Netgate Discussion Forum
    CARP and bridge, why is STP necessary?
Category: HA/CARP/VIPs
cyberfinn:

I'm working on a CARP setup where the firewalls are bridging between WAN and OPT1.

I have looked in the pfSense book and there they say that STP is necessary. Can anybody tell me why?

If I understand it right, STP works in layer 2 and then relies on the MAC addresses of the interfaces. And for example the OPT1 interfaces on the master and backup pfSense machines are different. How does it then work?

jimp (Rebel Alliance Developer, Netgate):

By bridging OPT1 to WAN on two different machines, you create a switching loop between the WAN switch/VLAN and the OPT1 switch/VLAN. This can melt down a network without STP.

You could instead use one of the other methods to disable the bridge interface on the inactive firewall, which also breaks the loop.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

cyberfinn:

          @jimp:

By bridging OPT1 to WAN on two different machines, you create a switching loop between the WAN switch/VLAN and the OPT1 switch/VLAN. This can melt down a network without STP.

You could instead use one of the other methods to disable the bridge interface on the inactive firewall, which also breaks the loop.

If the two pfSense servers are both connected to a WAN switch and an OPT1 switch, how can there be a loop between the interfaces?
As I could read in the book, they describe that the backup server does not have the CARP IPs assigned before it is converted to master. Then I do not understand why it can create a loop. Can you try to explain why?

jimp (Rebel Alliance Developer, Netgate):

            The bridging is what creates the loop, not being plugged into WAN and OPT1.

            When you bridge two interfaces, you essentially bond them together and combine the WAN and OPT1 networks. Doing this once is fine, doing this twice creates a loop.

Bridged interfaces do NOT have a CARP IP assigned, and work nothing like traditional interfaces with CARP IPs, which is why there are so many warnings. Unless you deactivate the bridge somehow (STP, script, devd, etc.) both bridges are always active.

cyberfinn:
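The "script/devd" option jimp mentions, as an added example that is not from the thread or from pfSense's own code: a small FreeBSD-style hook that takes the bridge down on the firewall whose CARP VIP goes BACKUP and brings it back up on MASTER, so only one node bridges WAN and OPT1 at any time. It assumes the bridge is bridge0, the VIP is vhid 1 on em0, and a devd rule (shown in the comment, syntax assumed from FreeBSD's CARP notifications) passes the event type and subsystem to the script.

```shell
#!/bin/sh
# Added example: break the WAN<->OPT1 switching loop by keeping the bridge
# up only on the CARP master. Assumed names: bridge0, vhid 1 on em0.
#
# Assumed devd.conf rule that invokes this script on CARP state changes:
#   notify 0 {
#       match "system"    "CARP";
#       match "subsystem" "1@em0";
#       action "/usr/local/bin/carp-bridge.sh $type $subsystem";
#   };
#
# (The STP alternative from the thread would instead be a one-off
#  "ifconfig bridge0 stp em0 stp em1" on both firewalls.)

BRIDGE="${BRIDGE:-bridge0}"            # bridge to enable/disable
WATCHED_VHID="${WATCHED_VHID:-1@em0}"  # "<vhid>@<ifname>" as devd reports it
DRY_RUN="${DRY_RUN:-0}"                # 1 = print the command instead of running it

# Map a CARP state for the watched VIP to the ifconfig action on the bridge.
# Prints the command; returns 1 when the event needs no action (other vhid,
# INIT, or unknown state), so both bridges are never left active together.
bridge_action() {
    state="$1"; vhid="$2"
    [ "$vhid" = "$WATCHED_VHID" ] || return 1
    case "$state" in
        MASTER) echo "ifconfig $BRIDGE up" ;;
        BACKUP) echo "ifconfig $BRIDGE down" ;;
        *)      return 1 ;;
    esac
}

# Apply the action for one devd event ("<state> <vhid>@<ifname>").
run_event() {
    cmd=$(bridge_action "$1" "$2") || return 0
    logger -t carp-bridge "CARP $1 on $2: $cmd"
    if [ "$DRY_RUN" = "1" ]; then echo "$cmd"; else $cmd; fi
}

# Act only when executed as the hook itself, not when sourced.
if [ "${0##*/}" = "carp-bridge.sh" ]; then
    run_event "$1" "$2"
fi
```

Events for any other vhid are ignored, so a second VIP on the same box does not flap the bridge.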

              @jimp:

              The bridging is what creates the loop, not being plugged into WAN and OPT1.

              When you bridge two interfaces, you essentially bond them together and combine the WAN and OPT1 networks. Doing this once is fine, doing this twice creates a loop.

Bridged interfaces do NOT have a CARP IP assigned, and work nothing like traditional interfaces with CARP IPs, which is why there are so many warnings. Unless you deactivate the bridge somehow (STP, script, devd, etc.) both bridges are always active.

Thanks for your reply. Now I understand why it creates a loop, because the bridged interfaces are both active. Then I will try using the STP method. Thanks for your help and time.
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.