====== pfSense - Network - Configure Bridge over multiple NICs as LAN ======

A bridge interface creates a logical link between two or more Ethernet interfaces or encapsulation interfaces.

This link selectively forwards frames from each interface on the bridge to every other interface on the bridge.

A bridge can serve several purposes, including isolating traffic between sets of machines, so that traffic local to one set of machines is not available on the wire of another set, and acting as a transparent filter for IP datagrams.

This works at layer 2, at the level of the broadcast/collision domain.

The basic idea is:

  * Assign and Enable additional NICs
  * Create Bridge Interface
  * Assign Bridge Interface an IP Address
  * Create Interface Group
  * Add Firewall Rule
  * Add DHCP Server on the Bridge
  * Remove IP address from EM1

----

===== Assign and Enable additional NICs =====

Enable all the NICs you have and want included in the local LAN Bridge.

In pfSense, navigate to **Interfaces -> Assignments**.

----

===== Enable interfaces needed for the bridge =====

For each interface assigned, navigate to that interface via the **Interfaces -> Assignments** menu item, and ensure it is **Enabled** and that it has **None** specified as the IPv4 and IPv6 address.

**NOTE:** Your interface names may be slightly different (e.g. LAN, OPT1, OPT2).

----

===== Create Bridge Interface =====

Create a virtual bridge interface across all of the NICs you want included in the bridge.

Use the menu **Interfaces -> Assignments -> Bridges**.

Use the **Add +** button to add a bridge and select all interfaces you want as part of the bridge, but do not include the WAN interface.

----

===== Assign an IP address to the bridge =====

Assign an IP address (IPv4, minimally) to the bridge via the **Interfaces -> BR0** menu.

**WARNING:** __Assigned Bridge MAC Addresses and Windows__.

The MAC address for a bridge is determined randomly when the bridge is created, either at boot time or when a new bridge is created. That means that on each reboot, the MAC address can change.

In many cases this does not matter, but Windows Vista, 7, 8, and 10 use the MAC address of the gateway to determine if they are on a specific network. If the MAC changes, the network identity will change and its status as public, private, etc. may need to be corrected.

To work around this, enter a MAC address on the assigned bridge interface to spoof it. Clients will then always see the same MAC for the gateway IP address.

----

===== Create Interface Group =====

Create an interface group including all NICs and the bridge interface. This will be used for LAN firewall rules.

Use the menu **Interfaces -> Assignments -> Interface Groups**.

Use the **Add +** button to add the group and select all interfaces you want as part of the bridge group, including the bridge itself, but do not include the WAN interface.

----

===== Add Firewall Rule =====

Add a firewall rule to allow traffic to flow amongst the interfaces of the interface group, as a single, unconstrained LAN.

Select **Firewall -> Rules -> Bridge** and add a rule like this:

  * Action: Pass
  * Interface: Bridge
  * Address Family: IPv4+IPv6
  * Protocol: Any
  * Source: Any
  * Destination: Any

----

===== Add DHCP Server on the Bridge =====

Assuming you want to run a DHCP server on your local LAN, configure the DHCP server on the Bridge interface via the menu item **Services -> DHCP Server -> BR0**.

Enable the DHCP server on the BR0 interface.

Range: 192.168.1.100 to 192.168.1.199.

----

===== Remove IP address from EM1 =====

Finally, as cleanup, you should remove the IP address from LAN. You may need to disable the DHCP server on that interface first.

Select **Interfaces -> Assignments -> LAN**.

Set IPv4 and IPv6 Configuration Type to None.

----

At this point you should have a fully functional local area network bridge across all your interfaces.

----
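One way to check the finished setup against the steps above, as an added example that is not part of the original page: it reads a pfSense configuration backup and reports a bridge that includes WAN, members that are disabled or still hold an IP address, and an assigned bridge interface without an IPv4 address or fixed MAC. The element names used (interfaces, bridges/bridged, members, bridgeif, ipaddr, ipaddrv6, spoofmac) are assumptions about the config.xml layout, and the embedded sample is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real firewall. Element names follow the
# layout assumed for pfSense's config.xml; LAN still carries its old address.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><enable/><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em1</if><enable/><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>em2</if><enable/></opt1>
    <opt2><if>em3</if></opt2>
    <opt3><if>bridge0</if><descr>BR0</descr><enable/><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></opt3>
  </interfaces>
  <bridges>
    <bridged><members>lan,opt1,opt2</members><bridgeif>bridge0</bridgeif></bridged>
  </bridges>
</pfsense>"""


def audit_bridges(config_xml):
    """Return a list of findings for every bridge defined in the config."""
    root = ET.fromstring(config_xml)
    ifaces = {node.tag: node for node in root.find("interfaces")}
    findings = []
    for bridge in root.iterfind("bridges/bridged"):
        name = bridge.findtext("bridgeif", default="?")
        raw = bridge.findtext("members", default="")
        members = [m.strip() for m in raw.split(",") if m.strip()]
        if "wan" in members:
            findings.append(f"{name}: WAN is a bridge member")
        for member in members:
            node = ifaces.get(member)
            if node is None or node.find("enable") is None:
                findings.append(f"{name}: member {member} is not assigned or not enabled")
            if node is not None and (node.findtext("ipaddr") or node.findtext("ipaddrv6")):
                findings.append(f"{name}: member {member} still has an IP address")
        # The assigned interface (BR0 on this page) is the one whose <if> is the bridge.
        for node in (n for n in ifaces.values() if n.findtext("if") == name):
            if not node.findtext("ipaddr"):
                findings.append(f"{name}: {node.tag} has no IPv4 address")
            if not node.findtext("spoofmac"):
                findings.append(f"{name}: {node.tag} has no fixed MAC address")
    return findings


if __name__ == "__main__":
    for finding in audit_bridges(SAMPLE_CONFIG):
        print(finding)
```

To audit a real system, pass the text of a configuration backup to audit_bridges() instead of the sample.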