Noob pulling out hair trying to bridge fxp1 and ral0
-
Sorry for posting such a negative first post, but I'm really developing quite the headache trying to figure this one out.
I've used pfsense before, but just as a two-lan system for home networking. Now, still at home, I want to add an internal wifi card to the mix, but I can't figure out how to make both internal interfaces see each other as one single network (just as a simple router does).
Could someone please point me to some simple tutorial/howto for a networking simpleton like me?
The network is simple (lemme try some ascii art):
```
               +------------+
               |  pfsense   |
LAN 10.0.0.1 >-+    Box     +------> WAN DHCP
               |            |
WLAN 10.0.0.2 ((( -+        |
               |            |
               +------------+
```
Thank you very very much in advance!
Best regards!
-
A "simple router" usually contains an internal switch to which the wireless interface is connected.
-> You usually don't have the ability to route the wireless interface. Simple steps:
- Go to interfaces --> assign --> bridges
- create a bridge with the two interfaces (in your case LAN and WLAN)
- assign the bridge as interface (under interfaces --> assign).
- Set 10.0.0.1 on the assigned bridge interface. Remove the IP configuration on the LAN and WLAN interface.
- Create firewall rules allowing traffic between the LAN and WLAN interface.
- Create firewall rules allowing traffic from the bridge interface to the internet.
-
> A "simple router" usually contains an internal switch to which the wireless interface is connected.
> -> You usually don't have the ability to route the wireless interface. Simple steps:
> - Go to interfaces --> assign --> bridges
> - create a bridge with the two interfaces (in your case LAN and WLAN)
> - assign the bridge as interface (under interfaces --> assign).
> - Set 10.0.0.1 on the assigned bridge interface. Remove the IP configuration on the LAN and WLAN interface.
> - Create firewall rules allowing traffic between the LAN and WLAN interface.
> - Create firewall rules allowing traffic from the bridge interface to the internet.
Thanks. I'll try it out later when I get home.
Couple of questions:
- Does the bridge need to be assigned to a specific interface, or any interface will do?
- At which point during that configuration will I lose connection with the web interface and how should I proceed from there? (It kept happening to me when I tried to do other howtos I found on the net).
Thanks!
-
You don't assign the bridge to an interface.
You add interfaces to a bridge.
From a high level point of view the bridge is treated as if it were a real new interface. You should at no point lose connectivity with the webgui. Otherwise you misconfigured something.
The "critical" part is when you add the IP on the bridge and remove the IPs on the interfaces. If you're worried you might lose access again, set up a different IP on the bridge at first.
Something like 10.0.0.5.
In your case the pfsense would then have 3 IPs on which it's reachable. (.1 .2 and .5)
Delete the IPs on the real interfaces when you're sure you can reach the pfsense via the IP on the bridge.
-
> You should at no point lose connectivity with the webgui.
Ha! I don't think I've ever done this first time without losing connectivity, especially on the two NIC bridge where you don't have spares to assign to the bridge first. Could just be me.
I think you have forgotten to say you need to change two sysctl values in System: Advanced: System Tunables:
net.link.bridge.pfil_member - Set to 0 to disable filtering on the incoming and outgoing member interfaces.
net.link.bridge.pfil_bridge - Set to 1 to enable filtering on the bridge interface.
If you don't do this (before you create the bridge) then when you switch LAN to the bridge interface its firewall rules will not be applied and you will be locked out.
Steve
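An added example, not from this thread or from the pfSense project: a small sh script for the pfSense shell that reads the two tunables Steve names and lists the bridge members from ifconfig, so you can see before switching LAN to bridge0 whether rules placed on the bridge will actually be enforced. The sysctl and ifconfig text it parses is constructed sample output in FreeBSD's format; on a real box feed it the live output as the comments show.

```shell
#!/bin/sh
# Pre-flight check for the bridge lockout described above. Live usage on pfSense:
#   bridge_filter_mode "$(sysctl net.link.bridge)"
#   bridge_members "$(ifconfig bridge0)"

# Prints where pf will filter: bridge | member | both | none
bridge_filter_mode() {
    _member=$(printf '%s\n' "$1" | sed -n 's/^net\.link\.bridge\.pfil_member: *//p')
    _bridge=$(printf '%s\n' "$1" | sed -n 's/^net\.link\.bridge\.pfil_bridge: *//p')
    case "${_bridge:-?}${_member:-?}" in
        10) echo bridge ;;   # rules on the assigned bridge interface apply
        01) echo member ;;   # rules on each member NIC apply
        11) echo both ;;     # filtered twice: on the NIC and on the bridge
        00) echo none ;;     # nothing is filtered at all
        *)  echo unknown; return 1 ;;
    esac
}

# Prints the member interfaces of a bridge, one per line, from ifconfig output.
bridge_members() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*member: \([^ ]*\).*/\1/p'
}

# Returns 0 only when rules on the bridge interface will be enforced,
# which is what you need once bridge0 is assigned as LAN.
safe_to_assign_bridge_as_lan() {
    _mode=$(bridge_filter_mode "$1")
    [ "$_mode" = bridge ] || [ "$_mode" = both ]
}

# Constructed sample output (not captured from a real box).
SYSCTL_BEFORE='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0'
SYSCTL_AFTER='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1'
IFCONFIG_BRIDGE0='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        member: ral0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: fxp1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

echo "before tunables: $(bridge_filter_mode "$SYSCTL_BEFORE")"   # member
echo "after tunables:  $(bridge_filter_mode "$SYSCTL_AFTER")"    # bridge
echo "bridge0 members: $(bridge_members "$IFCONFIG_BRIDGE0" | tr '\n' ' ')"
```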
-
> > You should at no point lose connectivity with the webgui.
> Ha! I don't think I've ever done this first time without losing connectivity, especially on the two NIC bridge where you don't have spares to assign to the bridge first. Could just be me.
Haha :D
Yeah you're right. I can't count the times I shut myself out before I realized in what order I have to do stuff to not lose access ^^"
But if you add the bridge first as an additional interface without removing the real interfaces, you keep access.
> I think you have forgotten to say you need to change two sysctl values in System: Advanced: System Tunables:
> net.link.bridge.pfil_member - Set to 0 to disable filtering on the incoming and outgoing member interfaces.
> net.link.bridge.pfil_bridge - Set to 1 to enable filtering on the bridge interface.
> If you don't do this (before you create the bridge) then when you switch LAN to the bridge interface its firewall rules will not be applied and you will be locked out.
> Steve
I like to keep the filtering on each interface.
Well… in home setups it comes down to three "allow-all" rules
-
> You don't assign the bridge to an interface.
> You add interfaces to a bridge.
Sorry for being so dense, but if I don't assign the bridge to an interface, how do I give it an IP?
Thanks.
-
After creating the new bridge:
go to interfaces -> assign.
click the little + at the bottom.
Now assign the new bridge itself as interface.
-
> You don't assign the bridge to an interface.
> You add interfaces to a bridge.
> After creating the new bridge:
> go to interfaces -> assign.
> click the little + at the bottom.
> Now assign the new bridge itself as interface.
Oh, so it's a semantics thing. Sorry for my confusion.
So, my doubt is still this: can I assign it to an OPT interface, or must it be a specific interface (LAN or other)?
Thanks again.
-
Once you create the bridge you can assign it the same as any other NIC. So if you go to Interface: Assign: and add a new interface it will appear as OPT* (probably OPT2 in your case).
But here's the thing, you want to end up with bridge0 assigned to LAN since the LAN interface is treated differently by pfSense (it has default rules etc). However in order to do that you have to unassign the current LAN NIC and that's when you'll probably end up locked out! ;)
Also just be aware of the sysctl values that affect how the firewall filtering is done on the bridge interface. Also easy to lock yourself out with rules in the wrong place or no rules. It's a minefield! Once you get your head around it it's good from a conceptual point of view though.
Steve
-
It wouldn't be so bad if it could be done on the local terminal, as I have a monitor/keyboard hooked in. But once I get locked out all I can do is reassign the interfaces, the IP or, if it's really crooked up, reset to factory defaults and start from scratch - which I have done four times so far.
-
To work around this:
Create some temporary firewall rule on the WAN interface to allow you to the webgui.
Connect a computer to the same subnet as your WAN and do the configuration via the WAN interface.
You shouldn't be able to lock yourself out this way ;)
Another way: if you are configuring this from a Linux machine.
Add a VLAN interface on the pfSense, and add a VLAN interface on your Linux machine. Syntax something along the line of:
ip link add link eth0 name eth0.100 type vlan id 100
Essentially create another logical independent interface on top of the physical interface.
-
If you lock yourself out with a firewall rule mistake you can temporarily disable the firewall completely from the console with:
pfctl -d
Then re-enable it once you put the rules right with:
pfctl -e
Other options are listed here:
http://doc.pfsense.org/index.php/I_locked_myself_out_of_the_WebGUI,_help!
Steve
-
I created the bridge and am now accessing the webgui through the wan interface. I'm trying to ping the Bridge IP (assigned to the LAN interface) but I'm not able to ping it. If I disconnect the Wan cable, I can't access the webgui through the WLAN connection. What am I missing?
-
I was here thinking, can I forget the entire bridging thing and do the following:
LAN:
IP - 10.0.0.254
DHCP Pool - 10.10.0.1 to 10.10.0.254
WLAN:
IP - 10.0.0.253
DHCP Pool - 10.0.10.1 to 10.0.10.254
And then make them be able to see each other? I'm assuming that, if possible, it couldn't be done by using bridging. But my knowledge doesn't go that far. Also, if possible, what could be the drawbacks compared to bridging?
-
> I created the bridge and am now accessing the webgui through the wan interface. I'm trying to ping the Bridge IP (assigned to the LAN interface) but I'm not able to ping it.
Ping from where? Presumably you created a firewall rule on the WAN interface to allow access to the webgui. Does that rule also allow pings?
Please post the ping command you are using and the response. That is much more informative than "can't ping".
> If I disconnect the Wan cable, I can't access the webgui through the WLAN connection. What am I missing?
It's difficult for me to say what you are missing since I don't know EXACTLY what you have done. (It is crucial to get the details correct.) Please post the output of pfsense shell commands:
```
ifconfig; /etc/rc.banner; sysctl -a | grep bridge
```
-
> I was here thinking, can I forget the entire bridging thing and do the following:
> LAN:
> IP - 10.0.0.254
> DHCP Pool - 10.10.0.1 to 10.10.0.254
> WLAN:
> IP - 10.0.0.253
> DHCP Pool - 10.0.10.1 to 10.0.10.254
No, the DHCP pool needs to be in the same subnet as the interface IP address. AND you can't have distinct interfaces in the same subnet.
> Also, if possible, what could be the drawbacks compared to bridging?
If you have two interfaces bridged then broadcast traffic gets forwarded between the interfaces and that helps Windows systems "see" each other. If the interfaces are not bridged then broadcast traffic doesn't get forwarded between the interfaces and systems can generally still see each other with the right incantation but not as "transparently".