Bug #16171

closed

Configuring a bridge on a base interface breaks bridges on VLAN interfaces on that interface

Added by Andreas Wuerl 7 days ago. Updated 6 days ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Interfaces
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version:
Affected Architecture: 6100

Description

The basic use case is using a second port on the firewall to connect another hardware switch distributing the internal network and VLANs on top of it.

Adding bridges for the VLAN interfaces works nicely following the documentation https://docs.netgate.com/pfsense/en/latest/bridges/interfaces.html (creating VLAN and interface for second port, creating the bridge, assigning the bridge, creating an interface for the first port, adding first port to bridge), but when adding the bridge for the internal non-VLAN network, all other bridges stop working.

I'm aware that this could easily be circumvented by adding a hardware switch in front of that one port, but the idea has been to save some energy and space by using pfSense bridging functionality.

Actions #1

Updated by Andreas Wuerl 7 days ago

The detailed relevant configuration looks like this:

 LAN (lan)          -> bridge0 -> v4: 192.168.1.1/24
 DMZ (opt8)         -> bridge1 -> v4: 192.168.80.1/24
 LAN1 (opt18)       -> ix0     -> 
 LAN2 (opt17)       -> ix1     -> 
 DMZ1 (opt19)       -> ix0.80  -> 
 DMZ2 (opt13)       -> ix1.80  -> 

and ifconfig shows this:

bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: LAN
    options=0
    ether 58:9c:fc:10:ff:b7
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.1.5 netmask 0xffffffff broadcast 192.168.1.5
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: ix1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 6 priority 128 path cost 2000
    member: ix0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 5 priority 128 path cost 2000
    groups: bridge LOCAL
    nd6 options=1<PERFORMNUD>
bridge1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: DMZ
    options=0
    ether 58:9c:fc:10:ff:ed
    inet 192.168.80.1 netmask 0xffffff00 broadcast 192.168.80.255
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: ix0.80 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 17 priority 128 path cost 2000
    member: ix1.80 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 22 priority 128 path cost 2000
    groups: bridge INTERNAL LOCAL
    nd6 options=1<PERFORMNUD>
ix0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: LAN1
    options=4e138bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
    ether 90:ec:77:34:9f:22
    inet6 fe80::92ec:77ff:fe34:9f22%ix0 prefixlen 64 scopeid 0x5
    groups: LOCAL
    media: Ethernet autoselect (10Gbase-SR <full-duplex,rxpause,txpause>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ix1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: LAN2
    options=4e138bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
    ether 90:ec:77:34:9f:23
    inet6 fe80::92ec:77ff:fe34:9f23%ix1 prefixlen 64 scopeid 0x6
    media: Ethernet autoselect
    status: no carrier
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ix0.80: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: DMZ1
    options=4600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6,MEXTPG>
    ether 90:ec:77:34:9f:22
    inet6 fe80::92ec:77ff:fe34:9f22%ix0.80 prefixlen 64 scopeid 0x11
    groups: vlan INTERNAL LOCAL
    vlan: 80 vlanproto: 802.1q vlanpcp: 0 parent interface: ix0
    media: Ethernet autoselect (10Gbase-SR <full-duplex,rxpause,txpause>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ix1.80: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: DMZ2
    options=4600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6,MEXTPG>
    ether 90:ec:77:34:9f:23
    inet6 fe80::92ec:77ff:fe34:9f23%ix1.80 prefixlen 64 scopeid 0x16
    groups: vlan
    vlan: 80 vlanproto: 802.1q vlanpcp: 0 parent interface: ix1
    media: Ethernet autoselect
    status: no carrier
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Actions #2

Updated by Jim Pingle 6 days ago

  • Project changed from pfSense Plus to pfSense
  • Category changed from Interfaces to Interfaces
  • Status changed from New to Rejected
  • Affected Plus Version deleted (25.03)

The configuration isn't just unsupported, it's not viable and even if it were, it's against best practices for security/safety.

You should not mix tagged and untagged traffic on the same ports.

Actions #3

Updated by Andreas Wuerl 6 days ago

Jim Pingle wrote in #note-2:

The configuration isn't just unsupported, it's not viable and even if it were, it's against best practices for security/safety.

You should not mix tagged and untagged traffic on the same ports.

This is basically a trunk port which uses untagged (default VLAN for the network infrastructure) and VLAN tagging for traffic on the defined VLAN networks. All devices are connected to ports/WLAN which filters for the mapped VLAN.

In what way should such a setup be unsupported or against best practices for security?
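The disagreement in notes #2 and #3 comes down to one structural fact visible in the ifconfig output from note #1: ix0 and ix1 are plain (untagged) members of bridge0 while their 802.1Q children ix0.80 and ix1.80 are members of bridge1, so two different bridges claim frames from the same physical ports. The script below is an added example, not code from the ticket, pfSense or Netgate; it parses ifconfig output and reports exactly that overlap, so a practitioner can check a box for the pattern before relying on it. The sample inputs are constructed: the first is trimmed from the output posted in note #1, the second is a hypothetical contrast in which every network on the two ports is carried as a tagged VLAN and nothing is bridged untagged. Interface names and the `audit` and `find_mixed_ports` function names are assumptions of this example.

```python
"""Audit FreeBSD/pfSense ifconfig output for physical ports that are an
untagged member of one bridge while a VLAN child of the same port is a
member of a different bridge (the layout from note #1 of this ticket).
Added example; not code from the ticket or from pfSense."""
import re
from collections import defaultdict

# Constructed sample: trimmed from the ifconfig output posted in note #1.
SAMPLE_MIXED = """\
bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: LAN
    member: ix1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: ix0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: DMZ
    member: ix0.80 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: ix1.80 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ix0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
ix1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ix0.80: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    vlan: 80 vlanproto: 802.1q vlanpcp: 0 parent interface: ix0
ix1.80: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    vlan: 80 vlanproto: 802.1q vlanpcp: 0 parent interface: ix1
"""

# Constructed contrast (hypothetical, not from the ticket): the LAN is also
# carried as a tagged VLAN, so neither physical port is bridged untagged.
SAMPLE_ALL_TAGGED = """\
bridge0: flags=8843<UP> metric 0 mtu 1500
    member: ix0.10 flags=143<LEARNING>
    member: ix1.10 flags=143<LEARNING>
bridge1: flags=8843<UP> metric 0 mtu 1500
    member: ix0.80 flags=143<LEARNING>
    member: ix1.80 flags=143<LEARNING>
ix0.10: flags=8843<UP> metric 0 mtu 1500
    vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: ix0
ix1.10: flags=8843<UP> metric 0 mtu 1500
    vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: ix1
ix0.80: flags=8843<UP> metric 0 mtu 1500
    vlan: 80 vlanproto: 802.1q vlanpcp: 0 parent interface: ix0
ix1.80: flags=8843<UP> metric 0 mtu 1500
    vlan: 80 vlanproto: 802.1q vlanpcp: 0 parent interface: ix1
"""

IFACE_RE = re.compile(r"^(\S+): flags=")                       # start of an interface block
MEMBER_RE = re.compile(r"^\s+member: (\S+) ")                   # bridge member line
VLAN_RE = re.compile(r"^\s+vlan: (\d+) .*parent interface: (\S+)")  # 802.1Q child line


def parse_ifconfig(text):
    """Return (bridges, vlans): bridge -> [members], vlan iface -> (tag, parent)."""
    bridges, vlans, current = defaultdict(list), {}, None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group(1)
        elif (m := MEMBER_RE.match(line)) and current is not None:
            bridges[current].append(m.group(1))
        elif (m := VLAN_RE.match(line)) and current is not None:
            vlans[current] = (int(m.group(1)), m.group(2))
    return dict(bridges), vlans


def find_mixed_ports(bridges, vlans):
    """Ports bridged untagged in one bridge whose VLAN child sits in another bridge.
    Returns (port, untagged_bridge, vlan_iface, tag, vlan_bridge) tuples."""
    untagged = {}              # physical port -> bridge holding it as a plain member
    tagged = defaultdict(list)  # physical port -> [(vlan iface, tag, bridge)]
    for br, members in bridges.items():
        for mem in members:
            if mem in vlans:
                tag, parent = vlans[mem]
                tagged[parent].append((mem, tag, br))
            else:
                untagged[mem] = br
    return [(port, br, viface, tag, vbr)
            for port, br in sorted(untagged.items())
            for viface, tag, vbr in tagged.get(port, [])
            if vbr != br]


def audit(text=SAMPLE_MIXED):
    """Parse ifconfig output and return the mixed tagged/untagged findings."""
    return find_mixed_ports(*parse_ifconfig(text))


if __name__ == "__main__":
    for port, br, viface, tag, vbr in audit():
        print(f"{port}: untagged member of {br}, but VLAN {tag} child {viface} is in {vbr}")
    print("all-tagged sample findings:", audit(SAMPLE_ALL_TAGGED))
```

On a live box, feed it `ifconfig` output (`python3 audit.py < <(ifconfig)` after swapping the default for `sys.stdin.read()`); the first sample reproduces the ticket's layout and yields two findings (ix0 and ix1), the all-tagged contrast yields none. The check only reports the structural overlap Jim's note objects to; it does not claim to explain why the kernel then stops forwarding for the VLAN bridges.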
