5

Hardware Setup

  • AMD E1-2100 Mini-ITX Motherboard with Onboard Gigabit (re0)
  • Intel PCI Express (x4) 4-port Gigabit Adapter (igb[0123])

Software Setup

  • pfSense v2.3

I'm trying to replicate my OpenWRT router, which is setup as a simple router + VLAN 2 => different isolated subnet for various WiFi things I don't trust. My WiFi bridges run two different SSID's, one of which tags traffic VLAN 2. I successfully added igb[0123] as separate interfaces and combined them into BRIDGE0. I assigned an IP 10.0.1.1 to the BRIDGE0 interface, enabled DHCP, and can successfully use my box as a simple router.

However, when I combine four new virtual interfaces of VLAN 2 (w/ parent interfaces igb[0123] into a single BRIDGE1 (IP 10.0.2.1), my VLAN 2 interface on my hardwired MacOS X box gets IP 10.0.2.20 via DHCP but fails to route anything. In other words, I cannot ping across the WAN or even 10.0.2.1. I created a new Firewall rule on BRIDGE1 to pass all IPV4 traffic. Per the pfSense docs, I also set some system tunables.

When I set IP 10.0.2.1 to the VLAN2 interface of the hardwired port that I happened to be plugged into, enable DHCP for that specific interface, and generally follow all the same steps for the specific VLAN'd port, I can ping across the WAN and 10.0.2.1.

I think the issue is isolated to BRIDGE1 being composed VLAN2 virtual interfaces for each physical port.

  • Is what I'm doing possible?
  • If it's possible, what am I doing wrong?
  • Is there a better way to do this? My goal is to isolate weird, potentially malicious IoT devices, but I'm open to other ideas on network topology/setup.
Community
  • 1
sl33nyc
  • 51
  • 1
  • 2

1 Answers1

0

Use two VLANS - One for your normal network, and one for your protected one.

VLAN1 = BRIDGE0 = 10.0.1.1/24

VLAN2 = BRIDGE1 = 10.0.2.1/24

oisteink
  • 1
  • this doesn't really answer the question - i am having the same issue. the situation is: 4 ports on pfsense, 1 is WAN, 3 should be "trunk" ports for two different switches and an AP. all three devices have different VLANs (untagged, 10 and 11), and all three VLANs should be available on all three ports of the pfsense. i guess that's quite similar to the OP. is this possible? i have igb[1,2,3] in br0 and igb[1.10,2.10,3.10] on br1 ... pfsense let's me build this just fine ... but it doesn't work ... maybe some STP stuff? – rmalchow Feb 17 '18 at 10:40
  • same situation as rmalchow does anyone have a suggestion? – Tjunkie Jun 13 '20 at 01:24
  • I dont think you can use the underlaying interface and the vlan that goes through it at the same time. The port needs to be either tagged or untagged, both doesnt really make sense. To make vlan on igb2, you need to stop using igb2, but keep the interface enabled. So remove dhcp, ip adress on igb2, remove igb2 from any and all bridges. Create igb2.vlan10 igb2.vlan12, and use them as a new bases for any bridges you want. – misiu_mp Jun 16 '22 at 21:35