Pfsense Bridging

This post is about pfsense bridging.

Normally each interface on the pfSense® firewall represents its own broadcast domain with a unique IP subnet. In some circumstances it is desirable or necessary to combine multiple interfaces onto a single broadcast domain, where two ports on the firewall will act as if they are on the same switch, except traffic between the interfaces can be controlled with firewall rules. Typically this is done so multiple interfaces will act as though they are on the same flat network using the same IP subnet and so that clients all share broadcast and multicast traffic.

Creating a Bridge

In pfSense® software, bridges are added and removed at Interfaces > Assignments on the Bridges tab. Using bridges, any number of ports may be bound together easily. Each bridge created in the GUI will also create a new bridge interface in the operating system, named bridgeX where X starts at 0 and increases by one for each new bridge. These interfaces may be assigned and used like most other interfaces, which is discussed later in this chapter

To create a bridge:

  • Navigate to Interfaces > Assignments on the Bridges tab.
  • Click Add to create a new bridge.
  • Select at least one entry from Member Interfaces. Select as many as needed using Ctrl-click.
  • Add a Description if desired.
  • Click Show Advanced Options to review the remaining configuration parameters as needed. For most cases they are unnecessary.
  • Click Save to complete the bridge.

When done, it should look like this:

After that, assign an IP address (IPv4, minimally) to the bridge via the Interfaces >> BR0 menu:

Create Interface Group

Then, create an interface group including all NICs and the bridge interface . This will be used for LAN firewall rules. Use the menu Interfaces >> (assign) >> Interface Groups. Use the Add + button to add the group and select all interfaces you want as part of the bridge group, including the bridge itself, but do not include the WAN interface:

Add Firewall Rule

Next you need to add a firewall rule to allow traffic to flow amongst the interfaces of the interface group, as a single, unconstrained LAN. Select Firewall >> Rules >> Bridge and add a rule like this:

PfSense Bridging

then, assuming you want to run a DHCP server on your local LAN, configure the DHCP server on the Bridge interface via the menu item Services >> DHCP Server >> BR0 :

Remove IP address from EM1

Finally, as cleanup, you should remove the IP address from EM1. You may need to disable the DHCP server on that interface first. Select Interfaces >> EM1 :

So, enjoy it.

Website

Abdullah
Senior Devops Engineer

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest articles

You might also likeRELATED

Pfsense High Availability

This post is about pfSense High Availability This recipe describes a simple three interface HA configuration. The three interfaces are LAN, WAN, and Sync. This...

Pfsense Bridging

This post is about pfsense bridging. Normally each interface on the pfSense® firewall represents its own broadcast domain with a unique IP subnet. In some...

Suricata Setup on pfSense

This post is about Suricata Setup on pfSense Install the Suricata Package pfSense provides a UI for everything. So from the admin page go to System -> Package Manager -> Available...