OPNsense Forum
English Forums => General Discussion => Topic started by: spidysense on May 04, 2016, 04:38:36 am
-
I have been looking for some good instructions on how to set up a bridge to have multiple NICs to act like a router (Bridge the interfaces to act like a switch, like on a SOHO router). The OPNsense guide doesn't really have much on setting one up, only a transparent filtering bridge (https://docs.opnsense.org/manual/how-tos/transparent_bridge.html?highlight=bridge).
I tried using these instructions for creating a bridge which is for PFSense. The process is nearly identical if not the same as OPNsense on how to Bridge Multiple Lan ports/NICs to act like a router (https://www.all4os.com/router/bridge-multiple-lan-portsnics-to-act-like-a-router-in-pfsense-2-1.html).
My setup looks like this:
0 WAN, 1 LAN, 2 NIC, 3 NIC - I want to get NICs 2 & 3 on the same network as the LAN and lease out IPs on the same network: 192.168.1.2-192.168.1.255.
It seems I cannot get the bridge/NICs to function properly. I can get DHCP to work where other PCs are issued IP addresses but no WAN.
Are there any instructions for this specifically for OPNsense?
-
Hi there,
Biggest question is how is your layout... how many networks bridged, is WAN part of the bridge, etc. DHCP may give you the wrong gateway if not configured differently.
Bridging per se is not routing, you let your interface(s) act as a physical switch. Normally, routing is achieved by just adding the interfaces and then allowing all traffic between them, setting additional routes as needed. There should be no need for a bridge in a routing-centric setup. :)
Cheers,
Franco
-
Your requirement is somewhat confusing. If you want to bridge multiple NIC its better to use switch b/w OPNSense and clients for better management.
The documentation is required some improvements it seems. The scenarios where bridge filtering mode is applicable and what features will be available with bridge filtering mode should also be included.
-
My setup looks like this:
0 WAN, 1 LAN, 2 NIC, 3 NIC - I want to get NICs 2 & 3 on the same network as the LAN and lease out IPs on the same network: 192.168.1.2-192.168.1.255.
-
Can you please share some more information how you have done routing and nat on your box? if DHCP is assigning IP to your clients it mean bridge is working.
-
I believe what he means is "how does he bridge the interfaces to all act like a switch" such as you would find on a SOHO router...
;)
-
Correct. I want to Bridge the interfaces to act like a switch.
-
Standard answer:
Use a switch, much cheaper and INTENDED to be used as a switch. Interfaces at your router are a powerful tool, would use it as such... :-)
http://www.tp-link.com/lk/products/details/cat-4763_TL-SG108.html
-
Answering the OP's (old) question:
To bridge 2 NICs you have to define an interface for each NIC, for example NIC2 and NIC3. I found that you can have mixes of IP v4 configurations: NIC2 with a fixed address and NIC3 with "None", or both NICs with a (different) fixed address.
As Franco warned, when you assign a fixed address to both, you can also tell DHCP to listen to both interfaces and it can issue leases on both interfaces. However... here I was surprised... it only reports the leases on ONE of the interfaces (the last of the members).
-
I am going to be doing something like this soon with some 10Gbe cards so I can add a couple 10G connections to my network for my FreeNAS and my Desktop to use but would rather buy a couple extra Melanox cards (about 30 bucks) than to spend 300 on a switch when I have multiple PCIe slots open on my OPNsense box anyway. The rest of the network is going to stay with 1Gb for now but I will still need that to all be able to connect to the FreeNAS.
If I bridge the interfaces will I need to add any rules so that the systems that are on the Melanox cards can deal with the rest of the network. I already have my FreeNAS setup with a static IP address but should I be doing the same with my desktop? I am more of a hardware guy but with a little help I can usually figure things out with software.
I am sure now that the Melanox 10Gbe cards can be found for around twenty bucks a piece that this will become more and more useful at least until the cost of the switches drops down to a decent price range.
-
Success. For anyone interested I found some directions and they worked perfectly. This post is coming from a bridged 10G X2 plus 1G LAN network.
Credist go to https://forum.pfsense.org/index.php?topic=48947.0
This is the instructions and are designed for pfSense but work with a few differences in spots of where the tunables are etc.
1. Assign your additional interfaces and enable them with type 'none'. They will come up as OPT1, OPT2 etc.
2. Switch bridge filtering from the bridge members onto the bridge itself (assuming you don't need to apply firewall rules between devices on the bridge/switch). Go to System: Advanced: System Tunables: and edit the two values.
Change net.link.bridge.pfil_member to 0.
Change net.link.bridge.pfil_bridge to 1.
Apply these changes.
3. Now create a bridge in Interfaces: (assign): Bridges: and add to it the additional interfaces you just created, you can select multiple interfaces by holding Ctrl. I named the bridge 'Switch Configuration' to remind me how I have configured it.
