Bridging LAN and WLAN (again).



  • I have searched the forums, searched Google, but the examples etc. do not work for me or I am doing something wrong. (For reference I was trying to follow https://forum.pfsense.org/index.php/topic,20917.0.html)

    So I bought a supported Atheros card and wish to add wireless. I added the card and added a WIFI interface with AP settings, and a static IP different to the LAN. Example below:

    WAN: 192.168.0.1
    LAN: 192.168.1.1
    WIFI: 192.168.10.1

    I can see and connect to the WIFI interface, and get an IP from the WIFI DHCP server. I would like to now bridge the WIFI and LAN together. I set up a bridge interface (Interfaces -> Assign), and selected LAN and WIFI.

    But when I try and assign BRIDGE0 to LAN and the original LAN (re1) I get the error message:

    You cannot set port bridge0 to interface LAN because this interface is a member of bridge0.

    Not sure what I am doing wrong or if there is a step I need to do to bridge the interfaces.


  • Banned

    @ak:

    So I bought a supported Atheros card and wish to add wireless.

    Beyond that, you are doing that in the wrong order.

    P.S. For goddamn sake, someone remove this bridge usage "example"/"suggestion" from the wiki.  >:(


  • LAYER 8 Netgate

    ~~OMFG.

    Edit your Wireless interface.  Set IPv4 and IPv6 to None.  Save and apply.

    Create a bridge with members re1 and your wireless interface.

    Go to System > Advanced, System Tunables tab

    Set net.link.bridge.pfil_member = 0
    Set net.link.bridge.pfil_bridge = 1

    Go to Interfaces > (assign)  And CHANGE the assignment for LAN from re1 to BRIDGE0.

    And you're done.~~

    Those steps probably do not undo things enough for it to work.  Delete everything and start over.
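    As an added example (not from this thread, and not pfSense's own tooling), a small POSIX shell check that reads the two if_bridge(4) sysctls mentioned above from captured `sysctl` output and reports where pf is filtering bridged traffic. The two sample outputs are constructed; the check assumes the FreeBSD "name: value" output form.

```shell
#!/bin/sh
# Added example (not from the thread): check the two if_bridge(4) filtering
# sysctls that the steps above set, given the text output of
#   sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge
# It runs on captured/constructed output so it can be tried anywhere,
# not only on a pfSense box.

# Constructed sample output, in the "name: value" form sysctl prints on FreeBSD.
GOOD_SYSCTL="net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1"

# Constructed sample where filtering is disabled on both (nothing is filtered).
BAD_SYSCTL="net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0"

# sysctl_value OUTPUT NAME -> prints the value for NAME found in OUTPUT
sysctl_value() {
    printf '%s\n' "$1" | awk -v key="$2" -F': ' '$1 == key { print $2 }'
}

# bridge_filter_mode OUTPUT -> prints one of:
#   bridge   filtering on the bridge interface only (rules on the assigned
#            LAN/bridge interface apply; the mode the steps above configure)
#   member   filtering on member ports only (rules must live on each member)
#   both     filtering happens twice, once on members and once on the bridge
#   none     neither sysctl is set: frames forwarded between members are
#            never handed to pf, so no rules apply to them
bridge_filter_mode() {
    member=$(sysctl_value "$1" net.link.bridge.pfil_member)
    bridge=$(sysctl_value "$1" net.link.bridge.pfil_bridge)
    case "${member:-?}${bridge:-?}" in
        01) echo bridge ;;
        10) echo member ;;
        11) echo both ;;
        00) echo none ;;
        *)  echo unknown; return 1 ;;
    esac
}

# Live use on a FreeBSD/pfSense host (commented out so the script runs offline):
# bridge_filter_mode "$(sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge)"
```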


  • Banned

    @Derelict:

    Those steps probably do not undo things enough for it to work.  Delete everything and start over.

    Yeah, it's extremely tricky to get this right once you already have LAN assigned and are actually connected via LAN; chances are high you'll cut yourself off at some point as well.



  • So from what doktornotor says/implies, I don't need to bridge, and someone should remove the entry from the wiki due to this being misunderstood by the majority?

    Derelict suggests that following what has been said before is wrong and should be undone - however, backing out the changes is probably not enough and I should start from scratch.

    So is there a sticky, resource or thread available with regard to the best practice for this? The last post implies that it would be difficult, as typically a LAN is assigned up front to gain access and start using pfSense.

    Can anyone point me to some form with setting up an AP with 2 (or more) SSIDs, where one of the SSIDs is permissioned for the LAN and the other is a guest?


  • Banned

    @ak:

    Can anyone point me to some form with setting up an AP with 2 (or more) SSIDs, where one of the SSIDs is permissioned for the LAN and the other is a guest?

    You certainly don't achieve this by bridging… and unless that AP is VLAN-capable and can tag traffic per SSID, you need two separate APs on two separate physical interfaces for this (unless you want to do something stupid, like using the AP as router with double/triple... NAT).



  • :D when did everyone get bridge-happy?



  • @kejianshi:

    :D when did everyone get bridge-happy?

    Probably the same time people started to google to find out how to add a built-in AP and only have what is available to read. It would be useful to have a sticky or some form of documentation for this so it is correctly done - so far there has been nothing (here or otherwise) for this, or am I looking in the wrong place?



  • Oh - It's because of the bad choice to go with a built-in AP.  Then one mistake leads to the next?



  • Here is some information on the "Standalone" method without the need for a bridge. This method is required for a pfSense based Access Point -Captive Portal- as they do not allow bridged interfaces with Captive Portal.

    http://www.interspective.net/2012/07/one-pfsense-wireless-config-to-rule.html



  • Everyone does realize:

    1.  There would be no need for any of this if you used an external AP

    2.  You would probably get much faster and more stable wireless using all the latest wireless protocols

    3.  1 and 2 aren't enough?



  • Well, 802.11 has been built in to pfSense since 2004 and people have been saying it's broke ever since.

    Why do so many people ask "why" in regards to something that has been built in forever? I don't get it. This is open source. Think different, i.e. cheap.

    I think pfSense wireless works superb. Maybe not for big setups, but for home use.

    Back on topic, I have to disagree with info contained in this post here. You can do this with one physical wireless interface. You can create 8 separate Access Points with one module. The only kicker is they must all be in the same band, either 2.4 GHz or 5 GHz, not both.

    For example, Main wlan0 on 5 GHz with its own SSID and Guest wlan1 on 5 GHz with its own SSID.
    Totally doable; rules for each interface must be applied. See the wireless tab under interfaces.



  • How much does one of those cards plus some antennas cost?  What modes and speed are supported reliably?



  • Well, the Atheros driver is working well, so anything on their list. Ar5BXB112 is around 12 bucks and 450M rate. I don't have any 3x clients to test 450M yet. Still needing to do some laptop antenna mods for 3x MIMO.

    They sell dipole antennas for 3-5 bucks each. RP-SMA to U.FL pigtails around the same.

    I should note -on my above instructions- that different rules would be needed for the main and guest networks so your LAN remains unexposed.



  • @Phishfry:

    Here is some information on the "Standalone" method without the need for a bridge. This method is required for a pfSense based Access Point -Captive Portal- as they do not allow bridged interfaces with Captive Portal.

    http://www.interspective.net/2012/07/one-pfsense-wireless-config-to-rule.html

    Thanks for pointing me to a resource and the right direction. Really appreciate the help.



  • So once you get one wireless network up with the rules correct and working, then set up the guest network. I would also spread the channels out to lowest and highest to add separation of the different signals as best you can. With that in mind I would only do 5 GHz.

    Note this link is only one person's way of doing the filtering. I see there are other ways to apply rules while researching pfSense guest wireless.



  • Here is another approach. Forget that it's an external AP, rules are rules. OPT1 internal or external - it doesn't matter for rules.

    https://oitibs.com/pfsense-guest-wifi-alt-setup/



  • I need to correct my post above. It is only possible to have 4 separate Access Points from one miniPCIe module. One main and three clones under the wireless tab. All can use separate channels. All must be in either the 2.4 or 5 GHz band, not both.



  • Thanks - managed to get it to work WITHOUT a bridge. And also got a guest WLAN on the same single-card setup, isolated from the LAN.


  • LAYER 8 Global Moderator

    @doktornotor:

    P.S. For goddamn sake, someone remove this bridge usage "example"/"suggestion" from the wiki.  >:(

    What do you want edited/removed, dok?

    I was searching through the docs and found this

    https://doc.pfsense.org/index.php/What_is_a_bridged_interface_and_how_would_one_be_used

    So I edited the portion that says bridge lan to wireless to

    Bridging a wireless interface to a LAN - Not a good idea, Don't Do This!

    Point me to what else you think is wrong and I'll be happy to edit/delete.


  • LAYER 8 Netgate

    If you want a wireless card and your LAN to be on the same subnet/broadcast domain you have no choice but to bridge them.



  • Before changing the manual, why don't we fix the problem? I don't see any bug reports quoted or actual broken code.

    Seems bridging is OK for transparent proxy bridge and untangle bridge, but not for wireless. I still am wondering exactly what the problem is, before condemning it.

    I actually had a hard time finding instructions to provide for a bridge-less wireless setup for this user.

    Seems like 95 percent of the web tutorials for wireless use the bridge method.
    Could all of them be wrong?

    I am new here so please ignore my ignorance.


  • LAYER 8 Netgate

    Do you have an extra OPT port to get access to pfSense while you create the bridge?  Use WAN if you have to.  It's hard to create these without blowing up your access over the interfaces you're working with.



  • I do know of one caveat of using a bridge. The ability to receive individual port statistics or graphs is lost due to the funnel-like approach of the bridge. Overall traffic figures for the bridge are available. This condition only matters when the bridge has more than 2 members.



  • So really the issue is more related to setting up the bridge and not how it works.

    Are there any security concerns when combining interfaces into a bridge? With 3 members I wonder about Layer 2 packet routing between bridge members.


  • LAYER 8 Global Moderator

    "If you want a wireless card and your LAN to be on the same subnet/broadcast domain you have no choice but to bridge them."

    Sure - but why would you not just use an AP and there you go, on the same broadcast domain if you want.  Why would you want them on the same broadcast domain is the other question.  But sure, if you're wanting to use a wireless card in pfSense as your AP (performance/features suck - no offense pfSense team) and you want to bridge that, then sure.

    When you can use a $20 wifi router as an AP that will have way better performance and coverage area than any wifi card you might have in your pfSense box..  Why would anyone do that?  Why??

    While it's great there is some support for it - it sure as hell cannot be the preferred setup to run wifi on a network..


  • Banned

    @johnpoz:

    So I edited the portion that says bridge lan to wireless to
    Bridging a wireless interface to a LAN - Not a good idea, Don't Do This!

    Thanks.  8)

    Perhaps you should rather ask the people here who keep bridging everything, starting with WLANs, continuing with OpenVPN and ending with their coffee maker, and often mention they have followed "the docs" or some "howto", where they got the idea… because I just don't get it, seems like a mania lately.



  • OK, I find myself answering the "why" question again.
    My first entry into pfSense was a Riverbed Steelhead 100/Axiomtek. It was swell for about 2 months. Then I graduated to an Astaro ASG110 Atom box. Much nicer. But what to do with my old hardware? I drilled two antenna holes in it, and plugged in a Mini-PCI wifi card I had from my laptop repair work. So total cost was pigtails and antennas. Instant AP with it hanging off an interface on my Astaro. I had just bought a Dell tablet so it all worked great for me.

    The features we are discussing here have been baked in since forever. So to question "why" goes completely against the grain of open source.  Ease of setup may be lacking but it works very well for me.

    Now in saying that - I understand your frustrations of helping people who can't seem to read the docs or research the topic better.

    I will concede that building a bridge may require a physical cable swap and lockout is possible.
    Much of that has been fixed by allowing ath0 interface assignment from the console.

    I don't mean to be such a cheerleader, but when you have something working while others are saying it's broke, it deserves a response.



  • @johnpoz:

    I was searching through the docs and found this

    https://doc.pfsense.org/index.php/What_is_a_bridged_interface_and_how_would_one_be_used

    So I edited the portion that says bridge lan to wireless to

    Bridging a wireless interface to a LAN - Not a good idea, Don't Do This!

    Point me to what else you think is wrong and be happy to edit/delete

    The problem isn't bridging but trying to assign LAN to the bridge interface without really knowing what you're doing. Incorrect blog posts don't help.

    You make it sound like bridges don't work, when they do.

    Bridging is simple if you always have a switch connected to LAN that keeps the interface up instead of messing with reassignment of LAN. I think you have bigger problems than losing a bonus AP (which you should only be running at home) if you lose the switch.


  • Rebel Alliance Developer Netgate

    There is nothing wrong with bridging in the proper circumstances if you're aware of what is going on. Bridging wireless to LAN, though not ideal, is fairly common and rarely a source of actual problems. Mostly the problems come from foot-shooting related items or trying to do things that just aren't feasible with a bridge.

    If you connect to the firewall from WAN (in a lab/dev setup) or a wired OPTx, it's fairly easy to swap things around to have the LAN be bridge0 with WLAN and WiredLAN also assigned but without IP addresses.

    Trying to reassign LAN while managing the firewall from LAN, that's a recipe for disaster.



  • So I did set up my WLAN with separate subnets. One internal with access to LAN and one guest SSID with only internet access. This all works great and no need for a bridge.

    Now I have been setting up pfSense slowly, adding functionality I need and then stabilising until the next piece. Then I got to a real use case for why I now need a bridge. Tried out my Sonos sound system and for an unknown reason (to me) it does not work across subnets. Will take the above advice about creating a subnet and using the WAN side to not lose connectivity when creating it.

    Quick question - I know I can't assign a newly created BRIDGE0 (containing LAN and WLAN) to LAN again. So would the following work? Assign BRIDGE0 to OPTX, rename LAN to WIRED (for example), then rename OPTX to LAN. Would my firewall rules for LAN remain intact and work against the bridge (assuming I also make the changes to system tunables)?


  • LAYER 8 Netgate

    First, I don't understand.  Put your Sonos on LAN and you're done.

    Or do you either need Sonos on your wireless or need to control Sonos with wireless devices and now need to take your guest SSID, throw it out the window, and use the Wi-Fi on LAN and you don't want to do the right thing and just buy an AP?

    You have LAN, WLAN and OPTX and you want to bridge LAN and WLAN and assign the resulting bridge on LAN?

    • Configure OPTX with an unused subnet, set rules, connect a computer to it and access the webGUI from there

    • Set the IPv4 address on WLAN to NONE

    • Create a bridge containing only WLAN

    • Assign LAN to the new BRIDGE0

    • Create a new interface using the newly-available ethernet interface that used to be LAN

    • Add the new interface to the bridge

    • All of your existing LAN config, rules, etc should be intact.

    I didn't go into all the pfil_bridge sysctls since they're all covered elsewhere.



  • The Sonos system requires (from what I have read and a Google search shows) that all components be on the same subnet. This involves at least one component being on the LAN. Then it creates its own mesh network across wireless. The controller (iPhone, Android) will need a wireless connection to 'discover' the system and control it - there is no controller that utilises a LAN connection. I suspect there is some multicast issue where there is an expectation of components being on the same subnet during the discovery phase (this is pure speculation from what I read; I have not analysed any packet capture etc., this being out of my depth).

    Therefore the need for a bridge to manage the WLAN and LAN on the same subnet without an AP.



  • Hi Everybody
    Internet Connection Sharing (ICS) "Windows Term"
    I have not used pfSense but I would like it if somebody could tell me if my configuration would work.

    My friend lives 2 houses away from me and we have a very good WiFi link already established.
    Using Windows (ICS) on a PC I am connected to his WiFi modem/router and internet traffic is transferred through the Ethernet port on my machine to my client.
    It isn't perfect but it's better than I first expected it would be.  Currently I have only one computer connected to my ICS machine at a time but I want to change that.

    • I would like this to be a DHCP setup on both ends but a static connection between them. (Already configured like this on ICS.)

    • I want to be able to wake the machine over the internet so I can use it when I need to access my CCTV and turn it off to save power. (This is why telnet is enabled on 10.0.0.137.)

    • If I cached websites in pfSense, would his router load them on his computer, because they always check local before DNS?

    Probably enough info for now, any advice appreciated.  :)
    http://picpaste.com/pics/Wireless_Network-VAnOUG9G.1428306219.png


  • Banned

    @Scanner:

    Hi Everybody
    Internet Connection Sharing (ICS) "Windows Term"
    I have not used pfSense but I would like it if somebody could tell me if my configuration would work.

    Please, do not multipost.

