PFSense - Network - Configure Bridge over multiple NICs as LAN
A bridge interface creates a logical link between two or more Ethernet interfaces or encapsulation interfaces.
This link between the interfaces selectively forwards frames from each interface on the bridge to every other interface on the bridge.
A bridge can serve several purposes, including isolating traffic between sets of machines so that traffic local to one set of machines is not available on the wire of another set of machines, and it can act as a transparent filter for IP datagrams.
The bridge works at layer 2, at the broadcast/collision domain level.
The basic idea is:
- Assign and Enable additional NICs
- Create Bridge Interface
- Assign Bridge Interface an IP Address
- Create Interface Group
- Add Firewall Rule
- Add DHCP Server on the Bridge
- Remove IP address from EM1
Assign and Enable additional NICs
Enable all the NICs you have and want included in the local LAN Bridge.
In pfSense, navigate to Interfaces → Assignments
Enable interfaces needed for the bridge
For each interface assigned, navigate to that interface via the Interfaces → Assignments menu item, and ensure it is Enabled and that it has None specified as the IPv4 and IPv6 address.
NOTE: Your interface names may be slightly different (e.g. LAN, OPT1, OPT2).
Create Bridge Interface
Create a virtual bridge interface across all of the NICs you want included in the bridge.
Use the menu Interfaces → Assignments → Bridges.
Use the Add + button to add a bridge and select all interfaces you want as part of the bridge, but do not include the WAN interface.
Assign an IP address to the bridge
Assign an IP address (IPv4, minimally) to the bridge via the Interfaces → BR0 menu.
WARNING: Assigned Bridge MAC Addresses and Windows.
The MAC address for a bridge is determined randomly when the bridge is created, either at boot time or when a new bridge is created.
That means that on each reboot, the MAC address can change.
In many cases this does not matter, but Windows Vista, 7, 8, and 10 use the MAC address of the gateway to determine if they are on a specific network.
If the MAC changes, the network identity will change and its status as public, private, etc. may need to be corrected.
To work around this, enter a MAC address on the assigned bridge interface to spoof it.
Then clients will always see the same MAC for the gateway IP address.
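A fixed MAC for the bridge should be unicast and, so that it cannot clash with a vendor-assigned address, locally administered. The sketch below is an added example, not part of the original page or of pfSense; the function names `gen_bridge_mac` and `is_valid_bridge_mac` are hypothetical. It generates such an address and checks a candidate before it is entered on the bridge interface.

```shell
#!/bin/sh
# Added example: choose and validate a fixed MAC address for the bridge.
# Function names are hypothetical; nothing here is pfSense's own code.

# is_valid_bridge_mac MAC
# Returns 0 only if MAC is six colon-separated hex octets, unicast
# (bit 0 of the first octet clear) and locally administered (bit 1 set).
is_valid_bridge_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) return 1 ;;                       # wrong length or characters
    esac
    first=$((0x${mac%%:*}))
    [ $((first & 1)) -eq 0 ] || return 1     # multicast/broadcast address
    [ $((first & 2)) -eq 2 ] || return 1     # globally administered (vendor OUI)
    return 0
}

# gen_bridge_mac
# Prints a random MAC with the first octet forced to unicast and
# locally administered: clear bit 0, set bit 1.
gen_bridge_mac() {
    # Six random bytes as two-digit hex words.
    set -- $(od -An -N6 -tx1 /dev/urandom)
    first=$(( (0x$1 & 0xfc) | 0x02 ))
    printf '%02x:%s:%s:%s:%s:%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# Stand-alone run: print one candidate and confirm it passes the check.
candidate=$(gen_bridge_mac)
if is_valid_bridge_mac "$candidate"; then
    printf 'candidate bridge MAC: %s\n' "$candidate"
fi
```

Generate the address once and record it; the point of pinning it is that clients see the same gateway MAC after every reboot.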
Create Interface Group
Create an interface group including all NICs and the bridge interface.
This will be used for LAN firewall rules.
Use the menu Interfaces → Assignments → Interface Groups.
Use the Add + button to add the group and select all interfaces you want as part of the bridge group, including the bridge itself, but do not include the WAN interface.
Add Firewall Rule
Add a firewall rule to allow traffic to flow amongst the interfaces of the interface group, as a single, unconstrained LAN.
Select Firewall → Rules → Bridge and add a rule like this:
- Action: Pass
- Interface: Bridge
- Address Family: IPv4+IPv6
- Protocol: Any
- Source: Any
- Destination: Any
Add DHCP Server on the Bridge
Assuming you want to run a DHCP server on your local LAN, configure the DHCP server on the Bridge interface via the menu item Services → DHCP Server → BR0.
Enable DHCP server on BR0 interface. Range: 192.168.1.100 to 192.168.1.199.
Remove IP address from EM1
Finally, as cleanup, you should remove the IP address from LAN.
You may need to disable the DHCP server on that interface first.
Select Interfaces → Assignments → LAN.
Set IPv4 and IPv6 Configuration Type to None.
At this point you should have a fully functional, local area network bridge across all your interfaces.