How to make a pfSense LAN with multiple interfaces work like a switch?



  • Hi all, sorry for my English.

    I have pfSense 2.2 running in Hyper-V with 4 NICs (a 4-port Intel 82580 GE adapter), and when I assign just 1 LAN interface to pfSense, everything runs OK.

    Now I want 1 desktop and 1 Wi-Fi AP connected to the pfSense LAN, so I bridged opt1, opt2… and assigned the bridge0 interface to LAN. No DHCP, no internet access, and they cannot ping each other. What should be done to make it work?


  • Rebel Alliance Global Moderator

    Buy a switch! If you need more than 1 device on a segment. If you want to have more than one segment, create those and assign them to the proper physical NICs, then set up the firewall rules to allow the traffic you want between the segments.

    It is not cost effective to use router NICs as switch ports!! When you can get a switch for $20, why would anyone do that??



  • @johnpoz:

    It is not cost effective to use router NICs as switch ports!! When you can get a switch for $20, why would anyone do that??

    I'm not speaking for the person who posted the question, but here's why I would want to do it:

    I bought a Lanner net appliance with 6 Gigabit Ethernet ports. I only need three of them (LAN, WAN, DMZ). In the basement where the pfSense unit is, I need three items on the LAN segment: my server, the WiFi AP, and the line to the switch in the office. The reason I bought the device (and not one with fewer ports) is that the size of the device had to be determined not by the number of ports but by CPU power, so as to enable proper filtering (virus, content, etc.) and VPN without hitting a CPU limit, while potentially having enough CPU to spare for a VoIP server (Asterisk or FusionPBX).

    Right now, I have an additional switch in the basement, which occasionally hangs itself, and even while running fine, requires extra cables, a power supply, etc. So the number of potential failure points is higher (meaning lower MTBF), and the electricity consumption is higher.

    So I'm wasting three spare gigabit ports on my Lanner device, and I have extra cable salad and power consumption and reliability issues with a switch. Even if I were to attach all LAN devices that reside in the basement and used one port for the uplink to the office, I'd still have a spare port on the Lanner.

    Simply bridging a few spare ports on the pfSense box would in this case be rather useful and effective, both in lowering electricity usage as well as in increasing reliability and lowering the troubleshooting effort when something goes wrong. Particularly, each piece of equipment between the server and the internet is one more chance of critical services going down.

    I now have a FiOS ONT, pfSense and a switch, plus of course cables and connectors and power supplies for each, which are all potential failure points. Getting rid of the switch would eliminate one Ethernet cable, two connectors, a switch and a power supply as potential failure points.

    So as you can see, while it would be a waste of resources to buy a multi-port network appliance with the idea of saving a switch, it's not a waste of resources saving a switch by using unused resources already present.

    It comes down to the old joke of whether it's OK to smoke while praying (answer: no, when praying one shouldn't be distracted), or whether it's OK to pray while smoking (answer: yes, it's always OK to pray).
    So it's how you ask the question that determines the answer.



  • I'm a believer in pointing someone to where they can procure enough rope.
    OP: By default, the individual interfaces are filtered, not the bridge. So, if you created a bridge, you would still need rules on the member interfaces.
    If you want to change that behavior, go to the tunables under System, Advanced and flip the two net.link.bridge values. Then add the rules on the bridge interface.
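    The practical consequence of the post above is that, on a default-deny firewall, a bridge whose governing interface has no rules passes nothing, which is exactly the "no DHCP, cannot ping" symptom. The following audit script is an added example, not code from the thread or from pfSense: it parses `sysctl net.link.bridge` output (a constructed sample here) and reports which rule set applies. The tunable names net.link.bridge.pfil_member and net.link.bridge.pfil_bridge are the FreeBSD if_bridge(4) sysctls the poster refers to as "the two net.link.bridge values"; the interface names and rule lists in the sample are assumptions.

```python
"""Audit where a FreeBSD/pfSense bridge applies firewall rules.

Reads sysctl-style lines, classifies the bridge filtering mode from the two
pfil tunables, and lists interfaces whose governing rule set is empty.
"""
import re

# FreeBSD if_bridge(4) tunables; the thread only calls them "the two net.link.bridge values".
MEMBER_KEY = "net.link.bridge.pfil_member"
BRIDGE_KEY = "net.link.bridge.pfil_bridge"

# Accepts both "name: value" (sysctl default) and "name=value" (sysctl.conf) forms.
SYSCTL_LINE = re.compile(r"^\s*([\w.]+)\s*[:=]\s*(-?\d+)\s*$")

# Constructed sample of `sysctl net.link.bridge` output with pfSense-style
# defaults: members filtered, bridge interface not filtered.
SAMPLE_SYSCTL = """\
net.link.bridge.ipfw: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0
"""


def parse_sysctl(text):
    """Return {name: int} for every integer sysctl line; other lines are ignored."""
    values = {}
    for line in text.splitlines():
        m = SYSCTL_LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def rule_placement(values):
    """Classify the filtering mode and say where rules must live.

    Returns (mode, explanation) where mode is one of
    'member', 'bridge', 'both', 'none' or 'unknown'.
    """
    member = values.get(MEMBER_KEY)
    bridge = values.get(BRIDGE_KEY)
    if member is None or bridge is None:
        return ("unknown", "pfil tunables not present; is a bridge configured?")
    if member and not bridge:
        return ("member", "rules are evaluated on each member interface (pfSense default)")
    if bridge and not member:
        return ("bridge", "rules are evaluated on the bridge interface only")
    if member and bridge:
        return ("both", "a frame is checked twice: member rules and bridge rules must both pass")
    # Both zero: the bridge forwards everything unfiltered. Worth flagging in an audit.
    return ("none", "bridged traffic is not filtered at all")


def missing_rule_sets(mode, bridge_if, members, rules_per_interface):
    """Return interfaces that govern bridged traffic but carry no rules.

    pfSense denies by default, so an empty governing rule set blocks all
    traffic through the bridge. The result is ordered members first, then bridge.
    """
    needed = []
    if mode in ("member", "both"):
        needed.extend(members)
    if mode in ("bridge", "both"):
        needed.append(bridge_if)
    return [ifn for ifn in needed if not rules_per_interface.get(ifn)]


if __name__ == "__main__":
    vals = parse_sysctl(SAMPLE_SYSCTL)
    mode, why = rule_placement(vals)
    print(f"mode={mode}: {why}")
    # Constructed scenario: opt1/opt2 bridged into bridge0, rules placed only on bridge0.
    rules = {"bridge0": ["pass any"], "opt1": [], "opt2": []}
    print("interfaces blocking everything:", missing_rule_sets(mode, "bridge0", ["opt1", "opt2"], rules))
```

    With the sample defaults the script reports `member` mode and lists opt1 and opt2 as the interfaces that block everything, which is the mismatch the post describes: rules on bridge0 do nothing until the tunables are flipped, and with the defaults each member needs its own rules. The `none` result (both tunables zero) is the case an auditor should look for, since it means the bridge forwards frames with no firewall in the path.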


  • Netgate

    Get a switch. Save your precious router ports for routing.

    Simply bridging a few spare ports on the pfSense box would in this case be rather useful and effective, both in lowering electricity usage as well as in increasing reliability and lowering the troubleshooting effort when something goes wrong. Particularly, each piece of equipment between the server and the internet is one more chance of critical services going down.

    At the cost of performance. Ethernet ports on pfSense do not have the dedicated ASICs, found in even the cheapest switches, necessary for near-wire-speed forwarding of Ethernet frames completely offloaded from the pfSense CPU.

    And at the cost of complexity. Search the forum for all the problems people have with bridging interfaces. Yes, it works, but a switch is almost always a better option.



  • Not to mention, by bridging those interfaces… haven't you effectively created a HUB?

    Don't over think it... buy a switch.


  • Rebel Alliance Global Moderator

    Having a switch in a network is a given - PERIOD!! End of story; all your nonsense about extra failure points or cable salad is pointless. Not my problem you have an issue with simple cable management. But it is right in line with your prayer analogy if you ask me (pointless waste of time; might as well ask Santa to bring you a switch).

    What network are you creating that doesn't already have a switch?? Why is there not a switch already? If you're having a problem with said switch, get a newer, better switch.

    The appliance you would run pfSense on as a router/firewall is NOT a switch; all attempts to use it as one only lead to complication and more failure or engineering time. If you need more ports on a segment, the answer is to use a switch with the ports you need or add another switch.

    While there are situations where you might need to create a bridge, etc., a bridge does not make them switch ports. What the OP is asking about is a switch port, so the answer is get a switch!


  • Netgate Administrator

    Yep pretty much what's been said.
    However, this:
    https://forum.pfsense.org/index.php?topic=48947.msg269592#msg269592

    Steve



  • Thank you guys!
    Maybe you are right, I have to buy a switch.