Bridge LAN ports to act like a switch


  • Netgate Administrator

    @balubeto:

    after completing step 5, I can no longer access my firewall in any way

    You are able to access it after step 4 though?

    If you have locked yourself out of the box for whatever reason, and rebooting does not solve it, you can temporarily disable the firewall from the console. Described here:
    http://doc.pfsense.org/index.php/I_locked_myself_out_of_the_WebGUI,_help!#Remotely_Circumvent_Firewall_Lockout_by_Temporarily_Changing_the_Firewall_Rules

    Once you have access modify your firewall rules to prevent the lockout.

    Steve



  • In practice, after step 4, I have to restart the firewall from the console to perform step 5 via web.

    Instead, after step 5, Windows 7 identifies the connection as an unidentified public network. Then the Internet no longer works and I can no longer access the firewall via web at the IP address 192.168.1.1.

    So, does anyone have any idea how to fix this?

    Thanks

    Bye


  • Netgate Administrator

    Windows 7 complains because the MAC of the bridge interface is regenerated each time at boot, because it's not a real NIC.
    To prevent this from happening you can set a MAC address for the bridge interface which will be used every time. You can do this under Interface: Lan: (assuming LAN is assigned as bridge0).

    See: http://forum.pfsense.org/index.php/topic,54666.0.html

    Steve



  • @stephenw10:

    Windows 7 complains because the MAC of the bridge interface is regenerated each time at boot, because it's not a real NIC.
    To prevent this from happening you can set a MAC address for the bridge interface which will be used every time. You can do this under Interface: Lan: (assuming LAN is assigned as bridge0).

    See: http://forum.pfsense.org/index.php/topic,54666.0.html

    Steve

    In the Interface: Lan window, do I have to insert the MAC address of the computer's network card or of one of the firewall's network cards?

    Thanks

    Bye


  • Netgate Administrator

    No. Do not use one of the existing MAC addresses. Make up a MAC and use that. It doesn't matter what the address is, just that you have defined one to use, to prevent pfSense choosing a new one each time at boot.

    Steve



  • @stephenw10:

    No. Do not use one of the existing MAC addresses. Make up a MAC and use that. It doesn't matter what the address is, just that you have defined one to use, to prevent pfSense choosing a new one each time at boot.

    Steve

    How do I create a valid MAC address?

    Thanks

    Bye


  • Netgate Administrator

    It simply has to be the correct length of hexadecimal figures. For example you could use: 00:11:22:33:44:55
    That would be obviously fake, which is useful to anyone trying to diagnose a problem later.
    See screenshot from my Status: Interfaces: page.

    Steve

    ![bridge status.jpg](/public/imported_attachments/1/bridge status.jpg)



  • @balubeto:

    Ok but how do I view and change the IP address of Bridge0 so that it has 192.168.1.254 as IP?

    In other words, is it possible to have this configuration:

    1. 10.0.0.1          --> WAN Gateway

    2. 192.168.1.1      --> LAN Gateway (in order to access the firewall with this IP address)

    3. 192.168.1.254  --> Bridge0

    If so, how do I do this?

    Thanks

    Bye

    I think you are misunderstanding this. When you create a bridge the NIC doesn't have an IP anymore, the bridge actually has the IP, and the bridge represents any or all of the NICs in the bridge.

    So you will end up like this:

    1. 10.0.0.1          --> WAN Gateway

    2. 192.168.1.1      --> Bridge0 / LAN Gateway (in order to access the firewall with this IP address)

    There is no need for an additional IP.



  • I tried to insert a fictitious MAC address on the LAN interface before including it in the Bridged0, but then Windows 7 still identifies the connection between my computer and the firewall as an unidentified network, and thus I have the same problems as before. So when do I have to insert this MAC?

    Thanks

    Bye



  • Well, yes it will be unidentified initially, but once you mark that network as private, then it should stay that way.



  • @extide:

    Well, yes it will be unidentified initially, but once you mark that network as private, then it should stay that way.

    No, the problem is that Windows 7 identifies the connection as an unidentified public network even if I restart the firewall from the console. Unfortunately, Windows 7 does not allow changing the network type, and then I can no longer access the firewall via web or the Internet. So, how do I fix this?

    Thanks

    Bye


  • Netgate Administrator

    See my screenshot a few posts back for how it should be set up. My interface is named LAN5, yours will be named LAN.

    You need to insert the fake MAC onto LAN after you have assigned it as bridge0. The problem is that Windows looks at the MAC address of the DHCP server. The DHCP server is running on LAN (bridge0) so the MAC changes at every boot and Windows warns you that you have connected to a new, unknown, DHCP server.

    Steve



  • Also once you have completed the above steps, you WILL get an 'unidentified network' popup, but once you accept it there it should not come up again.



  • @stephenw10:

    See my screenshot a few posts back for how it should be set up. My interface is named LAN5, yours will be named LAN.

    You need to insert the fake MAC onto LAN after you have assigned it as bridge0. The problem is that Windows looks at the MAC address of the DHCP server. The DHCP server is running on LAN (bridge0) so the MAC changes at every boot and Windows warns you that you have connected to a new, unknown, DHCP server.

    Steve

    Is it possible to disable this DHCP server on LAN (Bridge0)? If so, how do I do this?

    Thanks

    Bye


  • Netgate Administrator

    You can disable the DHCP server. It won't help though. Unless you have spoofed the MAC on LAN, Windows will still see it as a new network.

    Are you using all static IPs?

    Steve



  • @balubeto:

    @stephenw10:

    See my screenshot a few posts back for how it should be set up. My interface is named LAN5, yours will be named LAN.

    You need to insert the fake MAC onto LAN after you have assigned it as bridge0. The problem is that Windows looks at the MAC address of the DHCP server. The DHCP server is running on LAN (bridge0) so the MAC changes at every boot and Windows warns you that you have connected to a new, unknown, DHCP server.

    Steve

    Is it possible to disable this DHCP server on LAN (Bridge0)? If so, how do I do this?

    Thanks

    Bye

    You probably don't want to do this. When you make the bridge you are essentially replacing Lan0, Lan1, Lan2, etc. with Bridge0. Nothing will be running directly on Lan0, 1, etc. anymore; everything that WAS running on Lan0, 1, etc. will now be running on bridge0.

    So, if you previously had DHCP before and would like to keep it you will need to have it enabled. This is not 'another' DHCP server, this is the DHCP server.

    Now, if you were not using DHCP in the first place at all, then yes you would want to disable it.



  • I have found the main problem:

    Starting from the default parameters of pfSense and performing the initial setup to make sure that the LAN and WAN interfaces are working with static addresses, I tried to insert the MAC address of my computer or a fictitious MAC in the MAC address field of the LAN interface of pfSense. After applying these changes and restarting the firewall from the console, Windows 7 SP1 64-bit identifies the connection as an unidentified public network. How come?

    Thanks

    Bye


  • Netgate Administrator

    Because the MAC has changed. However if you then reboot the box again you should find that Windows connects without a warning as the MAC will remain whatever you set it to be.
    Windows maintains a list of known networks with the MAC addresses of whatever it talks to on those networks. If it starts talking to a new MAC that isn't in the list it warns you.

    Steve



  • @stephenw10:

    Because the MAC has changed. However if you then reboot the box again you should find that Windows connects without a warning as the MAC will remain whatever you set it to be.
    Windows maintains a list of known networks with the MAC addresses of whatever it talks to on those networks. If it starts talking to a new MAC that isn't in the list it warns you.

    Steve

    The problem is that, even if I restart the firewall from the console with the new MAC, Windows directly identifies the new connection as an unidentified public network, without the possibility of changing its type.

    So, how do I change its type?

    Thanks

    Bye



  • @balubeto:

    @stephenw10:

    Because the MAC has changed. However if you then reboot the box again you should find that Windows connects without a warning as the MAC will remain whatever you set it to be.
    Windows maintains a list of known networks with the MAC addresses of whatever it talks to on those networks. If it starts talking to a new MAC that isn't in the list it warns you.

    Steve

    The problem is that, even if I restart the firewall from the console with the new MAC, Windows directly identifies the new connection as an unidentified public network, without the possibility of changing its type.

    So, how do I change its type?

    Thanks

    Bye

    But, after it's set, do the Windows boxes keep notifying you again, later? From what I understand, it should do it once after you set the MAC, but once Windows identifies it, as long as you don't change the Bridge MAC again, it shouldn't keep bothering you.



  • @matguy:

    @balubeto:

    @stephenw10:

    Because the MAC has changed. However if you then reboot the box again you should find that Windows connects without a warning as the MAC will remain whatever you set it to be.
    Windows maintains a list of known networks with the MAC addresses of whatever it talks to on those networks. If it starts talking to a new MAC that isn't in the list it warns you.

    Steve

    The problem is that, even if I restart the firewall from the console with the new MAC, Windows directly identifies the new connection as an unidentified public network, without the possibility of changing its type.

    So, how do I change its type?

    Thanks

    Bye

    But, after it's set, do the Windows boxes keep notifying you again, later? From what I understand, it should do it once after you set the MAC, but once Windows identifies it, as long as you don't change the Bridge MAC again, it shouldn't keep bothering you.

    Dropping for a moment the creation of the switch, how do I set a MAC address on the LAN interface to prevent Windows 7 from identifying this connection as an unidentified public network?

    Thanks

    Bye


  • Netgate Administrator

    If you are not using a bridge at all then you should not have to do anything with the MAC address of the LAN NIC. It will always use the real MAC read from the card itself. Windows should only ask you once 'what type of network are you connecting to?'.

    Are you still using all statically assigned IPs?

    If it's seeing new networks each time you have a different problem.

    What hardware are you running?

    Steve



  • @stephenw10:

    If you are not using a bridge at all then you should not have to do anything with the MAC address of the LAN NIC. It will always use the real MAC read from the card itself. Windows should only ask you once 'what type of network are you connecting to?'.

    Are you still using all statically assigned IPs?

    If it's seeing new networks each time you have a different problem.

    What hardware are you running?

    Steve

    I had done the test without the bridge only to understand something.

    I always use static IPs.

    My firewall is http://www.firewallhardware.it/en/appliance_utm2.html . By chance, are there some BIOS parameters that could cause my problem?

    Thanks

    Bye


  • Netgate Administrator

    Hmm, well there are quite a few people using that Jetway motherboard and your appliance has the nicer Intel daughter board which is said to be very good. No one has reported similar problems.

    At this point you might consider the cause is something different. How many different Windows 7 machines have you tested this with?

    Otherwise please post some screenshots of your not working bridge config. You could post your config.xml after you have removed any information you don't want public, passwords, IPs, etc. We can get a much clearer idea from that.

    Steve



  • @stephenw10:

    Hmm, well there are quite a few people using that Jetway motherboard and your appliance has the nicer Intel daughter board which is said to be very good. No one has reported similar problems.

    At this point you might consider the cause is something different. How many different Windows 7 machines have you tested this with?

    Otherwise please post some screenshots of your not working bridge config. You could post your config.xml after you have removed any information you don't want public, passwords, IPs, etc. We can get a much clearer idea from that.

    Steve

    For the moment, I'm trying on 10 Windows 7 machines.

    I cannot understand what snapshots you want. Where is the config.xml file? How do I view it?

    Thanks

    Bye


  • LAYER 8 Global Moderator

    "Unfortunately, Windows 7 does not allow to change the network type"

    What?  You can change the network type whenever you want.

    http://www.sevenforums.com/tutorials/43629-network-location-set-home-work-public-network.html
    http://www.sevenforums.com/tutorials/71408-unidentified-networks-set-private-public.html

    Now are these win 7 boxes part of a domain?



  • @johnpoz:

    "Unfortunately, Windows 7 does not allow to change the network type"

    What?  You can change the network type whenever you want.

    http://www.sevenforums.com/tutorials/43629-network-location-set-home-work-public-network.html
    http://www.sevenforums.com/tutorials/71408-unidentified-networks-set-private-public.html

    Now are these win 7 boxes part of a domain?

    No, the computers are in a workgroup.

    Thanks

    Bye


  • LAYER 8 Global Moderator

    Well then there is no reason why you could not change the type of network you're connected to. And it for sure would have NOTHING to do with pfsense if you couldn't.


  • Netgate Administrator

    @balubeto:

    Where is the config.xml file? How do I view it?

    The config.xml file can be obtained using the backup function under Diagnostics: Backup/Restore:
    It contains everything about your pfSense install, including some stuff you probably don't want to post publicly, so you should remove that if you do post it here.

    I am confused though.  :-
    Please tell me what state your box is in. Did you get the bridge setup correctly in switch mode? What is working? What is not working?

    Steve



  • @stephenw10:

    @balubeto:

    Where is the config.xml file? How do I view it?

    The config.xml file can be obtained using the backup function under Diagnostics: Backup/Restore:
    It contains everything about your pfSense install, including some stuff you probably don't want to post publicly, so you should remove that if you do post it here.

    I am confused though.  :-
    Please tell me what state your box is in. Did you get the bridge setup correctly in switch mode? What is working? What is not working?

    Steve

    I have noticed that, up to step 4 of your procedure, my computers can access the firewall and get onto the Internet. Whereas if I perform step 5, I can no longer do anything.

    So, I have attached the config.xml configuration file of my firewall so that you can understand where the problem is.

    Also, I noticed that, with this configuration, I can not open the 31950 port even if the firewall log shows that it is open. How come?

    Thanks

    Bye

    Attachment: config.xml.txt


  • Netgate Administrator

    Ah OK. Thanks for that.
    Two things I notice straight away:

    Your WAN has a /8 subnet which is far too large. It should probably be /24.

    Your WAN address is in a private IP range so you must have 'Block private networks' unchecked in Interfaces: WAN:
    I'm not sure if you have done that already from the config file.
    Edit: Now I see you have unchecked that so ignore that remark.
    Is your WAN connected to another router? If so you will need to have port 31950 forwarded on that also.

    I see you have not yet added em1 to the bridge, is that because this file is taken after step 4 in my instructions?
    Adding the interface to the bridge as in step 5 should have no effect on the other interfaces. Perhaps you are adding it incorrectly? Is there anything connected to em1?

    I see you have not spoofed the MAC address yet in this file.

    Steve



  • I believe that you need to be using DHCP, otherwise Windows will not allow you to change from the public network type. However if you set the bridge MAC to the same as the real MAC on the NIC then Windows clients should not even know you changed anything.


  • Netgate Administrator

    Really? That would be odd. What public network uses static IPs? If you are using static addresses it's almost certain to be a private network.  :-\

    If you set the bridge MAC to one that already exists you will have two devices on the network with the same MAC. This will lead to problems.

    Steve



  • Well, it is categorized as a 'Public Network' because that is the most secure profile; however, what it is really identified as is "Unidentified Network". I believe this is because it uses the MAC address of the DHCP server in order to identify the network.

    You would think it could also use the MAC of the default gateway, but I don't believe it does; however, I haven't tested this.



  • @stephenw10:

    Ah OK. Thanks for that.
    Two things I notice straight away:

    Your WAN has a /8 subnet which is far too large. It should probably be /24.

    Your WAN address is in a private IP range so you must have 'Block private networks' unchecked in Interfaces: WAN:
    I'm not sure if you have done that already from the config file.
    Edit: Now I see you have unchecked that so ignore that remark.
    Is your WAN connected to another router? If so you will need to have port 31950 forwarded on that also.

    I see you have not yet added em1 to the bridge, is that because this file is taken after step 4 in my instructions?
    Adding the interface to the bridge as in step 5 should have no effect on the other interfaces. Perhaps you are adding it incorrectly? Is there anything connected to em1?

    I see you have not spoofed the MAC address yet in this file.

    Steve

    If I move the LAN interface into the bridge and set its configuration type to "none", my computers can no longer access my firewall or the Internet (I also tried with a computer with XP).

    On the WAN, why should I set its netmask to 24 when its address is 10.0.0.2?

    Connected to the WAN there is an ADSL router (10.0.0.1) configured so that all its ports are open. To be sure, how can I test this with the firewall?

    So, where am I wrong?

    Thanks

    Bye


  • Netgate Administrator

    Ok in step 5 you add the remaining NIC (that was previously assigned as LAN) to the bridge so that you can then use it the same as the other ports. In your case it will be em1. Here is what you should be doing:

    Go to Interfaces: (assign): in the webGUI.
    Click the '+' button to add another interface. It should appear as opt4.
    Use the dropdown selection to set it as em1. It should already be em1 for you as that's the only NIC you have unused.
    Go to Interfaces: OPT4: Click enable, set it as type 'none'. Save and apply.
    Now go to Interfaces: (assign): Bridges: and edit bridge0. Add OPT4 to the bridge. Save and apply.
    Done.  :)

    You can use 10.0.0.2/24 for WAN. That will mean that it tries to talk directly to IP addresses ranging from 10.0.0.1 to 10.0.0.255. That includes your WANGW address, which is the only address it has to talk to.

    Having ports open on your modem is not enough; they need to be forwarded also.
    It is better to have your modem set to bridge mode so that pfSense receives a public IP, or if that's not possible you can sometimes use a DMZ connection. I can't really help you with the modem as they are all different. You could test it by connecting a client directly to the modem (at a 10.0.0.X address) and re-run the port test.
    Your port forwards and firewall rules in pfSense look good.

    Steve



  • Yeah right now you are in a situation referred to as being "Double NAT", which can cause quite a few problems. If you can remove that first layer (which is the 10.0.0.x IPs) and give the pfsense box the real public IP, you will have a lot easier time with things.

    However, this is entirely unrelated to setting up the bridge.



  • How do I create the OPT4 interface when my firewall only has 5 network interfaces?

    How do I make sure that pfSense itself manages the public IP with an ADSL connection in PPPoA?

    Thanks

    Bye


  • Netgate Administrator

    If you read through your config file you'll see that your em1 NIC is no longer assigned to any interface. You can see that in the webgui as well.

    WAN  em2
    LAN    bridge0
    OPT1  em0
    OPT2  em3
    OPT3  em4

    Hence you can add:

    OPT4  em1

    If you are using an ADSL connection with PPPoA then your modem needs to support PPPoA to PPPoE bridging since pfSense cannot support PPPoA directly. I have that setup with a Draytek V120. What is your modem?

    Steve
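
A checker for the two things that recur in this thread, the made-up spoof MAC and the config.xml review: an added example, not code from the thread or from pfSense. It assumes a pfSense-style config.xml layout (the `<interfaces>`, `<spoofmac>` and `<bridges>/<bridged>/<members>` elements) and runs on a constructed config modelled on the assignment table above; it goes one step beyond Steve's advice by also checking that the fake MAC has the locally-administered bit set.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pfSense-style config.xml, modelled on the assignment table in the
# thread (LAN is bridge0, em1 left unassigned, opt3 given an IP by mistake).
# Element names follow pfSense's config.xml layout as I know it: an assumption,
# not the poster's real attachment.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em2</if><ipaddr>10.0.0.2</ipaddr><subnet>24</subnet></wan>
    <lan><if>bridge0</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet>
         <spoofmac>02:11:22:33:44:55</spoofmac></lan>
    <opt1><if>em0</if><enable/></opt1>
    <opt2><if>em3</if><enable/></opt2>
    <opt3><if>em4</if><enable/><ipaddr>192.168.2.1</ipaddr></opt3>
  </interfaces>
  <bridges>
    <bridged><members>opt1,opt2,opt3</members><bridgeif>bridge0</bridgeif></bridged>
  </bridges>
</pfsense>
"""
PHYSICAL_NICS = ["em0", "em1", "em2", "em3", "em4"]  # the appliance's five ports

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def mac_problems(mac, existing=()):
    """Problems with a made-up spoof MAC; an empty list means it is usable.

    It must be six hex octets and unicast (bit 0 of the first octet clear),
    and must not repeat a MAC already on the wire (Steve's duplicate warning).
    Bit 1 of the first octet set marks it locally administered, the convention
    for addresses not handed out by a NIC vendor, so a fake one cannot clash
    with a real card's OUI.
    """
    if not MAC_RE.match(mac):
        return ["not six colon-separated hex octets"]
    first = int(mac[:2], 16)
    problems = []
    if first & 0x01:
        problems.append("multicast bit set; must be unicast")
    if not first & 0x02:
        problems.append("locally-administered bit clear")
    if mac.lower() in {m.lower() for m in existing}:
        problems.append("duplicates a MAC already in use")
    return problems


def audit_bridge(config_xml, physical_nics):
    """Spot the gaps Steve read out of config.xml: unassigned NICs, bridge
    members that still carry an IP (they should be type 'none'), and whether
    the interface assigned to the bridge has a pinned MAC."""
    root = ET.fromstring(config_xml)
    ifaces = {el.tag: el for el in root.find("interfaces")}
    nic_of = {tag: el.findtext("if") for tag, el in ifaces.items()}
    report = {"unassigned": sorted(set(physical_nics) - set(nic_of.values())),
              "members": [], "members_with_ip": [], "spoofmac": None}
    for br in root.iter("bridged"):
        members = br.findtext("members", "").split(",")
        report["members"] += members
        report["members_with_ip"] += [m for m in members
                                      if m in ifaces and ifaces[m].find("ipaddr") is not None]
        bridge_if = br.findtext("bridgeif")
        for tag, nic in nic_of.items():
            if nic == bridge_if:  # e.g. LAN assigned as bridge0
                report["spoofmac"] = ifaces[tag].findtext("spoofmac")
    return report
```

Run `audit_bridge(SAMPLE_CONFIG, PHYSICAL_NICS)` against your own exported config.xml to see which NIC is still unassigned and whether the bridge interface has a spoofmac set before you add the last port.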



  • @stephenw10:

    If you read through your config file you'll see that your em1 NIC is no longer assigned to any interface. You can see that in the webgui as well.

    WAN  em2
    LAN    bridge0
    OPT1  em0
    OPT2  em3
    OPT3  em4

    Hence you can add:

    OPT4  em1

    If you are using an ADSL connection with PPPoA then your modem needs to support PPPoA to PPPoE bridging since pfSense cannot support PPPoA directly. I have that setup with a Draytek V120. What is your modem?

    Steve

    I have a 150Mbps Wireless N ADSL2+ Modem Router http://www.tp-link.it/products/details/?categoryid=219&model=TD-W8951ND . How should I configure it, remembering that I have an ADSL connection in PPPoA?

    Thanks

    Bye

