LAN, OPT1 bridging / UPnP / DHCP relay questions
-
I absolutely love pfSense! It has been able to handle everything I've thrown at it so far, but I'm having an issue that is pushing the limits of my networking understanding. I've searched these forums profusely to try to gather enough information to fix it myself, but I've run out of configuration tests. :(
On my network, I am currently running a Windows Server to handle my internal Active Directory, DNS, and DHCP responsibilities and a pfSense machine to handle my routing and firewalling.
The pfSense machine has 3 NICs:
-
LAN
-
WAN
-
XBox network (switch connected to the OPT1 NIC)
What I'm trying to do is get my media sharing working between the XBox network and my LAN. I've read up quite a bit on what UPnP ports are required, etc and think I have a good handle on the setup, but I'm having problems.
Here is the different configurations I have tried:
Separate subnets
LAN (192.168.0.x)- DHCP, DNS (192.168.0.1)
- firewall rules are in place to allow all traffic from OPT1 subnet
OPT1 (192.168.1.x)
- this interface's DHCP relay set to 192.168.0.1 (192.168.1.x scope setup on DHCP server…clients get IP properly)
- firewall rules are in place to allow all traffic from LAN subnet
I can ping from both subnets to each other (although, I needed to reboot pfSense before it would allow WAN access), but I think I'm missing something with the UPnP as my XBox360 can't find any PCs for media sharing
Bridging attempt
LAN- Bridged with OPT1
- DHCP relay turned on and set to DHCP server (192.168.0.1)
- I thought I shouldn't need to do this as bridging should put clients on the same subnet and therefore, able to get an IP from 192.168.0.1 DHCP server, no? - firewall rules are in place to allow all traffic from OPT1 subnet
- Do I need firewall rules for the bridged interface?
OPT1 - Bridged with LAN
- firewall rules are in place to allow all traffic from LAN subnet
One other clarification: What happens if you only set the OPT1 part of the bridge? I assume that the bridge isn't complete, but I can't ping the IP for that interface. What happens if only setting one side?
I'm using version 1.2 RC3.
Thank you so much for your assistance and this wonderful application!
-
-
:o
0.686b2better update to 1.2RC3 ^^"
When you bridge you dont need to DHCP-relay. This is why you are using the bridge.
Also when you bridge you dont need to set that on both interfaces.
right now you have LAN to OPT1 and OPT1 to LAN.remove then LAN to OPT1 and only leave the OPT1 to LAN
Disable the DHCP/relay on OPT1.
The DHCP from LAN will provide the IP's for OPT1.you only need rules on the bridged interface if you have "filtering bridge" active.
(advanced –> filtering bridge) -
Weird. I thought I changed that version number in the post. That was my FreeNAS version :)
Thank you for the info. This is how I thought it should be working as well, but I can't get an IP address assigned from my LAN DHCP server to anything on the bridged OPT1 NIC…
Any thoughts on why this might be the case?
-
It seems that the problem with DHCP over the bridged interface was actually caused by my ESX server networking config.
The thought came to me when seeing the NICs being set to promiscuous mode in the logs when bridged. I remembered that my virtual switches that were connected to the pfSense VM were set to reject Promiscuous Mode, MAC address changes, and Forged Transmits.
These settings are required on both virtual switches that are attached to the pfSense bridged NICS:
After I changed this, the OPT1 network started getting IP addresses from the DHCP server on the LAN and traffic flowed normally!
I do still have an issue with blocked traffic, however, if I don't specifically create a firewall rule to allow all traffic on the OPT1 (XBoxNet) interface:
I was under the impression that unless I was using a filtering bridge (advanced -> filtering bridge), I should not need to set these firewall rules… Comments?
Even when I do set the rule to allow all traffic, I can't get the XBox360 to see the media sharing on my PC... My PC is a member of a domain, so I have set the computer account in Active Directory as a member of the Windows Authentication Access group (as per the XBox media sharing documentation). Oh well, that's not really a problem for this forum ;)
-
If you click on that red X, what rule is blocking the traffic? With filtering bridge unchecked, it should bypass the filter, apparently it isn't.
-
It's the default rule blocking.
-
I tried enabling the filtering bridge option and disabling…same problem.
