How to connect pfSense to upstream redundant switches?
-
I'm using pfSense as a transparent firewall as described in the Netgate documentation here.
I want to enable an alternate layer-2 path to the external default gateway for the VLAN, for the purposes of redundancy. What options are feasible?
Below are options that I am aware of:
- Multi-WAN functions are not feasible as described here since pfSense is not the gateway of the clients.
- Define another WAN port with no IP address and add it to the bridge. Depend upon the Spanning Tree Protocol of the upstream switches to detect the network loop and disable one of the links. When a switch goes down, the other link should be available to continue service. This will not allow increased bandwidth, even when both links are available, and there may be some latency for STP to recover when the active path goes down.
- Use LAGG to bind two physical interfaces. It requires the two pfSense interfaces to be connected to two ports in a LAGG configuration, either both ports of a single switch or each port from different switches but both within a stackable switch configuration. LAGG will provide the redundancy, increased throughput benefits, and shouldn't have latency concerns.
LAGG seems to be the only decent option. Is there another option to consider?
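The LAGG option above, as an added example that is not part of the original post or of Netgate's own tooling: once two pfSense ports are bound in an LACP LAGG, the failure mode to watch for is a silent loss of redundancy, where one member stops negotiating with its switch port and the aggregate keeps passing traffic on the remaining member. The POSIX shell check below parses output in the shape of FreeBSD's `ifconfig laggN` (the form pfSense uses) and counts members that carry the COLLECTING and DISTRIBUTING flags, which is what an LACP port shows only when it is actually forwarding. The interface names `igb0`/`igb1` and the two sample outputs are constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example (not from the original post or from Netgate): parse
# FreeBSD/pfSense `ifconfig laggN` output and report how many LACP member
# ports are actually forwarding. A negotiated, forwarding port carries the
# COLLECTING and DISTRIBUTING flags; a port whose link is down or whose
# LACP partner is missing shows flags=0<>.
# Interface names (igb0/igb1) and both samples are constructed.

# Constructed sample: one member forwarding, one member down.
SAMPLE_DEGRADED='lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:11:22:33:44:55
    laggproto lacp lagghash l2,l3,l4
    laggport: igb0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
    laggport: igb1 flags=0<>
    groups: lagg
    status: active'

# Constructed sample: both members forwarding (the healthy state).
SAMPLE_HEALTHY='lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:11:22:33:44:55
    laggproto lacp lagghash l2,l3,l4
    laggport: igb0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
    laggport: igb1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
    groups: lagg
    status: active'

# lagg_forwarding_count: read ifconfig output on stdin and print
# "<forwarding>/<total>" for the laggport lines found.
lagg_forwarding_count() {
    awk '/^[ \t]*laggport:/ {
            total++
            if ($0 ~ /COLLECTING/ && $0 ~ /DISTRIBUTING/) fwd++
         }
         END { printf "%d/%d\n", fwd, total }'
}

# lagg_is_redundant: exit 0 when at least two members forward, 1 otherwise.
# One forwarding member still carries traffic, but the redundancy the
# second link was added for is gone, which is the condition to alert on.
lagg_is_redundant() {
    counts=$(lagg_forwarding_count)
    fwd=${counts%/*}
    [ "$fwd" -ge 2 ]
}

# Stand-alone demonstration. On a real pfSense box the input would be
# `ifconfig lagg0 | lagg_is_redundant` from a cron job or monitoring agent.
printf '%s\n' "$SAMPLE_DEGRADED" | lagg_forwarding_count   # 1/2
printf '%s\n' "$SAMPLE_HEALTHY" | lagg_forwarding_count    # 2/2
```

The check deliberately looks at the LACP state flags rather than at `status: active` on the lagg itself, because the aggregate reports itself active as long as any one member forwards; that is exactly the case where the second path has quietly disappeared.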
-
@321liftoff Access switch 1 & 2 should be in a stack with a LACP link to each individual stack member and the same for the pfSense connection to the access-switch stack.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.