InterVlan Routing, Layer 3 switch & Pfsense
-
Just as a technical perspective to anyone reading this, whenever you have a router (a Layer 3 switch in your case) and the router has all the interfaces that you want to route between, then a routing protocol is not needed. You would use RIP in a situation where you had several networks connected with several routers and you didn't want to configure static routes on all the switches when you create a new LAN on one of the routers. When you are setting up a network with multiple VLANs and you want to route between the VLANs there are basically two ways of doing it: get a Layer 3 switch like the one you did and turn IP routing on, or do a router on a stick. Here is where it gets a little tricky. You would create all the VLANs on your switch and assign them to the ports of your own choice. You would then create the VLAN interfaces on your router. There is a difference between a VLAN and a VLAN interface. Make sure the port on your HP that is connected to the pfSense box is a tagged port containing all the VLANs that you want pfSense to route between. Then you create the same VLANs on your router (pfSense box) and then create the interface(s). That's it; the router will route between the different interfaces unless you make a rule that denies one LAN from communicating with another. If it were me I would do the router on a stick method instead of letting your switch do it for you, although I'm sure you could create access lists to deny traffic from one network to another, but pfSense is so nice I would let it do all the work for you. In terms of throughput I'm not sure which one will be better; I guess it depends on your hardware and how many VLANs you have.
I know this question was already answered but I saw that there was an opportunity to educate a little bit. One last thing that I will say is that if anyone out there is using older Cisco gear, tagged ports in the Cisco world are called trunk ports, and pfSense uses the industry standard 802.1Q trunking protocol. Older Cisco switches default their trunk ports to the ISL protocol, which won't work with pfSense. Just change your encapsulation type to dot1q and you are good to go. Hope this helps someone out there.
-
I agree with you mikeisfly that VLANs are easier to manage with pfSense and a Layer 2 managed switch deployed as router-on-a-stick. I have tried it already with more than 200 computers in 22 VLANs. It's been 2 years already and until now the network is doing well.
Now, I am facing another scenario. I am working in a bigger network. There are currently 900+ computers and the core switch is a 6509, which is Layer 3 already. I am afraid that the network will slow down if I do router-on-a-stick with pfSense because of too much inter-VLAN traffic.
My plan is to make pfSense an internet firewall by using squidGuard and a rate limiter so that I can limit the internet speed per VLAN.
The following will be the proposed setup:
1. create the same VLANs in pfSense based on the existing VLANs in the 6509
2. configure a trunk port in the 6509 and connect it to the pfSense LAN port
3. enable IP routing in the 6509 so that inter-VLAN traffic will not be forwarded to pfSense; it will be handled by the 6509
4. use pfSense to manage internet traffic in all VLANs
Is this setup possible? I cannot test it in a live network and there is no spare Layer 3 switch here for a test environment. Thank you for sharing your ideas.
-
dimarzio: That's how I initially configured it, and had problems with data going out of one interface and coming into another. The solution as cmb stated earlier is to delete the vlans from pfsense which are on your L3 switch, and create a new vlan (on both the switch & pfsense), add your default route on the switch to use this vlan & pfsense IP, just to handle all the traffic out from the other vlans to the internet, in addition to a route on pfsense to find the vlans behind the switch.
Hope that made sense.
I was luckier as I had a L3 switch to play with before live installation.
-
Thanks thermo!
In your initial setup where you trunked the L3 switch and pfSense, did you try allowing only the necessary ports in each VLAN in pfSense? Like 80 and 443 only, so that other ports will not be forwarded through the pfSense VLANs? Considering that the DHCP and DNS servers are in one of the VLANs on the L3 switch.
How I wish I had a Layer 3 switch to play with.
-
I haven't done much filtering yet; when I tested it, I just set up an allow Subnet/24 to any.
For DHCP and DNS, I just moved these to a separate machine with a VLAN interface for each network required, so these services are "switched/bridged" on their network rather than being routed through the switch/pfSense.
-
I would treat the L3 switch like a router: create a routed port on your switch and create a /30 network between your 6509 and the pfSense box. Set up RIP version 2 on your switch and then create a static route (default route) sending all unknown network destinations to the pfSense box. This can be done with the following commands:
router rip
 version 2
 network x.x.x.x
ip route 0.0.0.0 0.0.0.0 "ip address of your Pfsense box"
(For "network x.x.x.x", type in the network that you want RIP to run on, for example 10.0.0.0, which will turn RIP on for all your interfaces starting with 10.)
Then you can set up QoS based on subnets. I have no experience using pfSense in this way but I have seen some posts around explaining it. There is even a YouTube video explaining how to set up traffic shaping.
If you don't like RIP you can use OSPF, but RIP uses fewer resources on both your routers (I'm calling your L3 switch a router). Hope this helps; I think this is a simpler setup that will accomplish what you want to do. By the way, I would let the pfSense box do your NATing too.
-
Hi,
I have a similar network with 4 VLANs in a Layer 3 switch, pfSense on a trunk port and the default gateway route 0.0.0.0 0.0.0.0 pfsenseIP.
I'd like to ask how you relay DHCP on the other VLANs? My DHCP server (Windows Server) is on vlan2; some clients that obtain their IP automatically are on vlan3, vlan4, vlan5.
-
crisnil,
If you have a Cisco switch then you want to use the ip helper command and point it to your Windows server. You can also set up multiple scopes on your Windows server. Another way to do it is to set up a dot1q trunk to your Windows server (I believe it is VLAN aware; you will have to go into your NIC properties to set it up) and then just set up the scopes that you want. You could let pfSense do the DHCP duties for you as well.
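Putting thermo's transit-link design, mikeisfly's routed /30 port with a default route, and the ip helper DHCP relay from the reply above into one Catalyst 6509 config. This is an added example, not from any post in the thread; every VLAN number, address and port name is made up, with the DHCP server in VLAN 2 and clients in VLANs 3 to 5 as in crisnil's question:

```cisco
! Constructed example for a Catalyst 6509 running IOS. All addresses,
! VLAN numbers and port names are made up.
ip routing
!
! Inter-VLAN traffic is routed on the switch and never reaches pfSense.
interface Vlan2
 description servers (Windows DHCP server at 10.2.0.10)
 ip address 10.2.0.1 255.255.255.0
!
interface Vlan3
 description clients
 ip address 10.3.0.1 255.255.255.0
 ip helper-address 10.2.0.10
!
interface Vlan4
 description clients
 ip address 10.4.0.1 255.255.255.0
 ip helper-address 10.2.0.10
!
interface Vlan5
 description clients
 ip address 10.5.0.1 255.255.255.0
 ip helper-address 10.2.0.10
!
! Routed /30 point-to-point link to the pfSense LAN port. pfSense holds
! no copies of VLANs 2-5 (that is what caused the out-one-interface,
! in-another problem); it only knows this transit network plus the
! static routes listed at the bottom.
interface GigabitEthernet1/1
 description transit to pfSense LAN (pfSense = 10.99.0.2)
 no switchport
 ip address 10.99.0.1 255.255.255.252
!
! Everything the switch has no route for goes to pfSense.
ip route 0.0.0.0 0.0.0.0 10.99.0.2
!
! pfSense side, entered in the GUI under System > Routing, not on the switch:
!   gateway  CORE  = 10.99.0.1 on LAN
!   static route 10.2.0.0/24  via CORE
!   static route 10.3.0.0/24  via CORE
!   static route 10.4.0.0/24  via CORE
!   static route 10.5.0.0/24  via CORE
! plus a LAN firewall rule allowing each /24 (or 10.0.0.0/8) to any,
! because the default LAN rule only matches "LAN net", i.e. 10.99.0.0/30.
```

With this layout the per-VLAN rate limiting and squidGuard filtering still work on pfSense, since every VLAN reaches the internet through the transit link with its original source subnet intact.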
-
Hi,
I have a similar network with 4 VLANs in a Layer 3 switch, pfSense on a trunk port and the default gateway route 0.0.0.0 0.0.0.0 pfsenseIP.
I'd like to ask how you relay DHCP on the other VLANs? My DHCP server (Windows Server) is on vlan2; some clients that obtain their IP automatically are on vlan3, vlan4, vlan5.
I suppose the easy way would be to add a VLAN adapter on your Windows server for VLANs 3, 4 and 5. You will probably need the manufacturer's software to configure VLANs on the NIC. Better would be to do this on another machine, physical or virtual; then you don't have to worry about Windows services exposed on the other VLANs.
-
I'd like to ask how you relay DHCP on the other VLANs? My DHCP server (Windows Server) is on vlan2; some clients that obtain their IP automatically are on vlan3, vlan4, vlan5.
Services>DHCP Relay. Enable as needed.