Netgate Discussion Forum
    [SOLVED] LAN -> LAN bridge

    Routing and Multi WAN
    7 Posts 2 Posters 5.6k Views
    • MarkHowells

      First, I'm new to pfsense. Long time Linux user/admin/developer.

      I have a pfsense box with 3 NICs (WAN, LAN and CLOUD). I have one that will become a WAN port (later) and two others, connected to different LANs via appropriate switches (LAN, CLOUD). All I'm trying to do at the moment is have the pfsense box function as a router between the LAN and CLOUD ports… I have created a bridge (BRIDGE1) and included the LAN and CLOUD interfaces. I have created rules LAN->any and CLOUD->any.

      So, I have

      LAN:   10.0.0.89
      CLOUD: 192.168.0.200

      I have a route on my desktop PC (10.0.0.119) that routes 192.168.1.0/24 traffic to 10.0.0.89. Tracert confirms this. But the pfsense box just won't forward packets from my PC to a box on the other LAN. The pfsense box is able to ping each network fine. I'm sure I'm missing something here...

      • phil.davis

        All I'm trying to do at the moment is have the pfsense box function as a router between the LAN and CLOUD ports… I have created a bridge (BRIDGE1) and included the LAN and CLOUD interfaces.

        You have 2 subnets on 2 different NICs. In the first sentence you say you want to route between them - good and easy. Then you have created a bridge??? Remove any trace of bridging from the config. pfSense will route happily by default, as long as you have firewall rules on the interfaces to allow the traffic in - on LAN, LAN to any, on CLOUD, CLOUD to any will work fine, like you mention.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        • MarkHowells

          Yes, I realized that I didn't need the bridge last night - bit of a blonde moment. To be honest, I added the bridge in desperation in case I'd misunderstood the pfSense's notion of a bridge. So I believe I have what you suggest, but no routing takes place. :(

          • phil.davis

            It really does route all by itself. The only things that stop it are:
            a) No firewall rules to allow the traffic (including the unseen block all rule at the end)
            b) Firewall rules that send traffic to a particular gateway or gateway group (policy-routing)

            Have a look at Diagnostics->Routes - it should show the 2 LAN networks directly connected on 2 links.

            Check firewall rules and make sure they allow stuff (put pass any-any for a test on both LAN interfaces).

            Look in the firewall log for dropped packets.

            Post the above things if you are still stuck - maybe we can then spot the problem.

            • MarkHowells

              OK. I do now have it working :)

              The issue was to do with NAT, or more precisely a lack of it. I had mistakenly believed from the docs that NAT would be applied to my traffic by default, however I'm not using a WAN atm and the default NAT only applies to that port. So there was no NAT'ing between my two LAN ports. There is already a default gateway on my CLOUD LAN, so the return path for packets was not correct (CLOUD hosts targeting their default gw.)

              I've turned off automatic NAT and added a NAT rule to allow the CLOUD hosts to see a local src and all is well.

              Thanks for your help. :)

              • phil.davis

                Happy to help. Your solution will let LAN access CLOUD, but not the reverse direction. But if that is the real requirement, then great, because it actually helps make access from CLOUD to LAN difficult.

                • MarkHowells

                  @phil.davis:

                  Your solution will let LAN access CLOUD, but not the reverse direction. But if that is the real requirement, then great, because it actually helps make access from CLOUD to LAN difficult.

                  It's only a temporary solution, required because we already have a router (and default GW) into that LAN. When I'm happy with the pfsense configs we'll replace the other router and the NAT won't be required.

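As an added illustration of the return-path problem MarkHowells hit and of phil.davis's point that the outbound NAT workaround only lets LAN reach CLOUD (example code written for this page, not from the thread or from pfSense), the following Python model does longest-prefix routing over constructed tables. It assumes the CLOUD subnet is 192.168.0.0/24 (from the 192.168.0.200 interface address), a CLOUD host at 192.168.0.50 and an existing CLOUD default gateway at 192.168.0.1; none of these last two addresses appear in the thread.

```python
import ipaddress

# Constructed topology following the thread: the PC and pfSense's LAN side sit in
# 10.0.0.0/24, pfSense's CLOUD side in 192.168.0.0/24 (assumed from 192.168.0.200),
# and the CLOUD hosts point at an existing router (assumed 192.168.0.1), not at pfSense.
PC = "10.0.0.119"
PFSENSE_LAN = "10.0.0.89"
PFSENSE_CLOUD = "192.168.0.200"
CLOUD_HOST = "192.168.0.50"   # assumed address of a host on the CLOUD LAN
OTHER_GW = "192.168.0.1"      # assumed existing default gateway on the CLOUD LAN

# A routing table is a list of (prefix, gateway); gateway None means directly connected.
PC_ROUTES = [("10.0.0.0/24", None), ("192.168.0.0/24", PFSENSE_LAN)]
PFSENSE_ROUTES = [("10.0.0.0/24", None), ("192.168.0.0/24", None)]


def next_hop(routes, dst):
    """Longest-prefix match; returns the gateway, or dst itself when directly connected."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in routes if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return gw or dst


def cloud_host_routes(cloud_gw):
    """Table of a CLOUD host whose only path off its subnet is its default gateway."""
    return [("192.168.0.0/24", None), ("0.0.0.0/0", cloud_gw)]


def reply_next_hop(cloud_gw, outbound_nat):
    """Where the CLOUD host sends its reply to a connection the PC opened through pfSense.
    With outbound NAT on the CLOUD interface the host sees pfSense's own address as the
    source; without it the host sees the PC's 10.0.0.x address and uses its default route."""
    assert next_hop(PC_ROUTES, CLOUD_HOST) == PFSENSE_LAN       # PC's static route
    assert next_hop(PFSENSE_ROUTES, CLOUD_HOST) == CLOUD_HOST   # pfSense: directly connected
    seen_src = PFSENSE_CLOUD if outbound_nat else PC
    return next_hop(cloud_host_routes(cloud_gw), seen_src)


def reply_reaches_pfsense(cloud_gw, outbound_nat):
    return reply_next_hop(cloud_gw, outbound_nat) == PFSENSE_CLOUD


def cloud_can_initiate_to_lan(cloud_gw):
    """A CLOUD host can only open connections to the PC if its route to 10.0.0.0/24 leads to pfSense."""
    return next_hop(cloud_host_routes(cloud_gw), PC) == PFSENSE_CLOUD
```

The three states in the thread map to reply_reaches_pfsense(OTHER_GW, False) for the broken setup, reply_reaches_pfsense(OTHER_GW, True) for the NAT workaround, and reply_reaches_pfsense(PFSENSE_CLOUD, False) for the planned replacement of the other router; only the last also makes cloud_can_initiate_to_lan true.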
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.