Dual Failover pfSense with bridged WAN?



  • I am going to try and break the question into a few different blocks in order to make it a little easier to organize.

    I have two pfSense firewalls with 4 x 1G ports each and 2 x Layer 2 LB4 switches, and the plan is to have one network drop from my colo into each firewall (two drops total), then have a connection from each of those into each one of my switches in order to use CARP for failover purposes. The switches would be in an active/backup mode. My switches would then be cross-linked together with a single 10Gb connection (they don't stack).

    Now, with my current IP allocation from my colo, they cannot peer with me, and I have no interest in doing 1:1 NAT. I was told that I might be able to put the pfSense device into a Layer 2 mode and simply do what they called a transparent firewall between the WAN and LAN ports. This appears to be called a bridge in the pfSense docs and would allow me to use my public IPs within the network behind my pfSense devices. I do know that I would then probably have to run a firewall on each server, but that's not an issue.

    With the above said, though, I had originally planned to bond 4 NICs on each of my hosts using *nix bond-mode 6 (autobalance), with 2 NICs connected to each switch, and then set up 3 tagged VLANs (lan, cluster, storage). With doing a transparent firewall on the switches, would it still be possible for me to do the VLANs like I planned? I was thinking of adding a 4th VLAN, which would be VLAN 1 and the default VLAN for anything that's not tagged, and thus would then be the WAN traffic. I think this is possible on my switches, but as many of you know, the LB4 docs are pretty lacking.

    Would this even work? I am really hoping this can work, as I have really been struggling with the network design of this setup and I want as much performance and high availability as possible, but I am limited by my knowledge, equipment, and what my colo provider will allow.
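Added example (not part of the original post): the host side of the plan above written as a netplan configuration, showing a four-NIC bond in Linux bonding mode 6 (balance-alb, the mode the poster calls "autobalance") with the three tagged VLANs (lan, cluster, storage) stacked on the bond and the untagged side of the bond carrying the WAN-facing, bridged subnet. The poster's hosts are only described as "*nix", so netplan (Ubuntu) is an assumption; the NIC names eno1-eno4, the VLAN IDs 10/20/30, the host address .50, and the cluster/storage subnets are all placeholders. The WAN-side addressing (192.168.1.0/24 with gateway 192.168.1.1) and the 192.168.0.0 LAN subnet are taken from the poster's home test setup in the thread.

```yaml
# Assumed: Ubuntu host using netplan with the networkd renderer.
# Physical layout per the poster: eno1/eno2 cabled to switch A,
# eno3/eno4 cabled to switch B. The switches are not stacked, so an
# LACP bond is not possible; balance-alb needs no switch-side LAG
# configuration, which is why it fits this topology.
network:
  version: 2
  renderer: networkd

  ethernets:
    eno1: {}   # placeholder NIC names
    eno2: {}
    eno3: {}
    eno4: {}

  bonds:
    bond0:
      interfaces: [eno1, eno2, eno3, eno4]
      parameters:
        mode: balance-alb          # Linux bonding mode 6
        mii-monitor-interval: 100  # link-state polling in ms
      # Untagged traffic on the bond is the "default VLAN" the poster
      # wants to use for WAN. With pfSense bridging WAN<->LAN, the
      # address here is a host address on the provider-facing subnet
      # (192.168.1.0/24 in the poster's home test; public 67.x in colo).
      # Because this address is reachable from the provider side with
      # only the bridged pfSense in front, a host firewall is needed,
      # as the poster already notes.
      dhcp4: false
      addresses: [192.168.1.50/24]   # .50 is a placeholder
      routes:
        - to: default
          via: 192.168.1.1           # gateway from the poster's test setup

  vlans:
    # Tagged VLANs ride on top of the bond; the switch ports facing
    # the host must carry these IDs tagged and VLAN 1 untagged.
    lan:
      id: 10                          # assumed VLAN ID
      link: bond0
      addresses: [192.168.0.50/24]    # 192.168.0.0 subnet from the poster's follow-up
    cluster:
      id: 20                          # assumed VLAN ID
      link: bond0
      addresses: [10.0.1.50/24]       # assumed subnet
    storage:
      id: 30                          # assumed VLAN ID
      link: bond0
      addresses: [10.0.2.50/24]       # assumed subnet
```

Apply with `netplan try` first so a mistake in the bond or VLAN definition rolls back instead of cutting the host off. One check worth making on the switch side before trusting failover: take down one switch (or the links to it) and confirm with `cat /proc/net/bonding/bond0` that the bond reports the surviving slaves as up and that traffic on all three tagged VLANs still passes, since balance-alb balances receive traffic with ARP replies and a VLAN whose tag is not carried on the surviving ports will silently lose connectivity.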



  • OK, so in my test setup at home, I have to use 192.168.1.127 for its WAN IP (instead of the public 67.x IPs that I will have at my colo when it goes into production), and I have bridged the WAN/LAN interfaces. A gateway of 192.168.1.1 is set up on the WAN interface. Now, this should allow me to use 192.168.1.0 IPs within the network behind the pfSense device. Correct?

    Now, with that bridge setup, how do I give the 192.168.0.0 subnet/VLAN access to the internet?