Netgate Discussion Forum

    Bridge+stp problem

    Category: HA/CARP/VIPs
    1 Posts 1 Posters 2.1k Views
      juraj_bond

      Hello everybody,

      I would be eternally grateful if someone would be able to shed some light on this.
      I have two pfSense boxes set up as transparent bridges with STP enabled. Those boxes have only two NICs each, and precisely here lies the heart of the problem: the interfaces are bge0 (WAN) and bge1 (LAN), bridged together, obviously.
      I am doing the "implicit" failover via STP. I am able to prioritize the two bridges, e.g. I am able to convince them that the "left" box should always be the root bridge, whenever available. But now the question is which channel to use for pfsync. I seem to have three options: LAN, WAN, or some other VLAN-based interface that I create.
      Apparently, I have no control over the selection of the interface to be blocked on the non-root bridge when STP kicks in; moreover, I have no control over on which interface the master bridge will be able to "see" its counterpart to synchronize the FW to. The firewall's bridge MAC table invariably shows the counterpart across the blocked interfaces. Manually adding routes between the bridges worked (sort of), but it's hardly a systematic solution, since I am not able to have a particular interface blocked anyway; juggling with `ifconfig bridge0 ifpriority <interface>` and `ifconfig bridge0 ifpathcost <interface>` didn't work. This, of course, also happens if I use a VLAN-tagged interface, since if bge0 is in blocking state, all the VLAN interfaces having bge0 as parent are blocked too.
      All the other features work great, traffic through the bridge flows without a hitch; it's just this one tiny thing left.
      I know that buying a third network card would solve all the problems immediately, but I was really hoping a setup like this may work.

      S.O.S. ... thanks in advance for any help/constructive remarks!

      Juraj

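The check a practitioner would want before picking a pfsync interface in the two-NIC setup above is to read which bridge member STP has actually put into the discarding state, rather than inferring it from the MAC table. The script below is an added example, not code from the original post or from pfSense: it parses `ifconfig bridge0` output from FreeBSD's if_bridge (the sample output is constructed to resemble that format for bge0/bge1) and reports each member's STP role and state. It also includes a helper around `ifconfig <bridge> ifpriority <member> <priority>`, the FreeBSD syntax (priority 0..240, default 128), which is not run here. One caveat worth knowing when `ifpriority` on the non-root box appears to do nothing: under 802.1D the non-root bridge breaks a tie between two ports with equal root path cost on the sender's bridge ID and then the sender's port ID, so the port priority that steers which port the non-root box blocks is the one set on the root bridge's members, not on its own.

```shell
#!/bin/sh
# Added example (not from the original post): report the STP role/state of
# each if_bridge member so the forwarding member can be chosen for pfsync.
# The sample below is CONSTRUCTED to mimic FreeBSD `ifconfig bridge0` output
# for a non-root bridge whose WAN port (bge0) was blocked.

SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:0a:1b:2c:3d:4e
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:11:22:33:44:55 priority 4096 ifcost 20000 port 2
        member: bge1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000 proto rstp
                role root state forwarding
        member: bge0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000 proto rstp
                role alternate state discarding'

# stp_member_states: read ifconfig output on stdin, print "member role state"
# for every member: line that is followed by a "role ... state ..." line.
stp_member_states() {
    awk '
        /^[ \t]*member: / { member = $2 }
        /role [a-z]+ state [a-z]+/ && member != "" {
            for (i = 1; i <= NF; i++) {
                if ($i == "role")  role  = $(i + 1)
                if ($i == "state") state = $(i + 1)
            }
            print member, role, state
            member = ""
        }'
}

# discarding_members: members STP has blocked ("discarding" under RSTP,
# "blocking" under legacy STP). pfsync traffic cannot reach the peer here.
discarding_members() {
    stp_member_states | awk '$3 == "discarding" || $3 == "blocking" { print $1 }'
}

# pfsync_candidate: first member in forwarding state; the only member on
# which the peer firewall is reachable while STP blocks the other one.
pfsync_candidate() {
    stp_member_states | awk '$3 == "forwarding" { print $1; exit }'
}

# set_member_priority: FreeBSD syntax for a per-port STP priority (0..240,
# lower wins). Run this on the ROOT bridge to steer which port the non-root
# box blocks; it is defined here but deliberately not executed.
set_member_priority() {
    # $1 = bridge, $2 = member, $3 = priority
    ifconfig "$1" ifpriority "$2" "$3"
}

# On a real box:   ifconfig bridge0 | stp_member_states
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_IFCONFIG" | stp_member_states
printf 'blocked: %s\n' "$(printf '%s\n' "$SAMPLE_IFCONFIG" | discarding_members)"
printf 'pfsync candidate: %s\n' "$(printf '%s\n' "$SAMPLE_IFCONFIG" | pfsync_candidate)"
```

Run it after STP has converged on the non-root box; whichever member `pfsync_candidate` reports is the only one over which a pfsync peer on the other bridge is reachable, and if that member flips after a topology change, the pfsync interface has to follow it.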
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.