Bridging Two Internal Networks

When bridging two internal networks as described in Internal Bridges there are some special considerations to take for certain services on the firewall.

Note

There are additional requirements and restrictions when bridging wireless interfaces because of the way 802.11 functions. See Bridging and wireless for more information.

DHCP and Internal Bridges

When bridging one internal network to another, two things need to be done. First, ensure that DHCP is only running on the interface containing the IP address and not the bridge members without an address. Second, an additional firewall rule may be necessary at the top of the rules on the member interfaces to allow DHCP traffic.

Note

This only applies to filtering being performed on member interfaces, not filtering performed on the bridge.

When creating a rule to allow traffic on an interface, normally the source is specified similar to OPT1 Subnet so that only traffic from that subnet is allowed out of that segment. With DHCP, that is not enough. Because a client does not yet have an IP address, a DHCP request is performed as a broadcast. To accommodate these requests, create a rule on the bridge member interfaces with the following settings:

  • Navigate to Firewall > Rules on the tab for the bridge member

  • Click fa-turn-up Add to add a new rule to the top of the list

    Protocol:

    UDP

    Source:

    0.0.0.0

    Source Port:

    68

    Destination:

    255.255.255.255

    Destination port:

    67

    Description:

    Allow DHCP

  • Click Save and Apply Changes

The rule will look like Figure Firewall rule to allow DHCP.

../_images/dhcp-bridged.png

Firewall rule to allow DHCP

After adding the rule, clients in the bridged segment will be able to successfully make requests to the DHCP daemon listening on the interface to which it is bridged.

DHCPv6 is a bit more complicated to allow since it communicates to and from both link-local and multicast IPv6 addresses. See Figure Firewall Rule to Allow both DHCP and DHCPv6 for the list of required rules. These can be simplified with aliases into one or two rules containing the proper source network, destination network, and ports.

../_images/dhcp-bridged-ipv6.png

Firewall Rule to Allow both DHCP and DHCPv6