Vlan and routing
-
so your switch is layer 2 or 3? And pfsense is the gateway for all 3 vlans then? There is a HUGE freaking difference!!!
-
Switch is the Layer 3, the gateways on the vlans is my layer 3 switch.
-
then why configure the vlans on pfsense at all?
-
I see, so I dont need to configure any vlans on the pfsense box?
On the switch side I have tagged the vlan traffic going to the pfsense box, is that correct?
-
Not necessary for a transit network but you certainly can. If I'm talking to a managed switch I usually tag it even if it's only one VLAN. That way you can add another if you need to without either taking it down or mixing tagged and untagged traffic.
-
Okay, should I remove the vlans config from the pfsense box?
-
Okay, should I remove the vlans config from the pfsense box?
General principles:
a) You can use a "layer 3 switch" as a "router" - the words "layer 3" and "switch" put together only make sense when translated to "router" :) - in that case each subnet on the "layer 3 switch" is in a separate VLAN and the "layer 3 switch" has an IP address in each subnet/VLAN which is the gateway for that subnet/VLAN. Then the "layer 3 switch" routes upstream to somewhere - in this case pfSense.b) You can have a "layer 3 switch" and just use it for layer 2, ignore its routing capability. In that case it becomes like a "smart switch"/"VLAN switch" - you make multiple VLANs on it and then trunk all those VLANs straight up to the upstream device (pfSense) and put a VLAN trunk port on the upstream device and have the upstream device do all the routing.
If there is a lot of internal traffic between the subnets/VLANs then (a) is generally better for performance. Otherwise it is somewhat a matter of choice about where to do the routing.
Sounds like you are doing (a). So remove all the individual VLANs from pfSense and do like @johnpoz has described.
If you like, you can have a single tagged VLAN between "layer 3 switch" and pfSense - like @Derelict does - or you can leave it as ordinary untagged.
As you can see, there is more than 1 way to skin a cat, and sometimes it is just a matter of preference.
-
As phil pointed out where you do the routing can come down to a matter of choice, if you want to firewall between your segments for example then pfsense might be better then your l3 switch. Keep in mind that if all you have is 1 interface and your going to put all your segments on that via vlans then traffic in and out of that interface is shared by all segments.
You will be hairpinning traffic when vlan 10 wants to talk to vlan 20 all traffic goes in pfsense interface and then back out same interface again to go to vlan 20, etc..
Which is why if lots of traffic between vlan doing it at the switch is can be better for performance. If firewall between your segments is what your after then you might want to look to getting some more interfaces for pfsense other just all your in out traffic using 1 interface.. Unless that is a 10ge connection your prob going to run into performance issues.
-
Okay, so I have done a factory restore on the box and given it an IP of 10.52.100.123 (VLAN100), connects to the internet etc fine, port the pfsense box is connected too is untagged for VLAN100, the other traffic for VLAN10 and 16 is tagged on the same port.
If I give my laptop a IP within the VLAN100 range I can get internet access fine, if I then plug myself into a vlan16 or 10 port im unable to get any internet access nore ping the pfsense box.
I have the following route setup on the pfsense box, see picture.
My ip route on the layer 3 is as follows:
ip route 0.0.0.0 0.0.0.0 10.52.100.123
I can ping 10.52.100.123 from the core CLI.
-
You are telling pfSense to route traffic for your LANs out WAN. Probably not what you want.
IF YOU ARE USING THE LAYER 3 CAPABILITIES OF THE SWITCH YOU ONLY NEED THE UNTAGGED INTERFACE ON PFSENSE!
You need the default route on the switch, which you have. You also need to create a gateway on pfSense for the switch and create routes for the networks pfSense doesn't know about with a destination of that gateway, not WAN.
Then you need to make sure the firewall rules on your pfSense LAN interface will pass the traffic FROM the "foreign" networks (the networks behind the L3 switch.)
I think automatic outbound NAT is now smart enough to create the NAT rules and everything. if not, they need to be in place for all your LAN sources on WAN.
-
Hi - just to update you, I have now managed to get this all working :)
Thanks for all your help.
