Netgate Discussion Forum
    Installing pfSense with a layer 3 switch

• Derelict LAYER 8 Netgate

      I wouldn't use a layer 3 switch for that. Or at least for the segments you really want to lock down like the guest network.

      This is basic IP routing, bro. Only you can decide how you want your network topology laid out. You can have some networks on the layer 3 switch, relying on whatever its packet filtering capabilities are and some networks on pfSense using its full stateful firewall capabilities. You can have some VLANs with SVIs on the switch and some without SVIs for which pfSense provides all the Layer 3 services. It's really up to you.

      But you really can't put hosts on the same network that connects the two routers unless you want to maintain routing tables on those hosts.

Well I have tried a /30 mask. pfSense does not seem to talk to the switch. I cannot ping either way.

      Then you did it wrong, plain and simple. Post details of what you have actually done, not what you think you've done because it's not what you think you've done or it would be working.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

• johnpoz LAYER 8 Global Moderator

        you really can't put hosts on the same network that connects the two routers unless you want to maintain routing tables on those hosts.

        Exactly!!!! Very cleanly stated…

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

• Derelict LAYER 8 Netgate

          I've been meaning to do this one for a while:

[Attachment: pfSense-Layer-3-Switch.png]

• coxhaus

I use pfsense for a fast router firewall NAT device. I like the idea of snort.

I want to keep all my VLAN networks on the switch. When I create VLANs I always assign an IP network to each VLAN. ACLs provide enough control for me and my network. I have 3 Cisco WAP321 which dump users into a guest network or a LAN network. This works great for me. I am able to feed multiple VLANs to one router VLAN on the layer 3 switch to feed the router. The SG300-28 has a 17 GIG backplane so it can run faster than any internet connection I would have. I only have a 300 megabit connection. I just want the fastest firewall I can run on the front door to the internet. pfSense is on the table now.

I am not saying pfsense has a problem with a /30 mask. It could be the SG300-28 switch. It is why I asked johnpoz whether he had tried it, as he owns a Cisco SG300 switch also. I have posted a question on the Cisco small business web site to ask if there is an issue.

I took a working pfsense router 192.168.10.1/24 mask plugged into a router VLAN on the SG200-28 switch defined with a /24 mask. It was working and is my current config I am using. I changed the VLAN IP to 192.168.10.2/30 on the switch and I changed the default route to 192.168.10.2/30 also. I then ran 2 on the console for pfsense to change the LAN IP to 192.168.10.1/30. I could not ping from the switch using ping on the switch to pfsense. I could not ping from pfsense to the switch. The switch port used is an access port defined to the router VLAN. It is the same port used for the /24 mask which works. This sounds basic so I was looking for confirmation from john since he recommended using a /30 mask on this thread.

• Derelict LAYER 8 Netgate

              Neither the Cisco SG nor pfSense has any problems with a /30 netmask. Guaran-effing-teed. You did something wrong.

              And it doesn't matter one bit what netmask you use. All that matters is that there are no hosts on the transit network that you expect to route properly unless you maintain a proper routing table on that host.

• coxhaus

                The net mask does make a difference.  It works with a /24 mask and does not work with /30 mask.  I do not run any clients in my router VLAN.  The idea of the router VLAN is to isolate from the broadcast domain, default VLAN, Windows chatter, etc. I do not want the router waiting for any local traffic not destined for the internet.

• Derelict LAYER 8 Netgate

                  Dude. You did something wrong. No way the Cisco or pfSense has a problem with /30. If it was /31 maybe. /30 no way. Look at your config again.

• coxhaus

                    When I have another free evening.  I spent about 5 hours going over everything.  I even reinstalled pfsense.

• Derelict LAYER 8 Netgate

                      Chasing ghosts. And that was after changing the netmask on both ends from /29 to /30 - no reboots just change and apply.

![Screen Shot 2016-01-31 at 4.25.48 PM.png](/public/imported_attachments/1/Screen Shot 2016-01-31 at 4.25.48 PM.png)
![Screen Shot 2016-01-31 at 4.25.38 PM.png](/public/imported_attachments/1/Screen Shot 2016-01-31 at 4.25.38 PM.png)
![Screen Shot 2016-01-31 at 4.27.39 PM.png](/public/imported_attachments/1/Screen Shot 2016-01-31 at 4.27.39 PM.png)

• coxhaus

                        You need to be changing the LAN side em1 not em0.  This means all your local networks are routed on the LAN side. And you need static routes for all local traffic. I guess it could be an alias.

• Derelict LAYER 8 Netgate

                          em0 is my LAN side. Neither device has a problem with /30, regardless.

• coxhaus

Sounds good. I don't know why they will not link up with a /30 mask for me. It works with a /24 mask so there is not a rush.

• johnpoz LAYER 8 Global Moderator

                              You can use whatever mask you want for the transit - the point is there can be no clients on the transit or you will end up with problems unless you create host routes on them for the networks in 2 different directions.

                              The fact that you think a /30 is a problem for these devices is beyond nonsense.. As derelict said you did something wrong..

• coxhaus

                                @johnpoz:

                                You can use whatever mask you want for the transit - the point is there can be no clients on the transit or you will end up with problems unless you create host routes on them for the networks in 2 different directions.

                                The fact that you think a /30 is a problem for these devices is beyond nonsense.. As derelict said you did something wrong..

                                The /24 mask is more convenient so if you need to change the gateway to the static routes you can plug in a machine and make the change.  With a /30 mask there basically is no access to pfsense if something happens to your routing other than console from what I see.

                                The question about the /30 mask can be answered by you since you have one of these SG300 switches.  Just set it up.  Please post the config on the SG300 and I will compare it to mine.

• Derelict LAYER 8 Netgate

                                  Pertinent parts.

                                  vlan database
                                  vlan 1000,2000

                                  ip dhcp server
                                  ip dhcp pool network TEST_LAYER3
                                  address low 172.28.1.65 high 172.28.1.254 255.255.255.0
                                  default-router 172.28.1.1
                                  dns-server 192.168.223.1
                                  exit

                                  interface vlan 1000
                                  name TRANSIT
                                  ip address 192.168.230.2 255.255.255.252
                                  !

                                  interface vlan 2000
                                  name TEST_LAYER3
                                  ip address 172.28.1.1 255.255.255.0
                                  !

                                  interface gigabitethernet46
                                  description ROUTER_LAN
                                  switchport mode general
                                  switchport general allowed vlan add 1000 tagged
                                  switchport general acceptable-frame-type tagged-only
                                  !

                                  Not a lot to it. On pfSense I just created interface TRANSIT on vlan1000 as 192.168.230.1/30, a gateway for 192.168.230.2, and a static route for 172.28.0.0/16 to the gateway.

                                  Then I passed ICMP any source any dest TRANSIT address on the TRANSIT interface. Could ping across in both directions and from a host on vlan 2000.

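As an added example (not code from the thread or from Netgate), the design Derelict describes above, run through a few sanity checks with Python's ipaddress module: the /30 transit link, the on-link gateway and summary static route, the SVI and its DHCP pool, and the "no clients on the transit" rule. The addresses are the ones posted in the thread; the counter-examples at the end are constructed.

```python
import ipaddress

def check_transit_link(fw_cidr, sw_cidr):
    """Problems with the point-to-point link itself: same subnet, usable addresses."""
    fw, sw = ipaddress.ip_interface(fw_cidr), ipaddress.ip_interface(sw_cidr)
    problems = []
    if fw.network != sw.network:
        problems.append(f"ends are in different subnets: {fw.network} vs {sw.network}")
    for name, iface in (("firewall", fw), ("switch", sw)):
        net = iface.network
        # A /31 (RFC 3021) has no network or broadcast address; /30 and shorter do.
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} address {iface.ip} is unusable in {net}")
    if fw.ip == sw.ip:
        problems.append(f"both ends use {fw.ip}")
    return problems

def check_static_route(fw_cidr, route_cidr, gateway, svi_cidrs):
    """The summary route on pfSense needs an on-link gateway and must cover every SVI."""
    transit = ipaddress.ip_interface(fw_cidr).network
    route, gw = ipaddress.ip_network(route_cidr), ipaddress.ip_address(gateway)
    problems = []
    if gw not in transit:
        problems.append(f"gateway {gw} is not on the transit network {transit}")
    for svi in svi_cidrs:
        if not ipaddress.ip_interface(svi).network.subnet_of(route):
            problems.append(f"SVI subnet {svi} is not covered by route {route}")
    return problems

def check_transit_hosts(fw_cidr, sw_cidr, host_addrs):
    """Anything other than the two routers on the transit needs its own routes both ways."""
    transit = ipaddress.ip_interface(fw_cidr).network
    routers = {ipaddress.ip_interface(fw_cidr).ip, ipaddress.ip_interface(sw_cidr).ip}
    return [f"host {h} sits on transit {transit}: host routes needed or move it"
            for h in map(ipaddress.ip_address, host_addrs)
            if h in transit and h not in routers]

def check_dhcp_pool(svi_cidr, low, high):
    """The DHCP range must lie inside the SVI subnet and must not hand out the SVI address."""
    svi = ipaddress.ip_interface(svi_cidr)
    lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
    problems = []
    if lo not in svi.network or hi not in svi.network:
        problems.append(f"pool {lo}-{hi} is outside {svi.network}")
    if lo <= svi.ip <= hi:
        problems.append(f"pool {lo}-{hi} includes the default router {svi.ip}")
    return problems

if __name__ == "__main__":
    # Derelict's working config: pfSense 192.168.230.1/30, SVI 192.168.230.2/30,
    # static route 172.28.0.0/16 via the SVI, VLAN 2000 SVI 172.28.1.1/24, pool .65-.254.
    found = (check_transit_link("192.168.230.1/30", "192.168.230.2/30")
             + check_static_route("192.168.230.1/30", "172.28.0.0/16",
                                  "192.168.230.2", ["172.28.1.1/24"])
             + check_dhcp_pool("172.28.1.1/24", "172.28.1.65", "172.28.1.254"))
    print("Derelict's config:", found or "no problems found")
    # coxhaus's link as described: both /30 ends are valid, so the mask itself is not at fault.
    print("coxhaus's /30 link:",
          check_transit_link("192.168.10.1/30", "192.168.10.2/30") or "no problems found")
    # Constructed counter-examples: a .0 address on a /30, and a client parked on a /24 transit.
    print(check_transit_link("192.168.10.0/30", "192.168.10.1/30"))
    print(check_transit_hosts("192.168.10.1/24", "192.168.10.2/24", ["192.168.10.50"]))
```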
• Derelict LAYER 8 Netgate

                                    @coxhaus:

                                    The /24 mask is more convenient so if you need to change the gateway to the static routes you can plug in a machine and make the change.  With a /30 mask there basically is no access to pfsense if something happens to your routing other than console from what I see.

                                    That's what management VLANs are for.

• coxhaus

                                      @Derelict:

[quoting the switch config and pfSense transit setup from the post above]

I think I have found at least one difference: my switch port is defined as an access port. The idea was to keep all the routing on the L3 switch. The port adds the tags as data comes in and strips tags as data flows out.

• Derelict LAYER 8 Netgate

                                        If you're only doing one VLAN between pfSense and the switch an access port is fine but you can't define the VLANs on pfSense - it has to just be emX, not vlan X on emX.

                                        When talking to a managed switch I always tag it even if it's only one so you can add a vlan without screwing up what's already working.

• oletuv

                                          @Derelict:

[quoting the switch config and pfSense transit setup from the post above]

I've followed this discussion with great interest since I have a similar SG300 layer 3 setup as Coxhaus and have just started to look into replacing my Linksys LRT224 router with a pfSense firewall.

                                          When using a transit network for the routing between the switch and the firewall as in your nice example, I guess there must be a separate management interface/IP address used for logging into the pfSense Web GUI?

• oletuv

                                            @Derelict:

                                            @coxhaus:

                                            The /24 mask is more convenient so if you need to change the gateway to the static routes you can plug in a machine and make the change.  With a /30 mask there basically is no access to pfsense if something happens to your routing other than console from what I see.

                                            That's what management VLANs are for.

I'm totally new to pfSense and am collecting information on how to set it up and administer it. Is the default management VLAN in pfSense VLAN 1, and is the IP address configured for the LAN interface the address of the management VLAN?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.