Bridge+VLAN tagg

killmasta93

Hi,

So Im trying to change from DDWRT to pfSense completely, to do so im having a hard time on bridging + VLANS while  its a tad different on DDWRT.  My setup before was lSP modem–--Nighthawkr700 (DDWRT)-----UNIFI AP-LR. Then I grew fond of pfSense and went from lSP modem----pfSense------Nighthawkr700 (DDWRT)-----UNIFI AP-LR. I had it like this for awhile because I did the VLANS+ Bridging on the nighthawk. Now i want to do everything on pfSense See picture. Before I can VLAN i need to get the bridge correct which im not sure why its not working See picture. Im trying to bridge ufe0 (LAN) to another NIC (vr0) So when the Unifi AP connects it gives me 192.168.3.15 but I have no internet access.

Thank you

almabes

Why would you create VLANs only to bridge them?  That defeats the purpose of creating VLANs.  Just route between them, and add appropriate ACLs on your ingress interfaces.

almabes

I think I misunderstood you.  You're not wanting to bridge your VLANs together.  You want to create two VLANs on the vr0 interface and tag them appropriately.  You want to have the native VLAN bridged to the LAN interface.

I still wouldn't bridge the interfaces.  I'd just establish a new subnet and route through the firewall, unless you have some specific reason not to do so.  It gives you more flexibility.

killmasta93

Correct VLAN tagging i think i missed that out. I was wondering why not bridging them? I do it all the time on DDWRT or is not as stable on pfSense? Im getting DHCP from the bridge but not Internet.

I'd just establish a new subnet and route through the firewall

you mean not using /24 rather /28?

almabes

To be honest, I have not set up a bridge on pfSense.  I am too much of a control freak for that.  :o

If it were my network to provision and administer, I'd set up something similar to:

LAN–-------------pfSense--------------------WAN
                          |  |    |
                  OPT1 (physical)
    VLAN10    |VLAN20|    VLAN30
          |                |                |
PRIV_WIFI    GUEST_WIFI  PHONES_ETC
192.168.4.0/24
                      10.123.45.0/24
                                          192.168.5.0/24

I'd set up DHCP servers in pfSense on all the VLAN interfaces.  I'd override DNS on the guest wifi and push out something like 8.8.8.8 or openDNS servers or something.

I'd set up an allow any any rule on all the interfaces

Then I'd set up specific blocks, and allows on the guest and phones interfaces.

By not bridging, you'd keep internal Windows broadcast traffic from your LAN off the airwaves.

killmasta93

Very good setup.  ;D I guess I want to get bridging correct before I completely  leave DDWRT. I guess also I would like to learn how to bridge correctly on pfSense then tag them for testing purposes too. Ill keep you posted if I figure something out this week.

Thanks