4. Now go to Interfaces: (assign) and change the LAN assignment to bridge0. Save and reconnect your ethernet cable to one of the bridge interfaces. It should come back up, however you will want to make sure you have console access before you do this as if you've done something different you could end up locked out! ;)
5. Assign the interface that was originally assigned to LAN and enable it with type 'none'. Add it to bridge0 to include it in the 'switch'.
After step 3/4 are done REBOOT. The bridge should be working.
-
Hello all,
I know this is an old thread, but hope resurrecting from the dead wont harm anyone.
I am trying to accomplish something similar as the OP.
My router has a total of 3 interfaces:
- igb0: that physical interface is connecting to the WAN, there is no question at this part
- igb1: that physical interface was formerly configured as THE "LAN" interface. This interface connects to a L2 switchport, and has been configured with a static IP for example 10.0.0.1 (the LAN subnet is for example 10.0.0.0/24). All clients reach the internet through the L2 switchport conecting to the routers igb1 interface
- igb2: that physical interface was never used, and as a result never created, e.g. its not listed in the interface list
But, now I have to implement a new change: enable igb2 (called OPT1 in the interface list). Connect a PC to igb2, that should be part of the same 10.0.0.0/24 LAN as the rest of the network behind igb1. This new PC should also be able both to reach internet through the router. Existing users should reach the router through the same "igb1" interface, as before.
Unfortunately connecting this PC to the existing L2 switch on an unused switchport is not an option. I thought a virtual interface called "bridge0" setup as "Other type\bridge", populated with two members:
member1: igb1
member2: igb2
would be the only viable solution. And this is where I am actually stuck: I administer the router via HTTP (its IP 10.0.0.1, assigned to igb1) from a PC. I somehow figured out, that the LAN address 10.0.0.1 should be migrated from the physical interface called "igb" to the newly created virtual interface called "bridge0". But doing it from the network in-band sounds a very risky procedure, as any mistake or incorrect sequence of steps done can lock me out of the box in a millisecond. Perform this whole LAN bridging config via out-of-band (serial connection) sounds more reasonable.
And this is where I stuck: all I could find was this thread in the forum, the opnsense GUI or the WIKI is 0.00% helpful in this topic. After reading this Step1-5 procedure, I believe some steps in the middle are either missing, or not explained in greater details. But for me it results loss of access to the router, and have to roll-back interface assignment: LAN --> igb1 to get access to the router again (thanks god I have a serial, and the router is in physical proximity).
Somebody with some spare time could maybe copy-paste the entire text from step1-5, and extend with some more verbose details, like which interface(s) owns the LAN mgmt IP at what step, which physical interface (igb1,2) is member of what group (bridge or solo or unassigned?) during the procedure, which step requires mandatory config apply, router reboot, which menu item in the GUI should be used to perform the step, etc. etc. etc.?
-
https://github.com/opnsense/docs/blob/77fd7b8b7a844092fbff832f28a1f26574a23d65/source/manual/how-tos/lan_bridge.rst (https://github.com/opnsense/docs/blob/77fd7b8b7a844092fbff832f28a1f26574a23d65/source/manual/how-tos/lan_bridge.rst)
-
Hmm, looks like the lan_bridge.rst file is not hooked up to a parent page so it's not showing up on https://docs.opnsense.org/
Cheers,
Franco
-
https://github.com/opnsense/docs/blob/77fd7b8b7a844092fbff832f28a1f26574a23d65/source/manual/how-tos/lan_bridge.rst (https://github.com/opnsense/docs/blob/77fd7b8b7a844092fbff832f28a1f26574a23d65/source/manual/how-tos/lan_bridge.rst)
Thanks, this worked!
If I have some extra lines to extend here and there, could I send to you for importing into the docs?
-
Hmm, looks like the lan_bridge.rst file is not hooked up to a parent page so it's not showing up on https://docs.opnsense.org/
Cheers,
Franco
Indeed! This topic cant be located on the docs page.
-
Why, you followed it and it worked. :)
-
Hmm, not the most customer-centric approach :o
Let me explain:
- the 2 tunables are not described at all, what do these change in practicality? What happens in this network topology, if neither of them is changed from their defaults?
- what exact scenario this howto is supposed to solve, is quite unclear. Same as the transparent filtering bridge howto, that tries to accomplish a different type of network architecture, but also not described very precisely (at least a drawing showing the Layer2 / Layer3 would help understanding how that topology should work). It assumes the person reading the howto has the networking knowledge comparable to a CCNP. At least the following introduction should be added in this example:
----------------------------
By default, Opnsense interfaces are configured as Layer-3 interface. That means each physical interface segments the network into different broadcast domains, all using its unique L3 IP addressing scheme. However, if there is a specific need, it is possible to configure some physical interfaces into a Layer-2 mode, similar to L2 switchports, thanks to the virtual software-based interface type "bridge". Members of such bridge interface group behave like ports of a standard L2 switch in the same broadcast domain. This topology is recommended only in the following cases:
- if there is no standalone L2 switch in the network, while Opnsense box has plenty of available physical interfaces, and the number of connecting endpoints is minimal, or
- if the corresponding L2/L3 switch lacks any available ports.
