (using MAC addresses) stop the wireless from connecting?  Why does it get fixed when I change the wireless settings?

    I'm wondering if I should set up a firewall rule to force the DHCP port on all my bridge interfaces to go to the LAN interface (bridge).  I think it's port 67 or 68.  Right now I have firewall rules on every interface wide open.

    Any advice would be appreciated.


  • Netgate Administrator

    I would still be suspicious of your slightly odd bridge setup.  ;)

    Try taking the wifi interface out of the bridge as a test.

    Steve



  • @stephenw10:

    I would still be suspicious of your slightly odd bridge setup.  ;)

    Try taking the wifi interface out of the bridge as a test.

    Steve

    Imagine my 6 port NIC had 1 port.  How odd would it be then?  
    -WLAN on motherboard
    -PCIE Adapter
    -PCIE Wireless Adapter
    -Bridge the 2 PCIE adapters

    I'm sure lots of people have the above setup.

    Thanks.  I'm certain the wireless adapter is the problem.  I'm just not sure what to do about it.


  • Netgate Administrator

    The odd thing about your bridge is not the six channel NIC it's the fact that you have a different subnet on each interface whilst they are all bridged together.
    I think you have a danger of getting routing issues. If a packet arrives at em1 with destination em2 subnet then it can reach it either via the bridge (which will happen as all traffic is passed over the bridge) or be routed by pfSense to em2 which will also happen. Problem, possibly.

    You should really have it as Wallabybob laid out in his earlier post.

    Did you ever set the sysctls to move firewalling from bridge members to the bridge interface?

    Steve

    Edit: Actually I'm a bit confused about how you ended up configuring it.  ???
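
Added example (not part of any post in this thread, and not pfSense's own code): a POSIX sh audit of the layout that wallabybob's bridge procedure and the reply above both call for, with only the bridge holding an IPv4 address and filtering moved from the members to the bridge. The function names and the sample `ifconfig`/`sysctl` text are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a bridge against the layout recommended in this thread.
#   - the bridge holds the IPv4 address; member interfaces hold none
#   - net.link.bridge.pfil_bridge=1, net.link.bridge.pfil_member=0
# Live use: audit_bridge bridge0 "$(ifconfig)" "$(sysctl net.link.bridge)"

# Constructed, trimmed ifconfig text (not captured from a real system):
# em1 still carries a per-port address, as in the poster's interim setup.
SAMPLE_IFCONFIG='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    status: active
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    status: running
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    member: ath0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'
# Constructed sysctl text with the two tunables not yet changed.
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0'

# Print the member interfaces of bridge $1 (ifconfig text on stdin).
bridge_members() {
    awk -v br="$1" '
        /^[a-z]/ { cur = $1; sub(/:$/, "", cur) }   # start of an interface stanza
        cur == br && $1 == "member:" { print $2 }'
}

# Print the IPv4 addresses configured on interface $1 (ifconfig text on stdin).
iface_inet() {
    awk -v ifn="$1" '
        /^[a-z]/ { cur = $1; sub(/:$/, "", cur) }
        cur == ifn && $1 == "inet" { print $2 }'
}

# Print the value of sysctl OID $1 (sysctl text on stdin).
sysctl_value() {
    awk -v oid="$1:" '$1 == oid { print $2 }'
}

# $1 = bridge, $2 = ifconfig text, $3 = sysctl text.
# Prints one finding per line; returns 0 only when nothing was found.
audit_bridge() {
    nl='
'
    findings=""
    [ -n "$(printf '%s\n' "$2" | iface_inet "$1")" ] ||
        findings="${findings}$1 has no IPv4 address${nl}"
    for m in $(printf '%s\n' "$2" | bridge_members "$1"); do
        for ip in $(printf '%s\n' "$2" | iface_inet "$m"); do
            findings="${findings}member $m has its own address $ip${nl}"
        done
    done
    [ "$(printf '%s\n' "$3" | sysctl_value net.link.bridge.pfil_bridge)" = 1 ] ||
        findings="${findings}pfil_bridge is not 1: no filtering on the bridge interface${nl}"
    [ "$(printf '%s\n' "$3" | sysctl_value net.link.bridge.pfil_member)" = 0 ] ||
        findings="${findings}pfil_member is not 0: member interfaces are still filtered${nl}"
    printf '%s' "$findings"
    [ -z "$findings" ]
}

audit_bridge bridge0 "$SAMPLE_IFCONFIG" "$SAMPLE_SYSCTL" ||
    echo "layout differs from the one recommended in the thread"
```

Run after each reboot, this shows whether an address has crept back onto a member or whether the tunables were saved but never took effect.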



  • @stephenw10:

    The odd thing about your bridge is not the six channel NIC it's the fact that you have a different subnet on each interface whilst they are all bridged together.
    I think you have a danger of getting routing issues. If a packet arrives at em1 with destination em2 subnet then it can reach it either via the bridge (which will happen as all traffic is passed over the bridge) or be routed by pfSense to em2 which will also happen. Problem, possibly.

    You should really have it as Wallabybob laid out in his earlier post.

    Did you ever set the sysctls to move firewalling from bridge members to the bridge interface?

    Steve

    Steve, I mentioned in a later post that I have it set up as wallabybob suggested.  But it only works properly some of the time.

    -The 6 channels and the WLAN are setup as Type (IPv4)="None".  
    -LAN = bridge0
    -bridge0 has the 6 channels and the WLAN
    -Only the LAN (bridge0) has Type=Static -> 192.168.1.1/24.  
    -Only the LAN (bridge0) is running a DHCP server 192.168.1.10 - 192.168.1.100
    -I have 3 devices from the 6 port NIC set up as static under the bridge0 DHCP server.  192.168.1.2, 192.168.1.3, 192.168.1.4
    -I have 3 devices from the WLAN set up as static under the bridge0 DHCP server.  192.168.1.5, 192.168.1.6, 192.168.1.7
    -Firewall rules have been added to each interface and are wide open
    -net.link.bridge.pfil_bridge is 1 and net.link.bridge.pfil_member is 0

    Sometimes when I make a small change and then reboot (i.e. assigning static DHCP), nothing will connect or get an IP assigned by the DHCP server.  I have found that the fix is to change em0 to Type=Static -> 192.168.2.1 (no DHCP server).  Then everything will reconnect and go back to their original setup including getting the right static IP assigned.  If I change em0 to Type="None" and then save/apply, everything keeps working until I reboot.

    Do you have any idea what's going on?  Are there logs I can post that would help?

    Thanks for your input.


  • Netgate Administrator

    See I told you I was confused!  ::)

    The only thing I can see is that you have open firewall rules on each interface but with net.link.bridge.pfil_member=0 you shouldn't need any rules on the member interfaces. I wonder if that may be an untested situation, rules set but filtering disabled? I doubt it.

    You should certainly check the firewall logs however it will only show traffic that is blocked by the default block rule. Any traffic that is caught by one of your rules will not be shown unless you have ticked the 'Log packets that are handled by this rule' check box. Thus if, for whatever reason, you have rules that are catching traffic and routing it incorrectly you won't see that.

    Since there is some suspicion over the wifi interface it would be a useful test to remove that from the bridge and see how that alters the behaviour.

    Steve



  • @stephenw10:

    See I told you I was confused!  ::)

    The only thing I can see is that you have open firewall rules on each interface but with net.link.bridge.pfil_member=0 you shouldn't need any rules on the member interfaces. I wonder if that may be an untested situation, rules set but filtering disabled? I doubt it.

    You should certainly check the firewall logs however it will only show traffic that is blocked by the default block rule. Any traffic that is caught by one of your rules will not be shown unless you have ticked the 'Log packets that are handled by this rule' check box. Thus if, for whatever reason, you have rules that are catching traffic and routing it incorrectly you won't see that.

    Since there is some suspicion over the wifi interface it would be a useful test to remove that from the bridge and see how that alters the behaviour.

    Steve

    Ok thank you.  I will try that and post the results.



  • Also check the system log (Status -> System Logs) for interface events around the time the problem first appears.



  • I figured out the wireless problem.  It turns out that the automatic channel feature is not working.  I was getting tons of stuck beacons and it would eventually stop working.  The solution was to look at the channels used and force a channel (in this case channel 3 was open).  802.11b was working fine because it wasn't being used by my neighbors.

    Thanks everyone for the help.  My general setup is working.  Now I'm working on setting up packages and firewall rules, NAT, etc.

