This post is about pfSense bridging.
Normally each interface on the pfSense® firewall represents its own broadcast domain with a unique IP subnet. In some circumstances it is desirable or necessary to combine multiple interfaces onto a single broadcast domain, where two ports on the firewall will act as if they are on the same switch, except traffic between the interfaces can be controlled with firewall rules. Typically this is done so multiple interfaces will act as though they are on the same flat network using the same IP subnet and so that clients all share broadcast and multicast traffic.
Creating a Bridge
In pfSense® software, bridges are added and removed at Interfaces > Assignments on the Bridges tab. Using bridges, any number of ports may be bound together easily. Each bridge created in the GUI will also create a new bridge interface in the operating system, named
X starts at 0 and increases by one for each new bridge. These interfaces may be assigned and used like most other interfaces, which is discussed later in this chapter.
To create a bridge:
- Navigate to Interfaces > Assignments on the Bridges tab.
- Click Add to create a new bridge.
- Select at least one entry from Member Interfaces. Select as many as needed using
- Add a Description if desired.
- Click Show Advanced Options to review the remaining configuration parameters as needed. For most cases they are unnecessary.
- Click Save to complete the bridge.
When done, it should look like this:
After that, assign an IP address (IPv4, minimally) to the bridge via the
Interfaces >> BR0 menu:
Create Interface Group
Then, create an interface group including all NICs and the bridge interface. This will be used for LAN firewall rules. Use the menu
Interfaces >> (assign) >> Interface Groups. Use the
Add + button to add the group and select all interfaces you want as part of the bridge group, including the bridge itself, but do not include the
Add Firewall Rule
Next, add a firewall rule to allow traffic to flow among the interfaces of the interface group, as a single, unconstrained LAN. Select
Firewall >> Rules >> Bridge and add a rule like this:
Then, assuming you want to run a DHCP server on your local LAN, configure the DHCP server on the Bridge interface via the menu item
Services >> DHCP Server >> BR0 :
Remove IP address from EM1
Finally, as cleanup, you should remove the IP address from EM1. You may need to disable the DHCP server on that interface first. Select
Interfaces >> EM1 :
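As an added example (not from the original post or the pfSense project), a small check that can be run over an exported config.xml to confirm the cleanup this procedure ends with: it flags a bridge member that still carries an IP address or DHCP server, and a member missing from the interface group that holds the bridge. The config.xml element layout it reads is an assumption, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a pfSense config.xml, trimmed to the elements this
# check reads (element layout is an assumption based on real configs):
# em1 (lan) and em2 (opt1) bridged, bridge0 assigned as opt2 "BR0", but
# lan still has an address and a DHCP server, and opt1 is missing from the group.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>em2</if></opt1>
    <opt2><if>bridge0</if><descr>BR0</descr><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <bridges><bridged><members>lan,opt1</members><bridgeif>bridge0</bridgeif></bridged></bridges>
  <ifgroups><ifgroupentry><ifname>BRGRP</ifname><members>lan opt2</members></ifgroupentry></ifgroups>
  <dhcpd><lan><enable/></lan><opt2><enable/></opt2></dhcpd>
</pfsense>"""


def audit_bridge_config(xml_text):
    """Return findings: bridge members that still carry an IP or DHCP server,
    and bridge members missing from the interface group that holds the bridge."""
    root = ET.fromstring(xml_text)
    ifaces = {child.tag: child for child in root.find("interfaces")}
    dhcpd = root.find("dhcpd")
    groups = [(g.findtext("ifname", ""), g.findtext("members", "").split())
              for g in root.iter("ifgroupentry")]
    findings = []
    for br in root.iter("bridged"):
        bridge_if = br.findtext("bridgeif", "")
        members = [m.strip() for m in br.findtext("members", "").split(",") if m.strip()]
        # assignment names (e.g. opt2) whose <if> is the bridge device itself
        bridge_assigned = [n for n, e in ifaces.items() if e.findtext("if") == bridge_if]
        for member in members:
            entry = ifaces.get(member)
            if entry is not None and entry.findtext("ipaddr"):
                findings.append(f"{member} is a member of {bridge_if} but still has ipaddr {entry.findtext('ipaddr')}")
            if dhcpd is not None and dhcpd.find(f"{member}/enable") is not None:
                findings.append(f"DHCP server still enabled on bridge member {member}")
        for name, grp_members in groups:
            if any(b in grp_members for b in bridge_assigned):
                for member in members:
                    if member not in grp_members:
                        findings.append(f"group {name} holds {bridge_if} but lacks member {member}")
    return findings
```

Run it against a backup of config.xml from Diagnostics > Backup & Restore; an empty list means the members have been cleaned up as described above.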
So, enjoy it.