Bridging interfaces

You can bridge interfaces in pfSense by navigating to Interfaces | (assign) and clicking on the Bridges tab. On this tab, there is a table displaying all the configured bridges. To add a new bridge, click on the Add button under the table.

On the Bridge Edit page, you need to select at least two interfaces (you can bridge more than two interfaces); you can select them in the Member Interfaces listbox. The interfaces selected are the ones that will be bridged. You may also enter a brief description in the Description field.

Clicking on the Display Advanced button reveals a number of advanced options you can configure. The Cache size field is where you can set the size of the bridge address cache; the default size is 2000 entries. The Cache expire time field is where you can set the timeout, in seconds, of address cache entries, but the cache entries will not expire if you set this field to zero. The default Cache expire time is 1200 seconds.

Next is the Span Port listbox; setting an interface as a span port means that it will transmit every frame received by the bridge. This can be useful if you need to monitor bridge traffic. The interface designated as a span port cannot be any of the bridge interfaces.

There is an Edge Ports listbox. An edge port is a port that is only connected to one bridge and therefore cannot create bridging loops on the network and can transition directly to the forwarding state. The Auto Edge Ports listbox allows you to select interfaces that will automatically detect edge status; this is the default for bridge interfaces.

If you select interfaces in the PTP Ports listbox, these interfaces will be designated as point-to-point links. The Auto PTP Ports listbox will cause pfSense to automatically detect the point-to-point status. It does this by checking the full duplex link status of the interface.

The Sticky Ports listbox allows you to select interfaces that will be marked as sticky. On interfaces marked as such, dynamically learned address entries are marked as static once they enter the cache; such entries are never aged out of the cache or replaced, even if the learned address is later seen on another interface. The Private Ports listbox allows you to set selected interfaces as private; these interfaces will not forward traffic to any other interface that is also set as private.

You will need to choose a spanning tree protocol for your bridge, and pfSense gives you two options: STP and RSTP.

The STP options can be found by scrolling down to the RSTP/STP section. There is an Enable RSTP/STP checkbox, which allows you to enable these protocols. You can select either RSTP or STP in the Protocols drop-down box. The STP Interfaces listbox is where you can choose the interfaces on which either RSTP or STP is enabled. The next two options are the Valid time field and the Forward time field.

The Valid time field specifies how long a spanning tree will be valid, while the Forward time field specifies the delay for forwarding packets. The default for Valid time is 20 seconds, and the default for Forward time is 30 seconds. The Hello Time edit box is where you can enter the time between broadcasting STP configuration messages. This only takes effect if STP mode is invoked. In the Priority edit box, you can enter the bridge priority, and in the Hold count edit box, you can enter the number of packets that will be sent before rate limiting is invoked.

There is one last series of edit boxes, and in these boxes you can set the spanning tree priority for each of the interfaces. The priorities can be set anywhere from 0 to 240, in increments of 16. The default priority is 128. It is also possible to set the path cost for each interface; it can be set anywhere from 1 to 200000000. By default, the path cost is calculated from the link speed, and you can change it back to the default behavior by setting it to 0. When you are done, click on Save, and then click on the Apply Changes button.
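As an added example (not pfSense's own code), the following script composes the FreeBSD ifconfig(8) bridge commands that correspond to the Bridge Edit options described above, and checks the ranges the page gives for interface priority and path cost before emitting anything. The interface names em1, em2, em3 and the values used are assumptions.

```shell
#!/bin/sh
# Added example: emit the FreeBSD ifconfig(8) commands that correspond to the
# pfSense Bridge Edit options. Commands are printed (dry run) unless
# BRIDGE_APPLY=1 is set, in which case they are executed (root, FreeBSD host).
# Interface names and values below are assumptions for illustration.

run() {
    if [ "${BRIDGE_APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Per-interface STP priority: 0..240 in steps of 16 (default 128).
valid_ifpriority() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 240 ] && [ $(( $1 % 16 )) -eq 0 ]
}

# Path cost: 0 (derive from link speed) or 1..200000000.
valid_ifpathcost() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 200000000 ]
}

# bridge_cmds BRIDGE "MEMBERS" SPAN PROTO MAXAGE FWDDELAY IFPRIO IFCOST
# MEMBERS is space-separated; append "/edge" to force edge status on a member,
# otherwise the member gets autoedge (the pfSense default). SPAN may be empty.
# Returns 1 without emitting anything when a value is out of range or the
# span port is also listed as a member.
bridge_cmds() {
    br=$1 members=$2 span=$3 proto=$4 maxage=$5 fwddelay=$6 prio=$7 cost=$8
    valid_ifpriority "$prio" || { echo "invalid priority: $prio" >&2; return 1; }
    valid_ifpathcost "$cost" || { echo "invalid path cost: $cost" >&2; return 1; }
    for m in $members; do
        case "$m" in
            "$span"|"$span/edge") echo "span port $span cannot be a member" >&2; return 1 ;;
        esac
    done
    run ifconfig "$br" create
    run ifconfig "$br" maxaddr 2000 timeout 1200   # Cache size / Cache expire time
    for m in $members; do
        name=${m%%/*}; edge=autoedge
        [ "${m#*/}" = edge ] && edge=edge
        run ifconfig "$br" addm "$name" stp "$name" "$edge" "$name" autoptp "$name"
        run ifconfig "$br" ifpriority "$name" "$prio" ifpathcost "$name" "$cost"
    done
    if [ -n "$span" ]; then run ifconfig "$br" span "$span"; fi   # monitor port
    run ifconfig "$br" proto "$proto" maxage "$maxage" fwddelay "$fwddelay"
    run ifconfig "$br" up
}

bridge_cmds bridge0 "em1 em2/edge" em3 rstp 20 30 128 0
```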

There are two additional tasks we must address before bridge configuration is complete. You need to disable DHCP on the bridged interface. To do so, navigate to Services | DHCP Server (or DHCPv6 Server/RA) and click on the tab for the bridged interface. Once there, make sure the Enable checkbox is unchecked (thus disabling DHCP on the interface), and then click on the Save button. Taking these steps will ensure that DHCP functions properly on the bridged interface.

Finally, you should create a firewall rule on the bridged interface in order to allow DHCP traffic. You can do this by navigating to Firewall | Rules, clicking on the tab for the bridged interface, and clicking on one of the Add buttons on the page. Normally, we set the Source field to a network or IP address; DHCP, however, represents a special case, since DHCP clients do not have IP addresses (at least when the DHCP process begins). Thus, you must set the Source to 0.0.0.0, with Single host or alias as the type of source (this can be chosen in the Source drop-down box). The source port should be set to 68 (one of the IANA-assigned ports for DHCP).

In the Destination field, set the destination to 255.255.255.255 (the address where DHCPDISCOVER messages are broadcast). Set the destination port to 67 (the other IANA-assigned port for DHCP). Set Protocol to UDP, and make sure the Action drop-down box is set to Pass. Click on the Save button when you are done making changes, and then click on Apply Changes on the main Firewall page. You should place this rule at the top of the list of rules for this interface to ensure that it applies to DHCP traffic. Once this rule has been added and the firewall rules have been reloaded, the clients in the bridged segment should be able to receive DHCP leases, using the DHCP server on the interface to which this interface has been bridged.