Wireless Not Filtering on Bridge0
-
For those averse to bridging and wireless, turn away now…..!
Setup:
LAN: IP 192.168.1.254/24 assigned to RE1 port
WIFI: NONE assigned to WLAN0_ATH0 wireless card
BRIDGE: NONE (contains LAN and WIFI) assigned to BRIDGE0
System Tunables:
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1
DHCP server on LAN, wireless clients can get a DHCP address fine.
LAN has a rule to route traffic through a VPN - this works for wired clients on the LAN network - for some reason it is not hitting the BRIDGE ruleset (which currently allows everything everywhere).
However, my problem is that wireless clients hit the WIFI tab in the firewall rules and not the BRIDGE or LAN rules (I know this as I can see a bunch of rules hit on WIFI in the firewall logs and when doing a packet capture on the WIFI interface).
Where have I gone wrong? Or how do I track this down?
-
Sigh, Assign the bridge to LAN.
-
Interfaces > (assign)
LAN –> BRIDGE0
-
When I set up the bridge - I found I couldn't do that (assign the bridge to the LAN) as the LAN was part of the bridge. Guess I have to start from scratch and not assign an interface to the LAN at the start.
-
Just done this on a new pfsense build using a pcengines APU board with 3 nics. You have to have a spare NIC, or config via the WAN port in order to bridge the internal ethernet and wifi. You basically need to keep the interface you ultimately want as your LAN/BRIDGE unconfigured initially, and do all the setup work using a different (spare) interface. This was the only way I could get it to work. I was configuring on a box with 3 NICs, so it was fairly easy as there was a spare.
You could probably also edit the config by hand, but I don't think this is supported and might cause other issues.
I know a lot of people say "put WIFI on its own subnet", but tbh it makes a lot of SOHO stuff a lot more complex to configure. Classic example is ios/apple/itunes wifi sync with a PC on your LAN. Normally this all works via bonjour broadcasts, but placing the wifi on a separate subnet stops all this traffic by default and you need to start setting up multicast routing to get it working again. I know it's more secure on a company network to subnet everything (best practice), but for home applications with a sufficiently strong WPA passphrase, bridging is fine. Seems to work perfectly on pfsense too as long as you set the 2 system tunables you mention.
Best option is to use a dedicated access point of course, but it's nice having an all-in-one box rather than a corporate comms room starting to form in your house. ;)
-
@ak:
When I set up the bridge - I found I couldn't do that (assign the bridge to the LAN) as the LAN was part of the bridge. Guess I have to start from scratch and not assign an interface to the LAN at the start.
I think you more likely couldn't make LAN a bridge member because it was assigned to LAN. Easiest thing is to make the bridge from a completely unrelated interface.
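The two system tunables quoted in the first post (net.link.bridge.pfil_member and net.link.bridge.pfil_bridge) decide whether pf sees bridged frames on the member interfaces (LAN/WIFI tabs), on the assigned bridge interface, on both, or on neither. The following POSIX shell script is an added example, not code from the thread or from pfSense: it parses sysctl-style "name: value" lines and reports which of those four modes a box is in, so you can confirm the setting before chasing rule hits in the wrong tab. The SAMPLE_SYSCTL text is constructed to mirror the values in the first post; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify the FreeBSD/pfSense bridge filtering tunables.
# SAMPLE_SYSCTL is CONSTRUCTED to match the first post's values; on a real
# box you would feed in: sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1'

# Extract the value of one tunable from sysctl(8)-style "name: value" lines.
# $1 = sysctl text, $2 = tunable name
tunable_value() {
    printf '%s\n' "$1" | awk -v key="$2" -F': ' '$1 == key { print $2 }'
}

# Describe where pf evaluates bridged traffic for a member/bridge pair.
# $1 = pfil_member (0/1), $2 = pfil_bridge (0/1)
bridge_filter_mode() {
    case "$1$2" in
        00) echo "unfiltered" ;;    # neither hook: bridged frames bypass pf entirely
        01) echo "bridge-only" ;;   # rules on the assigned bridge interface apply
        10) echo "members-only" ;;  # rules on the LAN/WIFI member tabs apply
        11) echo "both" ;;          # each frame is checked on member and bridge
        *)  echo "invalid"; return 1 ;;
    esac
}

# Read both tunables from sysctl text and classify them.
# $1 = sysctl text
check_sysctl() {
    m=$(tunable_value "$1" net.link.bridge.pfil_member)
    b=$(tunable_value "$1" net.link.bridge.pfil_bridge)
    bridge_filter_mode "$m" "$b"
}

check_sysctl "$SAMPLE_SYSCTL"
```

With the first post's values the script reports "bridge-only", which is consistent with the replies: rules on the bridge only take effect once BRIDGE0 is assigned as an interface (the "assign the bridge to LAN" step), and until then the member tabs are where traffic can show up in the logs. The "unfiltered" case is the one to watch for, since with both tunables at 0 nothing between bridge members is inspected by pf at all.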