Netgate Discussion Forum

Layer 2 or Layer 3

Category: L2/Switching/VLANs
6 Posts 3 Posters 775 Views
    nomis.home43
    last edited by May 26, 2022, 6:56 PM

    I have been watching a few videos online in relation to setup. I assume (let me know if I'm wrong) that if I have a layer 2 switch with 4 VLANs and a pfSense with 2 ports the simplified setup would be:

    Port going to LAN on pfSense: trunk?
    Port for VLAN 2 going to, say, a laptop: tagged with VLAN 2 ID
    DHCP would come from pfSense and that would also set the DNS and the layer 3 gateway for that VLAN, and in simple terms the pfSense does all the inter-VLAN routing. Correct?

    OK, now let's use a layer 3 switch instead of the layer 2. If it's configured, each VLAN has an SVI interface IP and that is used for the VLAN gateway. Now throw the pfSense in and it's doing DHCP and DNS: do I set the VLAN gateway to the switch VLAN SVI and set a final route on the switch to the LAN interface of the pfSense, or do I set the gateway to the VLAN IP address set on the pfSense for the relevant VLAN, or finally do I just let pfSense DHCP deal with it?

    Thanks

      johnpoz LAYER 8 Global Moderator @nomis.home43
      last edited by johnpoz May 26, 2022, 7:02 PM (posted May 26, 2022, 7:01 PM)

      @nomis-home43 said in Layer 2 or Layer 3:

      now throw the pfSense in and it's doing DHCP

      Stop you right there: pfSense currently has no way to do DHCP for networks it's not directly attached to.

      If you're going to use a downstream router or L3 switch doing routing, pfSense cannot do DHCP for those networks.

      Also keep in mind that if you do a downstream router, pfSense has no control over traffic between those VLANs. Unless you have a specific need for, say, wire speed between VLANs, the more straightforward solution is to just use L2 VLANs and let pfSense handle the routing and firewalling between the VLANs. It can also do DHCP then.

      When you use a downstream router (L3 switch doing routing) you would also connect that router to pfSense with a transit network, i.e. there should be no other hosts on this network between pfSense and the downstream router.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        nomis.home43
        last edited by nomis.home43 May 26, 2022, 8:27 PM (posted May 26, 2022, 8:26 PM)

        @johnpoz Thanks for replying (just an FYI, I don't have access to the devices at the mo). I'm a little more confused now; the layer 3 setup I have managed to achieve already: I have a layer 3 switch, each VLAN has an IP and the switch final route is set to the IP of the pfSense LAN.

        Let me add a little more meat to the setup, I may not have explained it too well the 1st time.
        The switch is configured with (0.1 is the SVI IP for each VLAN):
        VLAN 16 - LAN - em0 192.168.16.0/24
        VLAN 10 - Systems - em0.10 192.168.10.0/24
        VLAN 20 - IoT - em0.20 192.168.20.0/24

        The interface at the switch has:
        untagged VLAN 16
        tagged VLAN 10, 20

        Port 1/1 is untagged VLAN 10
        Port 1/2 is untagged VLAN 20

        DHCP is configured on each VLAN from pfSense and works if a device is plugged into port 1/1 or 1/2. DHCP has been configured with DNS (Google) and the IP of the VLAN interface on the switch.

        I'm convinced I have it set up wrong. At the moment I think the routing is done on the layer 3 switch and anything not for internal traffic (VLANs 10, 16 or 20) is sent to the pfSense; I believe that this is why I have to add a rule like the one below to the LAN network to get internet access for VLANs 10 or 20 respectively.

        Action | Protocol | Source         | Port | Dest | Port
        Allow  | IPv4     | 192.168.10.0/24 | any  | any  | any

        So it may be working but I'm not convinced it's right, hope that explains it better.

          Jarhead @nomis.home43
          last edited by May 26, 2022, 8:55 PM

          @nomis-home43 Why use the switch for routing?
          Get rid of the SVIs, assign untagged VLANs on any ports as required.
          Then use a trunk port from the switch to the pfSense LAN port.
          Tag the switch trunk with any VLANs you need, then add the same VLANs to the pfSense port.
          Assign those VLANs as ports and you can use DHCP from pfSense on all of them.

            nomis.home43 @Jarhead
            last edited by May 26, 2022, 9:25 PM

            @jarhead Thanks. The switch was already in place; the pfSense is the new requirement after the last ISP firewall/router bit the dust.

            Sorry, I'm a little out of my depth. I'm sort of following, so just to confirm: are you saying convert the switch to layer 2 and set up the required VLANs, or leave it as layer 3 and just remove the SVIs from the configured VLANs (I assume that means removing the interface VLANs as well)? Also, if I'm going this route (no pun intended), do I keep the final route setting?

            Thanks, Simon

              Jarhead @nomis.home43
              last edited by May 26, 2022, 10:08 PM

              @nomis-home43 You can leave it as layer 3.
              Config one port on the switch as a trunk. Tag all 3 VLANs on that port.
              Untag the VLANs on any switch ports you need for the networks. I think you said you only need 1 port per network, so just do that.
              In pfSense, go to Interfaces/VLANs. Add the 3 VLANs to the LAN port. This is the equivalent of making that port a trunk, so remove any config you have on it.
              Then go to Interfaces/Assignments. At the bottom there's "available network ports". In the drop-down, all 3 VLANs will be there. Assign each VLAN, one at a time, and they will be assigned an OPTx name. Click each OPTx, enable it, rename it, assign IPs as needed. Go to Services/DHCP Server. You will see all 3 VLANs at the top; click one, enable the DHCP server and set the range. Repeat for the other two.
              Then set firewall rules on the new ports.
              Should be good from there.

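The two designs argued over in this thread (the poster's layer 3 switch routing with SVIs as the gateway while pfSense hands out DHCP, versus johnpoz's and Jarhead's recommendation of a trunk to pfSense with pfSense holding every VLAN gateway) can be checked mechanically. The script below is an added example written for this thread, not code from Netgate, pfSense or any of the posters. It models a VLAN plan as plain data and flags the problems the replies describe: a DHCP scope pfSense cannot serve because it is not attached to that VLAN, a default gateway that is the switch SVI (so inter-VLAN traffic never crosses pfSense rules), a VLAN pfSense is addressed on but the trunk does not carry, and a network that both routers share while hosts also sit on it (the asymmetric path that forced the poster's extra LAN rule). The `Vlan`/`Plan` classes, the `.254` pfSense addresses in the first plan and the DHCP ranges are all constructed for the example.

```python
"""VLAN plan consistency checks for a pfSense + managed-switch design.

Added example for this thread; all classes, addresses and ranges are
constructed and are not pfSense or Netgate code.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vlan:
    tag: int
    name: str
    subnet: str          # e.g. "192.168.10.0/24"
    gateway: str         # default gateway handed out by DHCP on this VLAN
    dhcp_range: tuple    # (first, last) address of the DHCP scope


@dataclass
class Plan:
    vlans: list
    pfsense_addrs: dict  # tag -> pfSense address on that VLAN (absent = not attached)
    switch_svis: dict    # tag -> switch SVI address (absent = switch is L2 on that VLAN)
    trunk_vlans: set     # tags carried (tagged or native) on the switch-to-pfSense link
    access_ports: dict   # switch port -> untagged VLAN tag
    dhcp_from_pfsense: set = field(default_factory=set)  # tags pfSense should serve DHCP on


def check_plan(plan):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    defined = {v.tag for v in plan.vlans}
    switch_routes = False
    for v in plan.vlans:
        net = ipaddress.ip_network(v.subnet, strict=True)
        gw = ipaddress.ip_address(v.gateway)
        lo, hi = (ipaddress.ip_address(a) for a in v.dhcp_range)
        if gw not in net:
            findings.append(f"VLAN {v.tag}: gateway {gw} is outside {net}")
        if lo not in net or hi not in net or lo > hi:
            findings.append(f"VLAN {v.tag}: DHCP range {lo}-{hi} does not fit {net}")
        pf = plan.pfsense_addrs.get(v.tag)
        pf_addr = ipaddress.ip_address(pf) if pf else None
        svi = plan.switch_svis.get(v.tag)
        svi_addr = ipaddress.ip_address(svi) if svi else None
        if pf_addr is not None and pf_addr not in net:
            findings.append(f"VLAN {v.tag}: pfSense address {pf_addr} is outside {net}")
        if pf_addr is not None and v.tag not in plan.trunk_vlans:
            findings.append(f"VLAN {v.tag}: pfSense is addressed here but the trunk does not carry it")
        # johnpoz's point: pfSense only serves DHCP on networks it is directly attached to.
        if v.tag in plan.dhcp_from_pfsense and pf_addr is None:
            findings.append(f"VLAN {v.tag}: pfSense is not attached, so it cannot serve DHCP here")
        if svi_addr is not None and gw == svi_addr:
            switch_routes = True
            findings.append(f"VLAN {v.tag}: gateway is the switch SVI, so inter-VLAN traffic bypasses pfSense rules")
        elif pf_addr is not None and gw != pf_addr:
            findings.append(f"VLAN {v.tag}: gateway {gw} is neither the pfSense address nor an SVI")
    for port, tag in plan.access_ports.items():
        if tag not in defined:
            findings.append(f"port {port}: untagged VLAN {tag} is not defined")
    # If the switch routes, its link to pfSense should be a dedicated transit network:
    # a VLAN both devices are addressed on must not also carry end hosts.
    if switch_routes:
        for tag in plan.pfsense_addrs:
            if tag not in plan.switch_svis:
                continue
            hosts = [p for p, t in plan.access_ports.items() if t == tag]
            if hosts:
                findings.append(f"VLAN {tag}: switch and pfSense both route here and ports {hosts} carry hosts; use one gateway or a dedicated transit VLAN")
    return findings


def _vlans(gw_last_octet):
    # Constructed subnets matching the thread's VLAN 16/10/20 layout.
    return [
        Vlan(16, "LAN", "192.168.16.0/24", f"192.168.16.{gw_last_octet}", ("192.168.16.100", "192.168.16.200")),
        Vlan(10, "Systems", "192.168.10.0/24", f"192.168.10.{gw_last_octet}", ("192.168.10.100", "192.168.10.200")),
        Vlan(20, "IoT", "192.168.20.0/24", f"192.168.20.{gw_last_octet}", ("192.168.20.100", "192.168.20.200")),
    ]


def poster_plan():
    """The thread's current setup: switch SVIs at .1 are the gateways, pfSense (constructed .254) does DHCP."""
    return Plan(
        vlans=_vlans(1),
        pfsense_addrs={16: "192.168.16.254", 10: "192.168.10.254", 20: "192.168.20.254"},
        switch_svis={16: "192.168.16.1", 10: "192.168.10.1", 20: "192.168.20.1"},
        trunk_vlans={16, 10, 20},
        access_ports={"1/1": 10, "1/2": 20},
        dhcp_from_pfsense={16, 10, 20},
    )


def recommended_plan():
    """Jarhead's layout: no SVIs used, pfSense at .1 is the gateway on every VLAN."""
    return Plan(
        vlans=_vlans(1),
        pfsense_addrs={16: "192.168.16.1", 10: "192.168.10.1", 20: "192.168.20.1"},
        switch_svis={},
        trunk_vlans={16, 10, 20},
        access_ports={"1/1": 10, "1/2": 20},
        dhcp_from_pfsense={16, 10, 20},
    )


if __name__ == "__main__":
    for name, plan in (("current", poster_plan()), ("recommended", recommended_plan())):
        print(f"== {name} ==")
        for line in check_plan(plan) or ["no findings"]:
            print(" ", line)
```

Running it prints five findings for the current layout (three SVI gateways plus two VLANs where both devices route and hosts are present) and none for the recommended one; extending `check_plan` with a check that each DHCP range excludes the gateway and pfSense addresses is a natural next step.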
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.