Pfsense, bridged vlans, and access between the bridged interfaces

I’ve searched exhaustively for a solution for this situation, and can’t find a clear answer (either in these forums or the wider internet) - here’s my use case:

I have 2 separate vlans - 1 wired (PRIVLAN) and 1 wireless (PRIVWIFI) - which have both been working well separately; however, I have decided to bridge them (for many reasons, and the need to have UPNP / DLNA working between them has forced my hand).

I have created a bridge (PRIVBRIDGE), added the two interfaces to it, merged across all of the rules & DHCP reservations onto PRIVBRIDGE, and disabled everything on PRIVLAN & PRIVWIFI. Devices connected to PRIVLAN and PRIVWIFI are all now behaving as though they were connecting to the single interface PRIVBRIDGE & grabbing IP addresses from the same pool. The vlans are also acting as expected.

The devices on PRIVBRIDGE can connect to everything they need to (i.e. WAN, DMZ, etc.), but devices on PRIVLAN cannot see devices on PRIVWIFI and vice versa - not even pinging is successful. In an attempt to resolve this, I’ve gone back into PRIVLAN & PRIVWIFI’s firewall rules and added an IP4 (any protocol) rule to each, with its own interface name as the source (i.e. PRIVLANnet), and “any” as the destination. I’ve also added another 2 corresponding rules on PRIVBRIDGE, with PRIVLANnet and PRIVWIFInet as the destinations. This has had no effect, and I’ve made sure to move these rules to the top of the ruleset to be sure they’re unaffected by any other rules.

The logs do show traffic attempts being blocked from both PRIVLAN and PRIVWIFI, however the rule isn’t named, the entries’ rule just comes up with a number in brackets, similar to what you see in other entries, although they also contain the rule description. AFAIK all of my firewall rules contain descriptions (verified visually), so I would have thought I would have seen which rule is blocking the traffic.

My questions are these:

  • Without knowing how the rest of my environment is configured, should what I’ve described above be allowing traffic between the two bridged interfaces?
  • In the Firewall Log, is it possible to use the entries’ rule number (which I’m guessing is an ID of some kind) to identify which rule is blocking the traffic?

Any assistance / advice would be helpful, thanks in advance
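Two checks that bear on the questions above, as an added example rather than anything posted in this thread: the if_bridge(4) sysctls `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge` decide whether pf evaluates rules on the member interfaces (PRIVLAN/PRIVWIFI) or on the bridge itself (PRIVBRIDGE), and `pfctl -vvsr` lists the loaded ruleset with each rule's `@N` index and, on pfSense, its `ridentifier` tracker number, so a bare number from the firewall log can be matched to the rule that produced it. The ruleset text, interface names and tracker numbers below are constructed so the script runs offline; on a live box you would pipe the real `sysctl` and `pfctl -vvsr` output into these helpers.

```shell
#!/bin/sh
# Added example, not from the thread. On a live pfSense box:
#   sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge
#   pfctl -vvsr | rule_for_number <number from the firewall log>

# Usage: bridge_filter_mode <pfil_member> <pfil_bridge>
# Interprets the two if_bridge(4) tunables: with the pfSense default (1 0),
# rules placed on the bridge interface itself are never evaluated, so
# inter-member traffic is decided by the rules on the member interfaces.
bridge_filter_mode() {
    case "$1$2" in
        10) echo "rules evaluated on member interfaces only (pfSense default)" ;;
        01) echo "rules evaluated on the bridge interface only" ;;
        11) echo "rules evaluated on both the members and the bridge" ;;
        00) echo "no pf filtering for bridged traffic at all" ;;
        *)  echo "unexpected values: pfil_member=$1 pfil_bridge=$2"; return 1 ;;
    esac
}

# Usage: rule_for_number <n> < ruleset     (ruleset = output of 'pfctl -vvsr')
# Matches either the '@n' index printed by pfctl or a pfSense tracker id
# ('ridentifier n'); pfSense carries the GUI description in the label string.
rule_for_number() {
    grep -E "^@$1 |ridentifier $1"'( |$)' || return 1
}

# Constructed sample of 'pfctl -vvsr' output (interfaces, addresses and
# tracker ids are invented for the demonstration).
SAMPLE_RULESET='@0 block drop in log all label "Default deny rule IPv4" ridentifier 1000000103
  [ Evaluations: 120 Packets: 7 Bytes: 420 States: 0 ]
@1 pass in quick on lagg0.10 inet from 192.168.10.0/24 to any flags S/SA keep state label "USER_RULE: PRIVLAN to any" ridentifier 1541000001
  [ Evaluations: 88 Packets: 60 Bytes: 9000 States: 2 ]
@2 pass in quick on lagg0.20 inet from 192.168.10.0/24 to any flags S/SA keep state label "USER_RULE: PRIVWIFI to any" ridentifier 1541000002
  [ Evaluations: 30 Packets: 0 Bytes: 0 States: 0 ]'

# Demonstration with the constructed data.
bridge_filter_mode 1 0
printf '%s\n' "$SAMPLE_RULESET" | rule_for_number 1000000103
printf '%s\n' "$SAMPLE_RULESET" | rule_for_number 2
```

If `rule_for_number` prints nothing for a logged number, the rule was loaded in an anchor or has since been reloaded, so re-check against a fresh `pfctl -vvsr` taken right after the log entry.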

The better way to configure this is not to use the bridge in pfsense but instead use a switch to get the devices connected. It has been my experience in the past that the bridging ports in pfsense can be buggy.

Thanks for the insight @LTS_Tom - I was hoping I wouldn’t have to make it a topography change for this, but it certainly makes the most amount of sense.