High Availability & Bridged/Transparent Firewall



  • My goal is to achieve High Availability (HA) when using pfSense bridging.  I understand the concepts of how to use pfSense in routed mode and have successfully used it in the past.  In this particular setup, there is a physical router in front of pfSense which is assigning IPv6 subnets to all VLANs (via Prefix Delegation).  This is something pfSense can't yet do as of 2.4.x.  Since I don't want to be double-NATting, pfSense is a bridge now.

    If I had two physical pfSense firewalls, this wouldn't be so terrible - I could LAG/LAGG between one or more switches and physical firewall ports; the downed interfaces would be supplemented by the configuration on the switch.

    The problem is when everything is virtualized.  LAG/LAGG isn't possible across different vSwitches, regardless of whether the physical host is interfaced via LAG/LAGG.  In my example, I'm working with a VMware standard vSwitch and a KVM OVS.

    What kind of options are there?

    Simplified setup - I have more vlans than shown here:

                      **********
                      * Router *
                      **********
                           |
                           |
    ************      **********      ************
    *  ESXi1   *------*        *------*   KVM1   *
    * -------- *      * Switch *      * -------- *
    * pfSense1 *~~~~~~*        *~~~~~~* pfSense2 *
    ************      **********      ************
                           ~
                           ~
                      ***********
                      * Devices *
                      ***********

    ---- = Connection on the router side (vlan 2)

    pfSense bridges VLANs 2 & 3


  • We had terrible experiences with CARP + bridged firewall, ranging from STP to speed and packet loss of >70%…

    Moreover, I'm not quite sure what you are planning to do or what your "question" is.



  • The question is how do you achieve high availability with two pfSense firewalls in Transparent Mode?

    Seems like the only way I could do it is if I have the capability to put a script on a switch to monitor the IPs of each pfSense firewall and, if the one being pinged stops responding, flip some VLANs over to the other one.
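As an added sketch (not code from this thread), this is the switch-side monitor the post describes, with hysteresis so a single lost ping does not flip the VLANs back and forth; the addresses are placeholders and move_vlans is a hypothetical hook, since the thread names no switch CLI.

```python
import subprocess
from dataclasses import dataclass, field

def ping(host: str) -> bool:
    """One ICMP probe with a 1 s timeout; True if the host answered."""
    r = subprocess.run(["ping", "-c", "1", "-W", "1", host],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0

@dataclass
class FailoverMonitor:
    primary: str                 # pfSense1 management IP (placeholder)
    secondary: str               # pfSense2 management IP (placeholder)
    fail_threshold: int = 3      # lost probes in a row before failing over
    failback_hold: int = 10      # good probes in a row before failing back
    active: str = field(init=False)
    _bad: int = field(default=0, init=False)
    _good: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        self.active = self.primary

    def observe(self, primary_up: bool, secondary_up: bool, move_vlans) -> str:
        """Feed one probe round. move_vlans(host) is a hypothetical hook that
        reassigns VLAN 2/3 on the switch; the real command is switch-specific."""
        if self.active == self.primary:
            self._bad = 0 if primary_up else self._bad + 1
            # Only fail over if the standby is actually reachable.
            if self._bad >= self.fail_threshold and secondary_up:
                self.active, self._bad, self._good = self.secondary, 0, 0
                move_vlans(self.active)
        else:
            self._good = self._good + 1 if primary_up else 0
            # Fail back after a hold-down, or at once if the standby dies.
            if primary_up and (self._good >= self.failback_hold or not secondary_up):
                self.active, self._bad, self._good = self.primary, 0, 0
                move_vlans(self.active)
        return self.active

def run_rounds(mon: FailoverMonitor, rounds):
    """Replay constructed (primary_up, secondary_up) tuples; return VLAN moves made."""
    moves = []
    for p_up, s_up in rounds:
        mon.observe(p_up, s_up, moves.append)
    return moves
```

In a real loop you would call ping() on both addresses every few seconds and pass the results to observe().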



  • Following up on this topic.  I never got anywhere with it.  After reading many posts which suggested solutions such as utilizing STP to handle the potential issues that would arise from the MAC address changes on the same physical interfaces (loops, etc.), I've had to abandon the idea of using pfSense as a high availability solution when bridging.

    There just doesn't seem to be a way to really handle it without complex networking and/or adding more hardware across each side.  pfSense seems to need a bridge-specific solution to make this work without significant effort or alteration in my environment - so I've had to end the search and just use pfSense as a router as well.