Binary file added source/manual/how-tos/images/lan_bridge_9.png
18 changes: 18 additions & 0 deletions source/manual/how-tos/lan_bridge.rst
@@ -14,6 +14,10 @@ the extra load placed upon it by the bridge.
When creating a LAN bridge it is essential that you have physical access to the device,
you will need to swap the LAN connection at a certain point.

Various bridge configurations are supported. This how-to describes how to configure a Layer 2 bridge by combining
the broadcast domains of three bridge member interfaces. The interfaces OPT1 (igb2), OPT2 (igb3), and OPT3 (igb1) are
bridged to form a single logical LAN interface.

**Step One**
-----------------
Configure OPNsense as normal, with a single LAN interface, make sure that it works correctly.
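Review bot: the interface-to-NIC mapping in the added paragraph, OPT1 (igb2), OPT2 (igb3) and OPT3 (igb1), is non-sequential and reads like the assignments of one particular lab box; say explicitly that these are example assignments and that readers must substitute the interfaces of their own hardware, otherwise the later steps that name OPT1/OPT2/OPT3 invite copying the wrong ports into the bridge.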
@@ -81,6 +85,20 @@ Select the tunable net.link.bridge.pfil_bridge and set the value to 1
.. image:: images/lan_bridge_7.png
:width: 100%

**Step Seven**
-----------------

OPT1, OPT2, and OPT3 are now configured as a single broadcast domain. However, IP traffic between bridge member

Member


I'd suggest mentioning net.link.bridge.pfil_onlyip here for completeness as it influences the claim of "single broadcast domain".

Author


I had the same thought at first. Then I reviewed the document again while looking at all bridge-related tunables:

net.link.bridge.ipfw: 0
net.link.bridge.member_ifaddrs: 1
net.link.bridge.log_mac_flap: 1
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 0

It turned out that the document only mentions tunables that need to be changed from their default values.

I want to either explain all of the bridge tunables or only document the ones that deviate from the defaults. Since the current how-to intentionally contains very little low-level technical detail, I chose not to clutter it with a complete list of tunables.
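The tunable list in the comment above, turned into a check that reports which net.link.bridge values deviate from it (an added example, not part of this PR or of OPNsense; it assumes the listed values, with pfil_bridge=1 as the how-to sets it, are the wanted state, and runs here on a constructed sysctl sample):

```shell
# Reference state: the net.link.bridge values listed in the comment above
# (assumption: these, with pfil_bridge=1 as set by the how-to, are the wanted state).
BRIDGE_BASELINE='net.link.bridge.ipfw=0
net.link.bridge.member_ifaddrs=1
net.link.bridge.log_mac_flap=1
net.link.bridge.allow_llz_overlap=0
net.link.bridge.inherit_mac=0
net.link.bridge.log_stp=0
net.link.bridge.pfil_local_phys=0
net.link.bridge.pfil_member=0
net.link.bridge.ipfw_arp=0
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_onlyip=0'

# Constructed sample of `sysctl net.link.bridge` output: pfil_member was
# changed to 1 and pfil_onlyip is absent (e.g. a kernel that lacks it).
SAMPLE_SYSCTL='net.link.bridge.ipfw: 0
net.link.bridge.member_ifaddrs: 1
net.link.bridge.log_mac_flap: 1
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 1'

# check_bridge_tunables "<sysctl output>": prints one line per reference
# tunable that is missing or differs; prints nothing when everything matches.
check_bridge_tunables() {
    printf '%s\n' "$BRIDGE_BASELINE" | while IFS='=' read -r name expected; do
        # sysctl prints "name: value"; take the first matching line only
        current=$(printf '%s\n' "$1" | sed -n "s/^${name}: *//p" | head -n 1)
        if [ -z "$current" ]; then
            printf '%s missing (expected %s)\n' "$name" "$expected"
        elif [ "$current" != "$expected" ]; then
            printf '%s is %s (expected %s)\n' "$name" "$current" "$expected"
        fi
    done
}

# count_bridge_deviations "<sysctl output>": number of lines reported above
count_bridge_deviations() {
    check_bridge_tunables "$1" | grep -c . || true
}

check_bridge_tunables "$SAMPLE_SYSCTL"
```

On a live OPNsense host, pass the real output instead of the sample: `check_bridge_tunables "$(sysctl net.link.bridge)"`.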

Member


Defaults may change, and people have a different focus on the document. It's OK for me to leave it as suggested, but I wanted to illustrate how you think to close the gap in the document but also introduce another point of future contention from someone else. Not everyone who is dissatisfied with the documentation will raise a ticket or mention it somewhere for us to see.

interfaces is still subject to the firewall rules and is blocked by the default **"Default deny / state violation"** rule
unless explicitly permitted.

If port isolation is not desired, add a firewall rule to allow the traffic: :menuselection:`Firewall --> Rules --> LAN`

.. image:: images/lan_bridge_9.png
:width: 100%

Repeat this step for IPv6, if required.

**Final**
-----------------
Once complete, the :menuselection:`Interface --> Assignments` page should look similar to this:
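Review bot: Step Seven tells the reader to "add a firewall rule to allow the traffic" but never states the rule's scope; since the hunk's own context line sets net.link.bridge.pfil_bridge to 1, the firewall is the only thing separating the bridge members, so the text should say what source and destination the rule covers (for instance the bridge's own network on both sides) rather than leaving an any-to-any rule as the obvious reading. The same applies to "Repeat this step for IPv6, if required", which gives no indication of what changes for IPv6 beyond the address family.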