4 interfaces using bridging

rhouston

Hello everyone,

First time poster. Hope the question is not too noobish.

I am planning on using PFsense to segment my network. I currently have a flat network and would like to break it up into 3 zones (laptops, workstations, servers) with one extra zone being for the Internet connection. My question is can I bridge the 3 internal zones and not have to worry about changing current IP addresses? I plan on using the bridge filtering to restrict where the various systems can go.

Is this a doable solution with PFsense? Can you see any issues with the setup?

Thanks in advance for any and all input.

Rich

wallabybob

@rhouston:

Is this a doable solution with PFsense? Can you see any issues with the setup?

I'm not familiar with bridge filtering so I'm not commenting on your first question.

An issue with the setup is that its not very scalable in that all traffic between the segments has to be processed by the pfSense box which can quickly overload if you are using a low power CPU (e.g. because you want a quiet firewall, no fan noise) AND you have lots of cross segment traffic.

I would also recommend that you rework your existing network so you can readily change IP adresses. Software should always refer to systems by name, and using DHCP can simplify the network configuration part of a system configuration. pfSense can act as DHCP server for your network ad DNS server. If a system needs a permanent IP address you can setup DCHP so the same MAC address always gets the same IP address.

jimp

You can filter traffic on bridged interfaces, so that would work fine, but the other concerns noted by wallabybob are valid. There will be increased CPU usage with traffic between interfaces, but that would be the same regardless of them being bridged or routed. You would also need to be careful to have each of these segments on their own layer2 broadcast domain – either separate switches or separate VLANs.

rhouston

@jimp:

You can filter traffic on bridged interfaces, so that would work fine, but the other concerns noted by wallabybob are valid. There will be increased CPU usage with traffic between interfaces, but that would be the same regardless of them being bridged or routed. You would also need to be careful to have each of these segments on their own layer2 broadcast domain – either separate switches or separate VLANs.

Thanks to wallabybob and jimp for your posts. On the CPU usage, not an issue, we have a dual core 3 gig of ram system to do the job. This network is only 30 users so network usage should be reasonable. Mostly just telnet traffic to a set of AS/400's and web traffic. The segments will be on there own physical switches so that should be OK.

Wallabybob, I fully agree on your comments about DNS/naming verses using IP address. I have been pushing that for a wile but now hit the wall and need to make the network changes.

Is it fare to say that as long as I through enough hardware at PFSense it can scale up to fairly hi volumes? Do we have any examples that I can show the boss if needed?

Thanks guys!

Rich