Netgate Discussion Forum
    Failover Bridged Setup using STP

    General pfSense Questions
    10 Posts 3 Posters 4.4k Views
    roosterdude:

      Hi All,

      We run some pfSense installations using the more normal CARP/VIP failover active/passive setup, which are working nicely. However, we now have a requirement for a failover firewall pair that will be in a bridged configuration. I've been searching the boards and FAQs, etc., for a couple of days and see that an STP setup is probably possible; however, I couldn't find any info on whether the firewall rules and state table could still be synchronized as with the CARP config.

      I'll try attaching a network diagram of what we're hoping to achieve without buying some incredibly expensive hardware-based solution. I'd like to know if anyone is running a similar setup to the one I'm considering, or if anyone can see any potential issues with my proposed solution.

      Also… we run MSTP internally on the switches, and it seems that RSTP is what is in pfSense. Is this correct?

      Thank you in advance.
      :-)

      [Attachment: Redundant-Bridging-Firewall.png]

      roosterdude:

        I guess either no one has tried this, or no one is sure that the config would work?? :-(

        Guest:

          CARP is incompatible with bridging.  It is allegedly possible to work around this using STP, although this has not been tested by anyone and it would be a hack if it works.

          eri--:

            AFAIK, if the SYNC interface is not one of the bridged interfaces and has an IP address, then it should work!
            But as submicron said, it is not tested by anyone.

            Guest:

              No, they won't work that way.  If you have bridged interfaces, you can't also have CARP IPs on the interfaces as well.

              eri--:

                No, they won't work that way.  If you have bridged interfaces, you can't also have CARP IPs on the interfaces as well.

                Actually, I said the opposite :):
                If you have a bridge running and a spare interface that is not part of the bridge, with an IP address, and you run CARP on top of it, then syncing shouldn't be a problem (theoretically).

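As an added example (not from any poster in this thread), a POSIX shell check of the precondition eri-- describes: the sync interface must not be a bridge member and must carry its own IP address, plus a readout of which spanning-tree variant the bridge runs, parsed from a constructed `ifconfig` dump in FreeBSD's output format. On a real pfSense box you would pass live `ifconfig` output instead of the sample; the interface names and addresses are assumptions.

```shell
# Constructed sample of FreeBSD `ifconfig` output (not captured from a real firewall):
# em0/em1 form bridge0 running RSTP; em2 is the spare, addressed sync interface.
SAMPLE_IFCONFIG='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:01
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:02
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:03
        inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:01
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000'

# List every bridge member interface in the dump, one per line.
bridge_members() {
    printf '%s\n' "$1" | awk '$1 == "member:" { print $2 }'
}
# Report the spanning-tree variant the bridge runs ("stp" or "rstp").
bridge_stp_proto() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "proto") print $(i + 1) }'
}
# Succeed only if interface $2 has an IPv4 address in dump $1.
has_inet_addr() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $0 !~ /^[ \t]/ { sub(":", "", $1); cur = $1 }   # unindented line = new interface stanza
        cur == want && $1 == "inet" { found = 1 }
        END { exit (found ? 0 : 1) }'
}
# Precondition from the thread: the sync interface is not a bridge member and has its own address.
check_sync_iface() {
    dump="$1"; sync="$2"; rc=0
    if bridge_members "$dump" | grep -qx "$sync"; then
        echo "FAIL: $sync is a bridge member"; rc=1
    else
        echo "OK:   $sync is not part of any bridge"
    fi
    if has_inet_addr "$dump" "$sync"; then
        echo "OK:   $sync has an IPv4 address"
    else
        echo "FAIL: $sync has no IPv4 address"; rc=1
    fi
    return $rc
}

check_sync_iface "$SAMPLE_IFCONFIG" em2
echo "bridge spanning-tree protocol: $(bridge_stp_proto "$SAMPLE_IFCONFIG")"
```

Later posts in this thread report that even with this condition met, CARP did not come up on the bridged interfaces at the time, so the check is a necessary precondition, not a guarantee.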
                roosterdude:

                  Thanks for replying everyone.

                  I'll try it out and report back with my findings as this really would be the holy grail for HA firewalls for us. :-)

                  Guest:

                    @ermal:

                    No, they won't work that way.  If you have bridged interfaces, you can't also have CARP IPs on the interfaces as well.

                    Actually, I said the opposite :):
                    If you have a bridge running and a spare interface that is not part of the bridge, with an IP address, and you run CARP on top of it, then syncing shouldn't be a problem (theoretically).

                    I know you said the opposite, but I'm reporting from my findings of actually having tried to do it.  It doesn't work.  At least it didn't use to.  I know you have specifically worked on a lot of this code Ermal, so you may understand it better than I do, but when I tried doing this before, the CARP IP addresses wouldn't come up on the bridge.

                    eri--:

                      Oh, sorry, yeah: since carp(4) won't receive notifications of link-layer changes from bridge(4), it will not come up as an interface.
                      There is a PR open on FreeBSD for this, and it will be fixed soon, I think. You will need to force it to come up manually for it to work; I think I tried this out of curiosity in my tests while working on the code and had to force it manually to work.

                      Sorry for the noise, submicron; you are right, it is not supported and will not work by default.

                      Guest:

                        No worries Ermal.  I'm glad you looked at it, and maybe if things get changed with FreeBSD, this can be made possible in the future.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.