Pfsense, bridged vlans, and access between the bridged interfaces

I’ve searched exhaustively for a solution for this situation, and can’t find a clear answer (either in these forums or the wider internet) - here’s my use case:

I have 2 separate vlans - 1 wired (PRIVLAN) and 1 wireless (PRIVWIFI) - which have both been working well separately; however, I have decided to bridge them (for many reasons, and the need to have UPNP / DLNA working between them has forced my hand).

I have created a bridge (PRIVBRIDGE), added the two interfaces to it, merged across all of the rules & DHCP reservations onto PRIVBRIDGE, and disabled everything on PRIVLAN & PRIVWIFI. Devices connected to PRIVLAN and PRIVWIFI are all now behaving as though they were connecting to the single interface PRIVBRIDGE & grabbing IP addresses from the same pool. The vlans are also acting as expected.

The devices on PRIVBRIDGE can connect to everything they need to (i.e. WAN, DMZ, etc.), but devices on PRIVLAN cannot see devices on PRIVWIFI and vice versa - not even pinging is successful. In an attempt to resolve this, I’ve gone back into PRIVLAN & PRIVWIFI’s firewall rules and added an IP4 (any protocol) rule to each, with its own interface name as the source (i.e. PRIVLANnet), and “any” as the destination. I’ve also added another 2 corresponding rules on PRIVBRIDGE, with PRIVLANnet and PRIVWIFInet as the destinations. This has had no effect, and I’ve made sure to move these rules to the top of the ruleset to be sure they’re unaffected by any other rules.

The logs do show traffic attempts being blocked from both PRIVLAN and PRIVWIFI, however the rule isn’t named, the entries’ rule just comes up with a number in brackets, similar to what you see in other entries, although they also contain the rule description. AFAIK all of my firewall rules contain descriptions (verified visually), so I would have thought I would have seen which rule is blocking the traffic.

My questions are these:

  • Without knowing how the rest of my environment is configured, should what I’ve described above be allowing traffic between the two bridged interfaces?
  • In the Firewall Log, is it possible to use the entries’ rule number (which I’m guessing is an ID of some kind) to identify which rule is blocking the traffic?

Any assistance / advice would be helpful, thanks in advance
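On the second question, here is an added example that is not from the thread: a pfSense filterlog line carries the rule's tracker id as its fourth comma-separated field, and `pfctl -vvsr` on the firewall prints the same id as `ridentifier` next to each rule's `label`, so the two can be joined to recover the rule name. The sample `pfctl` output and log line below are constructed, and the field layout is an assumption taken from pfSense's documented filterlog format.

```shell
#!/bin/sh
# Constructed sample of `pfctl -vvsr` output (not taken from any real firewall).
PFCTL_RULES='@0 scrub in on igb0 all fragment reassemble
@1 anchor "userrules/*" all
@2 pass in quick on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" ridentifier 1000000001
@3 block drop in log quick inet all label "Default deny rule IPv4" ridentifier 1000000103
@4 pass in quick on bridge0 inet from 192.168.10.0/24 to any flags S/SA keep state label "USER_RULE: PRIVBRIDGE allow" ridentifier 1612345678'

# Constructed filterlog line. Assumed layout (pfSense filterlog CSV):
#   rulenr,subrulenr,anchor,tracker,real-interface,reason,action,direction,ipver,...
LOG_LINE='3,,,1000000103,igb1,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.168.10.5,192.168.20.7,50000,445,0,S,'

# Field 4 is the tracker id. Unlike the @N position, it does not change
# when rules are reordered, which is why it is the key to join on.
tracker_from_log() {
    printf '%s\n' "$1" | cut -d, -f4
}

# Print the label of the rule whose ridentifier equals the given tracker id.
# Prints nothing when no rule carries that id (e.g. a rule removed since the log entry).
rule_label_for_tracker() {
    printf '%s\n' "$PFCTL_RULES" | awk -v id="$1" '
        $0 ~ ("ridentifier " id "( |$)") {
            if (match($0, /label "[^"]*"/))
                print substr($0, RSTART + 7, RLENGTH - 8)
            exit
        }'
}

# Stand-alone usage: resolve the sample log line to its rule label.
rule_label_for_tracker "$(tracker_from_log "$LOG_LINE")"
```

Running the same two functions against real `pfctl -vvsr` output and a line from `/var/log/filter.log` gives the rule behind a bracketed number in the GUI log view.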

The better way to configure this is not to use the bridge in pfsense but instead use a switch to get the devices connected. It has been my experience in the past that the bridging ports in pfsense can be buggy.

Thanks for the insight @LTS_Tom - I was hoping I wouldn’t have to make it a topology change for this, but it certainly makes the most amount of sense.

I’m reviving this thread hoping I can get some guidance from this much more friendly crowd here. I want to avoid using a physical switch for the VMs, and I’ve run into an impasse.

I have researched extensively for a solution, and yet I am close to completely giving up on finding a way to enable communication across member interfaces on a pfSense bridge so I’m reaching out to anyone for help.

All I am looking to achieve is to have my Proxmox VMs and my physical wired hosts behave as if they were on the same physical network.

Here is my setup:

  • Proxmox as VM host (on bare metal)
  • Proxmox has a Linux Bridge (vmbr1) on which:
    • VMs are attached
    • pfSense VM is attached
  • pfSense as VM on Proxmox:
    • Two physical ethernet interfaces passed through as PCI to pfSense:
      • igb0 - LAN
      • igb1 - WAN
    • pfSense VM is attached to vmbr1, with vmbr1 being presented to pfSense as an OPT interface (PVE_VMBR1)
    • LAN port plugged in hardware switch
    • WAN port plugged in ISP, receiving WAN address via DHCP
    • A Wireguard tunnel (WG_IVPN) to a VPN provider behind which all hosts sit, with the exception of some that are defined in an Alias list (VPN_Bypass_Hosts)

On pfSense I have bridged LAN and PVE_VMBR1 to form a new bridge interface (BR_LAN_PVE_VMBR1).

  • Neither LAN nor PVE_VMBR1 have any static IPs configured – DHCP is configured on the bridge interface
  • System tunables are set for filtering to happen on the BR_LAN_PVE_VMBR1 interface and not on the member interfaces
  • Every host routes out to the internet the way it should – through the VPN gateway, and with the hosts in the alias being routed from the regular WAN gateway.
  • Every host receives a DHCP lease
  • Hosts on PVE_VMBR1 can ping each other
  • Hosts on LAN can ping each other

Rough (terrible) depiction of the network:

HOWEVER, hosts on the LAN interface of the bridge cannot communicate with hosts on the PVE_VMBR1 interface and vice versa.

Obviously, some specific firewall rules are necessary for this to happen, but nothing I've tried has achieved this.

Firewall rules on pfsense bridge:

Things I've tried, to no avail:
  1. Setting allow any-to-any firewall rules on member interfaces (although the filtering is done at the bridge interface level)
  2. Setting “LAN net” -to- “PVE_VMBR1 net” and vice-versa allow rules on the bridge interface (did not work as neither LAN nor PVE_VMBR1 has any subnets configured; everything is on the same pool)
  3. Obviously every VM at the Proxmox level has its firewall turned off

So, kindly asking for help here on which rules should go where!

Many thanks in advance!

PS: I know the above topology is not the best practice, but for now I need to allow communication between VMs on Proxmox and physical wired hosts on LAN. Please let’s not get into a conversation of how the setup should ideally be configured.

I think I have solved the issue (VMs can now ping physical hosts and vice versa) by doing the following:

  • Created an alias with the IPs of the VMs
  • Added two pass rules on the bridge interface (BR_LAN_PVE_VMBR1) as follows:
    • BR_LAN_PVE_VMBR1 net → VM Hosts IPs (alias)
    • VM Hosts IPs (alias) → BR_LAN_PVE_VMBR1

Thoughts? Any risks (security or performance) with this setup?