Creating a Bridge
In pfSense® software, bridges are added and removed at Interfaces > Assignments on the Bridges tab. Using bridges, any number of ports may be bound together easily. Each bridge created in the GUI also creates a new bridge interface in the operating system, numbered X, where X starts at 0 and increases by one for each new bridge. These interfaces may be assigned and used like most other interfaces, as discussed later in this chapter.
To create a bridge:

1. Navigate to Interfaces > Assignments on the Bridges tab.
2. Click Add to create a new bridge.
3. Select at least one entry from Member Interfaces. Select as many as needed using Ctrl-click.
4. Add a Description if desired.
5. Click Show Advanced Options to review the remaining configuration parameters as needed. For most cases they are unnecessary.
6. Click Save to complete the bridge.
A bridge may consist of a single member interface, which can help with migrating to a configuration with an assigned bridge, or for making a simple span/mirror port.
Advanced Bridge Options
There are numerous advanced options for a bridge and its members. Some of these settings are quite involved, so they are discussed individually in this section.
(Rapid) Spanning Tree Options
Spanning Tree is a protocol that helps switches and devices determine if there is a loop and cut it off as needed to prevent the loop from harming the network. There are quite a few options that control how spanning tree behaves which allow for certain assumptions to be made about specific ports or to ensure that certain bridges get priority in the case of a loop or redundant links. More information about STP may be found in the FreeBSD ifconfig(8) man page, and on Wikipedia.
The Protocol setting controls whether the bridge will use IEEE 802.1D Spanning Tree Protocol (STP) or IEEE 802.1w Rapid Spanning Tree Protocol (RSTP). RSTP is a newer protocol, and as the name suggests it operates much faster than STP, but is backward compatible. The newer IEEE 802.1D-2004 standard is based on RSTP and makes STP obsolete.
Select STP only when older switch gear is in use that does not behave well with RSTP.
The STP Interfaces list reflects the bridge members upon which STP is enabled. Ctrl-click to select bridge members for use with STP.
Set the Valid Time for a Spanning Tree Protocol configuration. The default is 20 seconds. The minimum is 6 seconds and the maximum is
The Forward Time option sets the time that must pass before an interface begins forwarding packets when Spanning Tree is enabled. The default is seconds. The minimum is 4 seconds and the maximum is
A longer delay will be noticed by directly connected clients as they will not be able to pass traffic, even to obtain an IP address via DHCP, until their interface enters forwarding mode.
The Hello Time option sets the time between broadcasts of Spanning Tree Protocol configuration messages. The Hello Time may only be changed when operating in legacy STP mode. The default is 2 seconds. The minimum is one second and the maximum is
The Bridge Priority for Spanning Tree controls whether or not this bridge would be selected first for blocking should a loop be detected. The default is 32768. The minimum is 0 and the maximum is 61440. Values must be a multiple of 4096. Lower priorities are given precedence, and values lower than 32768 indicate eligibility for becoming a root bridge.
The transmit Hold Count for Spanning Tree is the number of packets transmitted before being rate limited. The default is 6. The minimum is 1 and the maximum is
The Priority fields set the Spanning Tree priority for each bridge member interface. Lower priorities are given preference when deciding which ports to block and which remain forwarding. The default priority is 128, and must be
The Path Cost fields set the Spanning Tree path cost for each bridge member. The default is calculated from the link speed. To change a previously selected path cost back to automatic, set the cost to 0. The minimum is 1 and the maximum is 200000000. Lower cost paths are preferred when making a decision about which ports to block and which remain forwarding.
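The Bridge Priority, per-member Priority and Path Cost settings above only matter through the comparisons spanning tree makes with them. The following is an added example (not pfSense or FreeBSD code) that models those comparisons: root bridge election on (priority, MAC), automatic path cost from link speed, and root port selection with the 802.1D tie-break order. The bridge IDs, MAC addresses and link speeds are constructed; the 20,000,000 / Mbit/s automatic cost formula is the IEEE 802.1D-2004 recommendation and is an assumption about how the "calculated from the link speed" default is derived, and the 16-step port priority range is the 802.1w field width, not a value stated on this page.

```python
from dataclasses import dataclass
from typing import List

MAX_PATH_COST = 200_000_000  # maximum Path Cost from the page; 0 means "auto"


def default_path_cost(link_bps: int) -> int:
    """Automatic path cost for a link speed in bit/s.

    Assumption: the IEEE 802.1D-2004 recommendation of 20,000,000 divided by the
    speed in Mbit/s (1 Gbit/s -> 20000, 100 Mbit/s -> 200000), clamped to the maximum.
    """
    if link_bps <= 0:
        return MAX_PATH_COST
    return max(1, min(MAX_PATH_COST, 20_000_000_000_000 // link_bps))


def check_bridge_priority(value: int) -> int:
    """Range 0..61440 as on the page; the 4096 step exists because only the top
    4 bits of the 16-bit 802.1D bridge priority field are configurable."""
    if not 0 <= value <= 61440 or value % 4096:
        raise ValueError("bridge priority must be 0..61440 in steps of 4096")
    return value


def check_port_priority(value: int) -> int:
    """Per-member Priority (default 128 on the page). 802.1w also keeps 4 bits
    for it, so valid values are 0..240 in steps of 16 (assumption, not from the page)."""
    if not 0 <= value <= 240 or value % 16:
        raise ValueError("port priority must be 0..240 in steps of 16")
    return value


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int
    mac: str  # tie-break; lowercase colon-hex of equal length sorts like the numeric address


def elect_root(bridges: List[BridgeId]) -> BridgeId:
    """Lowest (priority, MAC) pair becomes root, which is why a bridge set below
    the default 32768 beats every bridge left at the default."""
    return min(bridges)


@dataclass
class Port:
    name: str
    number: int
    designated_bridge: BridgeId  # bridge ID seen in BPDUs arriving on this port
    designated_root_cost: int    # that neighbour's own cost to reach the root
    priority: int = 128
    path_cost: int = 0           # 0 = automatic from link speed
    link_bps: int = 1_000_000_000


def effective_cost(port: Port) -> int:
    return port.path_cost if port.path_cost else default_path_cost(port.link_bps)


def choose_root_port(ports: List[Port]) -> Port:
    """802.1D tie-break order: total cost to the root, then the neighbour's
    bridge ID, then the local port Priority, then the port number; lower wins."""
    return min(
        ports,
        key=lambda p: (p.designated_root_cost + effective_cost(p),
                       p.designated_bridge, p.priority, p.number),
    )


# Constructed topology: three bridges; ours has two uplinks towards the root.
ROOT = BridgeId(check_bridge_priority(4096), "00:00:5e:00:53:01")
MID = BridgeId(check_bridge_priority(32768), "00:00:5e:00:53:02")
OURS = BridgeId(check_bridge_priority(32768), "00:00:5e:00:53:03")


def uplinks() -> List[Port]:
    return [
        Port("em0", 1, ROOT, 0, link_bps=1_000_000_000),     # direct 1 Gbit/s link to the root
        Port("em1", 2, MID, 2000, link_bps=10_000_000_000),  # 10 Gbit/s to MID, which has 10 Gbit/s to the root
    ]


if __name__ == "__main__":
    print("root bridge:", elect_root([ROOT, MID, OURS]))
    ports = uplinks()
    print("root port (auto costs):", choose_root_port(ports).name)  # em1: 2000 + 2000 < 0 + 20000
    ports[0].path_cost = 1  # a manual Path Cost overrides the speed-based default
    print("root port (em0 cost 1):", choose_root_port(ports).name)  # em0
```

The second half of the demo is the practical point: the faster two-hop path wins over the slower direct link until a manual Path Cost on em0 overrides the automatic value, and with equal costs the per-member Priority, then the port number, decides.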
Cache Size sets the maximum size of the bridge address cache, similar to the MAC or CAM table on a switch. The default is 100 entries. If there will be a large number of devices communicating across the bridge, set this higher.
Cache entry expire time controls the timeout of address cache entries in seconds. If set to 0, then address cache entries will not be expired. The default is 240 seconds (four minutes).
Selecting an interface as the Span port on the bridge will transmit a copy of every frame received by the bridge to the selected interface. This is most useful for snooping a bridged network passively on another host connected to the span ports of the bridge with something such as Snort, tcpdump, etc. The selected span port may not be a member port on the bridge.
Edge Ports / Automatic Edge Ports
If an interface is set as an Edge port, it is always assumed to be connected to an end device, and never to a switch; it assumes that the port can never create a layer 2 loop. Only set this on a port when it will never be connected to another switch. By default ports automatically detect edge status, and they can be selected under Auto Edge ports to disable this automatic edge detection behavior.
PTP Ports / Automatic PTP Ports
If an interface is set as a PTP port, it is always assumed to be connected to a switch, and not to an end user device; it assumes that the port can potentially create a layer 2 loop. It should only be enabled on ports that are connected to other RSTP-enabled switches. By default ports automatically detect PTP status, and they can be selected under Auto PTP ports to disable this automatic PTP detection behavior.
An interface selected in Sticky Ports will have its dynamically learned addresses cached as though they were static once they enter the cache. Sticky entries are never removed from the address cache, even if the same address later appears on a different interface. This can be used as a security measure to ensure that devices cannot move between ports arbitrarily.
An interface marked as a Private Port will not communicate with any other port marked as a Private Port. This can be used to isolate end users or sections of a network from each other if they are connected to separate bridge ports marked in this way. It works similarly to "Private VLANs" or client isolation on a wireless access point.
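The address cache options (Cache Size, Cache entry expire time) and the per-port Span, Sticky and Private options above all act on the same learning and forwarding decision. The following is an added example, not pfSense or FreeBSD code, that models that decision so the interaction between the options can be seen on constructed frames: a sticky entry keeps its original port binding when the same MAC shows up elsewhere (so replies keep going to the original port and the move is flagged), a full cache stops learning new addresses, a zero expire time disables ageing, private ports cannot reach each other, and the span port receives a copy of every frame. The member names, MAC addresses and the event strings are constructed for the example; how if_bridge itself handles a sticky-address move beyond keeping the entry is not claimed here.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str       # source MAC
    dst: str       # destination MAC
    in_port: str   # member interface the frame arrived on


@dataclass
class CacheEntry:
    port: str
    seen: float    # time the entry was learned or refreshed
    sticky: bool   # learned on a Sticky port: never expires, never moves


class Bridge:
    def __init__(self, members: Iterable[str], cache_size: int = 100, expire: int = 240,
                 span: Optional[str] = None, sticky: Iterable[str] = (),
                 private: Iterable[str] = ()):
        self.members = list(members)
        if span is not None and span in self.members:
            raise ValueError("the span port may not also be a bridge member")
        self.cache_size = cache_size      # Cache Size
        self.expire = expire              # Cache entry expire time; 0 = never expire
        self.span = span                  # Span port
        self.sticky = set(sticky)         # Sticky Ports
        self.private = set(private)       # Private Ports
        self.cache: Dict[str, CacheEntry] = {}

    def expire_entries(self, now: float) -> List[str]:
        """Drop dynamic entries older than the expire time; sticky entries stay."""
        if self.expire == 0:
            return []
        gone = [m for m, e in self.cache.items()
                if not e.sticky and now - e.seen > self.expire]
        for m in gone:
            del self.cache[m]
        return gone

    def _learn(self, f: Frame, now: float, events: List[str]) -> None:
        entry = self.cache.get(f.src)
        if entry is None:
            if len(self.cache) >= self.cache_size:
                events.append(f"cache full, {f.src} not learned")
                return
            self.cache[f.src] = CacheEntry(f.in_port, now, f.in_port in self.sticky)
        elif entry.sticky and entry.port != f.in_port:
            # Kept as if static: the binding does not follow the address to the new port.
            events.append(f"sticky: {f.src} bound to {entry.port}, now seen on {f.in_port}")
        else:
            entry.port, entry.seen = f.in_port, now

    def process(self, f: Frame, now: float) -> dict:
        """Return the member ports that receive the frame, the span copy, and events."""
        if f.in_port not in self.members:
            raise ValueError(f"{f.in_port} is not a bridge member")
        events: List[str] = []
        self.expire_entries(now)
        self._learn(f, now, events)
        known = self.cache.get(f.dst)
        if f.dst != BROADCAST and known is not None:
            candidates = [known.port]           # unicast to the learned port
        else:
            candidates = list(self.members)     # unknown or broadcast: flood
        out = []
        for p in candidates:
            if p == f.in_port:
                continue                        # never send a frame back out its ingress port
            if f.in_port in self.private and p in self.private:
                events.append(f"private: {f.in_port} -> {p} blocked")
                continue
            out.append(p)
        return {"out": sorted(out), "span_copy": self.span, "events": events}


if __name__ == "__main__":
    # Constructed setup: em3 is the span port for a sensor, em1 is sticky, em0/em2 are private.
    br = Bridge(["em0", "em1", "em2"], span="em3", sticky=["em1"], private=["em0", "em2"])
    h1, h2 = "02:00:00:00:00:01", "02:00:00:00:00:02"
    print(br.process(Frame(h1, BROADCAST, "em0"), now=0))   # floods to em1 only; em2 blocked
    print(br.process(Frame(h2, h1, "em1"), now=1))          # h2 learned sticky on em1
    print(br.process(Frame(h2, h1, "em2"), now=2))          # h2 seen on em2: flagged, binding kept
    print(br.expire_entries(now=300))                       # h1 aged out, sticky h2 survives
```

The sticky event is the piece worth alerting on: a known address appearing on a second port is what a moved or spoofed device looks like to the bridge, and because the entry does not move, traffic for that address keeps leaving through the port it was first learned on.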