pfSense Bridges

pfSense Bridges

The bridge settings page in pfSense.

Bridging allows you to join two networks together. Bridging is distinct from routing which allows the networks to communicate independently as separate networks. Unlike routing, which takes place at the network layer of the OSI model, bridging takes place at the data link layer. Like a repeater, a bridge passes frames from one network segment to another. Unlike a repeater, a bridge monitors and records network traffic, eventually reaching the point where it can filter and forward traffic. This makes a bridge more intelligent than a repeater. In most cases, setting up pfSense bridges is relatively easy, but there are many options, which will be covered in this article.

pfSense Bridges: Basic Options

To bridge interfaces, first navigate to Interfaces -> (assign). Then click the “Bridges” tab and click the plus button. At “Member Interfaces“, select two interfaces by clicking on each interface while holding down the CTRL key. At “Description“, enter a description if desired. Then press the “Save” button to save the changes.

pfSense Bridges: Advanced Options

Setting up a bridge can be that easy. However, by clicking on “Show advanced options“, you can also configure other parameters. At “RTSP/STP“, there are several options relevant to setting up a spanning tree. The first is “Enable spanning tree options for this bridge“. A spanning tree, by definition, is a graph with no loops. A physical topology that contains switching or bridge loops is attractive for redundancy, yet a switched loop must not have loops. Loops will create broadcast radiation as broadcasts and multicasts are forwarded by switches out of every port. The switch or switches will repeatedly rebroadcast the broadcast messages, flooding the network. Since the Layer 2 (data link layer) header does not support a time to live (TTL) value, if a frame is sent into a looped topology, it can loop forever. The solution is to allow physical loops, but create a loop-free logical topology using the spanning tree protocol on the network switches.

pfSense Bridges

Advanced options for bridging in pfSense 2.0.

If you want to implement a spanning tree on your bridge, you must choose a protocol, which you can do with the “Protocol” option. There are two choices: Spanning Tree Protocol (STP), and Rapid Spanning Tree Protocol (RSTP). Spanning Tree Protocol is a network protocol that ensures a loop-free topology for any bridged Ethernet local area network. The operation of STP entails the following: [1] selecting a root bridge (the bridge with the lowest bridge ID); [2] determining the least cost paths to the root bridge, and [3] disabling all other root paths. This should leave us with a minimum spanning tree. Obviously if the network topology changes either because new bridges are added or because old ones go offline, then the spanning tree will have to be re-created, and STP is able to do this automatically, although it is somewhat slow in this respect. STP is standardized as 802.1D.

In 2001, the IEEE introduced Rapid Spanning Tree Protocol (RSTP) as 802.1w. RSTP provides significantly faster spanning tree convergence after a topology change, including new convergence behaviors and bridge port rules to do this, and it was designed to be backwards-compatible with standard STP. While STP can take 30 to 50 seconds to respond to a topology change, RSTP is typically able to respond to changes much faster, sometimes within a few milliseconds of a physical link failure. It can typically respond to changes within 3 times the Hello time. The Hello time is a configurable time interval that RSTP uses for several purposes and is configurable; the default value is 2 seconds.

At “STP interfaces“, you can select which interfaces on which STP/RSTP is enabled. At “Valid time“, you can set the time that a STP configuration is valid. The default is 20 seconds. The minimum is 6 seconds, and the maximum is 40 seconds. At “Forward Time” you can set the time that must pass before an interface begins forwarding packets when STP/RSTP in enabled. The default is 15 seconds; the minimum is 4 seconds and the maximum is 30 seconds.

At “Hello time” (mentioned briefly in the description of RSTP), you can set the time between broadcasting of Spanning Tree Protocol configuration messages. The hello time may only be changed when operating in legacy STP mode. The default is 2 seconds; the minimum is 1 second and the maximum is 2 seconds.


At “Priority“, you can set the bridge priority for the Spanning Tree. The default is 32768, but you can set it anywhere from 0 to 61440. The “Hold Count” allows you to set the transmit hold count for the Spanning Tree; this is the number of packets transmitted before being rate-limited. The default is 6 but you can set it to anything from 1 to 10.

Next is a second “Priority” setting, one which allows you to set priorities for individual interfaces. The default is 128 but it can be set anywhere from 0 to 240. Finally, at “Path cost” you can set the Spanning Tree path cost of each interface. The path costs are used to generate the spanning tree. If nothing is entered here, the algorithm will by default calculate path cost based on the link speed. Set the cost to 0 to set it back to the default. The minimum is 1 and the maximum is 2000000000.

The next two settings are “Cache Size” and “Cache entry expire time“. “Cache Size” sets the size of the bridge address cache (the default is 100 entries). “Cache entry expire time” sets the timeout of address cache entries (the default is 240 seconds).

Next is “Span port“. Setting an interface as a span port (also referred to as “port mirroring”) causes that interface to transpit a copy of every frame received by the bridge. This is most useful for snooping a bridged network passively on another host connected to one of the span ports of the bridge. This is commonly used for network appliances that require monitoring of network traffic, such as an intrusion detection system, passive probe or real user monitoring (RUM) that is used to support application performance management (APM). The span interface cannot be part of the bridge member interfaces.

The next two settings are “Edge ports” and “Auto edge ports“. “Edge ports” allows you to set a port that is only connected to one bridge as an edge port so it will automatically transition to the forwarding state. RSTP still continues to monitor the port in case a bridge is connected. “Auto edge ports” allows an interface to automatically detect edge status. This is the default for all interfaces added to a bridge.

The next two settings are “PTP ports” and “Auto PTP ports“. “PTP ports” allows you to set the interface as a point-to-point link. This is required for straight transitions to forwarding and should be enabled on a direct link to another RSTP-capable switch. “Auto PTP ports” automatically detect the point-to-point status on an interface by checking the full duplex link status. This is the default for interfaces added to the bridge. The interfaces selected here will be removed from default autoedge status.

The last two settings (as of pfSense 2.0 anyway) are “Sticky ports” and “Private ports“. “Sticky” ports enables you to mark an interface as “sticky” it is never aged out of the cache or replaced, even if the address is seen on a different interface. “Private ports” enables you to mark an interface as private, so that it does not forward any traffic to any other port that is also a private interface.

If your network topology is simple, then it is probably enough to set up a simple network bridge. In other cases, however, it may behoove you to set up a spanning tree using STP or RST when setting up your pfSense bridges.

External Links:

Spanning Tree Protocol on Wikipedia

Interface Bridges at doc.pfsense.org

Be Sociable, Share!

Speak Your Mind

*

© 2013 David Zientara. All rights reserved. Privacy Policy