Bridging problems
-
I've got a pfSense box here with 4 NICs: 1 GbE WAN, 2 GbE LAN(LAN and OPT1) and 1 100MbE LAN(OPT2).
I have put all three LANs into a bridge and can get DHCP leases from all 3, but cannot ping between NICs.
i.e. Laptop wired to OPT2 can't ping desktop wired to LAN.
I also can't access the internet from any clients of the bridge.Here's my setup
WAN -> re0 -> DHCP xxx.xxx.xxx.xxx/22 (IP censored)
LAN -> em0 -> None
OPT1 -> em1 -> None
OPT2 -> rl0 -> None
OPT3 -> bridge0 -> 10.0.0.1/8Ping tests
LAN –/--> OPT1
LAN --/--> OPT2
OPT1 --/--> LAN
OPT1 --/--> OPT2
OPT2 --/--> LAN
OPT2 --/--> OPT1System Tunables
net.link.bridge.pfil_member 0
net.link.bridge.pfil_bridge 1Not sure what I'm doing wrong, I've looked at tons of topics showing theirs working with the same setup.
-
The two sysctls are only applied when the bridge is brought up so if you changed them afterwards the bridge will be filtering in the wrong place. Take the bridge down and back up or just reboot to fix that.
Usually you would have the bridge interface assigned as LAN. Also there is no need to use a /8 as the LAN subnet unless you have thousands of clients. ;):WAN -> re0 -> DHCP xxx.xxx.xxx.xxx/22 (IP censored)
LAN -> bridge0 -> 10.0.0.1/24
OPT1 -> em1 -> None
OPT2 -> rl0 -> None
OPT3 ->em0 -> NoneIn you current config did you create a firewall rule on OPT3? There isn't one by default so no traffic will be allowed, a you're seeing. The LAN interface has rules in place to allow it so assigning that to the bridge0 interface should allow your traffic.
Steve
-
Usually you would have the bridge interface assigned as LAN.
It is not possible to assign bridge0 to LAN in pfSense 2.2-RC. In my case I would like to bridge several interfaces and assign an IP address on bridge0 and use it as LAN.
Error message:
Invalid interface name `bridge0` -
It is not possible to assign bridge0 to LAN in pfSense 2.2-RC.
Definitely false.
LAN (lan) -> bridge0 -> v4: 10.20.31.254/24 v6: 2001:xxx:xxx:xxx::254/64 LAN1 (opt1) -> vr1 -> LAN2 (opt2) -> vr2 -> LAN0 (opt3) -> vr0 -> bridge0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 ether xx:xx:xx:xx:xx:xx inet 10.20.31.254 netmask 0xffffff00 broadcast 10.20.31.255 inet6 2001:xxx:xxx:xxx::254 prefixlen 64 nd6 options=1 <performnud>id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200 root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 member: vr0 flags=143 <learning,discover,autoedge,autoptp>ifmaxaddr 0 port 1 priority 128 path cost 55 member: vr2 flags=143 <learning,discover,autoedge,autoptp>ifmaxaddr 0 port 3 priority 128 path cost 55 member: vr1 flags=143 <learning,discover,autoedge,autoptp>ifmaxaddr 0 port 2 priority 128 path cost 55</learning,discover,autoedge,autoptp></learning,discover,autoedge,autoptp></learning,discover,autoedge,autoptp></performnud></up,broadcast,running,simplex,multicast> -
Definitely false.
Okay, please tell me how you did this. :)
I installed the following pfSense release.
http://snapshots.pfsense.org/FreeBSD_releng/10.1/amd64/pfSense_RELENG_2_2/livecd_installer/pfSense-LiveCD-2.2-RC-amd64-20150102-1450.iso.gz
Take a look here and see that bridge0 is not even a valid interface.
