• Hi All,

    I have a unique setup at a DC that I am having a heck of a time getting to work as it was in the lab.

    My Setup:
    2 pfsense boxes with 4 NICs
    2 drops in an etherchannel from ISP at DC
    2 2950 switches trunked behind pfsense on LAN

    WAN goes to each DC Drop.
    LAN is a LAGG of 2 NICs, each running to port 2 on 2950s for pfsense1 and port 3 on 2950s for pfsense2.
    Nic #4 runs interconnect between pfsense systems for ssh management.
    2950s are trunked on port 1

    Pfsense is running in Transparent Bridge mode with WAN/LAN Bridged.

    WAN has a public static IP and LAN an IP for local subnet ( and

    I have rstp turned on for both bridges with default settings and stp turned on for both the lan and wan interface.

    On my 2950s I have set 1 switch as the root primary and the other as root secondary and set port 3 to priority 240 on both switches.

    My goal is to have the stp blocking port occur on the 2950s port 3 LAN side (pri 240) so I can still access my second pfsense box via the WAN static IP for out of band management in the event of a fat-finger bad configuration on pfsense1.

    So far I am not having much luck getting the stp configured as I once had in my lab with the pfsense boxes, which leads me to wonder if the BPDUs are being forwarded upstream to the ISP from my 2950s.

    This is my primary question for this post: does pfsense forward BPDUs when operating in transparent bridge mode with or without STP enabled?

    If someone sees any glaring problems with the setup I am all ears.


  • I can now confirm that with pfsense 2.1 BPDUs are exchanged properly when rstp is enabled on a bridge with the root bridge upstream.

    I ended up setting my 2950 switches to rstp defaults except for a cost of 37 on port 3 to put the pfsense2 box Lagg0 Lan interface into blocking mode.

    All is well!