Netgate Discussion Forum
Wireless Not Filtering on Bridge0

    ak (Apr 28, 2015, 7:40 PM):

    Those averse to bridging and wireless can turn away now!

    Setup:

    LAN: IP 192.168.1.254/24 assigned to RE1 port
    WIFI: NONE assigned to WLAN0_ATH0 wireless card
    BRIDGE: NONE (contains LAN and WIFI) assigned to BRIDGE0

    System Tunables:
    net.link.bridge.pfil_member: 0
    net.link.bridge.pfil_bridge: 1

    DHCP server on LAN, wireless clients can get a DHCP address fine.

    LAN has a rule to route traffic through a VPN. This works for wired clients on the LAN network; for some reason it is not hitting the BRIDGE ruleset (which currently allows everything everywhere).

    However, my problem is that wireless clients hit the WIFI tab in the firewall rules and not the BRIDGE or LAN rules (I know this because I can see a bunch of rules hit on WIFI in the firewall logs and when doing a packet capture on the WIFI interface).

    Where have I gone wrong?  Or how do I track this down?

    doktornotor (Apr 29, 2015, 8:27 AM):

      Sigh. Assign the bridge to LAN.

      Derelict (Netgate, Apr 29, 2015, 9:01 AM):

        Interfaces > (assign)
        LAN –> BRIDGE0

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        ak (Apr 29, 2015, 9:15 AM):

          When I set up the bridge, I found I couldn't do that (assign the bridge to LAN) as LAN was part of the bridge. Guess I have to start from scratch and not assign an interface to LAN at the start.

          iso70x (Apr 29, 2015, 1:49 PM):

            Just done this on a new pfSense build using a PC Engines APU board with 3 NICs. You have to have a spare NIC, or configure via the WAN port, in order to bridge the internal Ethernet and wifi. You basically need to keep the interface you ultimately want as your LAN/BRIDGE unconfigured initially, and do all the setup work using a different (spare) interface. This was the only way I could get it to work. I was configuring on a box with 3 NICs, so it was fairly easy as there was a spare.

            You could probably also edit the config by hand, but I don't think this is supported and might cause other issues.

            I know a lot of people say "put WIFI on its own subnet", but tbh it makes a lot of SOHO stuff a lot more complex to configure. Classic example is iOS/Apple/iTunes wifi sync with a PC on your LAN. Normally this all works via Bonjour broadcasts, but placing the wifi on a separate subnet stops all this traffic by default and you need to start setting up multicast routing to get it working again. I know it's more secure on a company network to subnet everything (best practice), but for home applications with a sufficiently strong WPA passphrase, bridging is fine. Seems to work perfectly on pfSense too as long as you set the 2 system tunables you mention.

            Best option is to use a dedicated access point of course, but it's nice having an all-in-one box rather than a corporate comms room starting to form in your house.  ;)

            Derelict (Netgate, Apr 29, 2015, 5:22 PM):

              @ak:

              When I setup the bridge - I found I couldn't do that (assign bridge to the LAN) as the LAN was part of the Bridge. Guess I have to start from scratch and not assign a interface to the LAN at the start.

              I think it's more likely that you couldn't make LAN a bridge member because it was assigned to LAN. Easiest thing is to make the bridge from a completely unrelated interface.

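The two tunables in the first post and the "assign bridge0 to LAN" fix in the replies are easy to get backwards, so here is an added checker (example code written for this thread, not code from the forum, from pfSense or from FreeBSD). It applies the documented if_bridge(4) meaning of the tunables: net.link.bridge.pfil_member controls whether pf filters on each member port, net.link.bridge.pfil_bridge whether it filters on the bridge interface itself (both default to 1 on FreeBSD). It parses constructed `sysctl net.link.bridge` and `ifconfig bridge0` output that mirrors the poster's setup, together with a pfSense interface assignment (rule tab to device), and reports which rule tab pf consults and whether the interface carrying the IP address is the bridge. The device name ath0_wlan0 for the wireless card is an assumption; the interface names LAN, WIFI and BRIDGE are the poster's. It does not attempt to explain why the poster still saw hits on the WIFI tab.

```python
"""Where does pf evaluate rules for a frame crossing a pfSense bridge?

Added example for the thread above; not pfSense or FreeBSD code.
Semantics of the tunables follow if_bridge(4):
  net.link.bridge.pfil_member  1 = filter on each member port
  net.link.bridge.pfil_bridge  1 = filter on the bridge interface
"""
import re

# Constructed sample of `sysctl net.link.bridge` with the poster's values.
SYSCTL_SAMPLE = """\
net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1
"""

# Constructed sample of `ifconfig bridge0`; ath0_wlan0 is an assumed name.
IFCONFIG_SAMPLE = """\
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:01
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        member: ath0_wlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: re1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
"""

# pfSense assignment (rule tab -> device): the poster's layout, and the
# layout the replies recommend (LAN moved onto bridge0, BRIDGE tab gone).
ASSIGN_BEFORE = {"LAN": "re1", "WIFI": "ath0_wlan0", "BRIDGE": "bridge0"}
ASSIGN_AFTER = {"LAN": "bridge0", "WIFI": "ath0_wlan0"}


def parse_sysctl(text):
    """Map net.link.bridge.* names to integer values from sysctl output."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^(net\.link\.bridge\.\w+):\s*(\d+)", text, re.M)}


def bridge_members(text):
    """Member port names from `ifconfig bridgeN` output, in listed order."""
    return re.findall(r"^\s*member:\s+(\S+)", text, re.M)


def filter_points(sysctl, members, bridge):
    """Devices on which pf evaluates rules for a frame crossing the bridge."""
    points = []
    if sysctl.get("net.link.bridge.pfil_member", 1):
        points.extend(members)      # filtered on the member port(s)
    if sysctl.get("net.link.bridge.pfil_bridge", 1):
        points.append(bridge)       # filtered on the bridge interface
    return points


def diagnose(sysctl_text, ifconfig_text, assign, bridge="bridge0", ip_tab="LAN"):
    """Which rule tabs see bridged traffic, plus the usual misconfigurations."""
    sysctl = parse_sysctl(sysctl_text)
    members = bridge_members(ifconfig_text)
    dev_to_tab = {dev: tab for tab, dev in assign.items()}
    filtered_on = {dev: dev_to_tab.get(dev)
                   for dev in filter_points(sysctl, members, bridge)}
    ip_is_bridge = assign.get(ip_tab) == bridge
    warnings = []
    if sysctl.get("net.link.bridge.pfil_bridge", 1) and not ip_is_bridge:
        warnings.append(f"{ip_tab} is {assign.get(ip_tab)}, not {bridge}: "
                        f"assign {bridge} to {ip_tab} (Interfaces > (assign))")
    unassigned = [dev for dev, tab in filtered_on.items() if tab is None]
    if unassigned:
        warnings.append(f"pf filters on {unassigned} but no rule tab covers them")
    if (sysctl.get("net.link.bridge.pfil_member", 1)
            and sysctl.get("net.link.bridge.pfil_bridge", 1)):
        warnings.append("both tunables set: each frame is filtered on a member "
                        "port and again on the bridge")
    return {"filtered_on": filtered_on, "ip_is_bridge": ip_is_bridge,
            "warnings": warnings}


if __name__ == "__main__":
    for label, assign in (("before", ASSIGN_BEFORE), ("after", ASSIGN_AFTER)):
        print(label, diagnose(SYSCTL_SAMPLE, IFCONFIG_SAMPLE, assign))
```

On a real box, feed it the output of `sysctl net.link.bridge` and `ifconfig bridge0` from the pfSense shell and the tab-to-device mapping from Interfaces > (assign). With the poster's tunables only bridge0 is a filter point, so the only rule tab that can matter is the one bridge0 is assigned to; the checker flags that LAN (which carries 192.168.1.254) sits on re1 rather than on the bridge, which is exactly the change both replies ask for.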