Is bridge Mode LAN peer to peer traffic routing through pfsense?



  • I have a question regarding peer to peer traffic inside a bridged LAN.

    I have the following setup:

    • pfsense 2.3.1
      Bridge mode.
      1 WAN 1 LAN
      LAN hosts all have public IP addresses (/24)
      LAN side of pfSense has public IP
      pfSense LAN port goes to Dell PowerConnect switch
      All hosts with public IPs are connected to Dell switch
      rackspace at data center, they provide a circuit from their router
      I have no router in my setup (other than pfSense but it's in bridge mode)

    I have reviewed documentation, but can't find anything that tells me whether the peer to peer traffic is routing through the pfSense fw/bridge to the ISP router then back to the f/w. Or, and this is what I thought, the local hosts are capable of seeing each other via ethernet and connect directly, via the ethernet switch, bypassing the fw/bridge.

    I do some significant host to host traffic, but have set up a separate network (via netGear f/w, router, switch, but I don't use the WAN port) using assigned private IPs for access (192.168.#.#).  I am more concerned with large email transmission.

    When an email is received it goes to the efs appliance, then from there transfers to the email host server.  Since they are all on public IPs, does the traffic go from appliance -> pfSense -> router -> pfSense -> email host ?  or appliance -> email host ?

    I have used some of the packet capturing and traffic tools, but think it's better to ask and see if someone can better enlighten me.  Also, my understanding is that when pfSense is in bridged mode it does not route.



  • Bridge is functionally equivalent to a switch but of course when you have a filtering bridge there's also the possibility to filter the traffic. The hosts that are on the same side of the bridge can talk to each other without going through the bridge. However, all broadcast traffic still traverses the bridge regardless, for example ARP naturally must be able to do this to reach any host on the same "logical" network segment.
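A way to verify the answer above on your own setup, added here as an example and not part of the original thread: capture on the pfSense LAN bridge member (the interface name em1 is an assumption) with `tcpdump -nne -i em1 -l` while one public host pushes a sustained transfer to the other, then classify what the bridge saw for that pair. If the only frames involving both hosts are ARP broadcasts, the switch delivered the unicast frames port to port and the bridge never saw them. If IPv4 frames between the two appear, the traffic did cross the bridge; a destination MAC that belongs to the upstream router rather than to the peer means the hosts are hairpinning through the ISP router. The two captures below are constructed in tcpdump -nne format, with 203.0.113.x and 198.51.100.x as placeholder addresses; the hairpin one shows both legs of a router round trip.

```python
import re

# Constructed tcpdump -nne output (not a real capture). Host A is 203.0.113.10
# and host B is 203.0.113.20; 198.51.100.5 stands in for an outside host.
# The only frame between A and B that reaches the bridge is the ARP broadcast.
SAMPLE_DIRECT = """\
12:00:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 203.0.113.20 tell 203.0.113.10, length 28
12:00:02.000000 00:11:22:33:44:55 > 00:de:ad:be:ef:01, ethertype IPv4 (0x0800), length 98: 203.0.113.10 > 198.51.100.5: ICMP echo request, id 1, seq 1, length 64
"""

# Constructed hairpin case: A sends to B via the upstream router's MAC
# (00:de:ad:be:ef:01, assumed), so both legs of the round trip cross the bridge.
SAMPLE_HAIRPIN = """\
12:00:03.000000 00:11:22:33:44:55 > 00:de:ad:be:ef:01, ethertype IPv4 (0x0800), length 74: 203.0.113.10.49152 > 203.0.113.20.25: Flags [S], seq 0, win 65535, length 0
12:00:03.000500 00:de:ad:be:ef:01 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 203.0.113.10.49152 > 203.0.113.20.25: Flags [S], seq 0, win 65535, length 0
"""

# One frame per line: timestamp, src MAC > dst MAC, ethertype, length, payload.
FRAME_RE = re.compile(
    r"^\S+ (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype (?P<ethertype>\w+) \(0x[0-9a-f]{4}\), length \d+: (?P<payload>.*)$"
)
ARP_REQ_RE = re.compile(r"Request who-has (\S+) tell (\S+),")
ARP_REP_RE = re.compile(r"Reply (\S+) is-at")
IPV4_RE = re.compile(r"^(\S+) > (\S+?):")


def _strip_port(addr):
    """'203.0.113.10.49152' -> '203.0.113.10' (tcpdump appends the port as a 5th field)."""
    return ".".join(addr.split(".")[:4])


def parse_frame(line):
    """Return (ethertype, src_ip, dst_ip, dst_mac) for one tcpdump -nne line, or None."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    et, payload, dst_mac = m["ethertype"], m["payload"], m["dst_mac"]
    if et == "ARP":
        req = ARP_REQ_RE.search(payload)
        if req:
            # "who-has B tell A": the sender is A, the target is B.
            return et, req.group(2), req.group(1), dst_mac
        rep = ARP_REP_RE.search(payload)
        if rep:
            # tcpdump does not print the reply's target IP, so dst is unknown.
            return et, rep.group(1), None, dst_mac
        return None
    if et == "IPv4":
        ip = IPV4_RE.match(payload)
        if ip:
            return et, _strip_port(ip.group(1)), _strip_port(ip.group(2)), dst_mac
    return None


def classify_capture(capture_text, host_a, host_b):
    """Report whether traffic between host_a and host_b crossed the bridge.

    verdict: "direct"     only ARP broadcasts for the pair were seen (switch-local)
             "via_bridge" IPv4 frames between the pair were seen on the bridge
             "no_traffic" nothing for the pair was captured
    ip_dst_macs lets you spot a hairpin: a router MAC there instead of the peer's.
    """
    pair = {host_a, host_b}
    arp = ip = 0
    ip_dst_macs = set()
    for line in capture_text.splitlines():
        frame = parse_frame(line)
        if frame is None:
            continue
        et, src, dst, dst_mac = frame
        if {src, dst} != pair:
            continue
        if et == "ARP":
            arp += 1
        else:
            ip += 1
            ip_dst_macs.add(dst_mac)
    verdict = "via_bridge" if ip else ("direct" if arp else "no_traffic")
    return {"verdict": verdict, "arp_frames": arp, "ip_frames": ip, "ip_dst_macs": ip_dst_macs}


if __name__ == "__main__":
    for name, cap in (("direct", SAMPLE_DIRECT), ("hairpin", SAMPLE_HAIRPIN)):
        print(name, classify_capture(cap, "203.0.113.10", "203.0.113.20"))
```

Run the capture for the whole duration of a real transfer rather than a single ping: a switch floods unicast frames to every port until it has learned the destination MAC, so the first few frames of a conversation can legitimately show up on the bridge even when the hosts are talking directly.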