I'm installing a transparent firewall with PFsense. The firewall will be located between two routers with trunking. I have used OPT1 and OPT2 interfaces so I don't want any IP assigned to transparent interfaces.

This is my topology:

Router1(external)–--[Opt1---(Vlan0--firewall bridge--Vlan1)---Opt2)----Router2(internal)

The firewall is working almost perfectly. Only fails with file transfers with SFTP an mail attachments. I think that could be a problem with MSS (Maximum Segment Size). The solution in Linux is to put this rule:

iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1456

I think that in BSD the rule is something like:

scrub in on fxp0 all fragment reassemble min-ttl 15 max-mss 1400
scrub in on fxp0 all no-df
scrub    on fxp0 all reassemble tcp

But I don't know how to put this rule in order to execute it at init an to keep it when the firewall rules change.

Anybody knows how to do it?

Quimi