Netgate Discussion Forum
    Redundant interfaces/bridges and WAN, DMZ, LAN roles

    General pfSense Questions
    4 Posts 4 Posters 534 Views
    • miketubby
      last edited by miketubby

      I am wanting to replace a legacy Linux box acting as a firewall with pfSense 2.6.0.
      My system uses 2 x 2 x 2 redundancy (duplicated switches, duplicated power, duplicated everything) on the upstream and downstream interfaces.
      I have a Sophos XG230 on which I have installed 2.6.0 CE, and what I want to achieve is ige0 and ige1 as "WAN", ige2 and ige3 as "DMZ" and ige4 and ige5 as "LAN", i.e. three roles (WAN, DMZ and LAN) each on a pair of interfaces. I would prefer the interfaces operate in what Linux calls bond mode 1 (high availability), but alternatively they could be three bridges with STP.
      I can't see how to assign the WAN role to a pair of interfaces or a bridge, and I'm having to move the LAN interface around to create the bridges from the webConfigurator. Am I missing something, or do I need to do it a different way?

      • viragomann @miketubby
        last edited by

        @miketubby said in Redundant interfaces/bridges and WAN, DMZ, LAN roles:

        I would prefer the interfaces operate in what Linux calls bond mode 1 (high availability), but alternatively they could be three bridges with STP.

        The setup on pfSense must naturally match that on the connected devices, e.g. a switch. So if you have configured a bond on the connected device, you have to use this type on pfSense itself.

        A bond for high availability in Linux might be the same as a LAGG in failover mode in pfSense, I guess.
        See the docs for details: LAGG (Link Aggregation)

        Consider that the network ports must not be assigned to an interface when you want to add them to a LAGG.
        After you have configured the LAGG, go to Interfaces > Assignments and select the proper LAGG next to WAN, LAN, or create a new interface.

        Bridges work a bit differently. Here you have to add existing interfaces to a (new) bridge as members.
        Then again, on the assignment page you can switch the interface to the virtual bridge device.
        When using bridges you should assign an IP to the bridge afterwards and remove the IPs from the member interfaces.

        • JimBob Indiana
          last edited by

          And with bridges you have to tweak tunables so the firewall allows communication between all clients.

          Not hard, just easy to overlook, and you'll be pulling your hair out trying to figure out why the networked printer isn't available to all clients.

          • jimp moved this topic from Problems Installing or Upgrading pfSense Software
          • stephenw10 Netgate Administrator
            last edited by
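The tunables JimBob refers to are the FreeBSD bridge filtering sysctls `net.link.bridge.pfil_member` (filter on each member port) and `net.link.bridge.pfil_bridge` (filter on the bridge interface itself). When the IP address lives on the bridge, as viragomann describes, the rules you write on the bridge interface only take effect when `pfil_bridge` is 1, and the default of filtering on members is what silently blocks client-to-client traffic. The following POSIX shell script is an added example, not code from this thread or from the pfSense project: it parses `sysctl` output (a constructed sample is embedded so it runs offline; on a real box you would feed it `sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge`) and reports whether the filter placement is consistent with where the IP address sits, including the risky case where neither tunable is set and bridged traffic is not filtered at all.

```shell
#!/bin/sh
# Added example: sanity-check where pf filters bridged traffic on a
# FreeBSD/pfSense box from the two net.link.bridge tunables.
# Inputs are constructed sysctl output in the "key: value" format sysctl prints.

# Constructed sample: the FreeBSD default, filtering on member ports only.
SAMPLE_DEFAULT='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0'

# Constructed sample: the placement used when the IP address is on the bridge.
SAMPLE_BRIDGE_IP='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1'

# get_tunable NAME OUTPUT -> prints the value of NAME found in OUTPUT
get_tunable() {
    printf '%s\n' "$2" | awk -v k="$1" -F': ' '$1 == k { print $2 }'
}

# bridge_filter_mode OUTPUT -> members-only | bridge-only | both | none | unknown
bridge_filter_mode() {
    m=$(get_tunable net.link.bridge.pfil_member "$1")
    b=$(get_tunable net.link.bridge.pfil_bridge "$1")
    case "${m}:${b}" in
        1:0) echo members-only ;;
        0:1) echo bridge-only ;;
        1:1) echo both ;;
        0:0) echo none ;;
        *)   echo unknown ;;
    esac
}

# check_bridge_rules PLACEMENT OUTPUT
#   PLACEMENT is "bridge" (IP on the bridge interface) or "member"
#   (IPs on the member interfaces). Returns 0 when the tunables match the
#   interface the rules are written on, 1 otherwise.
check_bridge_rules() {
    mode=$(bridge_filter_mode "$2")
    case "$1:$mode" in
        bridge:bridge-only)  echo "ok: rules on the bridge interface apply"; return 0 ;;
        member:members-only) echo "ok: rules on each member interface apply"; return 0 ;;
        *:none)              echo "warn: bridged traffic is not filtered at all"; return 1 ;;
        *)                   echo "mismatch: IP on $1 but pf filters $mode"; return 1 ;;
    esac
}

# Stand-alone run over the constructed samples.
check_bridge_rules bridge "$SAMPLE_DEFAULT"   || true
check_bridge_rules bridge "$SAMPLE_BRIDGE_IP" || true
```

The two "ok" rows are the only combinations where the rules you see in the GUI are the rules pf actually evaluates for bridged frames; anything else is either the symptom in this thread (clients behind different members cannot reach each other) or, for the `none` case, a bridge that forwards unfiltered.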

            Two links in a lagg are a much nicer setup, but the switches should really support cross-chassis LACP.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.