Netgate Discussion Forum
    Impact on LAN rules when bridging to wlan?

    Firewalling
    lovingHDTV

      [originally posted in hardware, by mistake so here it is]

      I currently have everything running and have a few LAN rules: two rules to send all LAN data out the VPN gateway, a couple of rules to classify the VOIP alias to the proper queues, and a couple of rules to send data from an IP address to a different queue.

      I want to add a wifi AP and plan to just bridge the wlan with the existing LAN. When I do this, am I going to have to change my existing LAN rules?

      No VOIP will go over wlan.
      The IP specific rule will not be on wlan.
      I do want all traffic from wlan to go out the VPN gateway, just like LAN is today.

      Hopefully that makes sense.

      thanks,
      david

      Derelict (Netgate)

        Here's how I understand it:

        Say your existing LAN interface is em0 and your wireless interface will be wlan0.  When you bridge them, you will then have interface BRIDGE0.  You REASSIGN LAN to BRIDGE0 in interfaces->assign.  Now all your rules are on that interface.  You then need "pass any any any" rules on the physical bridge interfaces.  This lets traffic "into the bridge".  The rules on the bridge interface (the one assigned to LAN) let traffic from the bridge "into pfSense" like they always have.

        It's kind of strange because you'd think you'd be limited to layer 2 (MAC Address) filtering on the bridge members but you're not (I don't think it's available at layer 2 at all).  You put regular layer 3/4 firewall rules on the bridge members to pass traffic into the bridge itself.

        wlan and lan clients will be on the same subnet / broadcast domain.  Your existing match rules will still match the same traffic they always have.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

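The two-stage filtering Derelict describes, written out as a pf ruleset fragment. This is an added illustration, not text from the thread and not pfSense's generated rules: em0 and ath0 come from the posts, while bridge0, the LAN subnet, the alias contents, the queue names and the VPN gateway name and address are assumptions, and the queue definitions themselves are left to whatever the shaper created. In pfSense these are GUI rules; the equivalent generated syntax lands in /tmp/rules.debug, which is the place to confirm that the member-interface pass rules really exist before you count on wireless clients reaching anything.

```pf
# Added example (not from the thread, not pfSense output). Assumed names:
#   em0 = wired LAN NIC, ath0 = wireless NIC, bridge0 = the bridge now assigned as LAN
#   192.168.1.0/24 = LAN subnet, ovpnc1 / 10.8.0.1 = VPN client interface and gateway
#
# Filtering on the member NICs *and* again on bridge0, as described above, needs
# both bridge tunables (System > Advanced > System Tunables in pfSense; assumption):
#   net.link.bridge.pfil_member = 1
#   net.link.bridge.pfil_bridge = 1

# Default deny, as the generated ruleset starts.
block in log all

# Stage 1: rules on the physical members let frames "into the bridge".
# These are ordinary layer 3/4 rules; there is no MAC-address filtering here.
pass quick on em0 all
pass quick on ath0 all

# Stage 2: LAN is now bridge0, so the existing LAN rules live here and see wired
# and wireless clients alike (one subnet, one broadcast domain). The match rules
# must sit above the quick pass rule: once a quick rule matches, evaluation stops.

table <VOIP_PHONES> { 192.168.1.50, 192.168.1.51 }   # assumed alias contents

# Classify the VoIP phones into the voice queues (queue names assumed from the shaper).
match in on bridge0 inet from <VOIP_PHONES> queue (qVoIP, qACK)

# Put one specific host's traffic into a different queue.
match in on bridge0 inet from 192.168.1.60 queue qBulk

# Policy-route everything from LAN, wired or wireless, out the VPN gateway.
# Caveat (assumed pfSense default gateway handling): if ovpnc1 is down this rule
# falls back to the default route, so a separate block for LAN->WAN is what
# actually prevents the leak; it is not shown here.
pass in quick on bridge0 inet from bridge0:network to any \
    route-to (ovpnc1 10.8.0.1) keep state
```

The point to check after the change is that a wireless client's packet now has to pass twice: once on ath0 (stage 1) and once on bridge0 (stage 2). If the ath0 rule is missing, wireless clients get an address from the bridge but nothing else, which looks like a wifi problem rather than a firewall one.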
        Derelict (Netgate)

          @lovingHDTV:

          [originally posted in hardware, by mistake so here it is]
          I want to add a wifi AP and plan to just bridge the wlan

          An AP or a wireless adapter in pfSense?  If an AP just plug it into your LAN and go.

          lovingHDTV

            It is a wireless adapter (ath0) that I want to run as an AP.

            david

            georgeman

              @Derelict:

              You REASSIGN LAN to BRIDGE0 in interfaces->assign

              I have never liked doing that. Yes, it is way easier than moving each rule, but sooner or later you will have issues (mainly if you later reassign the interfaces; you can get locked out very easily).

              If it ain't broke, you haven't tampered enough with it

              Derelict (Netgate)

                Don't get locked out, then.  I'm not talking about making this sort of change from Moscow at a remote site in Siberia.

                georgeman

                  @Derelict:

                  Don't get locked out, then.  I'm not talking about making this sort of change from Moscow at a remote site in Siberia.

                  I don't usually reply just for this, but LOL  ;D

                  Derelict (Netgate)

                    And if you do it from WAN or VPN into WAN you likely won't get locked out.  Major change to be sure, and probably best done with console/local access.

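The lockout georgeman and Derelict are talking about has a standard safety net when console access is not an option: arm a rollback timer before the change and disarm it only after you have confirmed you can still log in. The script below is an added example, not pfSense code and not something from the thread. It assumes the firewall keeps its configuration in a single file (on pfSense that is taken to be /conf/config.xml, an assumption here) and that a reload command of your choosing is enough to re-apply a restored file; a reboot is the blunt but reliable choice for that command.

```sh
#!/bin/sh
# Added example (not pfSense's own tooling): commit-or-rollback guard for a
# risky interface reassignment done over the network.
#
# Usage on the firewall (paths and reload command are assumptions):
#   guard_start /conf/config.xml 600 'reboot'
#   ... make the bridge / reassignment change in the GUI ...
#   ... reconnect to confirm you still have access ...
#   guard_confirm /conf/config.xml
# If guard_confirm never runs, the saved copy is restored after 600 seconds
# and the reload command is executed.

# guard_start CONFIG TIMEOUT_SECONDS RELOAD_CMD
guard_start() {
    cfg=$1
    timeout=$2
    reload=$3
    cp "$cfg" "$cfg.guard-backup" || return 1
    rm -f "$cfg.guard-confirmed"
    # Detached watchdog: wait, then roll back unless the confirm marker appeared.
    (
        sleep "$timeout"
        if [ ! -e "$cfg.guard-confirmed" ]; then
            cp "$cfg.guard-backup" "$cfg"
            sh -c "$reload"
        fi
    ) >/dev/null 2>&1 &
    echo $! > "$cfg.guard-pid"
}

# guard_confirm CONFIG : run only after you have verified access still works.
# Both the marker file and the kill are used, so either one alone is enough
# to stop the rollback. The backup copy is left in place on purpose.
guard_confirm() {
    cfg=$1
    : > "$cfg.guard-confirmed"
    if [ -f "$cfg.guard-pid" ]; then
        kill "$(cat "$cfg.guard-pid")" 2>/dev/null || true
        rm -f "$cfg.guard-pid"
    fi
}
```

Run guard_start from a session that survives the change (a tmux or screen session on the box, or a background job as above), not from the browser session you are about to reconfigure. The timeout should be long enough to finish the change and reconnect, but short enough that a failed change does not leave the site dark for an afternoon.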