Configuring IP on Bridge vs on Physical Port
-
Hello Professionals,
I would like to understand the ACL of the firewall clearly, so it would be very much appreciated if you shared your opinions.
Here's the thing:
- Provide an IP address to a physical port (e.g. OPT1) and make a bridge with physical port OPT2.
- We can create rules on a new tab (=BRG1) if we set pfil.bridge=1, pfil.member=0.
- Make a bridge with OPT1 and OPT2 without IP addresses, and provide the IP address to BRG1.
My theory was that both work the same.
Could there be any difference? If the ACL works the same, would there be any concerns in terms of management?
Thank you for your time.
-
@eeebbune really good question. I am actually using your option 2 (slightly more advanced) and it works fine (so far).
My setup is like this:
If 1: WAN (to ISP)
If 2: LAN (no IP)
If 3 and 4: LAGG0 (LACP)
VLAN10 on LAGG0 (no IP)
VLAN20 on LAGG0 (192.168.66.1/24)
VLAN30 on LAGG0 (192.168.96.1/24)
Bridge0: LAN, VLAN10 (192.168.69.1/24)
My firewall rules are all on the Bridge0 tab, and LAN and VLAN10 are empty.
-
@Spider_VL Hello! Thank you for your comments.
May I ask why you provide the IP to bridge0? Is there any specific reason?
-
@eeebbune there is no particular reason other than me using pfSense for the 1st time and trying to build a "bit more complicated network".
I have a switch I want to LACP LAG to with 2 physical ports, and the switch's role is to divide these 3 VLANs among the appropriate devices. At the same time I wanted my PC to be directly connected to my pfSense, as my pfSense device has 2.5Gb ports but the switch has 2.5G on only 2 ports (uplinks to pfSense); all the others are 1Gb (pure vanity for my gaming PC :D).
So I started to test different approaches and kept having issues with this setup; details here: https://forum.netgate.com/topic/199635/dhcp-not-working-over-vlan-trunk
TL;DR: That was the last configuration I had when I realized my issue with the laptop, and it stayed that way.
-
@eeebbune Just one note for the future. If you used the wizard and your "LAN" is OPT1, you get the "anti-lockout" rule assigned to it. If you decide to do the scenario with BRG1 having the IP address, I would recommend you add rules from the bridge interface to the firewall itself on 22/443 and make sure it's (any) direction:

I was testing bits and moved all rules to "floating" so it's easier to see/manage. So I added int BRD1 subnet_brd1 to any (out only) and deleted the default any to any from the BRD1 interface, and that locked me out from accessing the firewall.
Currently I have this:

and deleted all other rules from all other tabs (lan, vlan10, bridge0), and it still all works. Currently all these rules have "direction" any, but I want to test a bit more with just "out" and "in" - shame it does not show this on the summary.
Still learning all these different approaches and floating rules, so maybe I misunderstood something, but I thought I would share just in case.
-
@Spider_VL Thank you for sharing your configuration. Since I’m still practicing, firewall operations can be a bit confusing, but I agree that testing different in/out directions in Floating rules is a crucial point.
Currently, I’m testing communication between sub-interfaces across two separate bridges (each consisting of two interfaces). I found that the traffic only flows correctly and shows a state once I declare the rules in the Interface Group (bridge0+bridge1), not the Floating tab. It seems the directionality of in/out is indeed key. Thanks again for the advice.
-
@eeebbune I did look into these floating in/out and found an old video that explained it a bit. Makes more sense now. It's IN/OUT from the perspective of the interface itself, not the "firewall" as I assumed originally.
These images kind of describe it best:


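An added example, not from this thread or from pfSense itself: a small Python model of how pf judges "in"/"out" relative to the interface the packet is on, used to reproduce the lockout described above (only an "out" rule for the bridge subnet, so a PC's connection to the firewall GUI arriving "in" on the bridge matches nothing) and the suggested fix (a direction "any" rule to the firewall on 22/443). The interface name, addresses and rule set are constructed from the thread; states, NAT and pfSense's auto-added rules are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    direction: str       # "in", "out" or "any", as offered in the rule editor
    iface: str           # interface the rule is bound to (a bridge here)
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    dports: tuple = ()   # destination ports; empty means any port
    quick: bool = False  # pfSense sets quick on interface-tab rules; floating only if ticked


@dataclass(frozen=True)
class Packet:
    iface: str           # interface pf is evaluating the packet on
    direction: str       # "in" = arriving on iface, "out" = leaving via iface
    src: str
    dst: str
    dport: int


def _in_net(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def matches(rule: Rule, pkt: Packet) -> bool:
    # Direction is compared against the interface's view of the packet, not the host's.
    return (rule.iface == pkt.iface
            and rule.direction in ("any", pkt.direction)
            and _in_net(rule.src, pkt.src)
            and _in_net(rule.dst, pkt.dst)
            and (not rule.dports or pkt.dport in rule.dports))


def evaluate(rules: list, pkt: Packet, default: str = "block") -> str:
    """pf semantics: the last matching rule wins unless a matching rule is quick."""
    verdict = default
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# Constructed sample: a PC on the bridged LAN opening the firewall GUI on the bridge IP.
BRIDGE_NET = "192.168.69.0/24"
FW_ADDR = "192.168.69.1/32"
PC_TO_GUI = Packet("bridge0", "in", "192.168.69.10", "192.168.69.1", 443)

# Rule set that caused the lockout: only an "out" rule for the bridge subnet.
LOCKOUT_RULES = [Rule("pass", "out", "bridge0", BRIDGE_NET, "any")]
# The fix from the thread: a direction "any" rule to the firewall itself on 22/443.
FIXED_RULES = LOCKOUT_RULES + [Rule("pass", "any", "bridge0", BRIDGE_NET, FW_ADDR, (22, 443))]

if __name__ == "__main__":
    print("out-only rule set :", evaluate(LOCKOUT_RULES, PC_TO_GUI))  # block
    print("with 22/443 (any) :", evaluate(FIXED_RULES, PC_TO_GUI))   # pass
```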
-
@Spider_VL
This is a really helpful resource! Thank you for sharing it. I think I’ll refer to this diagram whenever I get confused while working in the lab. Understanding how direction works in floating has been really challenging for me, so I’ll study it more using this figure. Thanks again.