
pfSense Bridge Ethernet & SFP+ Configuration (on the Netgate 7100)

This article walks through bridging the Ethernet switch with the SFP+ ports on the Netgate 7100 firewall appliance. The process is simple enough, but there is amazingly little documentation available to help you through it.

As indicated in the title, we’re going to Bridge ports on the Netgate 7100 built-in 8-port switch with one of the built-in SFP+ ports.

The two interface types are not on the same switch, so we need to tell pfSense to logically bind (Bridge) them together. We do this at the VLAN level. In other words, we’re inviting the SFP+ port to participate in the LAN VLAN.

The first step is optional. Read this paragraph to understand why. The options (as set in the screenshot) are set this way because we want to be able to apply firewall rules to the Bridge, rather than to the VLANs themselves. If you agree, set the options as I have. Otherwise, leave them as they were.

You can see that I’ve created the Bridge with the two interfaces (VLANs): LAN and OPT1. OPT1 is the 0x1 (first) SFP+ port. No advanced settings were touched.

Viewing the “Edit” settings of the above:

The following example shows how I’ve assigned the Bridge “Bridge_0x1_LAN”. Just in case you’re wondering, I’ve assigned the Bridge as VLAN ID 20, but you needn’t worry about that.

You can ignore the “Recovery…” VLAN.

Finally, I’ve assigned the following firewall rules to the Bridge VLAN. This is only done if you opted to set the firewall rules on the Bridge rather than on the Interfaces (VLANs), as discussed in the first step of this article.

At this point you’re done. You should be able to see data pass through the pfSense firewall if you have a device (switch) on the SFP+ port (with a computer plugged into that switch), and a computer plugged into one of the Netgate 7100 switch ports.

TIP: You don’t need to set an IP address on the Bridge, but you can. If you set the IP address on the LAN, you should be fine. Remember, they’re logically grouped now, so whatever hits the SFP+ port will be “switched” to the LAN ports.
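To confirm from a shell on the firewall where rules are actually enforced for bridged traffic, here is an added example (not part of the original article). It assumes the options from the first step are the System Tunables `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge`, that the bridge is `bridge0`, and that the members are named `ix0` (first SFP+ port) and `lagg0.4091` (LAN); the sample `ifconfig` output is constructed.

```shell
#!/bin/sh
# Added example: where does pf filter traffic that crosses a pfSense bridge?

# Classify the two bridge filtering tunables (each 0 or 1).
#   $1 = net.link.bridge.pfil_member (filter on each member interface)
#   $2 = net.link.bridge.pfil_bridge (filter on the bridge interface)
bridge_filter_mode() {
    case "$1:$2" in
        0:1) echo "bridge-only" ;;   # rules on the Bridge interface apply
        1:0) echo "members-only" ;;  # rules on LAN / OPT1 apply
        1:1) echo "both" ;;          # evaluated on the members and the bridge
        0:0) echo "unfiltered" ;;    # frames forwarded between members skip pf
        *)   echo "unknown" ;;
    esac
}

# Print the member interfaces found in `ifconfig bridgeN` output on stdin.
bridge_members() {
    awk '$1 == "member:" { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# Constructed sample output (assumed interface names, not taken from the article).
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	member: ix0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 5 priority 128 path cost 2000
	member: lagg0.4091 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 9 priority 128 path cost 55'

# On the firewall, read the live values; elsewhere, fall back to the sample.
if m=$(sysctl -n net.link.bridge.pfil_member 2>/dev/null) &&
   b=$(sysctl -n net.link.bridge.pfil_bridge 2>/dev/null); then
    echo "filtering: $(bridge_filter_mode "$m" "$b")"
    echo "members:   $(ifconfig bridge0 2>/dev/null | bridge_members)"
else
    echo "sample members: $(printf '%s\n' "$SAMPLE_IFCONFIG" | bridge_members)"
fi
```

If you chose to put the rules on the Bridge, the expected result is `bridge-only`; `unfiltered` means no rule tab is being applied to traffic passing between the SFP+ port and the LAN ports.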

One comment

  1. Indeed, it’s a very simple step to take, but you have no idea how many headaches and sleepless nights you have saved me. Thanks a million times.
