[pfSense] FW: [pfSense Support] STP on Redundant Transparent Firewalls
athompso at athompso.net
Tue Sep 13 13:16:58 EDT 2011
I don’t know if your L3 topology can accommodate it, but running an HA pair of pfSense firewalls as your default gateway works extremely well. Do you absolutely need the bump-on-the-wire design? (Or, do you need it more than you need redundancy?)
AFAIK you’re correct about FreeBSD not supporting MST or PVST – that’s fairly explicit in the docs. And yes, that does present some problems in a Cisco network…
Using a separate switch on one side or the other (i.e. instead of using a VLAN) would probably work, although that involves some trade-offs you might not want.
There’s probably a way to add a triggered script so that the interfaces on the 2ry f/w stay down and not forwarding until that unit becomes the active f/w…? Hmm, I can’t actually remember if pfSense is active/active or active/passive, maybe just ignore this one…
You can use LAGs to improve redundancy with a single firewall; at least that protects you against interface failure. I have a couple of pfSense routers running in a one-armed topology using .1q-over-lacp, it works quite well although it seems you lose TCP offload when you turn on LACP.
Lastly, the obvious alternative would be to hire BSD Perimeter to make that topology work properly (i.e. let Chris’ brain explode, not yours)!
Good luck getting your config to work as expected. Please let us all know how it works out… at least I’m very interested, can’t speak for the rest of the list.
athompso at athompso.net
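One concrete form of the triggered-script idea above, added here as an example and not code from the thread, from pfSense or from FreeBSD: a CARP transition hook that keeps the standby unit's bridge member NICs down until it becomes master, so the backup bridge can never forward alongside the active one. The member NIC names, the environment-variable overrides and the way the platform calls the script (pfSense's rc.carpmaster / rc.carpbackup hooks or a devd rule) are assumptions.

```shell
#!/bin/sh
# carp_bridge_members.sh -- run on each CARP state change of a transparent
# (bridging) firewall.  Assumed to be called by the platform's CARP hook
# with one argument: MASTER or BACKUP (INIT treated like BACKUP).
#
# Assumed/constructed member NIC names.  The CARP heartbeat link must NOT be
# a bridge member, otherwise taking members down on BACKUP severs the
# heartbeat and both units end up MASTER (exactly the L2 loop we are avoiding).
BRIDGE_MEMBERS="${BRIDGE_MEMBERS:-em0 em1}"
IFCONFIG="${IFCONFIG:-ifconfig}"   # override with 'true' for a dry run

# carp_transition STATE: bring every bridge member up on MASTER and down
# otherwise; prints "<ifname> <up|down>" per member for the hook's log.
carp_transition() {
    state="$1"
    case "$state" in
        MASTER)      action=up ;;
        BACKUP|INIT) action=down ;;
        *) echo "unknown CARP state: $state" >&2; return 2 ;;
    esac
    for ifn in $BRIDGE_MEMBERS; do
        "$IFCONFIG" "$ifn" "$action" || return 1
        echo "$ifn $action"
    done
    return 0
}

# A FreeBSD if_bridge only forwards between members that are up, so with all
# members down the standby unit is invisible to the switches' STP.
if [ -n "${1:-}" ]; then
    carp_transition "$1"
fi
```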
From: Austin G. Smith [mailto:Austin at digitalcompass.com]
Sent: Tuesday, September 13, 2011 11:34
To: athompso at athompso.net; pfSense support and discussion
Subject: RE: [pfSense] FW: [pfSense Support] STP on Redundant Transparent Firewalls
We are using MSTP - confirmed w/ him yesterday.
It appears (per FreeBSD configurations), we cannot do any tagged STP either. This would present an issue if we aggregate VLANs to the bridge.
We do have a wide range of VLANs, however the layer 2 topology is not that elaborate just yet... We are aggregating everything to the 6509 at this time until we grow into needing a distribution layer. We have a few access layers, but those switches are on the same VLAN.
Yea, I think we are going to stick to some type of manual intervention if the main fw fails. That's all we can seem to conclude so far.
Austin Smith, A+, NET+, SMBE, MCSA
Director of Information Technology