Bridging interfaces

To bridge interfaces in pfSense, navigate to Interfaces | (assign) and click on the Bridges tab. On this tab, a table displaying all configured bridges will be present. To add a new bridge, click on the Add button below the table and to the right.

On the Bridge configuration page, you must select at least two interfaces in the Member Interfaces listbox. These are the interfaces that will be bridged. You may also enter a brief non-parsed description in the Description edit box.

Setting up a bridge can be as simple as selecting the interfaces, but clicking on the Show Advanced button reveals a number of advanced options, many of them pertaining to spanning trees. The Cache size edit box sets the maximum number of entries in the bridge's address (MAC) cache; the default is 2000 entries. The Cache expire time edit box sets the timeout (in seconds) of address cache entries; the default is 1200 seconds, and a value of zero means entries are never expired.

The next setting is the Span Port listbox. If an interface is set as a span port, then that interface will transmit a copy of each frame received by the bridge. This can be useful for monitoring network traffic. Note that the span interface cannot be one of the bridge members.

Next is the Edge ports listbox. An edge port connects directly to end stations rather than to another bridge, so it cannot create a bridging loop and can transition straight to the forwarding state. The Auto Edge Ports listbox causes the selected ports to detect edge status automatically, which is the default for bridge member interfaces.

The PTP Ports listbox sets the selected interfaces as point-to-point links, which is necessary if the interface is to make a straight transition to forwarding. The Auto PTP Ports listbox allows you to select interfaces for which pfSense will automatically detect the point-to-point status by checking the full duplex link status. This is the default for bridged interfaces.

The Sticky Ports listbox allows you to mark an interface as sticky, which causes dynamically learned address entries from the interface to be treated as static once they enter the cache. These entries are never aged out of the cache or replaced, even if the learned address is seen on a different interface. Finally, the Private Ports listbox allows you to mark selected interfaces as private interfaces; these interfaces will not forward traffic to any other interface that is also private.

If you are going to use a spanning tree, you have to choose which STP to use. pfSense currently supports two protocols:

  • STP: As described earlier, the original STP creates a spanning tree within a network of layer 2 bridges and disables links that are not part of the spanning tree, leaving a single path between any two nodes on the tree. This protocol was eventually standardized by the IEEE as 802.1D. STP is a relatively simple protocol, but it can take close to a minute for it to respond to a topology change.
  • Rapid Spanning Tree Protocol (RSTP): Standardized by the IEEE as 802.1w, RSTP reduces the convergence time for responding to a topology change to a matter of seconds, at the cost of some added complexity. STP has three bridge port roles (root, designated, and disabled); RSTP adds two more (alternate, which provides an alternate path to the root bridge, and backup, which is a redundant path to a segment) for a total of five. This, together with the reduction of port states from STP's five to three (discarding, learning, and forwarding), is what decreases the convergence time.

You can set the STP options by scrolling down to the RSTP/STP section. Right above this section is the Enable RSTP/STP checkbox, which you must check to enable these protocols. Next is the Protocol drop-down box, where you can select the protocol. The STP Interfaces listbox allows you to select the interfaces on which STP/RSTP is enabled. The Valid time field specifies how long (in seconds) a spanning tree configuration remains valid before it is aged out, while the Forward time field specifies the delay (in seconds) before an interface begins forwarding packets when RSTP or STP is enabled. The defaults for Valid time and Forward time are 20 seconds and 15 seconds respectively (Valid time accepts 6 to 40 seconds, Forward time 4 to 30 seconds). The Hello Time field sets the interval between broadcasts of STP configuration messages; it can only be changed in legacy STP mode, and the default is 2 seconds. The Priority field is where you enter the bridge priority (the default is 32768; a lower value makes the bridge more likely to become the root), and the Hold count field is the number of packets that will be transmitted before rate limiting is invoked (the default is 6).

The final series of edit boxes set the spanning tree priority for each of the interfaces. You can set them to anything from 0 to 240 (in increments of 16); the default is 128. You can also set the path cost for each interface. By default, the path cost is calculated from the link speed. However, you can manually set it to anything from 1 to 200000000. Set it to 0 to change it back to the default behavior. When you are finished making changes, click on the Save button and from the main Bridges page, click on Apply Changes.
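The Bridges page is a front end for the FreeBSD if_bridge options; the following script, added here as an illustration and not part of the book or of pfSense, collects the settings described above into one structure, checks them against the value ranges documented in ifconfig(8), and renders the equivalent ifconfig commands. It goes beyond the GUI in one respect: the GUI validates each timer field on its own, whereas IEEE 802.1D ties Valid time, Forward time and Hello time together (2 × (Forward − 1) ≥ Valid ≥ 2 × (Hello + 1)), so the script flags a combination such as Valid time 40 with the default Forward time 15. The interface names (em1, em2, em3) and the example configuration are assumed.

```python
"""Check pfSense bridge/STP settings and render the FreeBSD ifconfig(8) calls
that the Bridges page drives. Added illustration; interface names are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List

# Limits documented in ifconfig(8) for if_bridge; each GUI field maps to one.
LIMITS = {
    "maxage": (6, 40),             # Valid time
    "fwddelay": (4, 30),           # Forward time
    "hellotime": (1, 2),           # Hello time (legacy STP mode only)
    "priority": (0, 61440),        # bridge priority, multiple of 4096
    "holdcnt": (1, 10),            # Hold count
    "ifpriority": (0, 240),        # per-port priority, multiple of 16
    "ifpathcost": (0, 200000000),  # per-port path cost, 0 = from link speed
}


@dataclass
class BridgeConfig:
    name: str = "bridge0"
    members: List[str] = field(default_factory=list)
    span: List[str] = field(default_factory=list)
    maxaddr: int = 2000            # Cache size
    timeout: int = 1200            # Cache expire time, 0 = never expire
    edge: List[str] = field(default_factory=list)
    ptp: List[str] = field(default_factory=list)
    sticky: List[str] = field(default_factory=list)
    private: List[str] = field(default_factory=list)
    stp: bool = False              # Enable RSTP/STP
    proto: str = "rstp"            # Protocol: "stp" or "rstp"
    stp_ifaces: List[str] = field(default_factory=list)
    maxage: int = 20
    fwddelay: int = 15
    hellotime: int = 2
    priority: int = 32768
    holdcnt: int = 6
    ifpriority: Dict[str, int] = field(default_factory=dict)
    ifpathcost: Dict[str, int] = field(default_factory=dict)


def validate(cfg: BridgeConfig) -> List[str]:
    """Return a list of problems; an empty list means the settings are sane."""
    problems: List[str] = []
    if len(cfg.members) < 2:
        problems.append("a bridge needs at least two member interfaces")
    problems += [f"span port {i} cannot also be a bridge member" for i in cfg.span if i in cfg.members]
    for ifn in cfg.edge + cfg.ptp + cfg.sticky + cfg.private + cfg.stp_ifaces:
        if ifn not in cfg.members:
            problems.append(f"{ifn} is not a member of {cfg.name}")
    values = [(k, cfg.name, getattr(cfg, k)) for k in ("maxage", "fwddelay", "hellotime", "priority", "holdcnt")]
    values += [(k, ifn, v) for k in ("ifpriority", "ifpathcost") for ifn, v in getattr(cfg, k).items()]
    for key, where, value in values:
        lo, hi = LIMITS[key]
        if not lo <= value <= hi:
            problems.append(f"{key} for {where} is {value}, outside {lo}..{hi}")
    # IEEE 802.1D ties the three timers together. The GUI checks each field
    # on its own, so raising Valid time without raising Forward time passes
    # the form but lets a port forward before the old topology has aged out.
    if cfg.stp:
        if 2 * (cfg.fwddelay - 1) < cfg.maxage:
            problems.append(f"802.1D requires 2*(fwddelay-1) >= maxage, got {cfg.fwddelay} and {cfg.maxage}")
        if cfg.maxage < 2 * (cfg.hellotime + 1):
            problems.append(f"802.1D requires maxage >= 2*(hellotime+1), got {cfg.maxage} and {cfg.hellotime}")
    return problems


def render(cfg: BridgeConfig) -> List[str]:
    """Equivalent ifconfig(8) commands, in the order the bridge is brought up."""
    base = f"ifconfig {cfg.name}"
    cmds = [f"{base} create"]
    parts = [f"addm {m}" for m in cfg.members] + [f"span {s}" for s in cfg.span]
    cmds.append(f"{base} " + " ".join(parts + [f"maxaddr {cfg.maxaddr}", f"timeout {cfg.timeout}"]))
    for flag, ifaces in (("edge", cfg.edge), ("ptp", cfg.ptp),
                         ("sticky", cfg.sticky), ("private", cfg.private)):
        cmds += [f"{base} {flag} {ifn}" for ifn in ifaces]
    if cfg.stp:
        # The kernel rounds the bridge priority down to a multiple of 4096.
        cmds.append(f"{base} proto {cfg.proto} maxage {cfg.maxage} fwddelay {cfg.fwddelay} "
                    f"priority {cfg.priority - cfg.priority % 4096} holdcnt {cfg.holdcnt}")
        if cfg.proto == "stp":  # hello time is only settable in legacy STP mode
            cmds.append(f"{base} hellotime {cfg.hellotime}")
        cmds += [f"{base} stp {ifn}" for ifn in cfg.stp_ifaces]
        cmds += [f"{base} ifpriority {ifn} {p - p % 16}" for ifn, p in cfg.ifpriority.items()]
        cmds += [f"{base} ifpathcost {ifn} {c}" for ifn, c in cfg.ifpathcost.items() if c]
    cmds.append(f"{base} up")
    return cmds


if __name__ == "__main__":
    # Constructed example: bridge em1 and em2 under RSTP and mirror to em3.
    example = BridgeConfig(members=["em1", "em2"], span=["em3"], stp=True,
                           stp_ifaces=["em1", "em2"], ifpriority={"em1": 32})
    for problem in validate(example):
        print("problem:", problem)
    print("\n".join(render(example)))
```

Running the script prints the ifconfig sequence for a two-member RSTP bridge with a span port; changing `maxage=40` in the example makes `validate()` report the 802.1D violation even though every field is individually inside the range the GUI accepts. A path cost of 0 is rendered as no `ifpathcost` command at all, matching the "set it to 0 to return to the default" behaviour described above.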

If you haven't done so already, you should disable the DHCP server on the bridged member interface, so that only one DHCP server answers on the bridged segment. You can do this by navigating to Services | DHCP Server (or DHCPv6 Server/RA), clicking on the tab for the bridged interface, making sure the Enable checkbox is unchecked, and clicking on the Save button. This ensures that DHCP continues to function properly across the bridge.

You also need to create a firewall rule on the bridged interface to allow DHCP traffic. To do that, navigate to Firewall | Rules, click on the tab of the bridged interface, and click the Add button. Normally, the Source field is set to a network or IP address. DHCP is a special case, because a client does not yet have an IP address. Thus, you must set the Source to 0.0.0.0 (choose Single host or alias in the Source drop-down box).

Set the source port to 68. In the Destination field, set the destination to 255.255.255.255 and set the destination port to 67. In the Protocol drop-down box, select UDP. Make sure the Action drop-down box is set to Pass, and then click on the Save button, then click on Apply Changes on the main Firewall page. Make sure the new rule is at the top of the list of rules for the interface, since pfSense applies the first matching rule. Once this rule has been added, clients in the bridged segment should be able to receive DHCP leases.
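To see why the source has to be 0.0.0.0 and why rule order matters, the following added example (not code from the book or from pfSense) walks a small first-match rule evaluator over two constructed DHCP packets: the broadcast DISCOVER a client sends before it has an address, and the unicast REQUEST it sends to the server when it later renews its lease (RFC 2131, RENEWING state). The evaluator mirrors the first-match, default-deny behaviour of pfSense's interface rules; the client and server addresses 192.168.1.50 and 192.168.1.1, and the companion unicast rule, are assumptions for the illustration.

```python
"""First-match rule evaluation against the DHCP exchange on a bridged interface.
Added illustration; addresses and the unicast companion rule are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    proto: str = "any"            # "udp", "tcp" or "any"
    src: str = "any"              # host, network (CIDR) or "any"
    sport: Optional[int] = None   # None = any port
    dst: str = "any"
    dport: Optional[int] = None


def _addr_ok(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise the address must fall inside spec."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and rule.sport in (None, pkt.sport) and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """The first matching rule decides; no match falls through to default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


# Constructed traffic (addresses assumed): the client's initial broadcast
# DISCOVER, and the unicast REQUEST it sends to the server when renewing.
DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)
RENEW = Packet("udp", "192.168.1.50", 68, "192.168.1.1", 67)

# The rule exactly as described in the text.
DHCP_BROADCAST = Rule("pass", "udp", "0.0.0.0/32", 68, "255.255.255.255/32", 67)
# A typical "LAN net to any" pass rule; 0.0.0.0 is not in the LAN network,
# so this does not cover the DISCOVER.
LAN_NET_ANY = Rule("pass", "any", "192.168.1.0/24")
# Assumed companion rule for unicast renewals addressed to the DHCP server.
DHCP_UNICAST = Rule("pass", "udp", "any", 68, "192.168.1.1/32", 67)


if __name__ == "__main__":
    print("DISCOVER with only LAN-net rule:", evaluate([LAN_NET_ANY], DISCOVER))
    print("DISCOVER with text's rule:      ", evaluate([DHCP_BROADCAST], DISCOVER))
    print("RENEW with text's rule only:    ", evaluate([DHCP_BROADCAST], RENEW))
    print("RENEW with unicast rule added:  ", evaluate([DHCP_BROADCAST, DHCP_UNICAST], RENEW))
```

Two points fall out of the evaluation. A block rule placed above the DHCP rule swallows the DISCOVER, which is why the rule has to sit at the top. And the rule in the text matches only the broadcast part of the exchange: once a client holds a lease it renews by unicasting to the server's address, which 255.255.255.255 does not match, so with that single rule the client only recovers when it falls back to broadcast rebinding later in the lease. If no broader pass rule on the bridged interface already covers that traffic, a second rule from any address, port 68, to the DHCP server's address, port 67 (the assumed `DHCP_UNICAST` above) closes the gap.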
