CARP and bridge, why is STP necessary?



  • I'm working on a CARP setup where the firewalls are bridging between WAN and OPT1.

    I have looked in the pfSense book, and there they say that STP is necessary. Can anybody tell me why?

    If I understand correctly, STP works at layer 2 and relies on the MAC addresses of the interfaces. For example, the OPT1 interfaces on the master and backup pfSense machines are different. How does it work then?


  • Rebel Alliance Developer Netgate

    By bridging OPT1 to WAN on two different machines, you create a switching loop between the WAN switch/vlan and the OPT1 switch/vlan. This can melt down a network without STP.

    You could instead use one of the other methods to disable the bridge interface on the inactive firewall, which also breaks the loop.



  • @jimp:

    By bridging OPT1 to WAN on two different machines, you create a switching loop between the WAN switch/vlan and the OPT1 switch/vlan. This can melt down a network without STP.

    You could instead use one of the other methods to disable the bridge interface on the inactive firewall, which also breaks the loop.

    If the two pfSense servers are both connected to a WAN switch and an OPT1 switch, how can there be a loop between the interfaces?
    As I read in the book, they describe that the backup server does not have the CARP IPs assigned before it becomes master. Then I do not understand why it can create a loop. Can you try to explain why?


  • Rebel Alliance Developer Netgate

    The bridging is what creates the loop, not being plugged into WAN and OPT1.

    When you bridge two interfaces, you essentially bond them together and combine the WAN and OPT1 networks. Doing this once is fine, doing this twice creates a loop.

    Bridged interfaces do NOT have a CARP IP assigned, and work nothing like traditional interfaces with CARP IPs, which is why there are so many warnings. Unless you deactivate the bridge somehow (STP, script, devd, etc) both bridges are always active.
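    As an added illustration of the "script, devd" option mentioned above (not code from the thread or from pfSense), here is a CARP state-change hook that keeps only the MASTER node's bridge up, so the backup's bridge can never close the loop. The bridge name bridge0, the script path and the devd.conf fragment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): CARP state-change hook that
# brings the WAN<->OPT1 bridge up on MASTER and down in every other state.
# Assumed names: bridge0 (the WAN/OPT1 bridge), /usr/local/bin/carp-bridge.sh (this file).
#
# devd(8) can invoke it on each CARP transition; assumed /etc/devd/carp-bridge.conf:
#   notify 0 {
#       match "system"    "CARP";
#       match "subsystem" "[0-9]+@[0-9a-z]+";   # "<vhid>@<interface>"
#       match "type"      "(MASTER|BACKUP|INIT)";
#       action "/usr/local/bin/carp-bridge.sh $subsystem $type";
#   };

BRIDGE="${BRIDGE:-bridge0}"
DRY_RUN="${DRY_RUN:-0}"    # DRY_RUN=1 prints the ifconfig command instead of running it

# Map a CARP state to the bridge state wanted on this node. Anything other than
# MASTER (BACKUP, INIT, unknown) leaves the bridge down: failing closed is the
# only safe default while the peer may already be forwarding between the VLANs.
bridge_state_for() {
    case "$1" in
        MASTER) echo up ;;
        *)      echo down ;;
    esac
}

# Build the exact ifconfig(8) invocation for the desired bridge state.
bridge_cmd() {
    echo "ifconfig $BRIDGE $(bridge_state_for "$1")"
}

# Apply (or, in dry-run mode, print) the command and record the transition.
apply_bridge_state() {
    vhid_if="$1"; state="$2"
    cmd="$(bridge_cmd "$state")"
    command -v logger >/dev/null 2>&1 && logger -t carp-bridge "CARP $vhid_if -> $state: $cmd"
    if [ "$DRY_RUN" = "1" ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# Only act when devd passes its two arguments; sourcing the file does nothing.
if [ $# -eq 2 ]; then
    apply_bridge_state "$1" "$2"
fi
```

    Note that both nodes still need the same hook, and that a node stuck in INIT keeps its bridge down, which is the intended fail-closed behaviour.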



  • @jimp:

    The bridging is what creates the loop, not being plugged into WAN and OPT1.

    When you bridge two interfaces, you essentially bond them together and combine the WAN and OPT1 networks. Doing this once is fine, doing this twice creates a loop.

    Bridged interfaces do NOT have a CARP IP assigned, and work nothing like traditional interfaces with CARP IPs, which is why there are so many warnings. Unless you deactivate the bridge somehow (STP, script, devd, etc) both bridges are always active.

    Thanks for your reply. Now I understand why it creates a loop, because the bridged interfaces are both active. Then I will try using the STP method. Thanks for your help and time.

