Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Pfsense pure bridging setup

    Scheduled Pinned Locked Moved Problems Installing or Upgrading pfSense Software
    6 Posts 2 Posters 3.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      kellogs
      last edited by

      Currently i am running PF on OpenBSD with the following setup

      Internet –> Switch --> (external) OBSD (PF) (internal) --> Switch --> Load Balancer --> Switch --> LAN

      The OBSD has 3 interfaces
      fxp0 --> external
      fxp1 --> internal
      fxp2 --> mgmt

      Both fxp0 and fxp1 do not have any IP address and they are running in bridging mode.

      fxp2 is used for maintenance purpose (SSH and etc)

      I would like to know if it possible to setup pfsense with the abovementioned scenario?

      I have tried pfsense 101 briefly and it requires IP address on the WAN interface which i dont wish to define because i do not want to make any changes/waste IP addresss.

      Thank you
      -K

      1 Reply Last reply Reply Quote 0
      • H
        hoba
        last edited by

        You can use just a fake IP-Adress there that is not used anywhere in your network. As it is a bridge and doesn't do routing it will work. You then can only configure it from the management subnet, which itself won't be able to get to the internet due to the broken routing. However you will lose the ability to install packages, the rrd quality graphs won't work, the pfSense can't be used to do dns forwarding, …

        See http://pfsense.trendchiller.com/transparent_firewall.pdf for more details.

        1 Reply Last reply Reply Quote 0
        • K
          kellogs
          last edited by

          Hi Hoba,

          Thank you for you reply. I could still update the package because i could route the management IP address to the MGMT vlan which is able to reach to internet.

          I dont understand why do we need to fake a IP Address if it is not needed at all? Is it possible to have an option to disable it?

          Also if i were to setup a pair of pfsense for redundancy … do i need to add another nic card for pfsync? hmnmn maybe i could use the mgmt interface for pfsync ...

          Cheers,
          -K

          1 Reply Last reply Reply Quote 0
          • H
            hoba
            last edited by

            That's by design. The pfSense itself needs WAN-Access for the already mentioned reasons. You also need at least one IP to manage the device.

            CARP won't work on bridges. This is a limitation of CARP, not of pfSense afaik.

            1 Reply Last reply Reply Quote 0
            • K
              kellogs
              last edited by

              Thanks Hoba.

              Actually what i have right now is a pair of OBSD OF firewall and using STP for redundancy :)
              and the fxp2 is used for MGMT cum pysfync interface.

              The setup was based on http://seattlecentral.edu/~dmartin/docs/bridge.html

              Cheers,
              -K

              1 Reply Last reply Reply Quote 0
              • H
                hoba
                last edited by

                Bridged interfaces in pfSense support STP too and as you can configure pfSync independently from carp the first solution from that doc might be doable with pfSense though you still need a fake IP for the WANs. If you test this let us know how it works.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.