Ok this may be a stupid question



  • Ok as the title says, this may be a stupid question but just want to confirm I have configured my box correctly.

    1. unit has two Network ports
    2. unit has one WiFi Card
    3. Opt interface setup for HE IPv6

    Ok so I have configured it as follows.

    1. Eth0 - WAN - Virgin router in modem mode
    2. Eth1 - LAN - Switch with NAS / Second AP etc
    3. WiFi - Bridged to eth1 and Opt1
    4. LAN IP assigned to Bridge

    Can I confirm this is correct? If the LAN IP (192.168.1.1) is set to eth1 it still works, but my PC keeps alerting to an ARP spoof, and it does in fact switch between the WiFi and Eth1 addresses. However, assigning this to the bridge fixes this issue. Is this correct? The IP should be on the bridge? I am not running separate subnets yet, as I understand if I did this I could not stream media from one subnet to the other etc. Or would separate subnets be better?

    Ideally in the end I would like a wired network and a wifi network that all work together: PCs on the LAN and Xbox/PS3, phones etc. on wifi, all working together. I am then looking to add some VLANs into the mix so I can host some servers at home and also a VoIP system while keeping it all secure.

    Sorry for all the questions still learning about all this.


  • Netgate Administrator

    Seems like you have it correctly set up from what you've said.
    You should have your wifi and eth1 interfaces set at IP type 'none' and use the bridge interface for IP and DHCP.
    One thing that can cause problems, for Windows, is that because the bridge interface is not real its MAC address is generated by pfSense at boot. When you reboot the box it generates a new MAC and that causes Windows to see it as a new connection, so it keeps asking you to choose what type of connection it is, home, work etc. To avoid that, set the MAC address manually by going to the bridge interface setup, LAN in your case, and entering it in the 'spoof MAC' field.

    By the way using eth0, eth1 is slightly confusing since it's Linux notation. Using the real interface names (re1, fxp1 etc) is clearer.

    Running two separate subnets provides better security and finer control. Many server-client media streamers have no problems going between subnets. Anything where you can enter the IP of the server should work fine. What can have problems are 'auto discovery' protocols like DLNA that don't look outside their own subnet. They are supposed to make everything easier but often just get in the way.  Any half decent bit of software should allow you to enter the IP, IMHO, but alas there seem to be many that don't.  ;) It is possible to work around this in some cases by using the IGMP proxy.

    Steve



  • Ah brill, sounds like I have it all correct then.  As for the separate subnets, I will look into that and see if it works with my setup. Am sure it will.


  • Netgate Administrator

    Actually, re-reading this I didn't notice you have OPT1 bridged in with your other interfaces. Is OPT1 acting as a WAN to your IPv6 tunnel? Seems like you may have bypassed the firewall if you haven't moved the rules around. Perhaps you wanted a transparent V6 connection?  :-
    I'm unsure what you want to achieve. If it's working as you expect then you're probably on top of it.  ;)

    Steve



  • @stephenw10:

    Actually, re-reading this I didn't notice you have OPT1 bridged in with your other interfaces. Is OPT1 acting as a WAN to your IPv6 tunnel? Seems like you may have bypassed the firewall if you haven't moved the rules around. Perhaps you wanted a transparent V6 connection?  :-
    I'm unsure what you want to achieve. If it's working as you expect then you're probably on top of it.  ;)

    Steve

    Hi Steve,

    I have actually ripped out the whole lot and rebuilt it from scratch.

    re0 - WAN - Public IP
    re1 - LAN - no IP
    ath0_wlan0 - Wireless  - no ip
    ath0_wlan1 - Second Wireless - 10.0.0.1/24
    opt2 - bridge - 192.168.1.1/24

    Now systems on LAN or wlan0 get internet etc., but I cannot access the NAS on the wired LAN from the wireless. However, if I connect to the second wireless I can.

    So to me this seems like any traffic for any interface other than one on the bridge works fine, but any traffic from one interface to another ON the bridge fails.


  • Netgate Administrator

    Your diagram in the other thread is slightly misleading. The LAN comes from the bridge.
    How have you created the bridge?
    Did you change the system tunables to move the bridge filtering?
    What firewall rules do you have and where? Is there anything in the firewall logs?

    Steve



  • @stephenw10:

    Your diagram in the other thread is slightly misleading. The LAN comes from the bridge.
    How have you created the bridge?
    Did you change the system tunables to move the bridge filtering?
    What firewall rules do you have and where? Is there anything in the firewall logs?

    Steve

    Hello Steve,

    I didn't use the system tunables as, to be honest, I didn't know I had to. As for how I did it:

    1. Set up the unit with re0 as WAN and re1 as LAN.
    2. Logged into the web UI and set up WLAN.
    3. Created the bridge, and assigned LAN and WLAN to it.
    4. Created a new interface, assigned the bridge to it, and then configured the IPs there.


  • Netgate Administrator

    Ah, OK. Since you haven't altered the bridge sysctls they will be set to filter on 'bridge members' and not the bridge interface.
    What firewall rules do you have and where are they?

    Steve

    Edit: Looks like Wallabybob's got your back in the other thread.
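The point Steve is making about the bridge sysctls, as an added example that is not code from this thread or from pfSense: the FreeBSD tunables `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge` decide whether pf evaluates rules on the member interfaces or on the bridge interface when a frame crosses the bridge, and with the pfSense defaults (members on, bridge off) rules placed on the bridge interface are never consulted. The model below parses constructed `sysctl` output, applies constructed rule sets shaped like the rebuilt box (re1 and ath0_wlan0 as members of a bridge assigned as opt2) and reports which interface's rules actually gate a frame from the wireless member to a constructed NAS address. The rule sets, the membership table, the NAS address and the simplified first-match pf semantics are all assumptions of this example; only the two tunable names are taken from FreeBSD's bridge(4).

```python
import ipaddress

# Constructed sample of `sysctl net.link.bridge` output as a pfSense box with
# the default tunables would print it (filtering on members, not the bridge).
SAMPLE_SYSCTL_DEFAULT = """\
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0
"""

# Constructed sample after moving filtering onto the bridge interface.
SAMPLE_SYSCTL_MOVED = """\
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 0
"""


def parse_sysctl(text):
    """Turn 'key: value' sysctl lines into a dict of ints."""
    tunables = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            tunables[key.strip()] = int(value.strip())
    return tunables


def filtering_points(tunables):
    """Where pf sees a frame crossing the bridge: the member interface it
    arrives on, the bridge interface, or both. FreeBSD defaults are assumed
    for any key missing from the output."""
    points = []
    if tunables.get("net.link.bridge.pfil_member", 1):
        points.append("member")
    if tunables.get("net.link.bridge.pfil_bridge", 0):
        points.append("bridge")
    return points


# Constructed rule sets keyed by interface, in the shape of the rebuilt box in
# the thread: member interfaces carry no rules, the bridge interface (opt2)
# carries the usual "pass any" LAN rule. A rule is (action, destination CIDR).
RULES_ON_BRIDGE = {
    "re1": [],
    "ath0_wlan0": [],
    "opt2": [("pass", "0.0.0.0/0")],
}

# The same allow-all policy placed on the member interfaces instead.
RULES_ON_MEMBERS = {
    "re1": [("pass", "0.0.0.0/0")],
    "ath0_wlan0": [("pass", "0.0.0.0/0")],
    "opt2": [],
}

# Constructed membership table: member interface -> bridge interface.
MEMBERSHIP = {"re1": "opt2", "ath0_wlan0": "opt2"}


def evaluate(rules, iface, dst):
    """Match dst against one interface's inbound rules. First match wins, as
    pfSense marks its rules 'quick'; no match falls through to the implicit
    default block."""
    dst_ip = ipaddress.ip_address(dst)
    for action, cidr in rules.get(iface, []):
        if dst_ip in ipaddress.ip_network(cidr):
            return action
    return "block"


def bridged_frame_allowed(tunables, rules, membership, in_member, dst):
    """Simplified model: a frame entering on in_member bound for dst must be
    passed at every filtering point the tunables enable. Real if_bridge also
    filters on the egress member; only the ingress side, where pfSense users
    put their inbound rules, is modelled here."""
    bridge = membership[in_member]
    for point in filtering_points(tunables):
        iface = in_member if point == "member" else bridge
        if evaluate(rules, iface, dst) != "pass":
            return False
    return True


def where_to_put_rules(tunables):
    """Plain-language answer to the 'what rules and where' question."""
    points = filtering_points(tunables)
    if points == ["member"]:
        return "rules must be on each member interface; bridge rules are ignored"
    if points == ["bridge"]:
        return "rules must be on the bridge interface; member rules are ignored"
    if points == ["member", "bridge"]:
        return "rules are evaluated on both the member and the bridge interface"
    return "no pf filtering on bridged traffic at all"


if __name__ == "__main__":
    nas = "192.168.1.50"  # constructed address of a NAS on the wired LAN
    for label, text in (("default", SAMPLE_SYSCTL_DEFAULT), ("moved", SAMPLE_SYSCTL_MOVED)):
        t = parse_sysctl(text)
        print(label, "|", where_to_put_rules(t), "| wifi -> NAS passes:",
              bridged_frame_allowed(t, RULES_ON_BRIDGE, MEMBERSHIP, "ath0_wlan0", nas))
```

With the default tunables the frame from ath0_wlan0 is checked only against ath0_wlan0's (empty) rule set and hits the implicit block, whatever the bridge interface's rules say; either moving the rules onto the members or flipping the two tunables makes the same policy take effect. On a real box the inputs come from `sysctl net.link.bridge` and the firewall rules page, and the firewall log shows which interface the block was recorded on.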

