Bridging/switching interfaces



  • Hi,

    I am wondering if it is possible to use two or more interfaces on a PFSense as Layer 2 switched interfaces instead of Layer 3 routed interfaces. I still want to use the firewall as a layer 3/routed device, not as a transparent firewall, but have multiple interfaces on the same layer 2 broadcast domain and only inspect traffic from these interfaces when traffic is routed to another subnet off another interface.

    I am probably not describing this exceptionally well but if anyone is familiar with an ASA 5505 which uses VLAN/SVI interfaces I am looking to do the same thing - assign a single IP address to two or more physical firewall interfaces. Each of these physical interfaces connect to hosts on the same subnet and the firewall does not inspect traffic switched between them but will inspect traffic routed to or from these interfaces via the SVI. Juniper SSGs can do a similiar thing with their Bridge Group function.

    Thanks
    VeeDee


  • Netgate Administrator

    Yes you can. However you will get much better performance using a real switch, even a very cheap one.

    Here's a post I wrote about it some time ago. It was for 2.0.3 but I don't think anything has changed for 2.1:
    http://forum.pfsense.org/index.php/topic,48947.msg269592.html#msg269592

    Steve



  • Thanks Steve for your quick reply and sorry for being so slow myself.

    I am just waiting on some cables at the moment before I can build my box and try out your suggestion. I would agree a switch with dedicated ASICS which would be faster but in a pinch it would be good to be able to bridge two NIC interfaces to have them on the same network without the need for an external switch.

    Thanks again.


  • Netgate Administrator

    I agree it's sometimes more convenient to bridge interfaces.

    Depending on your NIC type you may also need this patch: https://forum.pfsense.org/index.php/topic,66908.msg367991.html#msg367991

    Steve


Log in to reply