Transparent Bridge - no IP addresses



    Is it necessary to put an IP address on a transparent bridge in order to filter or traffic shape on it?  Most configuration examples I've been able to find have an IP of some sort on the bridge.  Any attempts I've made to filter traffic with the firewall on the bridge interface or the sub-interfaces don't seem to work, which is leading me to this conclusion.  Let's take HA out of the equation here, just looking for how to filter/traffic shape on a single pfSense system.

    I've seen some conflicting posts about needing to enable or disable a few system tunables:

    net.link.bridge.pfil_member
    net.link.bridge.pfil_bridge

    Are any of these actually needed anymore?  The post I'm referencing has a newer date than anything else and is here:  https://forum.pfsense.org/index.php?topic=64601.0

    @jimp:

    @btarrh:

    1. I start by successfully setting up my VLAN on the WAN and LAN from the initial CLI. I give my LAN and WAN different static IP's on the same subnet. I am able to successfully ping out from the WAN and access the GUI from the LAN.
    2. I enable the Filtering Bridge "System Tunables" -> net.link.bridge.pfil_bridge = 1

    That doc is old.

    #1 - never do that. Only ONE interface on a bridge should have an IP.
    #2 - don't do that either, it isn't doing what you think it's doing. The doc and the old advice are no longer relevant.

    Use or put a third NIC in the box for OOB management. It's extremely tough to work with bridging if you are managing the firewall from an interface being bridged.

    In the ideal scenario you'll have:

    LAN VLAN A -- Bridge A (IP address on the bridge) -- WAN VLAN A
    LAN VLAN B -- Bridge B (IP address on the bridge) -- WAN VLAN B
    LAN VLAN C -- Bridge C (IP address on the bridge) -- WAN VLAN C
    LAN VLAN D -- Bridge D (IP address on the bridge) -- WAN VLAN D

    WAN and LAN VLANs would have an interface type of "none" (so no IP address on them). Bridge interfaces would be assigned and have the IPs configured there.

    Firewall rules would go on the WAN VLAN and LAN VLAN tabs for each individual VLAN.

    If you want to filter on the bridge interface, disable bridge member filtering, enable bridge filtering, and put the firewall rules on the assigned bridge tabs instead.

    Either way, unless you do all of that from a third interface unrelated to the VLANs, you'll be in for a lot of avoidable pain.
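As an added example (not part of the post above and not pfSense's own code), here is a small POSIX sh script that makes the two points in the quoted reply checkable on a box: it parses `ifconfig` output to count how many of a bridge's interfaces (the bridge itself plus its members) carry an IP address, which should be exactly one, and it maps the two `if_bridge(4)` tunables to the interface(s) the firewall rules have to be written on. It assumes the FreeBSD semantics of the tunables (`net.link.bridge.pfil_member` filters on the member interfaces, `net.link.bridge.pfil_bridge` on the bridge interface). The interface names `em0.10`/`em1.10`, the `bridge0` name, the `192.0.2.x` addresses and the `ifconfig` text itself are constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example: check bridge addressing and work out where pf rules must go.
# All interface names, addresses and ifconfig text below are constructed.

# Constructed `ifconfig` output: LAN VLAN 10 on em0 and WAN VLAN 10 on em1,
# bridged as bridge0. Both the LAN member and the bridge carry an address,
# which is the mistake the thread warns about ("only ONE interface on a
# bridge should have an IP"). Real ifconfig indents with tabs; spaces are
# used here and the parser accepts either.
BAD_IFCONFIG='em0.10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
        vlan: 10 vlanpcp: 0 parent interface: em0
em1.10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 10 vlanpcp: 0 parent interface: em1
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
        member: em0.10 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em1.10 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# Same layout done the recommended way: members have interface type "none"
# (no address), only bridge0 carries the IP.
GOOD_IFCONFIG=$(printf '%s\n' "$BAD_IFCONFIG" | grep -vF 'inet 192.0.2.2 ')

# Print the members of bridge $2 found in ifconfig text $1, one per line.
bridge_members() {
        printf '%s\n' "$1" | awk -v br="$2" '
                /^[^ \t]/ { sub(/:$/, "", $1); cur = $1; next }
                cur == br && $1 == "member:" { print $2 }'
}

# Print every interface in ifconfig text $1 that has an IPv4 address.
addressed_ifaces() {
        printf '%s\n' "$1" | awk '
                /^[^ \t]/ { sub(/:$/, "", $1); cur = $1; next }
                $1 == "inet" { print cur }'
}

# Count how many of bridge $2 and its members carry an IPv4 address.
# Exactly one is the target; anything else is the "IP on a member and on
# the bridge" configuration the thread says never to do.
count_addressed_on_bridge() {
        n=0
        for i in $2 $(bridge_members "$1" "$2"); do
                for a in $(addressed_ifaces "$1"); do
                        [ "$a" = "$i" ] && n=$((n + 1))
                done
        done
        echo "$n"
}

# Map the tunables to the plane pf filters on.
# $1 = net.link.bridge.pfil_member, $2 = net.link.bridge.pfil_bridge
filter_plane() {
        case "$1$2" in
                10) echo member ;;
                01) echo bridge ;;
                11) echo both ;;
                00) echo none ;;
                *)  echo "unknown tunable values: $1 $2" >&2; return 1 ;;
        esac
}

# Print the interface(s) the rules must be written on: with member filtering
# that is the WAN-VLAN and LAN-VLAN tabs, with bridge filtering the assigned
# bridge tab. Both tunables at 0 means pf never sees the bridged traffic.
# $1 = ifconfig text, $2 = bridge name, $3 = pfil_member, $4 = pfil_bridge
rule_interfaces() {
        plane=$(filter_plane "$3" "$4") || return 1
        case "$plane" in
                member) bridge_members "$1" "$2" ;;
                bridge) echo "$2" ;;
                both)   echo "$2"; bridge_members "$1" "$2" ;;
                none)   echo "WARNING: pfil_member=0 and pfil_bridge=0, nothing is filtered" >&2
                        return 1 ;;
        esac
}

# Walk through the two layouts and the two tunable settings from the thread.
echo "bad layout:  $(count_addressed_on_bridge "$BAD_IFCONFIG" bridge0) addressed interface(s) on bridge0 (want 1)"
echo "good layout: $(count_addressed_on_bridge "$GOOD_IFCONFIG" bridge0) addressed interface(s) on bridge0 (want 1)"
echo "pfil_member=1 pfil_bridge=0 -> rules go on: $(rule_interfaces "$GOOD_IFCONFIG" bridge0 1 0 | tr '\n' ' ')"
echo "pfil_member=0 pfil_bridge=1 -> rules go on: $(rule_interfaces "$GOOD_IFCONFIG" bridge0 0 1)"
```

To run it against a live pfSense box instead of the constructed text, feed it `ifconfig` output and the current values of `sysctl net.link.bridge.pfil_member` and `sysctl net.link.bridge.pfil_bridge`; in pfSense those two values are set under System > Advanced > System Tunables rather than with `sysctl` by hand. The "filter on the bridge" variant in the reply is `pfil_member=0`, `pfil_bridge=1`, and the script then reports `bridge0` as the only interface whose rule tab matters.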

