Bridging and Interfaces

A bridge interface (e.g. bridge0) itself may be assigned as interface. This allows the bridge to act as a normal interface and have an IP address placed upon it rather than a member interface.

Configuring the IP address on the bridge itself is best in nearly all cases. The main reason for this is due to the fact that bridges are dependent on the state of the interface upon which the IP address is assigned. If the IP address for the bridge is configured on a member interface and that interface is down, the whole bridge will be down and no longer passing traffic. The most common case for this is a wireless interface bridged to an Ethernet LAN NIC. If the LAN NIC is unplugged, the wireless would be dead unless the IP address was configured on the bridge interface and not LAN. Another reason is that if limiters must be used for controlling traffic, then there must be an IP address on the bridge interface for them to work properly. Likewise, in order for Captive Portal or a transparent proxy to function on an internal bridge the IP address must be configured on the assigned bridge and not a member interface.

Swapping Interface Assignments

Before getting too far into talking about moving around bridge interface assignments, it must be noted that these changes should be made from a port that is not involved in the bridge. For example, if bridging WLAN to LAN, make the change from WAN or another OPT port. Alternately, download a backup of config.xml and manually make the changes. Attempting to make changes to a port while managing the firewall from that port will most likely result loss of access to the GUI, leaving the firewall unreachable.

Easy Method: Move settings to the new interface

The easiest, though not the quickest, path in the GUI is to remove the settings from the LAN interface individually (IP address, DHCP, etc) and then activate them on the newly assigned bridge interface.

Quick but Tricky: Reassign the Bridge as LAN

Though this method is a bit trickier than moving the settings, it can be much faster especially in cases where there are lots of firewall rules on LAN or a complex DHCP configuration. In this method, some hoop-jumping is required but ultimately the bridge ends up as the LAN interface, and it retains the LAN IP address, all of the former firewall rules, DHCP, and other interface configuration.

  • Assign and configure the bridge members that have not yet been handled. Review the steps below to ensure the interface settings are correct even if the interfaces have already been assigned and configured.
    • Navigate to Interfaces > (assign)
    • Choose the interface from the Available network ports list
    • Click Add
    • Navigate to the new interface configuration page, e.g. Interfaces > OPT2
    • Check Enable
    • Enter a Description such as WiredLAN2
    • Set both IPv4 Configuration Type and IPv6 Configuration Type to None
    • Uncheck both Block private networks and Block bogon networks if checked
    • Click Save
    • Click Apply Changes
    • Repeat for additional unassigned future bridge members
  • Create the new bridge
    • Navigate to Interfaces > (assign) on the Bridges tab
    • Click Add to create a new bridge
    • Enter a Description, such as LAN Bridge
    • Select all of the new bridge members EXCEPT the LAN interface in the Member interfaces list
    • Click Save
  • Change the bridge filtering System Tunable to disable member interface filtering
    • Navigate to System > Advanced, System Tunables tab
    • Locate the entry for net.link.bridge.pfil_member or create a new entry if one does not exist, using that name for the Tunable
    • Click fa-pencil to edit an existing entry
    • Enter 0 in the Value field
    • Click Save
  • Navigate to Interfaces > (assign)
  • Change the assignment of LAN to bridge0
  • Click Save
  • Assign and configure the old LAN interface as described previously, setting its IP configuration types to None and naming it WiredLAN
  • Edit the bridge and select the newly assigned WiredLAN as a bridge member
  • Change the bridge filtering System Tunable to enable bridge interface filtering
    • Use the procedure described previously, but set net.link.bridge.pfil_bridge to 1

Now the former LAN interface, along with the new bridge members, are all on a common layer 2 with the bridge assigned as LAN along with the other configuration.

Quickest but Most Difficult: Hand Edit config.xml

Hand editing config.xml can be very fast for those familiar with the configuration format in XML. This method is easy to get wrong, however, so be sure to have backups and install media nearby in case a mistake is made.

When hand editing config.xml to accomplish this task, do as follows:

  • Assign the additional bridge members and set their IP configuration types to None
  • Create the bridge, including LAN and LAN2 and other bridge members
  • Assign the bridge (e.g. as OPT2) and enable it, also with an IP configuration type of None
  • Download a backup of config.xml from Diagnostics > Backup/Restore
  • Open config.xml in a text editor that understands UNIX line endings
  • Change the LAN assignment to bridge0
  • Change the former LAN assignment to what used to be the bridge (e.g. OPT2)
  • Edit the bridge definition to refer to OPT2 and not LAN
  • Save the changes
  • Restore the edited config.xml from Diagnostics > Backup/Restore

The firewall will reboot with the desired setup. Monitor the console to ensure the settings were applied correctly and no errors are encountered during the boot sequence.

Assigned Bridge MAC Addresses and Windows

The MAC address for a bridge is determined randomly when the bridge is created, either at boot time or when a new bridge is created. That means that on each reboot, the MAC address can change. In many cases this does not matter, but Windows Vista, 7, 8, and 10 use the MAC address of the gateway to determine if they are on a specific network. If the MAC changes, the network identity will change and its status as public, private, etc. may need to be corrected. To work around this, enter a MAC address on the assigned bridge interface to spoof it. Then clients will always see the same MAC for the gateway IP address.