    Bridge LAN ports to act like a switch

    General pfSense Questions
      ptr727 last edited by

      Hi, new user here.
      Just bought a Hacom Mars Twitter (http://www.hacom.net/catalog/mars-twitter-d525-pfsense-appliance)

      The box has 4 gigabit ports, one used as WAN, one used as LAN.
      I want to use the two unused ports as LAN ports, as if they are all part of a switch.

      How would I go about configuring that?

      P.

        cmb last edited by

        Keep in mind if you want switch-like performance, you'll need a switch instead. If you want to filter traffic between the interfaces and don't mind some reduction in throughput, then bridging is a good way to go.
        http://doc.pfsense.org/index.php/Interface_Bridges
        http://doc.pfsense.org/index.php/What_is_a_bridged_interface_and_how_would_one_be_used%3F

          ptr727 last edited by

          Ok, thank you.
          I'll try to setup a bridge, and see how it performs.

          P.

            stephenw10 Netgate Administrator last edited by

            There's a nice step-by-step guide here:
            http://blog.qcsitter.com/BSDay/index.php?/archives/2-Bridging-the-pfSense-2.x-wireless-divide.html
            It's written specifically for bridging LAN with a WLAN interface so just ignore the wifi specific parts. Also it starts from the very beginning including all the initial pfSense setup which you have obviously already done.

            Steve

              falcon7700 last edited by

              (still not solved)

              I am trying to build the same configuration. LAN ports are bridged like a switch; normal
              firewall functionality from LAN <> WAN.

              Unfortunately, all the dox talk about bridging between LAN and WAN- which is a nice thing to
              do, but not what is needed.

              When you go to Network -> Interfaces -> Bridges, you have to select 2 interfaces to bridge, and the only two
              options are "LAN" and "WAN".

              How to get Lan0, Lan1, Lan2 onto that list????

                stephenw10 Netgate Administrator last edited by

                @falcon7700:

                How to get Lan0, Lan1, Lan2 onto that list????

                Interfaces have to be both assigned and enabled before they appear in that list.

                There still seem to be loads of questions about this.
                It's quite surprising because you would only ever want to do this if you have a multi-interface and, hence high value, box but have spare interfaces and don't need high performance! You can get much better performance for much less money with a switch and an Atom.  ::)
                Anyway clearly the existing docs are not sufficient.
                The blog post I linked to above pretty much described it perfectly though. (Seems to be off-line now, and not in the way back machine  :()
                Here's what I would do however it depends on how many ports you have available as to the exact procedure.
                I assume you have already setup a WAN interface and a LAN interface and that they are working correctly. Also that you have at least two further unassigned interfaces.
                The final configuration you want is your LAN assigned as bridge0 and bridge0 containing all your additional interfaces. See attached screenshots.

                1. Assign your additional interfaces and enable them with type 'none'. They will come up as OPT1, OPT2 etc.
                2. Switch bridge filtering from the bridge members onto the bridge itself (assuming you don't need to apply firewall rules between devices on the bridge/switch). Go to System: Advanced: System Tunables: and edit the two values.
                Change net.link.bridge.pfil_member to 0.
                Change net.link.bridge.pfil_bridge to 1.
                Apply these changes.
                3. Now create a bridge in Interfaces: (assign): Bridges: and add to it the additional interfaces you just created, you can select multiple interfaces by holding Ctrl. I named the bridge 'Switch Configuration' to remind me how I have configured it.
                4. Now go to Interfaces: (assign) and change the LAN assignment to bridge0. Save and reconnect your ethernet cable to one of the bridge interfaces. It should come back up, however you will want to make sure you have console access before you do this as if you've done something different you could end up locked out!  ;)
                5. Assign the interface that was originally assigned to LAN and enable it with type 'none'. Add it to bridge0 to include it in the 'switch'.

                There is no need to alter the firewall rules for this configuration change since we have changed bridge filtering to be on the bridge itself and bridge0 inherits the LAN rules.

                I just wrote that from memory but I'm testing it now….

                Steve

                Edit: Seems to work mostly. I switched around steps 2 and 3, it seems you have to change the filtering sysctls before you create the bridge. I didn't and had to reboot the box from the console so that the bridge came up with filtering in the correct place.

                ![Switch Interface Assignments.jpg](/public/imported_attachments/1/Switch Interface Assignments.jpg)
                ![Switch Bridge.jpg](/public/imported_attachments/1/Switch Bridge.jpg)

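An added check, not part of the thread or of pfSense, that models the end state Steve's steps are meant to produce (filtering sysctls switched to the bridge, LAN assigned to bridge0, every other NIC a type-'none' member of the bridge) and flags the deviations this thread trips over. The sysctl and ifconfig text and the interface names em0..em3 are constructed samples, not captured from a real box.

```python
import re

# --- Constructed sample data (not captured from a real pfSense box) ---------
# What `sysctl net.link.bridge` prints after step 2 (filter on bridge, not members).
SYSCTL_OUTPUT = """\
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 0
"""

# Abbreviated `ifconfig bridge0` output after step 5: three NICs are members.
IFCONFIG_BRIDGE0 = """\
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        member: em3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
"""

# Interfaces: (assign) after step 5, modelled as name -> (device, config type).
# em1 is the NIC that used to be LAN and was re-added as OPT3 in step 5.
ASSIGNMENTS = {
    "wan":  ("em0", "dhcp"),
    "lan":  ("bridge0", "static"),
    "opt1": ("em2", "none"),
    "opt2": ("em3", "none"),
    "opt3": ("em1", "none"),
}


def parse_sysctl(text):
    """Turn 'net.link.bridge.X: N' lines into {name: int}; other lines are ignored."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^(net\.link\.bridge\.\S+):\s*(-?\d+)$", line.strip())
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def parse_bridge_members(text):
    """Return the set of member device names listed in `ifconfig bridgeN` output."""
    return set(re.findall(r"^\s*member:\s*(\S+)", text, re.MULTILINE))


def check_switch_bridge(sysctl, assignments, members, bridge="bridge0",
                        lan="lan", wan="wan"):
    """Return a list of findings; an empty list means the layout matches the procedure."""
    findings = []
    # 1. Step 2: filtering must be on the bridge, not its members, or the LAN rules
    #    that bridge0 inherits are never what actually gets evaluated.
    if sysctl.get("net.link.bridge.pfil_member") != 0:
        findings.append("pfil_member is not 0: rules are evaluated on each member NIC")
    if sysctl.get("net.link.bridge.pfil_bridge") != 1:
        findings.append("pfil_bridge is not 1: LAN rules are not applied to bridge traffic")
    # 2. Step 4: LAN itself must be the bridge, so the bridge carries LAN's IP, DHCP and rules.
    lan_dev = assignments.get(lan, ("?", ""))[0]
    if lan_dev != bridge:
        findings.append(f"{lan} is assigned to {lan_dev} rather than {bridge}")
    # 3. Steps 3 and 5: every non-WAN physical NIC must be a bridge member or it is a dead port.
    physical = {n: dev for n, (dev, _) in assignments.items() if not dev.startswith("bridge")}
    for name, dev in physical.items():
        if name != wan and dev not in members:
            findings.append(f"{name} ({dev}) is not a member of {bridge}: port will be dead")
    # 4. Members carry no address of their own; the IP lives on the bridge (type 'none').
    for name, (dev, itype) in assignments.items():
        if dev in members and itype != "none":
            findings.append(f"{name} ({dev}) is a bridge member but has type '{itype}'; use 'none'")
    # 5. A member that is not assigned/enabled as an interface will not behave as expected.
    for dev in sorted(members - set(physical.values())):
        findings.append(f"{dev} is in {bridge} but is not assigned as an interface")
    return findings


if __name__ == "__main__":
    problems = check_switch_bridge(parse_sysctl(SYSCTL_OUTPUT), ASSIGNMENTS,
                                   parse_bridge_members(IFCONFIG_BRIDGE0))
    print("OK: bridge matches the 'LAN as bridge0' layout" if not problems
          else "\n".join("- " + p for p in problems))
```

On a real box the two inputs come from `sysctl net.link.bridge` and `ifconfig bridge0` at the console; the assignment table is what the Interfaces: (assign) page shows.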
                  falcon7700 last edited by

                  Excellent!  Thanks for going through that.

                  I had already figured out the assignments and bridge creation- but the filtering tweak
                  is new info.

                  (I wish someone built a 1U box with an Atom mb and a small switch- how hard would that be????)

                    balubeto last edited by

                    In step 4, how do I, from the console, rename the LAN to the bridge0 interface, change the configuration type of the bridge0 interface and add it to the "Switch configuration" bridge?

                    When I connect the computer (with a fixed IP address) to a port of the "Switch configuration" bridge, will I have to change any network parameters on this computer?

                    Thanks

                    Bye

                    balubeto

                      stephenw10 Netgate Administrator last edited by

                      The instructions are for configuring from the webgui.
                      Whilst it's possible to do this from the console it's far more complex.

                      Steve

                        balubeto last edited by

                        @stephenw10:

                        The instructions are for configuring from the webgui.
                        Whilst it's possible to do this from the console it's far more complex.

                        Steve

                        So could you better explain steps 4 and 5?

                        Is there a way to avoid having to change the Ethernet port in step 4?

                        If in step 5 I set the configuration type to "none", all LAN interfaces remain without an IP address. So, how do I operate a network device connected to one of these interfaces?

                        Thanks

                        Bye

                        balubeto

                          wallabybob last edited by

                          In step 4 device bridge0 gets all the LAN attributes (including the IP address) when bridge0 is assigned to LAN.

                          @balubeto:

                          If in step 5 I set the configuration type to "none", all LAN interfaces remain without an IP address. So, how do I operate a network device connected to one of these interfaces?

                          But your physical interfaces are members of a bridge and the bridge has an IP address so (effectively) all the bridge members have the bridge IP address.

                            stephenw10 Netgate Administrator last edited by

                            @balubeto:

                            So could you better explain steps 4 and 5?

                            Hmm, I can't see how I can explain it better.
                            @stephenw10:

                            4. Now go to Interfaces: (assign) and change the LAN assignment to bridge0. Save and reconnect your ethernet cable to one of the bridge interfaces.

                            Do that. Make it look like my 2nd screen shot above.

                            In step 5 after you have changed the interface assigned to LAN (to Bridge0) you will have a spare interface which can be added to the bridge.

                            Steve

                              balubeto last edited by

                              @wallabybob:

                              In step 4 device bridge0 gets all the LAN attributes (including the IP address) when bridge0 is assigned to LAN.

                              @balubeto:

                              If in step 5 I set the configuration type to "none", all LAN interfaces remain without an IP address. So, how do I operate a network device connected to one of these interfaces?

                              But your physical interfaces are members of a bridge and the bridge has an IP address so (effectively) all the bridge members have the bridge IP address.

                              Ok but how do I view and change the IP address of Bridge0 so that it has 192.168.1.254 as IP?

                              In other words, is it possible to have this configuration:

                              1. 10.0.0.1          ---> WAN Gateway

                              2. 192.168.1.1      ---> LAN Gateway (in order to access the firewall with this IP address)

                              3. 192.168.1.254   ---> Bridge0

                              If so, how do I do this?

                              Thanks

                              Bye

                              balubeto

                                wallabybob last edited by

                                @balubeto:

                                Ok but how do I view and change the IP address of Bridge0 so that it has 192.168.1.254 as IP?

                                Assuming you followed Steve's instructions, go to web page Interfaces -> LAN, set IP address or other attributes then click on Save (to update the configuration file) and Apply (to update the running system).

                                But if you followed Steve's instructions, why do you need to change the IP address?

                                If you change the IP address of the pfSense interface on which you are accessing the system I expect you will find it necessary to restart pfSense and then adjust the IP address on the system you are using to access pfSense so that they are both the same IP subnet (get new DHCP lease if the client uses DHCP, change static IP address otherwise).

                                  balubeto last edited by

                                  Ok but how do I view and change the IP address of Bridge0 so that it has 192.168.1.254 as IP?

                                  In other words, is it possible to have this configuration:

                                  1. 10.0.0.1          ---> WAN Gateway

                                  2. 192.168.1.1      ---> LAN Gateway (in order to access the firewall with this IP address)

                                  3. 192.168.1.254  ---> Bridge0

                                  If so, how do I do this?

                                  Thanks

                                  Bye

                                  balubeto

                                    wallabybob last edited by

                                    @balubeto:

                                    Ok but how do I view and change the IP address of Bridge0 so that it has 192.168.1.254 as IP?

                                    Why?

                                    If LAN is assigned to bridge0 and LAN is configured to have IP address 192.168.1.1 then bridge0 gets 192.168.1.1.

                                    It is possible to assign multiple IP addresses to an interface, but do you really need that?

                                      stephenw10 Netgate Administrator last edited by

                                      In your original post, here, you asked about configuring your machine to have 1 WAN port and the other 4 ports configured as a single LAN. That is what I have explained.
                                      Do you now want to have 1 WAN, 1 LAN and the three other ports configured as a switch? (a different interface)

                                      Steve

                                        balubeto last edited by

                                        I would simply like to create a bridge that joins the 4 network cards in order to create a 192.168.1.x network. I tried to follow the stephenw10 method, but, after completing step 5, I can no longer access my firewall in any way with my computer that has Windows 7 SP1 64 bit. How come?

                                        Thanks

                                        Bye

                                        balubeto

                                          wallabybob last edited by

                                          @balubeto:

                                          after completing step 5, I can no longer access my firewall in any way with my computer that has Windows 7 SP1 64 bit. How come?

                                          It is almost impossible to say because you haven't told us exactly what you have done and you haven't told us how you are attempting to access the firewall and what response you are getting.

                                          1. How are you trying to access the firewall? (ping? web? … ) What response do you get?

                                          2. Have you tried connecting the Windows system to another port that is a member of the bridge? What response do you get then?

                                          3. You asked about setting LAN interface to 192.168.1.254 when it was apparently previously set to 192.168.1.1. There was no explanation why you wanted to do this. PERHAPS you didn't quite follow Steve's instructions and have ended up with inconsistencies in your network. In a small number of cases I have found my pfSense sometimes has seemed to need to be rebooted after "significant" changes to IP addresses. Have you rebooted pfSense? Have you verified your Windows system and the pfSense LAN interface are on the same IP subnet?

                                            chpalmer last edited by

                                            In order for you to accomplish what you wish you have to make changes that will possibly lock you out if you don't think clearly about what you do and how each step will affect the setup.

                                            Keep in mind that you have to keep a reachable interface at all times.

                                            When you decide on what LAN subnet you wish to use I'd create one of the physical interfaces with another temporary subnet. Build the bridge, give it its address, add the remaining interfaces to it and verify they work, and configure the rest of the firewall from the bridge including adding the final interface that was given the original temporary address, because once you make that interface "none", it will be useless until you add it to the bridge.

                                            My guess is that unless you left a way to configure via the wan interface that you need to start over.

                                            Triggering snowflakes one by one..

                                              stephenw10 Netgate Administrator last edited by

                                              @balubeto:

                                              after completing step 5, I can no longer access my firewall in any way

                                              You are able to access it after step 4 though?

                                              If you have locked yourself out of the box for whatever reason, and rebooting does not solve it, you can temporarily disable the firewall from the console. Described here:
                                              http://doc.pfsense.org/index.php/I_locked_myself_out_of_the_WebGUI,_help!#Remotely_Circumvent_Firewall_Lockout_by_Temporarily_Changing_the_Firewall_Rules

                                              Once you have access modify your firewall rules to prevent the lockout.

                                              Steve

                                                balubeto last edited by

                                                In practice, after step 4, I have to restart the firewall from the console to perform step 5 via web.

                                                Instead, after step 5, Windows 7 identifies the connection as an unidentified public network. Then the Internet no longer works and I can no longer access the firewall via web with the IP address 192.168.1.1.

                                                So, anyone have any idea on how to fix this?

                                                Thanks

                                                Bye

                                                balubeto

                                                  stephenw10 Netgate Administrator last edited by

                                                  Windows 7 complains because the MAC of the bridge interface is regenerated each time at boot, because it's not a real NIC.
                                                  To prevent this happening you can set a MAC address for the bridge interface which will be used every time. You can do this under Interface: Lan: (assuming LAN is assigned as bridge0).

                                                  See: http://forum.pfsense.org/index.php/topic,54666.0.html

                                                  Steve

                                                    balubeto last edited by

                                                    @stephenw10:

                                                    Windows 7 complains because the MAC of the bridge interface is regenerated each time at boot, because it's not a real NIC.
                                                    To prevent this happening you can set a MAC address for the bridge interface which will be used every time. You can do this under Interface: Lan: (assuming LAN is assigned as bridge0).

                                                    See: http://forum.pfsense.org/index.php/topic,54666.0.html

                                                    Steve

                                                    In the Interface: Lan window, do I have to insert the MAC address of the network card of the computer or of a network card of the firewall?

                                                    Thanks

                                                    Bye

                                                    balubeto

                                                      stephenw10 Netgate Administrator last edited by

                                                      No. Do not use one of the existing MAC addresses. Make up a MAC and use that. It doesn't matter what the address is just that you have defined one to use to prevent pfSense choosing a new one each time at boot.

                                                      Steve

                                                        balubeto last edited by

                                                        @stephenw10:

                                                        No. Do not use one of the existing MAC addresses. Make up a MAC and use that. It doesn't matter what the address is just that you have defined one to use to prevent pfSense choosing a new one each time at boot.

                                                        Steve

                                                        How do I create a valid MAC address?

                                                        Thanks

                                                        Bye

                                                        balubeto

                                                          stephenw10 Netgate Administrator last edited by

                                                          It simply has to be the correct length of hexadecimal figures. For example you could use: 00:11:22:33:44:55
                                                          That would be obviously fake which is useful to anyone trying to diagnose a problem later.
                                                          See screenshot from my Status: Interfaces: page.

                                                          Steve

                                                          ![bridge status.jpg](/public/imported_attachments/1/bridge status.jpg)

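An added helper, not from the thread or from pfSense, for the "make up a MAC" step above: it checks that a hand-written address is a well-formed unicast MAC of the right length, as Steve describes, and generates one with the IEEE locally-administered bit set (the `02:` style prefix), which the thread does not mention but keeps an invented address out of every vendor's OUI range. The sample addresses are constructed.

```python
import os
import re

# Six hex octets separated by ':' (pfSense style) or '-' (Windows style).
MAC_RE = re.compile(r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})"
                    r"[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$")


def classify_mac(mac):
    """Parse a MAC and report the two flag bits of its first octet.

    Bit 0 (0x01) set  -> multicast/group address: never valid for an interface.
    Bit 1 (0x02) set  -> locally administered: not assigned from a vendor OUI.
    Raises ValueError when the text is not six hex octets.
    """
    m = MAC_RE.match(mac.strip().lower())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [int(x, 16) for x in m.groups()]
    return {
        "multicast": bool(octets[0] & 0x01),
        "locally_administered": bool(octets[0] & 0x02),
        "all_zero": all(o == 0 for o in octets),
    }


def is_usable_bridge_mac(mac):
    """True when the address can be put in the Interfaces: LAN MAC field."""
    try:
        info = classify_mac(mac)
    except ValueError:
        return False
    # A multicast or all-zero address is rejected or ignored by the stack.
    return not info["multicast"] and not info["all_zero"]


def make_local_mac(rand=os.urandom):
    """Generate a random unicast, locally administered MAC (first octet x2/x6/xA/xE).

    `rand` is injectable so the result can be checked deterministically.
    """
    b = bytearray(rand(6))
    b[0] = (b[0] | 0x02) & 0xFE   # set local bit, clear multicast bit
    return ":".join(f"{x:02x}" for x in b)


if __name__ == "__main__":
    for addr in ("00:11:22:33:44:55", "01:00:5e:00:00:01", make_local_mac()):
        print(addr, classify_mac(addr), "usable" if is_usable_bridge_mac(addr) else "NOT usable")
```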
                                                            extide last edited by

                                                            @balubeto:

                                                            Ok but how do I view and change the IP address of Bridge0 so that it has 192.168.1.254 as IP?

                                                            In other words, is it possible to have this configuration:

                                                            1. 10.0.0.1          ---> WAN Gateway

                                                            2. 192.168.1.1      ---> LAN Gateway (in order to access the firewall with this IP address)

                                                            3. 192.168.1.254  ---> Bridge0

                                                            If so, how do I do this?

                                                            Thanks

                                                            Bye

                                                            I think you are misunderstanding this. When you create a bridge the NIC doesn't have an IP anymore, the bridge actually has the IP, and the bridge represents any or all of the NICs in the bridge.

                                                            So you will end up like this:

                                                            1. 10.0.0.1          ---> WAN Gateway

                                                            2. 192.168.1.1      ---> Bridge0 / LAN Gateway (in order to access the firewall with this IP address)

                                                            There is no need for an additional IP.

                                                              balubeto last edited by

                                                              I tried to insert a fictitious MAC address on the LAN interface before including it in bridge0 but, then, Windows 7 still identifies the connection between my computer and the firewall as an unidentified network and thus I have the same problems as before. So when do I have to insert this MAC?

                                                              Thanks

                                                              Bye

                                                              balubeto

                                                                extide last edited by

                                                                Well, yes it will be unidentified initially, but once you mark that network as private, then it should stay that way.

                                                                  balubeto last edited by

                                                                  @extide:

                                                                  Well, yes it will be unidentified initially, but once you mark that network as private, then it should stay that way.

                                                                  No, the problem is that Windows 7 identifies the connection as an unidentified public network even if I restart the firewall from the console. Unfortunately, Windows 7 does not allow changing the network type, and then I can no longer access the firewall via web and the Internet. So, how do I fix this?

                                                                  Thanks

                                                                  Bye

                                                                  balubeto

                                                                    stephenw10 Netgate Administrator last edited by

                                                                    See my screenshot a few posts back for how it should be setup. My interface is named LAN5, yours will be named LAN.

                                                                    You need to insert the fake MAC onto LAN after you have assigned it as bridge0. The problem is that Windows looks at the MAC address of the DHCP server. The DHCP server is running on LAN (bridge0) so the MAC changes at every boot and Windows warns you that you have connected to a new, unknown, DHCP server.

                                                                    Steve

                                                                      extide last edited by

                                                                      Also once you have completed the above steps, you WILL get an 'unidentified network' popup, but once you accept it there it should not come up again.

                                                                        balubeto last edited by

                                                                        @stephenw10:

                                                                        See my screenshot a few posts back for how it should be setup. My interface is named LAN5, yours will be named LAN.

                                                                        You need to insert the fake MAC onto LAN after you have assigned it as bridge0. The problem is that Windows looks at the MAC address of the DHCP server. The DHCP server is running on LAN (bridge0) so the MAC changes at every boot and Windows warns you that you have connected to a new, unknown, DHCP server.

                                                                        Steve

                                                                        Is it possible to disable this DHCP server on LAN (bridge0)? If so, how do I do this?

                                                                        Thanks

                                                                        Bye

                                                                        balubeto

                                                                          stephenw10 Netgate Administrator last edited by

                                                                          You can disable the dhcp server. It won't help though. Unless you have spoofed the MAC on LAN Windows will still see it as a new network.

                                                                          Are you using all static IPs?

                                                                          Steve

                                                                          • E
                                                                            extide last edited by

                                                                            @balubeto:

                                                                            @stephenw10:

                                                                            See my screenshot a few posts back for how it should be setup. My interface is named LAN5, yours will be named LAN.

                                                                            You need to insert the fake MAC onto LAN after you have assigned it as bridge0. The problem is that Windows looks at the MAC address of the DHCP server. The DHCP server is running on LAN (bridge0) so the MAC changes at every boot and Windows warns you that you have connected to a new, unknown, DHCP server.

                                                                            Steve

                                                                            Is it possible to disable this DHCP server on LAN (Bridge0)? If so, how do I do this?

                                                                            Thanks

                                                                            Bye

                                                                            You probably don't want to do this. When you make the bridge you are essentially replacing Lan0, Lan1, Lan2, etc. with Bridge0. Nothing will be running directly on Lan0, 1, etc. anymore; everything that WAS running on Lan0, 1, etc. will now be running on bridge0.

                                                                            So, if you had DHCP before and would like to keep it, you will need to have it enabled. This is not 'another' DHCP server, this is the DHCP server.

                                                                            Now, if you were not using DHCP in the first place at all, then yes you would want to disable it.

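The fix the thread converges on is giving bridge0 a fixed, locally administered MAC so it no longer changes at every boot. The following is an added example (not from the thread or from pfSense) that derives a stable locally administered unicast MAC from a seed string and checks that a candidate MAC has the U/L bit set and the I/G bit clear; the seed string and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: choose and validate a stable "fake" MAC for bridge0.
# Rules encoded here (IEEE 802): in the first octet, bit 0 is I/G
# (1 = multicast, never valid for an interface address) and bit 1 is
# U/L (1 = locally administered, which is what a spoofed MAC should be).

# Returns 0 when $1 is a well-formed, unicast, locally administered MAC.
is_local_unicast_mac() {
    mac=$1
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$mac" in
        $h:$h:$h:$h:$h:$h) ;;
        *) return 1 ;;
    esac
    first=$((0x${mac%%:*}))
    [ $((first & 1)) -eq 0 ] && [ $((first & 2)) -ne 0 ]
}

# Derives a deterministic MAC of the form 02:00:xx:xx:xx:xx from a seed
# (e.g. the hostname). cksum is POSIX CRC-32, so the same seed always
# yields the same address, which is exactly what Windows' network
# identification needs across firewall reboots.
stable_local_mac() {
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    hex=$(printf '%08x' "$crc")
    printf '02:00:%s\n' "$(printf '%s' "$hex" | sed 's/\(..\)\(..\)\(..\)\(..\)/\1:\2:\3:\4/')"
}

# Usage (constructed seed). In pfSense this value goes into the MAC
# Address field of the LAN (bridge0) interface; the underlying FreeBSD
# command would be: ifconfig bridge0 ether "$mac"
mac=$(stable_local_mac "pfsense-bridge0")
if is_local_unicast_mac "$mac"; then
    echo "stable locally administered MAC for bridge0: $mac"
fi
```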
                                                                            • B
                                                                              balubeto last edited by

                                                                              I have found the main problem:

                                                                              Starting from the default pfSense parameters and performing the initial setup to make sure that the LAN and WAN interfaces are working with static addresses, I tried to insert the MAC address of my computer, or a fictitious MAC, in the MAC address field of the pfSense LAN interface. After applying these changes and restarting the firewall from the console, Windows 7 SP1 64-bit identifies the connection as an unidentified public network. How come?

                                                                              Thanks

                                                                              Bye

                                                                              balubeto

                                                                              • stephenw10
                                                                                stephenw10 Netgate Administrator last edited by

                                                                                Because the MAC has changed. However if you then reboot the box again you should find that Windows connects without a warning as the MAC will remain whatever you set it to be.
                                                                                Windows maintains a list of known networks with the MAC addresses of whatever it talks to on those networks. If it starts talking to a new MAC that isn't in the list it warns you.

                                                                                Steve

                                                                                • B
                                                                                  balubeto last edited by

                                                                                  @stephenw10:

                                                                                  Because the MAC has changed. However if you then reboot the box again you should find that Windows connects without a warning as the MAC will remain whatever you set it to be.
                                                                                  Windows maintains a list of known networks with the MAC addresses of whatever it talks to on those networks. If it starts talking to a new MAC that isn't in the list it warns you.

                                                                                  Steve

                                                                                  The problem is that, even if I restart the firewall from the console with the new MAC, Windows identifies the new connection directly as an unidentified public network without the possibility to change its type.

                                                                                  So, how do I change its type?

                                                                                  Thanks

                                                                                  Bye

                                                                                  balubeto

                                                                                  • M
                                                                                    matguy last edited by

                                                                                    @balubeto:

                                                                                    @stephenw10:

                                                                                    Because the MAC has changed. However if you then reboot the box again you should find that Windows connects without a warning as the MAC will remain whatever you set it to be.
                                                                                    Windows maintains a list of known networks with the MAC addresses of whatever it talks to on those networks. If it starts talking to a new MAC that isn't in the list it warns you.

                                                                                    Steve

                                                                                    The problem is that, even if I restart the firewall from the console with the new MAC, Windows identifies the new connection directly as an unidentified public network without the possibility to change its type.

                                                                                    So, how do I change its type?

                                                                                    Thanks

                                                                                    Bye

                                                                                    But, after it's set, do the Windows boxes keep notifying you again later? From what I understand, it should do it once after you set the MAC, but once Windows identifies it, as long as you don't change the bridge MAC again, it shouldn't keep bothering you.
