LAN ports bridge (why and why)

[pickone]

Hi!

I am trying to learn more of this opnsense and I got into an issue, in fact, it is not an issue, it is more a question about why that and not that. I just installed opnsense for the first time, yesterday, so please, don't take me hard

I have a minipc with 6 ports (1 for wan, 5 as lan) and I want to use it as a standard router (1 wan port and the other 5 LANs as bridge)

Looking on the internet, everyone say that the proper way to do this, is to assign and enable all the interfaces, then go and create the bridge with all the opts lans except the "LAN" port, then change the LAN interface port to BRDIGE and so on...  But why is this? What is the difference between making this and doing it like I done?

What I done and it is working, I assigned and enabled all the interfaces, I created the bridge with all the interfaces (including the LAN interface), without changing the LAN interface port to BRIDGE, it is working well. Every port have connection.

So... what's the catch?

Thank you in advance.

[Patrick M. Hausen]

This configuration is violating the documented architecture of the FreeBSD bridge. Resulting problem is that it breaks multicast, so applications using that won't work and IPv6 won't work at all.

A member interface of a bridge in FreeBSD must not have an IP address. The IP address must go on the bridge interface.

[pickone]

I understand.

I was thinking that my configuration will be easier in the future, when maybe I want to get rid of the bridge and use all the ports separately. Not switching the ports everytime, and so on... and then the identifier which is not matching the name I want...

[dsduarte]

You will have problems with that config if you decide to do VLAN's...
When I activated my OPNsense on a 4x2.5Gbps ports mini PC I expeceted to assign 1 port to WAN and 3 ports on bridge with VLAN's.
That's another limitation, which I know that exists but I do not know fore sure why!

[Patrick M. Hausen]

Because that's how it's implemented in FreeBSD.

[pickone]

Because that's how it's implemented in FreeBSD.

Not very "user friendly" if you ask me  ;D

Changing, switching, so many actions for just a silly bridge  :(

[Patrick M. Hausen]

Get a managed switch and build a router on a stick. FreeBSD is not a switch, but a sufficiently powerful and reliable router.

[netnut]

What I done and it is working, I assigned and enabled all the interfaces, I created the bridge with all the interfaces (including the LAN interface), without changing the LAN interface port to BRIDGE, it is working well. Every port have connection.

So... what's the catch?

So you configured a Bridge with LAN, OPT1/2/3/4 ?

Question: The LAN interface by default was/is 192.168.1.1, which interface is assigned with this address (or if you changed it from default, the changed one) still on your LAN interface or on the new Bridge device ?

[pickone]

What I done and it is working, I assigned and enabled all the interfaces, I created the bridge with all the interfaces (including the LAN interface), without changing the LAN interface port to BRIDGE, it is working well. Every port have connection.

So... what's the catch?

So you configured a Bridge with LAN, OPT1/2/3/4 ?

Question: The LAN interface by default was/is 192.168.1.1, which interface is assigned with this address (or if you changed it from default, the changed one) still on your LAN interface or on the new Bridge device ?

Yes, I have configured all as Bridge
192.168.1.1 default for LAN interface

I have not touched anything on the Bridge part, I only added the interfaces as bridge, in the bridge setting. I selected all the interfaces, except WAN

[netnut]

Yes, I have configured all as Bridge
192.168.1.1 default for LAN interface

I have not touched anything on the Bridge part, I only added the interfaces as bridge, in the bridge setting. I selected all the interfaces, except WAN

Ok, so you might want to dive a little bit deeper in the differences between Layer 2 & Layer 3 in networking

Not very "user friendly" if you ask me  ;D

Changing, switching, so many actions for just a silly bridge  :(

It will explain why it has nothing to do with "User Friendliness" or "Silly" bridges but with default Ethernet behaviour.

[pickone]

As a start, I just wanted to know what is the difference between those two cases:

1. Only adding interfaces into the Bridge Setting (thats it) only selecting interfaces there.
2. Making all the other actions, with the finished setting where I change the LAN to Bridge and create another interface for first lan port.

The result as practical use, I don't see any difference, because in any case, I can access the other LAN ports, as being a swtch. But I don't know what's the problem in the back.

[netnut]

The result as practical use, I don't see any difference, because in any case, I can access the other LAN ports, as being a swtch. But I don't know what's the problem in the back.

Because the Bridge will be part of a "greater" thing, your OPNsense firewall. And instead of following a random Internet guide, the only thing you need is https://docs.opnsense.org/manual/how-tos/lan_bridge.html and mind the tunables in Step Six (very important).

Your Bridge interface is now the Layer 3 interface with the assigned members as Layer 2 devices. From a networking perspective the whole thing now behaves as it should and routing and firewalling with OPNsense is now all controlled by the Layer 3 Bridge device (as it should).

The other thing: By default all management (webgui/ssh) in OPNsense is provided by the LAN interface, including some lockout rules. When one creates a Bridge the right way (see point above) and the LAN interface becomes a member of this new Bridge, it's basically converted from a Layer 3 to a Layer 2 device. You would not the first one who now posts a new topic in this forum "Why can't I access my OPNsense management (webgui/ssh)".