Creating a Simple pfSense Bridge

Submitted by chris on Tue, 03/15/2016 - 02:11

Bridges are bad, mkay? A good rule of thumb is switch when you can, bridge only if you must. You will generally find little support for bridging multiple wired interfaces to create a "switch." The pfSense® software is not a switch. Buy a switch. Switches have custom hardware and ASICs to forward frames between ports. On pfSense this is all done in software.

Sometimes bridging pfSense interfaces makes sense, like to put a wireless interface in the same broadcast domain as a wired interface. You will generally find little support for this as well since a wireless access point on your LAN will almost certainly perform better. But if you must bridge, this is one way to do it.

This is the starting point of the network. It is a basic fresh install of pfSense 2.3 with static WAN addressing on a PC Engines/Netgate APU.

This is the desired end result.

This walkthrough assumes the user wants interfaces re0 and re2 to be in the same broadcast domain. This will give the same functionality as the LAN switch ports on a typical blue-box router, though, as mentioned before, all forwarding will be done in software instead of hardware. If you are bridging a wireless interface, just substitute it for re0 and get a working wireless network running on it first. When creating the bridge you will get locked out of the LAN (re2) port and will need to connect to the wireless to finish the configuration.

With pfSense bridging there are some kernel parameters that must be adjusted.

System > Advanced > System Tunables

These must be changed from the default:

net.link.bridge.pfil_member = 0

net.link.bridge.pfil_bridge = 1

Change them both and Apply Changes.

The kernel parameter net.link.bridge.pfil_member dictates whether pf rules are applied on bridge member interfaces. The kernel parameter net.link.bridge.pfil_bridge dictates whether pf rules are applied on the bridge interface itself. With these settings, rules on OPT1 (re0) and OPT2 (re2) will be ignored. Rules on LAN (BRIDGE0) will be honored. So OPT1 and OPT2 will freely communicate like ports on an unmanaged switch.

The OPT1 (re0) interface is not known to pfSense yet so it must be added.

Interfaces > (assign)

Available network ports: re0  Add

OPT1 is created.

Interfaces > OPT1 Check Enable. No other interface options should be set.

Save and Apply Changes

Now a bridge must be created. This is where most people run into trouble because they are making layer 1 and 2 changes to the same interface they are connected into and they lock themselves out.

Interfaces > (assign), Bridges tab  Add

 Add Member

Member Interfaces: Select OPT1

Save

Interfaces > (assign)

Change LAN's Network port from re2 to BRIDGE0

Save. Note that all of your LAN settings such as firewall rules and DHCP server settings move automatically to BRIDGE0.

At this point access to the firewall will be locked out. The management device needs to be moved from LAN (re2) to OPT1 (re0). If you are bridging a wireless interface, you would connect to the wireless network instead.

Reload the browser on 192.168.1.1

re2 will now be unassigned and will be available for bridging.

Interfaces > (assign)

Available network ports: re2  Add

OPT2 is created

Interfaces > OPT2 Check enable . No other parameters need to be set. Save and Apply Changes.

Interfaces > (assign), Bridges tab

 Edit BRIDGE0

Member Interfaces: Select both OPT1 and OPT2 (Ctrl-Click in Windows, Command-Click on Mac) Save

And you're done.

Interfaces > (assign)

LAN Configuration