How to have SVI's in a L3 switch route to the internet through a Pfsense router?
-
I've seen this question everywhere and it never seems as if there was an answer.
This is for a personal home environment, and I want the SVI routing in a L3 switch rather than VLANs being handled in a router even though that would be the simplest method.
Currently everything is set up where the WAN interface is connected to the internet, the LAN interface is connected to my home network where it's just running a basic network.
The Opt1 interface on the router is the test environment before doing my actual environment.
So we have
opt 1 - 172.16.2.1/30 connected to a L3 Cisco SW SG300-10 switch in L3 mode interface Gi 10 172.16.2.2/30
In the switch for simplicity I have configured the SVI 60 172.16.15.1/26 and enabled DHCP. I have a separate computer connected to interface gi 1 with
interface gigabitethernet1
switchport mode access
switchport access vlan 60
The PC successfully got its IP. Here is the issue: from that device I can't ping 172.16.15.1 or 172.16.15.2 and obviously the internet, and I can ping the SVI's gateway.
From the switch while consoled in I ping everything including the internet, so I know the firewall is fine. Just not from the SVI's.
I even followed this guide to add some static routes leading back to the SVI. Which was the only different thing compared to what I tried already.
Can anyone please point me to an article that has had success in this or point out the obvious thing I am missing, such as the wrong [blank], or whether you just can't do what I am asking.
Here is the config
Home-LabSW#show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static
S 0.0.0.0/0 [1/1] via 172.16.2.1, 00:16:48, gi10
C 172.16.2.0/30 is directly connected, gi10
C 172.16.15.0/26 is directly connected, vlan 60
Home-LabSW#show running-config
config-file-header
Home-LabSW
v1.4.11.5 / R800_NIK_1_4_220_026
CLI v1.0
set system mode router
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 60-67
exit
ip dhcp server
ip dhcp excluded-address 172.16.15.1 172.16.15.10
ip dhcp pool network VLAN60-DHCP
address low 172.16.15.1 high 172.16.15.62 255.255.255.192
default-router 172.16.15.1
dns-server 1.1.1.1
exit
ip dhcp pool network VLAN61-DHCP
address low 172.16.15.65 high 172.16.15.126 255.255.255.192
default-router 172.16.15.65
exit
ip dhcp pool network VLAN66-DHCP
address low 172.16.15.129 high 172.16.15.190 255.255.255.192
default-router 172.16.15.129
exit
ip dhcp pool network VLAN67-DHCP
address low 172.16.15.193 high 172.16.15.254 255.255.255.192
default-router 172.16.15.193
exit
bonjour interface range vlan 1
ip access-list extended SSH-Log
exit
hostname Home-LabSW
ip ssh server
clock source sntp
!
interface vlan 1
no ip address dhcp
shutdown
!
interface vlan 60
name "Home-Lab Network"
ip address 172.16.15.1 255.255.255.192
!
interface vlan 61
name "Home-Lab Reserve"
ip address 172.16.15.65 255.255.255.192
!
interface vlan 66
name "GNS3 Network"
ip address 172.16.15.129 255.255.255.192
!
interface vlan 67
name "Reserverd Network"
ip address 172.16.15.193 255.255.255.192
!
interface gigabitethernet1
switchport mode access
switchport access vlan 60
!
interface gigabitethernet10
description "Interface to Router"
ip address 172.16.2.2 255.255.255.252
!
exit
ip default-gateway 172.16.2.1
-
@Bravo-0
On a "Full Cisco" ... ie. 3560 series, you have to enable L3 routing, and make a "default route":
ip routing
ip route 0.0.0.0 0.0.0.0 172.16.2.1
I have no idea if it's the same on a "home switch".
That would enable L3 routing, and set the def-gw (L3 wise).
You would also have to make a static route on the pfSense, that routes the 172.x.x.x nets to the /30 IF of the switch: 172.16.2.2
Internet
Since pfSense doesn't know about the 172.x.x.x nets behind the switch, it hasn't made any WAN NAT entries for those, you'd have to do them manually (I'd suggest hybrid NAT).
Also watch out for Unbound DNS resolving, you have to make an ACL allowing the 172.x.x.x nets to make DNS lookups if using the pfSense for DNS.
Edit: Remember to make the appropriate "inbound allow rules" on the pfSense - switch connect IF (opt1)
/Bingo
-
@bingo600
On a Cisco SG300 from the CLI I can enable L3 with
set system mode router
Let's just focus on one SVI, but in summary this is what it looks like (pasted a simple diagram at the end).
Aside from dealing with the pfSense rules for now, at the very minimum I should be able to ping the interface 172.16.2.2/30, which is interface 10 that connects to the pfSense router.
pfSense should know of my SVI's after some configuration that I did.
I did a packet capture in the pfSense dashboard. From the switch I pinged 1.1.1.1 and it went through:
1.1.1.1 > 172.16.2.2
IP 172.16.15.70 > 172.16.2.1
and I captured it from the WAN as well and it did NAT properly.
So the switch is sending ICMPs from the 172.16.15.0/26 network and succeeding.
But my device connected to port 1 VLAN 60 (SVI 172.16.15.1/26), the same as where the switch pings from, cannot do the same, even as little as reaching an interface 172.16.2.2/30 (gi 10).
Now I thought this might have been an issue with internal routing, but it can actually reach all other SVI's.
So I'm just scratching my head. I did use a Cisco
+---------------------------------------------------+
| pfSense Router                                    |
|                                                   |
| WAN Interface:                                    |
| - DHCP                                            |
|                                                   |
| Opt1 Interface (Connected to Internal Switch):    |
| - IP: 172.16.2.1/30                               |
| - Network: 172.16.2.0/30                          |
|                                                   |
+---------------------------------------------------+
                          |
                          |
+---------------------------------------------------+
| Internal Layer 3 Switch                           |
|                                                   |
| VLAN 60 (HomeLab-Net):                            |
| - SVI IP: 172.16.15.1/26 (Gateway for devices)    |
| - Network: 172.16.15.0/26                         |
|                                                   |
| Interface to pfSense:                             |
| - IP: 172.16.2.2/30                               |
| - Network: 172.16.2.0/30                          |
|                                                   |
+---------------------------------------------------+
-
Just got more information from the firewall: interface monitoring doesn't pick up any incoming traffic from each device on an SVI. So it's not even hitting the device.
Also the interface gi10 does have the no switchport command.
I tried factory preserving and trying from scratch, and I have another switch of the same model with the same issue.
-
@Bravo-0 said in How to have SVI's in a L3 switch route to the internet through a Pfsense router?:
Just got more information from the firewall: interface monitoring doesn't pick up any incoming traffic from each device on an SVI. So it's not even hitting the device.
I'm not sure how to interpret this ...
Didn't you say you had some successful pings ??
Also the interface gi10 does have the no switchport command
So it should operate as a L3 IF, not a switchport ??
I'm not experienced w. the 300 series ....
If it's a "pure L3" IF, try to connect a PC to gi10, and give it the pfSense IP.
Then test if you can ping the switch:
If yes, the switch L3 config ought to be ok (challenge is on pfSense).
If no ... (challenge is on switch)
/Bingo