Bridge LAN ports to act like a switch
-
After completing step 5, I can no longer access my firewall in any way.
You are able to access it after step 4 though?
If you have locked yourself out of the box for whatever reason, and rebooting does not solve it, you can temporarily disable the firewall from the console. Described here:
http://doc.pfsense.org/index.php/I_locked_myself_out_of_the_WebGUI,_help!#Remotely_Circumvent_Firewall_Lockout_by_Temporarily_Changing_the_Firewall_Rules
Once you have access, modify your firewall rules to prevent the lockout.
Steve
-
In practice, after step 4, I have to restart the firewall from the console to perform step 5 via web.
Instead, after step 5, Windows 7 identifies the connection as an unidentified public network. Then the Internet no longer works and I can no longer access the firewall via web with the IP address 192.168.1.1.
So, does anyone have any idea how to fix this?
Thanks
Bye
-
Windows 7 complains because the MAC of the bridge interface is regenerated each time at boot, because it's not a real NIC.
To prevent this happening you can set a MAC address for the bridge interface which will be used every time. You can do this under Interface: Lan: (assuming LAN is assigned as bridge0).
See: http://forum.pfsense.org/index.php/topic,54666.0.html
Steve
-
In the Interface: Lan window, do I have to insert the MAC address of the computer's network card or of one of the firewall's network cards?
Thanks
Bye
-
No. Do not use one of the existing MAC addresses. Make up a MAC and use that. It doesn't matter what the address is just that you have defined one to use to prevent pfSense choosing a new one each time at boot.
Steve
-
How do I create a valid MAC address?
Thanks
Bye
-
It simply has to be the correct length of hexadecimal figures. For example you could use: 00:11:22:33:44:55
That would be obviously fake which is useful to anyone trying to diagnose a problem later.
See screenshot from my Status: Interfaces: page.
Steve
![bridge status.jpg](/public/imported_attachments/1/bridge status.jpg)
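An added example, not part of the original posts: a made-up MAC also needs the lowest bit of its first octet clear (a unicast address), and, as stated above, must not duplicate one already in use. The function names and the sample in-use address below are constructed for illustration.

```python
import re
import secrets

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

def classify_mac(mac: str) -> dict:
    """Validate a colon-separated MAC and decode the two flag bits of octet 0."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not six colon-separated hex octets: {mac!r}")
    first = int(mac[:2], 16)
    return {
        "multicast": bool(first & 0x01),             # I/G bit: 1 = group address
        "locally_administered": bool(first & 0x02),  # U/L bit: 1 = not vendor-assigned
    }

def usable_on_interface(mac: str, in_use=()) -> bool:
    """True if mac is well-formed, unicast, not all-zero and not already in use."""
    try:
        info = classify_mac(mac)
    except ValueError:
        return False
    norm = mac.lower()
    if norm == "00:00:00:00:00:00":
        return False
    return not info["multicast"] and norm not in {m.lower() for m in in_use}

def make_local_mac() -> str:
    """Random unicast MAC with the locally-administered bit set."""
    first = (secrets.randbits(8) & 0xFC) | 0x02   # clear I/G, set U/L
    rest = secrets.token_bytes(5)
    return ":".join(f"{b:02x}" for b in bytes([first]) + rest)

if __name__ == "__main__":
    existing = ["00:0d:b9:aa:bb:cc"]  # constructed sample: a MAC already on the LAN
    candidates = [
        "00:11:22:33:44:55",  # the address suggested in the post
        "01:11:22:33:44:55",  # multicast bit set: not valid for an interface
        "00:11:22:33:44",     # only five octets
        existing[0],          # already in use
    ]
    for candidate in candidates:
        print(candidate, usable_on_interface(candidate, existing))
    print("generated:", make_local_mac())
```

A generated address has the locally-administered bit set, so it cannot collide with a vendor-assigned one.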
-
Ok but how do I view and change the IP address of Bridge0 so that it has 192.168.1.254 as IP?
In other words, is it possible to have this configuration:
- 10.0.0.1 ---> WAN Gateway
- 192.168.1.1 ---> LAN Gateway (in order to access the firewall with this IP address)
- 192.168.1.254 ---> Bridge0
If so, how do I do this?
Thanks
Bye
I think you are misunderstanding this. When you create a bridge the NIC doesn't have an IP anymore, the bridge actually has the IP, and the bridge represents any or all of the NICs in the bridge.
So you will end up like this:
- 10.0.0.1 ---> WAN Gateway
- 192.168.1.1 ---> Bridge0 / LAN Gateway (in order to access the firewall with this IP address)
There is no need for an additional IP.
-
-
I tried to insert a fictitious MAC address on the LAN interface before including it in Bridge0 but, then, Windows 7 still identifies the connection between my computer and the firewall as an unidentified network and thus I have the same problems as before. So when do I have to insert this MAC?
Thanks
Bye
-
Well, yes it will be unidentified initially, but once you mark that network as private, then it should stay that way.
-
No, the problem is that Windows 7 identifies the connection as an unidentified public network even if I restart the firewall from the console. Unfortunately, Windows 7 does not allow me to change the network type, and then I can no longer access the firewall via web or the internet. So, how do I fix this?
Thanks
Bye
-
See my screenshot a few posts back for how it should be set up. My interface is named LAN5, yours will be named LAN.
You need to insert the fake MAC onto LAN after you have assigned it as bridge0. The problem is that Windows looks at the MAC address of the DHCP server. The DHCP server is running on LAN (bridge0) so the MAC changes at every boot and Windows warns you that you have connected to a new, unknown, DHCP server.
Steve
-
Also once you have completed the above steps, you WILL get an 'unidentified network' popup, but once you accept it there it should not come up again.
-
Is it possible to disable this DHCP server on LAN (Bridge0)? If so, how do I do this?
Thanks
Bye
-
You can disable the dhcp server. It won't help though. Unless you have spoofed the MAC on LAN Windows will still see it as a new network.
Are you using all static IPs?
Steve
-
You probably don't want to do this. When you make the bridge you are essentially replacing Lan0 and Lan1, and Lan2, etc with Bridge0. Nothing will be running directly on Lan0, 1, etc anymore, everything that WAS running on lan0, 1, etc will now be running on bridge0.
So, if you previously had DHCP before and would like to keep it you will need to have it enabled. This is not 'another' DHCP server, this is the DHCP server.
Now, if you were not using DHCP in the first place at all, then yes you would want to disable it.
-
I have found the main problem:
Starting from the default parameters of pfSense and performing the initial setup to make sure that the LAN and WAN interfaces are working with the static address type, I tried to insert the MAC address of my computer or a fictitious MAC in the MAC address field of the LAN interface of pfSense. After applying these changes and restarting the firewall from the console, Windows 7 SP1 64-bit identifies the connection as an unidentified public network. How come?
Thanks
Bye
-
Because the MAC has changed. However if you then reboot the box again you should find that Windows connects without a warning as the MAC will remain whatever you set it to be.
Windows maintains a list of known networks with the MAC addresses of whatever it talks to on those networks. If it starts talking to a new MAC that isn't in the list it warns you.
Steve
-
The problem is that, even if I restart the firewall from the console with the new MAC, Windows identifies the new connection directly as an unidentified public network without the possibility to change its type.
So, how do I change its type?
Thanks
Bye
-
But, after it's set, do the Windows boxes keep notifying you again later? From what I understand, it should do it once after you set the MAC, but once Windows identifies it, as long as you don't change the Bridge MAC again, it shouldn't keep bothering you.