Bidirectional traffic copy (bridging) from wired to wifi for a single IP



  • Is it possible, and how do I set it up? The reason I want it is that the app for my AVR doesn't let me manually input the IP address of the AVR, and I use different subnets for wired and wifi, so autodetect fails. I could connect the AVR to wifi, but I am quite certain it then wouldn't see my HTPC, which I use as a media server.



  • You would have to use VLANs for the wifi, or have two wifi APs, one on the separate subnet and the other on the same subnet as the LAN and bridged to the LAN. Then you could put the AVR on the wifi that is on the same subnet/bridged to the LAN.

    Or you could just bridge all wifi to the LAN; is there a reason you do not?



  • I suspect you want to bridge a pfSense wired interface with a pfSense WiFi interface. From memory, there are a number of posts (including a fairly detailed one by stephenw10) in the pfSense Wireless forum discussing how to bridge wired and WiFi interfaces.



  • Thanks for the answers. I do not want to set up classic wifi and wired bridging because I do not want to flood the wifi subnet with unnecessary traffic. All I really need is to make the AVR "appear" on wifi while it is connected to wired, so the remote Android app would work.


  • Netgate Administrator

    Other people have done similar things by using the IGMP proxy so that the server device can be discovered on another subnet. It depends what protocol your AVR is using for discovery.
    E.g. http://forum.pfsense.org/index.php/topic,36832.0.html

    Alternatively you could bridge your wired and wireless networks but keep filtering on the bridge member interfaces and apply suitable rules to prevent excess traffic.

    Steve



  • It's an Onkyo TX-NR818; it uses UPnP for network discovery, not sure about the Android remote app. Is there a guide on how to limit the traffic over wifi if I bridge wifi & wired? Does bridging work for IPv6?



  • @strumf666:

    Is there a guide on how to limit the traffic over wifi if I bridge wifi & wired?

    What sort of limit? Schedule? Bandwidth? Access to/from particular systems? Something else?

    @strumf666:

    Does bridging work for IPv6?

    It should. I haven't tried IPv6 bridged.


  • Netgate Administrator

    @strumf666:

    Is there a guide on how to limit the traffic over wifi if I bridge wifi & wired?

    I haven't seen anything specifically written for that purpose. Here's what I would try…

    First I'd try to use the IGMP proxy since that seems to be the 'correct' way to do it.  ;)
    If that doesn't work...

    Bridge the wired and wireless NICs but leave the filtering on the bridge member interfaces. You would usually move filtering to the bridge interface in this sort of setup for simplicity; you will see it mentioned in other bridging guides.
    Now apply firewall rules to the wired and wireless interfaces to limit the traffic between them. Primarily you want to stop the random broadcast traffic that is floating around on LAN from being sent to every device on WLAN. It gets slightly complex here as the subnet is shared across both NICs, but I would try something like:
    Apply a rule on LAN that blocks all traffic with destination LANsubnet.
    Above that rule apply a rule that allows all traffic with destination LANaddress, since you need to allow traffic from LAN to the pfSense box for the webGUI, DNS queries etc.
    Apply rules above that to allow specific machines on LAN to access specific machines on WLAN if you need them.

    This should prevent any traffic from LAN to WLAN. Traffic between clients on LAN will not be blocked since it doesn't travel through the pfSense box. You would need a similar set of rules on WLAN to prevent traffic initiated in the other direction but it's probably not necessary.

    This way your wireless UPnP client on WLAN will be able to broadcast to the server on LAN, and the server will be able to respond, as the session was initiated from WLAN. Hopefully!

    You might be able to do this far more simply by just applying a rule that blocks broadcast traffic from LAN but that is something I have no experience in.

    Also I've never set up anything like I described above so opinions on it are welcome.  :)

    Steve

    Edit: Potential problem. Does pfSense need to see broadcast traffic from LAN at any point?



  • @stephenw10:

    Edit: Potential problem. Does pfSense need to see broadcast traffic from LAN at any point?

    ARP. I expect clients will want to know the MAC address of their default gateway.


  • Netgate Administrator

    Will they not have that from the DHCP transaction? I guess that assumes the DHCP server is the gateway, which it likely is here.
    Also if a client machine knows only the gateway IP and needs the MAC then that will be allowed by the 'allow to LANaddress' rule (or an equivalent rule for the gateway if it isn't the LAN address).
    Since pf only filters at layer 3, you should also be able to retrieve an IP from the MAC, though that would flood the WLAN with unwanted packets, which we are trying to prevent.  :-\

    Steve
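
    To make the rule ordering stephenw10 sketches above concrete, here is a pf.conf rendering of it. This is an added example, not from this thread and not pfSense's own generated ruleset; on pfSense you would enter the equivalent rules in the webGUI on the LAN and WLAN tabs. The interface names, addresses and host roles are assumptions. It also covers two details the sketch leaves open: the AVR's answer to the phone's SSDP M-SEARCH is a unicast UDP packet from the AVR's own address, so it does not match the state created by the phone's multicast request and needs its own pass rule; and the limited broadcast 255.255.255.255 and multicast addresses lie outside LANsubnet, so a block on LANsubnet alone does not stop them.

```pf
# Added example (not from this thread): pf.conf rendering of the
# bridge-member filtering described above. em1, ath0, the addresses and
# the host roles are assumptions; substitute your own. IPv4 only.
#
# Prerequisite so that rules are evaluated on the member interfaces rather
# than on the bridge itself (System > Advanced > System Tunables on pfSense):
#   net.link.bridge.pfil_member=1
#   net.link.bridge.pfil_bridge=0

lan_if   = "em1"              # wired LAN bridge member
wlan_if  = "ath0"             # wireless bridge member
lan_net  = "192.168.1.0/24"   # one subnet shared by both members (LANsubnet)
lan_addr = "192.168.1.1"      # pfSense address on the bridge (LANaddress)
htpc     = "192.168.1.10"     # assumed media server on the wired side
avr      = "192.168.1.20"     # assumed AVR on the wired side

# A session started on WLAN gets its reply back in on the wired member.
# Floating states match regardless of interface; if-bound states would not.
set state-policy floating

# pf with "quick" is first-match, which is how pfSense evaluates GUI rules,
# so exceptions go first and the broad block last.

# 1. DHCP from wired clients is sent to the limited broadcast with source
#    0.0.0.0, so it needs its own rule ahead of the broadcast block.
pass in quick on $lan_if proto udp from any port 68 \
    to { $lan_addr, 255.255.255.255 } port 67 keep state

# 2. Wired clients may always talk to pfSense itself (webGUI, DNS, DHCP renew).
pass in quick on $lan_if from $lan_net to $lan_addr keep state

# 3. Wired -> wireless exceptions. The AVR's SSDP reply is unicast from $avr,
#    not from 239.255.255.250, so it never matches the state of the phone's
#    M-SEARCH and must be allowed explicitly. Add similar rules for any other
#    wired host that must initiate traffic toward wireless clients.
pass in quick on $lan_if proto udp from $avr to $lan_net keep state

# 4. Everything else from the wired side addressed to the shared subnet
#    (including the directed broadcast 192.168.1.255), to the limited
#    broadcast, or to multicast is dropped, so LAN chatter (torrent peers,
#    SMB browsing, the AVR's own UPnP NOTIFY announcements) never reaches
#    the wireless member. Discovery then relies on the phone's M-SEARCH.
block in quick on $lan_if from any to { $lan_net, 255.255.255.255, 224.0.0.0/4 }

# 5. Wired clients keep full access beyond the subnet (WAN).
pass in quick on $lan_if from $lan_net to any keep state

# Wireless side: ordinary allow. The phone's M-SEARCH to 239.255.255.250:1900
# and the remote app's connection to $avr create state here; their replies
# coming back in on $lan_if are matched by that state, not by the rules above.
pass in quick on $wlan_if from any to any keep state
```

    Two caveats a practitioner should keep in mind. pf filters IP only, so ARP requests and replies cross the bridge untouched by these rules; clients on either side can still resolve the gateway MAC, which answers the question about broadcast traffic raised above. And pf's default when no rule matches is pass, so with only IPv4 rules present any IPv6 traffic on the bridge is forwarded unfiltered; add explicit IPv6 rules if the bridge carries it.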



  • Alright, I'll try the IGMP proxy first. Mostly I would like to prevent unnecessary torrent and file-transfer traffic from flooding the WiFi. If I manage to get the IPTV pass-through working with igmpproxy, then that as well.

