PfSense 2.1.2 Bridging… how to do?



  • Hi,

    I had been trying to figure out how to solve my problem for more than a week to no avail.  I had posted a thread but it seems nobody understands my problem.  So let me rephrase and do one by one.

    Yesterday I downloaded 2.1.2 and started scratch from it.  I already have an existing network with 5 devices connected to my wifi router.  The Wifi router has DHCP enabled.  At the back of the Wifi router, it is connected to the DSL router.  All working under the same subnet of 192.168.1.xxx.  So basically the setup is as follows:

    5 devices (192.168.1.11 to 192.168.1.15)  ->  WIFI RTER (LAN:192.168.1.1 WAN:192.168.1.2) ->  DSL RTER (LAN:192.168.1.254 WAN:from provider)

    The above setup is working fine.  Now I want to insert the pfSense firewall between the WiFi router and the DSL router, and I don't want to change any other configuration of the existing network and its IP addresses.

    I load up pfSense 2.1.2 installation, assignments as follows (as seen in command line text):

    WAN -> vr1    -> v4: 192.168.1.251/24
    LAN -> vr0      -> v4: 192.168.1.250/24

    Then I set the WiFi router WAN's gateway to 192.168.1.250.

    Knowing that pfSense WAN and LAN are both in the same subnet, how can I make it bridge?  Do note that I cannot get into the webConfigurator even if I directly connect one PC to the pfSense LAN side.



  • As the most specific route wins, try to set pfSense WAN to 192.168.1.253/30 - at least you'll get access to GUI from LAN



  • @rubic:

    As the most specific route wins, try to set pfSense WAN to 192.168.1.253/30 - at least you'll get access to GUI from LAN

    It works. Being a newbie, I now understand a bit about the importance of the subnet bits.  I thought it's always set to 24.
    Anyhow, these are the changes I made:

    WAN -> vr1 -> v4: 192.168.1.240/27
    LAN -> vr0 -> v4: 192.168.1.150/24
    OPT1 -> bridge0 ->  * no ip set *

    Then I enabled DHCP under LAN; now I can surf the net.  Thank you.

    My next problem is how to enable the captive portal.  I tried enabling it under WAN and LAN; it says no because both are part of the bridge.
    I can set the captive portal for OPT1 but it doesn't seem to work.  I can still surf the net without any prompt for username / password.  Any hint?


  • Moderator

    Don't configure the WAN interface, just LAN, then enter the WebGUI and configure the Bridge in the Interfaces section of the menu.

    See: https://doc.pfsense.org/index.php/Interface_Bridges

    As for your configuration, that screams "wrong" to me all over. You don't use 2 configured network interfaces in the same IP range. Your new configuration might work but is wrong nonetheless, as you have your network (192.168.1.0/24) configured in 2 segments on the pfSense but your WiFi router and DSL router still run it as a /24 network, so that may lead to side effects you definitely won't like to happen.
    The interfaces vr0/1 should be part of a bridge (bridge0) and the bridge interface itself should have the only IP address configured.

    Another much simpler approach would be to just route traffic instead of bridging it. To do that, configure a new network on your WiFi router (e.g. 192.168.10.0/24) and set up your pfSense with LAN in 192.168.10.254/24 and WAN to 192.168.1.1. Then simply use pfSense as the outgoing default router for your .10.0/24 network. You are then using double NAT, but unless you want ports mapped from the internet to internal devices that's not a big problem.

    Otherwise, if you had 3 interfaces I'd recommend searching for and setting up a filtering bridge (transparent bridge) and using the 3rd interface as a management port.

    Greets
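    The two points made in this thread, that the most specific route wins (which is why shrinking the WAN prefix to /30 restores LAN access to the GUI) and that in a bridged setup only bridge0 should carry an address, can be checked with a small script. The following is an added example written for this page, not code from pfSense or from any poster; the three interface layouts are constructed from the addresses quoted in the thread, and bridge address 192.168.1.254/24 in the bridged layout is an assumption (the thread never fixes it).

```python
import ipaddress

# Interface layouts constructed from the thread. A value of None means the
# interface is a bridge member with no IP configured.
FIRST_ATTEMPT = {"WAN(vr1)": "192.168.1.251/24", "LAN(vr0)": "192.168.1.250/24"}
WORKAROUND = {"WAN(vr1)": "192.168.1.253/30", "LAN(vr0)": "192.168.1.250/24"}
# Assumed bridge address; members carry nothing, bridge0 carries the only IP.
BRIDGED = {"WAN(vr1)": None, "LAN(vr0)": None, "OPT1(bridge0)": "192.168.1.254/24"}


def connected_networks(ifaces):
    """Map interface name -> connected subnet, skipping unaddressed members."""
    return {name: ipaddress.ip_interface(addr).network
            for name, addr in ifaces.items() if addr}


def overlapping_pairs(ifaces):
    """Interface pairs whose connected subnets overlap (sorted by name)."""
    nets = connected_networks(ifaces)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def egress_interfaces(ifaces, dst):
    """Longest-prefix match over the connected routes.

    Returns every interface tied at the longest matching prefix, so a list
    longer than one means the host has no unambiguous route for dst.
    """
    host = ipaddress.ip_address(dst)
    best, best_len = [], -1
    for name, net in connected_networks(ifaces).items():
        if host not in net:
            continue
        if net.prefixlen > best_len:
            best, best_len = [name], net.prefixlen
        elif net.prefixlen == best_len:
            best.append(name)
    return best


def addressed_interfaces(ifaces):
    """Interfaces that carry an IP; a clean bridge layout yields only bridge0."""
    return [name for name, addr in ifaces.items() if addr]


def bridge_layout_ok(ifaces, members, bridge):
    """True when no member has an address and the bridge itself has one."""
    return all(ifaces.get(m) is None for m in members) and bool(ifaces.get(bridge))


if __name__ == "__main__":
    for label, layout in (("first attempt", FIRST_ATTEMPT),
                          ("/30 workaround", WORKAROUND),
                          ("bridged", BRIDGED)):
        print(f"--- {label}")
        print("overlapping subnets:", overlapping_pairs(layout))
        print("route to a LAN client .11:", egress_interfaces(layout, "192.168.1.11"))
        print("route to the DSL router .254:", egress_interfaces(layout, "192.168.1.254"))
        print("addressed interfaces:", addressed_interfaces(layout))
    print("bridge layout ok:", bridge_layout_ok(BRIDGED, ["WAN(vr1)", "LAN(vr0)"], "OPT1(bridge0)"))
```

    In the first attempt every 192.168.1.x host matches both /24s, so the route is a tie; with WAN at /30 only .252 to .255 prefer the WAN side and everything else goes out LAN, which is exactly why the GUI became reachable. The /30 layout still reports an overlap, which is the moderator's "might work but is wrong" point: only the bridged layout has one addressed interface and no overlap.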



  • @JeGr:

    Don't configure the WAN interface, just LAN, then enter the WebGUI and configure the Bridge in the Interfaces section of the menu.

    See: https://doc.pfsense.org/index.php/Interface_Bridges

    As for your configuration, that screams "wrong" to me all over. You don't use 2 configured network interfaces in the same IP range. Your new configuration might work but is wrong nonetheless, as you have your network (192.168.1.0/24) configured in 2 segments on the pfSense but your WiFi router and DSL router still run it as a /24 network, so that may lead to side effects you definitely won't like to happen.
    The interfaces vr0/1 should be part of a bridge (bridge0) and the bridge interface itself should have the only IP address configured.

    Another much simpler approach would be to just route traffic instead of bridging it. To do that, configure a new network on your WiFi router (e.g. 192.168.10.0/24) and set up your pfSense with LAN in 192.168.10.254/24 and WAN to 192.168.1.1. Then simply use pfSense as the outgoing default router for your .10.0/24 network. You are then using double NAT, but unless you want ports mapped from the internet to internal devices that's not a big problem.

    Otherwise, if you had 3 interfaces I'd recommend searching for and setting up a filtering bridge (transparent bridge) and using the 3rd interface as a management port.

    Greets

    I was able to get into the WebGUI after changing the pfSense WAN IP.

    And with regard to 2 interfaces in the same IP range, I also agree it's not good; that's why I need to bridge it, right?
    I was able to make vr0/1 part of bridge0. You mentioned that the bridge interface (which is OPT1) should have the ONLY IP address configured.  Do you mean setting both WAN and LAN to DHCP, or setting them to none?  And what IP address do I set the bridge to? 192.168.1.254/24?

    thanks


  • Moderator

    And with regard to 2 interfaces in the same IP range, I also agree it's not good; that's why I need to bridge it, right?

    Yes, that's right, but only if you don't want to route it. As I see you also asked about Captive Portal etc., it seems like you're trying to set up a gateway instance between your WLAN and your DSL router. If that's the case I would recommend going the separate-network route and reconfiguring your WLAN to another subnet (.10.x/24?) so you can route all WLAN traffic through pfSense and the captive portal. That spares you complex bridge setups and is easier to debug IMHO.

    Greets



  • Why not make the pfsense box the router and use your wifi router as just an AP?

    What exactly are you trying to get the pfsense box to do? Like, what are your end goals?

    BTW, you can achieve the same effect as bridging the interfaces by just using a single interface, and no bridge.



  • @extide:

    Why not make the pfsense box the router and use your wifi router as just an AP?

    What exactly are you trying to get the pfsense box to do? Like, what are your end goals?

    BTW, you can achieve the same effect as bridging the interfaces by just using a single interface, and no bridge.

    I'm actually trying to make it work like Untangle, where the bridge works in the same subnet (192.168.1.x).  The reason is simple… I'm using an old PC for the firewall, and from previous experience with Untangle, the hardware may fail at any time at random.  And I don't want to reconfigure the network when that happens.  I just unplug the Untangle box and directly connect the router to the DSL modem and everything just works (minus the firewall).  The Untangle firewall acts as a captive portal to allow only authorized people to use the internet; kids cannot use the internet without adult approval (only adults key in the username/password).  It also acts as a web filter to block porn and other sites from the kids' view when they're allowed to use the internet.  So basically, it is something that limits usage and ensures safe internet usage.

    But then again, since it's an old PC, I don't want to do lots of network setting changes when something happens.  And I believe that it is also one of pfSense's shining factors that it will run on an old Pentium II with 256MB RAM :-)  I'm using a Pentium IV with 1MB RAM though.

    Since I ran out of options to enable bridge + captive portal + web filtering in the same subnet, I ended up following JeGr's advice to use a different subnet.  So far the web filtering works, the captive portal works... but I now run into another problem.

    I'm using one of my PCs to test port forwarding to make sure that I can access my DVR at home while at work.  To my surprise, when I go to www.canyouseeme.org, it detects my PC's LAN IP address and not the WAN IP. Does anybody have a clue how to solve this?  I'm attaching a screenshot.  checkip.dyndns.com also gives me 192.168.1.8, but other sites like www.mywanip.com and www.whatismyip.com correctly detect my WAN IP.  I noticed this problem after installing squid3 and squidGuard.

    Sorry that I just put my concern here rather than making a new thread.




  • The problem you are now having is because you are Double NAT'd. Essentially it's because you're using 2 routers/firewalls. You should get rid of the other one.



  • @extide:

    The problem you are now having is because you are Double NAT'd. Essentially it's because you're using 2 routers/firewalls. You should get rid of the other one.

    I'm only using 1.  If my previous hardware hadn't died, I would have continued using Untangle.  But because I had to reinstall from scratch, I thought I'd just try pfSense.