Traffic flow stops after bridge
After all the trouble, at least I was able to create a bridge between WAN and LAN. I also created one for the OPT interface as OPT2 and gave it a static IP which has web management access. So after the bridge I can access the web management.
I have created the bridge as below:
Interface | Description | IP address
em0 | WAN | None
em1 | LAN | None
Bridge | WANBridge | 10.10.20.14 (static IP)
em2 | OPT2 | 10.10.10.17 (where I access the web management portal)
Now, after creating the bridge, I rebooted the firewall, and after the reboot I am not able to ping the gateway 10.10.20.10 from the ping interface of pfSense. Traffic does not flow to the firewall. I am not even able to ping 10.10.20.14 from any system in the network. I checked the physical connection on the switch and found it OK. Also the firewall rule set is full access (allow all) for WANBridge.
Also I get some errors like:
em0: DAD detected duplicate IPV6 address fe80:1:20c:29ff:fe1d:fa63: NS in/out=2 NA in=0
em0: DAD complete for fe80:1:20c:29ff:fe1d:fa63: - duplicate found
em0: manual intervention required
em0: possible hardware address duplication detected, disable IPv6
I have checked in the Advanced tab; IPv6 is not enabled. But I still don't know why this error comes.
You also need either pass rules on LAN and WAN, not just on the bridge, or the net.link.bridge.pfil_member=0 flag.
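To make the reply above concrete, here is an added example (not from the thread or the pfSense project) that parses sysctl-style output for the two bridge filtering tunables and reports where pf rules must exist. The sample values are constructed; it assumes FreeBSD's naming of net.link.bridge.pfil_member and net.link.bridge.pfil_bridge.

```shell
#!/bin/sh
# Constructed sample of what `sysctl net.link.bridge` prints on FreeBSD/pfSense.
# Assumption: both tunables set to 1, so pf filters on the member NICs (WAN/LAN)
# as well as on the bridge interface; rules only on the bridge then block traffic.
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1'

# The corrected setting from the reply: stop filtering on members, filter on the bridge only.
FIXED_SYSCTL='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1'

# sysctl_val NAME OUTPUT: extract one value from "name: value" lines.
sysctl_val() {
  printf '%s\n' "$2" | awk -F': ' -v k="$1" '$1 == k { print $2 }'
}

# filter_points OUTPUT: print where pf applies rules to bridged traffic:
# "members bridge", "members", "bridge" or "none".
filter_points() {
  m=$(sysctl_val net.link.bridge.pfil_member "$1")
  b=$(sysctl_val net.link.bridge.pfil_bridge "$1")
  out=""
  if [ "$m" = "1" ]; then out="members"; fi
  if [ "$b" = "1" ]; then out="${out:+$out }bridge"; fi
  printf '%s\n' "${out:-none}"
}

# needs_member_rules OUTPUT: succeed (0) when pass rules are required on WAN and LAN
# themselves, i.e. when rules on the bridge alone are not enough.
needs_member_rules() {
  case "$(filter_points "$1")" in
    *members*) return 0 ;;
    *) return 1 ;;
  esac
}

# Commands that would apply the corrected tunables on the firewall (printed, not run:
# they need root on the pfSense box; in the GUI they go under System > Advanced > System Tunables).
apply_fix_cmds() {
  printf '%s\n' 'sysctl net.link.bridge.pfil_member=0' 'sysctl net.link.bridge.pfil_bridge=1'
}
```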
Thanks a lot for your reply..
I checked again. I have set the firewall rules for WAN, LAN and Bridge to allow all, with no restriction. I also changed the value to 0 as per your guidelines, but I am still not able to ping the gateway 10.10.20.10.
Once again, a brief of the configuration:
On all interfaces (WAN, LAN, Bridge and OPT) the firewall rule is set to allow all, no restriction.
The IP address of the Bridge is 10.10.20.13 and the gateway for the pfSense firewall is 10.10.20.10.
No IP is assigned to WAN and LAN; they are set to "None".
NAT is set to Manual.
Please guide me where I am going wrong. Or, if I need to do a fresh installation with some personal guidance from you, do let me know; I am ready to do it.
I think this guide explains it quite well:
You might want to move the IP address to WAN (or LAN, depending) instead of the bridge.
Did you do the "no-NAT" bit? It is probably where things go wrong now.
I have selected "Manual Outbound NAT rule generation"
I had followed this document… and I have tried it three times with reinstallation, carefully following all the steps.
Is there any rule to keep WAN and LAN on different switches? I had just come across some post on this. I have kept both interfaces on the same switch, as we have only one gateway which feeds MPLS as well as internet. Our major requirement is to do URL filtering.
Is there any rule to keep WAN and LAN on different switches?
Yes, how else are you going to filter? It should be:
Internet - Router - WAN (pfSense) LAN - switch - clients
Is this how you're connecting things? Otherwise, please post a diagram of how things are connected.
Our complete current network in brief is as follows:
MPLS Cloud with internet service (10.10.0.0/24)
  ==[10.10.0.0/24 series network]==> Router (IP: 10.10.20.10)
  ==> Switch
  ==> LAN (based on the 10.10.20.0/24 network)
We don't need other IPs or routing; our service provider feeds internet service over the MPLS link only. So our LAN clients need IPs in the 10.10.20.0/24 range going to the gateway 10.10.20.10 (router IP). All applications and internet work on this.
What I want to change in the network is as below, so I can do URL and content filtering and logging:
MPLS Cloud with internet service (10.10.0.0/24)
  ==[10.10.0.0/24 series network]==> Router (IP: 10.10.20.10)
  ==> Switch ======> LAN (based on the 10.10.20.0/24 network)
        \==> pfSense ==> (back to LAN through the switch)
So after implementing this, the gateway for the network would be 10.10.20.13, and all traffic and services from LAN clients will be filtered by URL and content filtering on pfSense and then forwarded to the router. Basically pfSense and the LAN both sit on the switch, with pfSense mainly working as the gateway for the LAN.
If you're doing a bridged firewall, the gateway would still be 10.10.20.10; pfSense would just be a filter on the line and should sit between the switch and the router.