Pfsense pure bridging setup
Currently i am running PF on OpenBSD with the following setup
Internet –> Switch --> (external) OBSD (PF) (internal) --> Switch --> Load Balancer --> Switch --> LAN
The OBSD has 3 interfaces
fxp0 --> external
fxp1 --> internal
fxp2 --> mgmt
Both fxp0 and fxp1 do not have any IP address and they are running in bridging mode.
fxp2 is used for maintenance purpose (SSH and etc)
I would like to know if it possible to setup pfsense with the abovementioned scenario?
I have tried pfsense 101 briefly and it requires IP address on the WAN interface which i dont wish to define because i do not want to make any changes/waste IP addresss.
You can use just a fake IP-Adress there that is not used anywhere in your network. As it is a bridge and doesn't do routing it will work. You then can only configure it from the management subnet, which itself won't be able to get to the internet due to the broken routing. However you will lose the ability to install packages, the rrd quality graphs won't work, the pfSense can't be used to do dns forwarding, …
See http://pfsense.trendchiller.com/transparent_firewall.pdf for more details.
Thank you for you reply. I could still update the package because i could route the management IP address to the MGMT vlan which is able to reach to internet.
I dont understand why do we need to fake a IP Address if it is not needed at all? Is it possible to have an option to disable it?
Also if i were to setup a pair of pfsense for redundancy … do i need to add another nic card for pfsync? hmnmn maybe i could use the mgmt interface for pfsync ...
That's by design. The pfSense itself needs WAN-Access for the already mentioned reasons. You also need at least one IP to manage the device.
CARP won't work on bridges. This is a limitation of CARP, not of pfSense afaik.
Actually what i have right now is a pair of OBSD OF firewall and using STP for redundancy :)
and the fxp2 is used for MGMT cum pysfync interface.
The setup was based on http://seattlecentral.edu/~dmartin/docs/bridge.html
Bridged interfaces in pfSense support STP too and as you can configure pfSync independently from carp the first solution from that doc might be doable with pfSense though you still need a fake IP for the WANs. If you test this let us know how it works.