Pfsense Bridge with LFP (Link fail propagation)

  • I am wondering if anyone has implemented or has pointers to similar solution.

My pfsense box is in bridging mode between two switches. If one switch goes down I want pfsense to turn down the corresponding port on the other side of the bridge.


If SW2 fails, port1 on the bridge still says up, hence black-holing my traffic.

    I have searched through forums and have not found any solutions. Please note pfsense in this case is working as transparent firewall with snort.

  • bump bump

  • ????

    I'm not sure you understand what you're asking. While it may be possible to write a shell script that will do that, I don't understand the need. If the other switch goes down, all attempts to reach devices on it will soon fail, as the arp cache will soon time out on the mac addresses. Switches use those mac addresses to know where to forward a frame. Once the mac times out, the switch will no longer attempt to forward frames, just as effectively as shutting down that port.

  • Hey JKnott,

Thanks for replying. To add more details, I have pfsense running in transparent firewall mode and it's not doing any routing. So basically

    1| 2|
    1| 2|

    The two links are in static LAG since pfsense does not support LACP in bridging mode.

So let's say link2 on SW2 goes down; then SW2 link2 will not go down and SW1 will keep sending traffic to pfsense, and pfsense could not send it out since it's a bridge.

I can definitely use a script but I was hoping there is something internal in pfsense to do this.

  • @hkjarral

    First off, it is not normal switch behavior for one port to shut down, just because another one is down.

Again, if the other switch fails, then the traffic should soon stop as soon as the mac addresses time out. Switches and bridges only learn by passing traffic. If they can't pass, they can't learn and the cache times out. This has always been a fundamental characteristic of a switch or bridge. Why do you think the traffic is trying to go there? Have you seen it happen?

Here's what happens with IP. When a host wants to send a packet and doesn't know the mac address, it does an arp request which will return the mac address, if the destination is reachable. That mac, in an Ethernet frame, is then used to carry the packet over the local network. When a frame passes through a bridge or switch, the source mac is associated with the port it came in on. It then forwards the frame out the appropriate port, if known, or floods all ports. After a period of time without traffic, the switch or bridge will then forget the mac address. Should the other switch go down, then the arp request will fail, there will be no return traffic to tell the bridge where the destination is, and the attempt will simply fail. It does not create a "black hole". Why do you think it does? Have you experienced it? What were the symptoms?

Also, with "So lets say link2 on SW2 goes down then SW2 link2 will not go down and SW1 will keep sending traffic to pfsense and pfsense could not send it out since its a bridge." it sounds as if only 1 of 2 links fails. If so, traffic should still go over the other one. That's the whole point of link aggregation, where if you lose a link, you only lose bandwidth, not the entire connection.

  • Hey JKnott,

    Thank you so much for detailed insight.

The thing I have noted with pfsense is that it does not pass LACP packets when SW1 and SW2 links are set with LACP, so I used static LAG. As for static LAG, it does not have any mechanism to check link state: if the link is up it'll keep sending traffic to the other end, and since the other end is a bridge, it won't pass over to the corresponding pair link, hence black-holing the traffic.

My pfsense is transparent to the network; it's not doing any routing or link aggregation.

I know it's kind of a complex setup but that's why I posted hoping to get some insight. Guess I don't have any other options except scripting.
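The scripted link-fail propagation the thread ends on, as an added example that is not from any poster or from pfSense itself: a POSIX sh script for the FreeBSD base pfSense runs on, which reads a bridge member's carrier state from `ifconfig` and mirrors a lost link onto the paired member with `ifconfig <if> down`, restoring it only if this script was the one that downed it. Interface names, the marker directory and the pairing are assumptions; with static LAG each physical pair gets its own `lfp_apply` call in both directions.

```shell
#!/bin/sh
# Link-fail propagation (LFP) for a two-port transparent bridge on pfSense/FreeBSD.
# Added example; interface names and marker directory are assumptions.
SIDE_A="igb0"            # bridge member facing SW1 (assumed name)
SIDE_B="igb1"            # bridge member facing SW2 (assumed name)
MARK_DIR="/var/run/lfp"  # records which ports THIS script took down

# carrier_state <ifconfig output>: prints "active", "no-carrier" or "unknown"
# (FreeBSD ifconfig prints a "status: active" / "status: no carrier" line)
carrier_state() {
    case "$1" in
        *"status: active"*)     echo active ;;
        *"status: no carrier"*) echo no-carrier ;;
        *)                      echo unknown ;;
    esac
}

# admin_state <ifconfig output>: "up" if the UP flag is set in flags=...<UP,...>
admin_state() {
    case "$1" in
        *"<UP,"*|*",UP,"*|*",UP>"*) echo up ;;
        *)                          echo down ;;
    esac
}

# lfp_decide <mon admin> <mon carrier> <pair admin> <marker yes|no>
# Prints the action for the paired port: "down", "up" or "none".
lfp_decide() {
    case "$1/$2/$3/$4" in
        down/*)                echo none ;;  # monitored port is admin-down: its carrier means nothing
        up/no-carrier/up/*)    echo down ;;  # peer switch link lost: take our side of the pair down
        up/active/down/yes)    echo up ;;    # link is back and we were the ones who downed the pair
        *)                     echo none ;;  # unknown state, or admin-downed by hand: leave alone
    esac
}

# lfp_apply <monitored if> <paired if>: one propagation cycle in one direction
lfp_apply() {
    mon_out=$(ifconfig "$1" 2>/dev/null) || return 1
    pair_out=$(ifconfig "$2" 2>/dev/null) || return 1
    marker="$MARK_DIR/$2"
    if [ -f "$marker" ]; then had_marker=yes; else had_marker=no; fi
    action=$(lfp_decide "$(admin_state "$mon_out")" "$(carrier_state "$mon_out")" \
                        "$(admin_state "$pair_out")" "$had_marker")
    case "$action" in
        down) mkdir -p "$MARK_DIR" && ifconfig "$2" down && touch "$marker" ;;
        up)   ifconfig "$2" up && rm -f "$marker" ;;
    esac
}

# Run from cron every minute (or in a loop); check both directions of the pair:
# lfp_apply "$SIDE_A" "$SIDE_B"; lfp_apply "$SIDE_B" "$SIDE_A"
```

Because an admin-downed member is skipped as a monitor, downing one side of the pair does not cascade back and take the other side down, so the port comes back up on its own once carrier returns.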