WAN (wan) -> em0 -> v4: 10.1.1.2/24 v6/DHCP6: 2001:xxx:xxx:xxx:e94d/64 LAN1 (lan) -> em1 -> v4: 192.168.1.4/24 LAN2 (opt1) -> em2 -> LAN3 (opt2) -> em3 -> LAN4 (opt3) -> em4 -> LAN5 (opt4) -> em5 -> LAN (opt5) -> bridge0 -> v4: 192.168.1.5/24 0) Logout (SSH only) 9) pfTop 1) Assign Interfaces 10) Filter Logs 2) Set interface(s) IP address 11) Restart webConfigurator 3) Reset webConfigurator password 12) pfSense Developer Shell 4) Reset to factory defaults 13) Upgrade from console 5) Reboot system 14) Disable Secure Shell (sshd) 6) Halt system 15) Restore recent configuration 7) Ping host 16) Restart PHP-FPM 8) Shell Enter an option: 1 Valid interfaces are: em0 00:0c:29:d0:e9:4d (up) Intel(R) PRO/1000 Legacy Network Connection 1.0.6 em1 00:0c:29:d0:e9:57 (up) Intel(R) PRO/1000 Legacy Network Connection 1.0.6 em2 00:0c:29:d0:e9:61 (up) Intel(R) PRO/1000 Legacy Network Connection 1.0.6 em3 00:0c:29:d0:e9:6b (up) Intel(R) PRO/1000 Legacy Network Connection 1.0.6 em4 00:0c:29:d0:e9:75 (up) Intel(R) PRO/1000 Legacy Network Connection 1.0.6 em5 00:0c:29:d0:e9:7f (up) Intel(R) PRO/1000 Legacy Network Connection 1.0.6 Do you want to set up VLANs first? If you are not going to use VLANs, or only for optional interfaces, you should say no here and use the webConfigurator to configure VLANs later, if required. Do you want to set up VLANs now [y|n]? -
Hmm, I've never tried to do it from the console. It's definitely possible via the webgui though.
You have a subnet conflict there, LAN and OPT5 are in the same subnet. Normally all the bridge members are assigned as type 'none' and only the bridge itself has an IP.
Steve
-
Hmm, I've never tried to do it from the console. It's definitely possible via the webgui though.
Please tell me how, because I cannot find it.
Edit: I had to unassign LAN interface em1 from the bridge before it was possible to assign LAN to the bridge interface bridge1. That means that you need at least four interfaces before it is even possible to do this from the web gui. One NIC for WAN and three interfaces for LAN.
You have a subnet conflict there, LAN and OPT5 are in the same subnet. Normally all the bridge members are assigned as type 'none' and only the bridge itself has an IP.
Steve
It was just for a test, If I pull the network cable from LAN1 then I lose the connection with the bridge. That's why I need to assign LAN to the bridge interface.
-
Hmm, I've never tried to do it from the console. It's definitely possible via the webgui though.
Please tell me how, because I cannot find it.
At Interfaces | (assign) | Bridges
Give Lan an otherwise unused interface first, setup the bridge with the interfaces you need and swap out the Lan interface when done.
I sometimes create an additional (VLAN) interface for this task on hardware like APUs with a limited number of NICs, but that's not needed in your case. -
You can do it with three interfaces but doing everything in the correct order becomes critical. It's very easy to end up locked out of the webgui. ;)
Steve
-
Sure, pfSense hardly holds you from shooting in your own foot. ;)
-
I cannot understand why you must assign at least two network adapters to the bridge when it is created. In other manufacturers such as MikroTik routers it is possible to create a bridge without assigning any network adapter. One network adapter should be enough to create a bridge in pfSense.
-
Doing this from GUI is troublesome if you are actually using the to-be-bridged interface to connect in the first place. Probably better to just edit and import a config and let the box reboot… Relevant parts:
<interfaces><lan><enable><if>bridge0</if> <spoofmac><ipaddr>10.20.31.254</ipaddr> <subnet>24</subnet></spoofmac></enable></lan> <opt1><if>vr0</if> <enable><spoofmac></spoofmac></enable></opt1> <opt2><if>vr1</if> <enable><spoofmac></spoofmac></enable></opt2> <opt3><if>vr2</if> <enable><spoofmac></spoofmac></enable></opt3></interfaces> <bridges><bridged><members>opt1,opt2,opt3</members> <maxaddr><timeout><maxage><fwdelay><hellotime><priority><proto>rstp</proto> <holdcnt><ifpriority><ifpathcost><bridgeif>bridge0</bridgeif></ifpathcost></ifpriority></holdcnt></priority></hellotime></fwdelay></maxage></timeout></maxaddr></bridged></bridges> -
I cannot understand why you must assign at least two network adapters to the bridge when it is created.
Well the pfSense bridge facility is just a front end on the FreeBSD bridge driver:
@https://www.freebsd.org/cgi/man.cgi?query=bridge&apropos=0&sektion=0&manpath=FreeBSD+10.1-RELEASE&arch=default&format=html:The if_bridge driver creates a logical link between two or more IEEE 802 networks that use the same (or ``similar enough'') framing format.
Creating a one interface bridge seems a bit illogical although I see where your coming from.
Steve
-
Doing this from GUI is troublesome if you are actually using the to-be-bridged interface to connect in the first place. Probably better to just edit and import a config and let the box reboot…
I thought about it, but decided to administer pfSense over the WAN interface.
Creating a one interface bridge seems a bit illogical although I see where your coming from.
Probably, but in this case it would only be temporary until the configuration is completed.
