Difference Between Assigning an IP Address to a Firewall Interface vs. Assigning It to a Bridge Interface?
-
Hello Professionals,
My PFSense Plus firewall has two interfaces:
- LAN
- Server
This firewall is positioned between two switches — one connected to the LAN interface and the other to the Server interface — and is used to control traffic between these two internal network segments. In other words, it functions as an internal firewall.
When I initially configured the device, I set it up without much trouble by creating a bridge.
I assigned an IP address to the LAN interface, enabled the Server interface without assigning it an IP address, and then bridged the two. This setup worked as intended.

Now, I'm planning to add another internal firewall and configure High Availability (HA) using CARP. This raises a few questions.
If I had assigned the IP address to the bridge interface itself rather than to the LAN interface, how would the behavior have changed compared to my current setup? If the two configurations function the same, are there any special considerations I should keep in mind when setting up CARP?
This question came up when I started wondering: when setting up a CARP VIP, which interface should it be assigned to — the LAN interface or the bridge interface?
Thank you for your time.
-
@eeebbune
If you pull the network cable, the system disables the IP configuration of the respective interface (because of missing carrier). If it is a bridge member and has the IP defined on it, this tears down the other bridge members as well.
If the IP definition is on the bridge, this has no impact on the other members.
-
Thank you for your reply.
In that case, would you change the IP assignment from the LAN interface to the bridge interface? Is changing the configuration better in terms of managing the network?
-
@eeebbune
Yes, it's recommended to assign the IP to the bridge. And in case any member interface is hardware-based, I'd change this.
If all interfaces are virtualized, I think, it makes no big difference.
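To turn the advice in this thread into something checkable before a CARP rollout, here is an added audit script (not from the thread or from pfSense itself). It parses a config.xml-style document and flags any static address or CARP VIP that sits on a bridge member interface rather than on the bridge interface. The element layout it reads (`<bridges><bridged><members>`/`<bridgeif>`, `<virtualip><vip>`, one child per logical interface under `<interfaces>`) is assumed to match pfSense's export format; the two sample configurations, interface names and addresses are constructed for the example.

```python
"""Flag IPs and CARP VIPs placed on bridge members instead of on the bridge.

Assumed config.xml layout (constructed sample, not a real export):
  <interfaces><lan><if>igb0</if><ipaddr>...</ipaddr></lan> ... </interfaces>
  <bridges><bridged><members>lan,opt1</members><bridgeif>bridge0</bridgeif></bridged></bridges>
  <virtualip><vip><mode>carp</mode><interface>lan</interface> ... </vip></virtualip>
"""
import xml.etree.ElementTree as ET

# Constructed sample: IP and CARP VIP are on the LAN member (the setup the poster described).
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <lan><enable/><if>igb0</if><ipaddr>192.168.10.1</ipaddr><subnet>24</subnet></lan>
    <opt1><enable/><if>igb1</if><descr>Server</descr></opt1>
    <opt2><enable/><if>bridge0</if><descr>BRIDGE</descr></opt2>
  </interfaces>
  <bridges>
    <bridged><members>lan,opt1</members><bridgeif>bridge0</bridgeif></bridged>
  </bridges>
  <virtualip>
    <vip><mode>carp</mode><interface>lan</interface><vhid>1</vhid>
         <subnet>192.168.10.254</subnet><subnet_bits>24</subnet_bits></vip>
  </virtualip>
</pfsense>"""

# Constructed sample: the same network with the IP and VIP moved onto the bridge interface.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "<lan><enable/><if>igb0</if><ipaddr>192.168.10.1</ipaddr><subnet>24</subnet></lan>",
    "<lan><enable/><if>igb0</if></lan>",
).replace(
    "<opt2><enable/><if>bridge0</if><descr>BRIDGE</descr></opt2>",
    "<opt2><enable/><if>bridge0</if><descr>BRIDGE</descr>"
    "<ipaddr>192.168.10.1</ipaddr><subnet>24</subnet></opt2>",
).replace("<interface>lan</interface>", "<interface>opt2</interface>")


def _logical_interfaces(root):
    """Yield the per-interface elements (lan, opt1, ...) under <interfaces>."""
    ifaces = root.find("interfaces")
    return list(ifaces) if ifaces is not None else []


def _members_by_bridge(root):
    """Return {member_logical_name: bridge_device} from every <bridged> entry."""
    members = {}
    for br in root.iterfind("./bridges/bridged"):
        bridgeif = (br.findtext("bridgeif") or "").strip()
        for m in (br.findtext("members") or "").split(","):
            if m.strip():
                members[m.strip()] = bridgeif
    return members


def _logical_name_for(root, device):
    """Map a device name such as bridge0 to its logical interface (e.g. opt2)."""
    for iface in _logical_interfaces(root):
        if (iface.findtext("if") or "").strip() == device:
            return iface.tag
    return device  # fall back to the device name if the bridge was never assigned


def audit(xml_text):
    """Return a list of findings; an empty list means nothing sits on a bridge member."""
    root = ET.fromstring(xml_text)
    members = _members_by_bridge(root)
    findings = []

    # A static address on a member disappears with that member's carrier and,
    # per the reply above, takes the rest of the bridge down with it.
    for iface in _logical_interfaces(root):
        ipaddr = (iface.findtext("ipaddr") or "").strip()
        if iface.tag in members and ipaddr and ipaddr != "none":
            bridge = members[iface.tag]
            findings.append(
                f"static address {ipaddr} is on bridge member '{iface.tag}' "
                f"({iface.findtext('if')}); move it to the bridge interface "
                f"'{_logical_name_for(root, bridge)}' ({bridge})")

    # A CARP VIP has the same dependency on its parent interface's carrier.
    for vip in root.iterfind("./virtualip/vip"):
        if (vip.findtext("mode") or "").strip() != "carp":
            continue
        parent = (vip.findtext("interface") or "").strip()
        if parent in members:
            bridge = members[parent]
            findings.append(
                f"CARP VIP vhid {vip.findtext('vhid')} ({vip.findtext('subnet')}) is on "
                f"bridge member '{parent}'; assign it to "
                f"'{_logical_name_for(root, bridge)}' ({bridge})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as described", SAMPLE_CONFIG), ("moved to bridge", FIXED_CONFIG)):
        print(f"== {label} ==")
        for line in audit(cfg) or ["no findings"]:
            print(" -", line)
```

Run it against a real export only after checking that your config.xml uses the same element names; if pfSense's format differs from the assumed layout, adjust the three XPath strings in `_members_by_bridge`, `_logical_interfaces` and `audit` rather than the logic.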