When I built my OpenBSD router, I separated my wifi and Ethernet networks, because the bridge solution was too slow.

I came back to it, because of OpenBSD. Actually, one of my laptops runs OpenBSD isotop, which uses trunk, which is a failover system : if my cable connection fails (which happens quite often with a laptop), the connection passes automatically on wifi.

Here is the thing.

I needed the laptop’s two network interfaces, wifi and Ethernet, to be in the same logical network (apparently). So it did not go so well as they were really separated.

So I tried again to put both router’s lan interface on a bridge. And there it worked.

Interfaces’ configuration

As a general rule, I did like the wifi network was absorbed in the Ethernet one. The wifi network had only mobile connections, no fixed hosts. Opposite, the Ethernet network has fixed hosts, first and foremost, the server itself. So better use the original eth interface configuration on the bridge to avoid unnecessary renumbering and debugging.

The re0 interface facing the $internet does not change.


Just setting the bridge’s members.

add vether0
add re2
add athn0


We setup the lan virtual interface, vether0. The dhcpv6 client shall give it a public ipv6 address later. This is truly a copy of the original /etc/hostname.re2.

inet6           fd00:22:dec:e2::1               64


The two physical interfaces have no more network config elements.

mediaopt        hostap mode 11n
chan            6
nwid            ...
wpaakms         psk
wpaprotos       wpa2
wpakey          ...



DHCPv6 client

I still use Dhcpcd. Its job is mainly to get the ipv6 prefix from my ISP and add the public address to vether0.

# Persist interface configuration when dhcpcd exits.

interface re0
        nooption dhcp6_vivco
        ia_na 1

    # 226 = e2 en hexa; 160 = a0 en hexa
    #ia_pd 1 re2/226/64 athn0/160/64

    ia_pd 1 vether0/226/64

fqdn ptr


PF has to use both virtual and physical interfaces :


## General

set block-policy drop
set skip on lo
antispoof       for ($lan)
pass in quick on { $lan, $eth,$wifi }   proto udp   to any    port bootps
pass        from { (self), ($lan:network) }


First, let’s have a look at the macros in the first lines which shall help make it easier to read.



The antispoof line requests to block all connections pretending to have origin addresses inside the $lan network, but which actually don’t come from this very same network and thus are actually fraudulent.

antispoof       for ($lan)

DHCP requests authorizations

NB: this explanation is really my best guest. I cannot pretend to understand it all.

This line let pass all DHCP requests coming in on Ethernet and wifi interfaces. DHCP requests actually arrive on those interfaces first before being assigned to vether0 and have not yet any actual address with $lan network. Which make sense as its the DHCP protocol’s job.

pass in quick on { $lan, $eth,$wifi }   proto udp   to any  port bootps

It also accept connections on $lan interfaces because when renewing leases, it already has an established address.

I believe it’s the reason you need to let pass on both virtual and physical interfaces. Without this line I cannot run the network.

Last line

pass        from { (self), ($lan:network) }

Finally the last line let pass all packets from the router itself, with the well-named self keyword, or $lan network.


I still use Dnsmasq as DHCP server and local DNS.

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.


################ eth

Once again I just took the original eth configuration, changed the name for vether0 and commented wifi interface options.