Impact on LAN rules when bridging to wlan?

lovingHDTV

[originally posted in hardware, by mistake so here it is]

I currently have everything running and have a few LAN rules.  Two rules to send all lan data out the VPN gateway.  A couple rules to classify VOIP alias to the proper queues, and a couple rules to send data from an IP address to a different queue.

I want to add a wifi AP and plan to just bridge the wlan with the existing LAN. When I do this, am I going to have to change my existing LAN rules?

No VOIP will go over wlan.
The IP specific rule will not be on wlan.
I do want all traffic from wlan to go out the VPN gateway, just like LAN is today.

Hopefully that makes sense.

thanks,
david

Derelict

Here's how I understand it:

Say your existing LAN interface is em0 and your wireless interface will be wlan0.  When you bridge them, you will then have interface BRIDGE0.  You REASSIGN LAN to BRIDGE0 in interfaces->assign.  Now all your rules are on that interface.  You then need pass any any any rules on the physical bridge interfaces.  This lets traffic "into the bridge".  The rules on the bridge interface (the one assigned to LAN) let traffic from the bridge "into pfSense" like they always have.

It's kind of strange because you'd think you'd be limited to layer 2 (MAC Address) filtering on the bridge members but you're not (I don't think it's available at layer 2 at all).  You put regular layer 3/4 firewall rules on the bridge members to pass traffic into the bridge itself.

wlan and lan clients will be on the same subnet / broadcast domain.  Your existing match rules will still match the same traffic they always have.

Derelict

@lovingHDTV:

[originally posted in hardware, by mistake so here it is]
I want to add a wifi AP and plan to just bridge the wlan

An AP or a wireless adapter in pfSense?  If an AP just plug it into your LAN and go.

lovingHDTV

It is a wireless adapter (ath0) that I want to run as an AP.

david

georgeman

@Derelict:

You REASSIGN LAN to BRIDGE0 in interfaces->assign

I have never liked to do that. Yes, it is a way easier than moving each rule, but sooner or later you will have issues (mainly if you later on reassign the interfaces, you can get locked out very easily)

Derelict

Don't get locked out, then.  I'm not talking about making this sort of change from Moscow at a remote site in Siberia.

georgeman

@Derelict:

Don't get locked out, then.  I'm not talking about making this sort of change from Moscow at a remote site in Siberia.

I don't usually reply just for this, but LOL  ;D

Derelict

And if you do it from WAN or VPN into WAN you likely won't get locked out.  Major change to be sure, and probably best done with console/local access.