How to get LAN talking to Wi-Fi over Bridge?



  • Hi there, first post, and like the screen name says, I'm a n00b with pfSense.  I wasn't entirely sure which subforum to post this in either, so I picked General.

    I set up pfSense 2.2.6 on a laptop to test with and do a down-and-dirty project.  It's mostly working the way I want, but I can't figure out this last piece.  I've come across other people asking about this, and I was not able to decipher their stated resolutions.

    The setup:
    Compaq laptop with onboard Ethernet, Wi-Fi; and a USB Ethernet adapter.
    Onboard Ethernet is WAN
    USB Ethernet is LAN and connected to an 8 port gigabit switch.
    Wi-Fi is set up in station mode
    DHCP is working on LAN and Wi-Fi

    The WAN port sends all traffic out to a commercial VPN.  That works from LAN and Wi-Fi.  The clients connected to LAN and Wi-Fi are supposed to be bridged, but neither one can communicate or ping the other.  My problem is that I cannot figure out how to make the LAN and Wi-Fi clients able to communicate with each other.  I have a Raspberry Pi on the LAN and I'd like to configure to the Wi-Fi with my laptop to configure and manage the Raspberry Pi.

    I've seen solutions that say to address this with NAT and/or Firewall rules, but I think I broke things trying to implement Firewall rules.  The morning after messing with the rules, now the Wi-Fi is not broadcasting.  I have a backup of the settings, so I will restore to a known working config.  However, I don't know how to configure pfSense to let LAN and Wi-Fi talk to each other.

    Is there a how-to article you might be able to point me to?  I don't understand why 2 interfaces bridged together can't communicate with each other.  That seems counterintuitive to me, a pfSense n00b.



  • I don't understand why 2 interfaces bridged together can't communicate with each other.  That seems counterintuitive to me, a pfSense n00b.

    Route where you can and bridge only if you must.

    • Is "client isolation" activated on the WiFi?
    • What exactly were you bridging together, and why?
    • Why not 172.xx.xx for the LAN and 192.xx.xx for the WiFi?
    • What is not the problem having two different networks and route between them?


  • 1 Is "client isolation" activated on the WiFi?
    2 What exactly were you bridging together, and why?
    3 Why not 172.xx.xx for the LAN and 192.xx.xx for the WiFi?
    4 What is not the problem having two different networks and route between them?

    1. No
    2. I want to bridge the WiFi to the LAN, just like a SOHO router would do.  There is a machine on the LAN that I want to manage from the WiFi.
    3. Why would I want to do that?
    4. That's overly complicated.  I haven't found any settings about how to route anything in pfSense.

    I don't like that there are many half-baked articles that all go through these settings and no one ever gets it working the same way twice, and the people trying to get it working are having to dodge people telling them to not use bridging.  Does bridging in pfSense not work? Is it not supported?  If it doesn't work or it's not supported, why has it not been removed?  The passive aggressive bait and switch is really annoying.

    Keep in mind, what is simple for an experienced network admin (setting up routes) who is used to managing an enterprise grade firewall network system is different than the home user who wants a better router and/or to learn more advanced networking.

    /rant

    I have found several articles and managed to follow all of them without getting the bridge to work.  I got the bridge an IP address and it gives out DHCP addresses and I can access the 'net and it still goes through the OpenVPN, but I still can't communicate from LAN to WiFi.

    https://forum.pfsense.org/index.php?topic=20917.0
    https://forum.pfsense.org/index.php/topic,12101.0.html
    http://www.cyberciti.biz/faq/how-to-pfsense-configure-network-interface-as-a-bridge-network-switch/
    https://forum.pfsense.org/index.php?topic=107676.0



  • @pffffSensing-N00b-3485901:

    1 Is "client isolation" activated on the WiFi?
    2 What exactly were you bridging together, and why?
    3 Why not 172.xx.xx for the LAN and 192.xx.xx for the WiFi?
    4 What is not the problem having two different networks and route between them?

    1. No
    2. I want to bridge the WiFi to the LAN, just like a SOHO router would do.  There is a machine on the LAN that I want to manage from the WiFi.
    3. Why would I want to do that?
    4. That's overly complicated.  I haven't found any settings about how to route anything in pfSense.

    1. Good
    2. Except for the minor detail that a "SOHO router" typically has dedicated internal hardware that acts just like your external Gigabit switch.
    Do any of your NIC cards have that? (likely not).
    3. This is to avoid having to bridge and at the same time giving you added security in the ability to isolate your WiFi traffic. You might not care about this.
    4.  It's complicated if you're not thinking along the lines described in 3.  As far as 'routes' in this scenario, you wouldn't set up a route, you'd set up a firewall rule that allows traffic from LAN to OPT1 (the two different NICs involved).

    Without resurrecting the plethora of discussions on bridging vs. switches, etc., etc., etc.
    In the scenario you're describing, just plug your WAP into your LAN switch and keep your extra NIC as a spare or for the future when you need a DMZ, extra subnet, what have you.
    The long and short is that it's a WAAAAY more efficient solution than trying to use software (pfSense) to emulate a hardware solution (your external switch or the one built into your SOHO router).  If you're out of ports on your external switch, spend $25 (or less) and buy another external switch, still much cheaper and more effective to solve this problem.

    pfSense is not a switch, you can try and make it ACT like one through bridging, but that's not a great use of your resources (so says our Collective Humble Opinions on this forum).

    Feel free to take this advice or ignore it and go your own way, it's worth what you pay for it... ;)

    Edit:
    Sorry, had a chance to re-read your original post and I see that your "WAP" is an internal WiFi NIC.
    If you're stuck with that gear then you're stuck trying to get bridging to work.
    Unfortunately, most all of my original comments stand, this isn't going to be a great solution IMHO.
    It can be made to work, but it's not necessarily easy, and I'd personally look for a cheap external WiFi Router/WAP and use that for WiFi (as much as it means "wasting" your internal card).
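
The routed alternative described in points 3 and 4 of the reply above, written out in pf.conf syntax as an added example (not from the thread and not pfSense's generated ruleset). Interface names, subnets and host addresses are constructed assumptions; on pfSense the same policy is entered as firewall rules on the LAN and OPT1 interfaces in the GUI.

```pf
# Added illustration: LAN and Wi-Fi as two routed subnets instead of a bridge.
# All names and addresses below are constructed assumptions.
lan_if   = "ue0"             # USB Ethernet (LAN), assumed device name
wifi_if  = "ath0_wlan0"      # internal Wi-Fi NIC (OPT1), assumed device name
lan_net  = "172.16.1.0/24"   # constructed LAN subnet
wifi_net = "192.168.2.0/24"  # constructed Wi-Fi subnet
pi       = "172.16.1.50"     # constructed address of the Raspberry Pi on LAN
admin    = "192.168.2.10"    # constructed address of the managing laptop on Wi-Fi

# Default deny, logged. Traffic that was admitted inbound may leave on any
# interface; the state created here also admits the replies.
block log all
pass out all keep state

# LAN hosts may open connections to Wi-Fi hosts (the "LAN to OPT1" rule).
# Redundant with the general LAN rule below, kept explicit for clarity.
pass in quick on $lan_if inet from $lan_net to $wifi_net keep state

# Wi-Fi side: only the admin laptop may reach the Pi, and only over SSH.
# Every other Wi-Fi connection attempt into the LAN is dropped.
pass  in quick on $wifi_if inet proto tcp from $admin to $pi port 22 keep state
block in quick on $wifi_if inet from $wifi_net to $lan_net

# Everything else from either segment may go out towards the WAN/VPN.
pass in on $lan_if  inet from $lan_net  to any keep state
pass in on $wifi_if inet from $wifi_net to any keep state
```

With this layout the Raspberry Pi stays manageable from the Wi-Fi laptop, while other wireless clients cannot initiate connections into the wired segment, which is the isolation benefit point 3 refers to.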


  • LAYER 8 Netgate

    Most of the problems setting this up stem from people trying to set up the bridge and getting locked out.

    I'll try to do something on it tonight. I happen to have a spare APU at the moment. It'll be a bridge of LAN and OPT1 since I don't have any Wi-Fi cards.

    Bridging works. It's generally a last resort. The use case of Wired and Wireless interfaces on the same broadcast domain is legitimate though it will almost certainly not perform as well as a proper LAN-attached AP.