Performance note: in contrast with a true L2 switch -where packet forwarding is done at hardware ASIC level without stressing the switch main CPU- a virtual software-based bridge sends all traffic of bridge member interfaces through the Opnsense CPU. This is true, regardless if the traffic is between two endpoints where the Opnsense box is normally not involved. As a result, even traffic that should normally not be processed or seen by Opnsense itself, still puts significant processing load on its CPU, and reduces the available resources to handle normal workloads.
---------------------
How does this sound?
-
99% of that is irrelevant to most users, they do not care about layer 2, layer 3 or the layers of a cake, they just want it to work with simple straight forward instructions, that's a how-to... not a why's and wherefore and a discussion on networking principles.
However there is nothing preventing you from writing in depth explanations if you feel the need and presenting them for inclusion in the wiki; frankly I don't have time to spare at the moment.
-
99% of that is irrelevant to most users, they do not care about layer 2, layer 3 or the layers of a cake, they just want it to work with simple straight forward instructions, that's a how-to... not a why's and wherefore and a discussion on networking principles.
However there is nothing preventing you from writing in depth explanations if you feel the need and presenting them for inclusion in the wiki; frankly I don't have time to spare at the moment.
As I have already typed the text here, would not be impossible to make it part of the wiki :-)
-
Stop giving me work... I have enough to do. :)
-
You misunderstand me, I wanted to add this myself, as soon as I get to know how exactly this works.
-
Create a Github account.
Fork the Opnsense repo, in this case 'docs' to your own account.
If you are using windows it's very easy, you install github desktop and then in your repo you clone the repo selecting 'Open in Desktop', that brings a copy to your PC. You then create a branch for your changes, make the changes and commit, push the branch to your Github repo and then back in Github you go to your commit and issue a Pull Request.
Franco or Ad then look at it and ask you to make changes. 8)
-
Sounds reasonable/doable. My 1st github experience.
-
Answering the OP's question:
To bridge 2 NICs you have to define an interface for each NIC, for example NIC2 and NIC3.
สมัครสมาชิก12BET (https://leadershipandselfdevelopment.com/12bet/)
I found that you can have mixes of IP v4 configurations: NIC2 with a fixed address and NIC3 with "None", or both NICs with a fixed address.
As Franco warned, when you assign a fixed address to both, you can also tell DHCP to listen to both interfaces and it can issue leases on both interfaces.
However... here I was surprised... it only reports the leases on ONE of the interfaces.
-
This is true, regardless if the traffic is between two endpoints where the Opnsense box is normally not involved.
Hello, I am relatively new to all this. What is a situation where traffic between two endpoints does not involve opnsense? Don't the firewall rules at minimum always have to be verified? Excuse me if this is a dumb question.
-
In this 'bridge' context, all clients are on the same LAN segment, this traffic between two clients say 192.168.1.10 and 192.168.1.11 would go point to point. For example if the clients were connected directly, one to each of the bridge ports, then although the traffic would pass through the opensense router NICs, no firewall rules would be in play as they are both on the same LAN, it's effectivelly the same as if they were connected by a simple switch, one port to each of the clients and one port to opensense.
-
Success. For anyone interested I found some directions and they worked perfectly. This post is coming from a bridged 10G X2 plus 1G LAN network.
Credist go to https://forum.pfsense.org/index.php?topic=48947.0
This is the instructions and are designed for pfSense but work with a few differences in spots of where the tunables are etc.
1. Assign your additional interfaces and enable them with type 'none'. They will come up as OPT1, OPT2 etc.
2. Switch bridge filtering from the bridge members onto the bridge itself (assuming you don't need to apply firewall rules between devices on the bridge/switch). Go to System: Advanced: System Tunables: and edit the two values.
Change net.link.bridge.pfil_member to 0.
Change net.link.bridge.pfil_bridge to 1.
Apply these changes.
3. Now create a bridge in Interfaces: (assign): Bridges: and add to it the additional interfaces you just created, you can select multiple interfaces by holding Ctrl. I named the bridge 'Switch Configuration' to remind me how I have configured it.
4. Now go to Interfaces: (assign) and change the LAN assignment to bridge0. Save and reconnect your ethernet cable to one of the bridge interfaces. It should come back up, however you will want to make sure you have console access before you do this as if you've done something different you could end up locked out! ;)
5. Assign the interface that was originally assigned to LAN and enable it with type 'none'. Add it to bridge0 to include it in the 'switch'.
After step 3/4 are done REBOOT. The bridge should be working.
I love you...I know this may be necrod but this solved my issue. I've been pulling my hair out trying to figure out why wifi worked but ethernet didn't. I have an ap connected to my homebrew 'bridge switch'. Changing the two settings in tunables fixed this for me.
-
This is exactly what is in the OPNsense documentstion, so really, what's the fuzz about?
https://docs.opnsense.org/manual/how-tos/lan_bridge.html