PfSense LAN bridging walktrough
-
After several attempts to get a bridge going, I finally succeeded to set it up correctly. I am posting this info hoping it might help some one in the future.
My set up: pfSense 2.0.1-Release + 3 add in NICs + 1 on board NIC (total of 4).
First and foremost credit goes to the creators of pfSense awesome work and to stephenw10 for his post on how to configure a bridge.
I just added extra info on my findings and personal experience. To clarify I am no firewall pro just your regular guy with some
spare parts and some some spare time.This is what I wanted to acomplish:
a) Upgrade my router and build it my self
b) Have plenty of options if I wanted to (some day) use advanced networking features
c) Use old hardware I had sitting around
d) Have 1 WAN interface for internet
b) Have 3 LAN interfaces one for each floor in my house
e) The LAN interfaces need to be transparent to each otherSo here it goes -
0. Start with a fresh install of pfSense and complete the wizard in the web interface. Adjust the IP settings if you like or need.1. Assign your additional interfaces:
If you did assigned them during install skip this step. This is done by going to Interfaces > Assign.
You will have: WAN, LAN and might also have OPT1, OPT2, etc depending on your specific setup.2. Enable the interfaces:
Go to Interfaces > OPT1. Check the Enable Interface box, make sure that Type is set to none and Save.
Repeat for all the other interfaces you wish to add to the bridge. In my case OPT1 and OPT2.3. Switch bridge filtering from the bridge members onto the bridge itself (IMPORTANT - assuming you do not need to apply firewall rules between Interfaces on the bridge):
Go to System > Advanced and select the System Tunables tab.
Scroll down and edit the following two values:
Change net.link.bridge.pfil_member to 0.
Change net.link.bridge.pfil_bridge to 1.
Apply the changes.4. Create a bridge:
Go to Interfaces > (assign) and select the Bridges tab.
Create a Bridge by clicking on the add icon. Now add the interfaces that you enabled (ie. OPT1 and OPT2) you can select multiple interfaces by holding Ctrl (IMPORTANT - do not add LAN to the bridge). Name the Bridge 'Whatever Name You Want', could be a name to remind of the configuration. Save the changes. You now should have listed BRIDGE0.5. Assign BRIDGE0 to LAN Network Port:
(IMPORTANT - I lost connectivity to the web interface even after switching my ethernet cable to a bridge interface. I was only able to get back in after rebooting pfSense)
Go to Interfaces > (assign) and change the LAN assignment to BRIDGE0. Save and reconnect your ethernet cable to one of the bridge interfaces. It should come back up, however you will want to make sure you have access to the pfSense box before doing this. You could end up locked out!6. Assign the original LAN Network Port to new Interface:
Go to Interfaces > (assign) and and a new network port by clicking the add icon at the bottom of the list (In my setup a new OPT3 interface). Assign the original LAN Network Port to your new Interface, Save and apply changes.7. Add the new Interface to BRIDGE0:
Select your Bridges tab, click the edit icon. Add you new Interface to the bridge and Save. You should have all the Interfaces listed under Members for BRIDGE0 (In my set up OPT1, OPT2, OPT3)8. Done!
Everything should be working now. You can rearrange your ethernet cables if needed. There is no need to alter the firewall rules for this configuration since BRIDGE0 inherits the original LAN rules.I would appreciate any corrections and/or comments. Happy building!
-
Nice write up. :)
Steve
-
Thanks Steve!
So far I am loving my pfSense box, it handles all the connections in the building with no problem. -
Dear all,
I'm a newbie on firewall, on this thread is about 4 NIC, how about if only 2 NIC ? My problem is simply locked when after enable LAN, how can i solve this ?
Please help
-
You mean just WAN and LAN?
Which step are you having a problem at?Steve
-
I followed your guide, and I'm having problems as watchdog timeouts –resitting when I leave the option in net.link.bridge.pfil_member to 0, only works if I put regular net.link.bridge.pfil_member Change to 1. what can this be?
See my topics: http://forum.pfsense.org/index.php/topic,62781.0.html and http://forum.pfsense.org/index.php/topic,62587.0.html -
I don't think your problem has anything to do with bridge mode but rather the interrupt rate on your NICs or the loading on the cpu. When you disable pf completely it reduced the cpu cycles required to forward a packet massively allowing your system to keep up. I would check to see if flow control is enabled.
Steve
