Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Transparent Bridge - no IP addresses

    HA/CARP/VIPs
    1
    1
    1.2k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      maglaubig
      last edited by

      Is it necessary to put an IP address on a transparent bridge in order to filter or traffic shape on it?  Most configuration examples I've been able to find have an IP of some sort on the bridge.  Any attempts I've made to filter traffic with the firewall on the bridge interface or the sub-interfaces don't seem to work which is leading me to this conclusion.  Let's take HA out of the equation here, just looking for how to filter/traffic shape on a single pfSense system.

      I've seem some conflicting posts about needing to enable or disable a few system tunables:

      net.link.bridge.pfil_member
      net.link.bridge.pfil_bridge

      Are any of these actually needed anymore?  The post I'm referencing has a newer date than anything else and is here:  https://forum.pfsense.org/index.php?topic=64601.0

      @jimp:

      @btarrh:

      1. I start by successfully setting up my VLAN on the WAN and LAN from the initial CLI. I give my LAN and WAN different static IP's on the same subnet. I am able to successfully ping out
          from the WAN and access the GUI from the LAN.
      2. I enable the Filtering Bridge "System Tunables" -> net.link.bridge.pfil_bridge = 1

      That doc is old.

      #1 - never do that. Only ONE interface on a bridge should have an IP.
      #2 - don't do that either, it isn't doing what you think it's doing. The doc and the old advice are no longer relevant.

      Use or put a third NIC in the box for OOB management. It's extremely tough to work with bridging if you are managing the firewall from an interface being bridged.

      In the ideal scenario you'll have:

      LAN VLAN A – Bridge A (IP address on the bridge) -- WAN VLAN A
      LAN VLAN B -- Bridge B (IP address on the bridge) -- WAN VLAN B
      LAN VLAN C -- Bridge C (IP address on the bridge) -- WAN VLAN C
      LAN VLAN D -- Bridge D (IP address on the bridge) -- WAN VLAN D

      WAN and LAN VLANs would have an interface type of "none" (so no IP address on them). Bridge interfaces would be assigned and have the IPs configured there.

      Firewall rules would go on the WAN VLAN and LAN VLAN tabs for each individual VLAN.

      If you want to filter on the bridge interface, disable bridge member filtering, enable bridge filtering, and put the firewall rules on the assigned bridge tabs instead.

      Either way, unless you do all of that from a third interface unrelated to the VANs, you'll be in for a lot of avoidable pain.

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.