[SOLVED] LAN -> LAN bridge



  • First, I'm new to pfSense. Long time Linux user/admin/developer.

    I have a pfSense box with 3 NICs (WAN, LAN and CLOUD). I have one that will become a WAN port (later) and two others, connected to different LANs via appropriate switches (LAN, CLOUD). All I'm trying to do at the moment is have the pfSense box function as a router between the LAN and CLOUD ports… I have created a bridge (BRIDGE1) and included the LAN and CLOUD interfaces. I have created rules LAN->any and CLOUD->any.

    So, I have

    LAN:   10.0.0.89
    CLOUD: 192.168.0.200

    I have a route on my desktop PC (10.0.0.119) that routes 192.168.1.0/24 traffic to 10.0.0.89. Tracert confirms this. But the pfSense box just won't forward packets from my PC to a box on the other LAN. The pfSense box is able to ping each network fine. I'm sure I'm missing something here...



  • All I'm trying to do at the moment is have the pfsense box function as a router between the LAN and CLOUD ports… I have created a bridge (BRIDGE1) and included the LAN and CLOUD interfaces.

    You have 2 subnets on 2 different NICs. In the first sentence you say you want to route between them - good and easy. Then you have created a bridge??? Remove any trace of bridging from the config. pfSense will route happily by default, as long as you have firewall rules on the interfaces to allow the traffic in - on LAN, LAN to any; on CLOUD, CLOUD to any will work fine, like you mention.



  • Yes, I realized that I didn't need the bridge last night - bit of a blonde moment. To be honest, I added the bridge in desperation in case I'd misunderstood the pfSense's notion of a bridge. So I believe I have what you suggest, but no routing takes place. :(



  • It really does route all by itself. The only things that stop it are:
    a) No firewall rules to allow the traffic (including the unseen block-all rule at the end)
    b) Firewall rules that send traffic to a particular gateway or gateway group (policy-routing)

    Have a look at Diagnostics->Routes - it should show the 2 LAN networks directly connected on 2 links.

    Check firewall rules and make sure they allow stuff (put pass any-any for a test on both LAN interfaces).

    Look in the firewall log for dropped packets.

    Post the above things if you are still stuck - maybe we can then spot the problem.



  • OK. I do now have it working :)

    The issue was to do with NAT, or more precisely a lack of it. I had mistakenly believed from the docs that NAT would be applied to my traffic by default; however, I'm not using a WAN atm and the default NAT only applies to that port. So there was no NATing between my two LAN ports. There is already a default gateway on my CLOUD LAN, so the return path for packets was not correct (CLOUD hosts targeting their default gw).

    I've turned off automatic NAT and added a NAT rule to allow the CLOUD hosts to see a local src and all is well.

    Thanks for your help. :)
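    The return-path problem described in this post, traced with a small route-lookup model. This is an added example, not code from the thread or from pfSense; the addresses 10.0.0.89, 10.0.0.119 and 192.168.0.200 come from the thread, while the CLOUD subnet 192.168.0.0/24, the CLOUD host 192.168.0.50 and the existing CLOUD default gateway 192.168.0.1 are assumptions.

```python
"""Trace a LAN -> CLOUD packet and its reply through per-host routing tables.

Without outbound NAT on CLOUD, the CLOUD host answers to 10.0.0.119, which its
table sends to the existing default gateway, so the reply never returns through
pfSense (asymmetric path; pf holds no state on the other router). With NAT the
source becomes 192.168.0.200, which is on-link, and the reply lands on pfSense.
"""
from ipaddress import ip_address, ip_network

# Constructed routing tables: (prefix, next hop); next hop None = directly
# connected. The PC carries the static route from the thread; CLOUD hosts only
# know their pre-existing default gateway (192.168.0.1 is an assumption).
TABLES = {
    "pc":      [("10.0.0.0/24", None), ("192.168.0.0/24", "10.0.0.89"),
                ("0.0.0.0/0", "10.0.0.1")],
    "pfsense": [("10.0.0.0/24", None), ("192.168.0.0/24", None)],
    "cloud":   [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.1")],
}
PFSENSE_ADDRS = {"10.0.0.89", "192.168.0.200"}


def next_hop(host, dst):
    """Longest-prefix match over the host's table. Returns the next-hop
    address, or the destination itself when it is directly connected."""
    best = None
    for prefix, via in TABLES[host]:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] or dst


def reply_reaches_pfsense(nat_on_cloud):
    """Forward: PC 10.0.0.119 -> CLOUD host 192.168.0.50 (assumed) via pfSense.
    Return: the CLOUD host replies to whatever source address it saw."""
    src, dst = "10.0.0.119", "192.168.0.50"
    assert next_hop("pc", dst) == "10.0.0.89"   # PC hands the packet to pfSense
    assert next_hop("pfsense", dst) == dst      # pfSense delivers it on CLOUD
    seen_src = "192.168.0.200" if nat_on_cloud else src
    return next_hop("cloud", seen_src) in PFSENSE_ADDRS


if __name__ == "__main__":
    print("reply returns via pfSense without NAT:", reply_reaches_pfsense(False))  # False
    print("reply returns via pfSense with NAT:   ", reply_reaches_pfsense(True))   # True
```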



  • Happy to help. Your solution will let LAN access CLOUD, but not the reverse direction. But if that is the real requirement, then great, because it actually helps make access from CLOUD to LAN difficult.



  • @phil.davis:

    Your solution will let LAN access CLOUD, but not the reverse direction. But if that is the real requirement, then great, because it actually helps make access from CLOUD to LAN difficult.

    It's only a temporary solution, required because we already have a router (and default GW) into that LAN. When I'm happy with the pfSense configs we'll replace the other router and the NAT won't be required.

