User Tools

Site Tools


pfsense:network:configure_bridge_over_multiple_nics_as_lan

PFSense - Network - Configure Bridge over multiple NICs as LAN

A bridge interface creates a logical link between two or more Ethernet interfaces or encapsulation interfaces.

This link between the interfaces selectively forwards frames from each interface on the bridge to every other interface on the bridge.

A bridge can serve several services, including isolation of traffic between sets of machines so that traffic local to one set of machines is not available on the wire of another set of machines, and it can act as a transparent filter for IP datagrams.

This will work at layer 2 broadcast/collision domain.

The basic idea is:

  • Assign and Enable additional NICs
  • Create Bridge Interface
  • Assign Bridge Interface an IP Address
  • Create Interface Group
  • Add Firewall Rule
  • Add DHCP Server on the Bridge
  • Remove IP address from EM1

Assign and Enable additional NICs

Enable all the NICs you have and want included in the local LAN Bridge.

In pfSense, navigate to Interfaces → Assignments


Enable interfaces needed for the bridge

For each interface assigned, navigate to that interface via the Interfaces → Assignments menu item, and ensure it is Enabled and that it has None specified as the IPv4 and IPv6 address.

NOTE: Your interface names may be slightly different (e.g. LAN, OPT1, OPT2).


Create Bridge Interface

Create a virtual bridge interface across all of the NICs you want included in the bridge.

Use the menu Interfaces → Assignments → Bridges.

Use the Add + button to add a bridge and select all interfaces you want as part of the bridge, but do not include the WAN interface.


Assign an IP address to the bridge

Assign an IP address (IPv4, minimally) to the bridge via the Interfaces → BR0 menu.

WARNING: Assigned Bridge MAC Addresses and Windows.

The MAC address for a bridge is determined randomly when the bridge is created, either at boot time or when a new bridge is created.

That means that on each reboot, the MAC address can change.

In many cases this does not matter, but Windows Vista, 7, 8, and 10 use the MAC address of the gateway to determine if they are on a specific network.

If the MAC changes, the network identity will change and its status as public, private, etc. may need to be corrected.

To work around this, enter a MAC address on the assigned bridge interface to spoof it.

Then clients will always see the same MAC for the gateway IP address.


Create Interface Group

Create an interface group including all NICs and the bridge interface.

This will be used for LAN firewall rules.

Use the menu Interfaces → Assignments → Interface Groups.

Use the Add + button to add the group and select all interfaces you want as part of the bridge group, including the bridge itself, but do not include the WAN interface.


Add Firewall Rule

Add a firewall rule to allow traffic to flow amongst the interfaces of the interface group, as a single, unconstrained LAN.

Select Firewall → Rules → Bridge and add a rule like this

Action: Pass
Interface: Bridge
Address Family: IPv4+IPv6
Protocol: Any

Source: Any
Destination: Any

Add DHCP Server on the Bridge

Assuming you want to run a DHCP server on your local LAN, configure the DHCP server on the Bridge interface via the menu item Services → DHCP Server → BR0.

Enable DHCP server on BR0 interface.
Range: 192.168.1.100 to 192.168.1.199.

Remove IP address from EM1

Finally, as cleanup, you should remove the IP address from LAN.

You may need to disable the DHCP server on that interface first.

Select Interfaces → Assignments → LAN.

Set IPv4 and IPv6 Configuration Type to None.


At this point you should have a fully functional, local area network bridge across all your interfaces.


pfsense/network/configure_bridge_over_multiple_nics_as_lan.txt · Last modified: 2021/01/06 09:34 by peter

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki