Transparent Firewall with 2 redundant Hosts
Hello PFSense people.
I'm implementing the scenario below:
1 Layer 3 switch that performs OSPF connectivity with my ISP.
1 core switch that uses the layer 3 switch as its default gateway. The core switch connects all distribution switches in my internal network.
1 Transparent PFSense firewall between them.
I use a transparent firewall with a bridge because my network contains only valid IP addresses, and I don't think it is necessary to route traffic twice. My layer 3 switch on the border is robust equipment and I want to eliminate OSPF from the firewall.
I want to implement a secondary firewall host, to make them redundant in the case of a failure. In the future, I will also duplicate the L3 switches with a stack module, since I have only one connection with the ISP (for now).
How should I implement these 2 transparent firewalls and make them redundant with no human intervention? I have seen a lot of alerts about using CARP with this scenario, but something has to be configured, or it will create a loop on the network. Is Spanning Tree the best solution to implement redundancy? How about the state table of traffic?
Is it possible to implement what I want to do?