Installing pfSense with a layer 3 switch
-
I wouldn't use a layer 3 switch for that. Or at least for the segments you really want to lock down like the guest network.
This is basic IP routing, bro. Only you can decide how you want your network topology laid out. You can have some networks on the layer 3 switch, relying on whatever its packet filtering capabilities are and some networks on pfSense using its full stateful firewall capabilities. You can have some VLANs with SVIs on the switch and some without SVIs for which pfSense provides all the Layer 3 services. It's really up to you.
But you really can't put hosts on the same network that connects the two routers unless you want to maintain routing tables on those hosts.
Well I have tried /30 mask. pfsense does not seem to talk to the switch. I can not ping either way.
Then you did it wrong, plain and simple. Post details of what you have actually done, not what you think you've done because it's not what you think you've done or it would be working.
-
you really can't put hosts on the same network that connects the two routers unless you want to maintain routing tables on those hosts.
Exactly!!!! Very cleanly stated…
-
I've been meaning to do this one for a while:
-
I use pfsense for a fast router firewall NAT device. I like the idea of snort.
I want to keep all my VLAN networks on the switch. When I create VLANs I always assign an IP network to each VLAN. ACLs provide enough control for me and my network. I have 3 Cisco WAP321 which dumps users into a guess network or a LAN network. This works great for me. I am able to feed multiple VLANs to one router VLAN on the layer3 switch to feed the router. The SG300-28 has a 17 GIG backplane so it can run faster than any internet connection I would have. I only have a 300megabit connection. I just want the fastest firewall I can run on the front door to the internet. pfSense is on the table now.
I am not saying pfsense has a problem with a /30 mask. It could be the SG300-28 switch. It is why I asked johpoz whether he had tried it as he owns an Cisco SG300 switch also. I have posted a question on the Cisco small business web site to ask if there is an issue.
I took a working pfsense router 192.168.10.1/24 mask plugged into a router VLAN on the SG200-28 switch defined with a /24 mask. It was working and is my current config I am using. I changed the VLAN IP to 192.168.10.2/30 on the switch and I changed the default route to 192.168.10.2/30 also. I then ran 2 on the console for pfsense to change the LAN IP to 192.168.10.1/30. I could not ping from the switch using ping on the switch to pfsense. I could not ping from pfsense to the switch. The switch port used is an access port defined to the router VLAN. It is the same port used for the /24 mask which works. This sounds basic so I was looking for confirmation from john since he recommended using a /30 mask on this thread.
-
Neither the Cisco SG nor pfSense has any problems with a /30 netmask. Guaran-effing-teed. You did something wrong.
And it doesn't matter one bit what netmask you use. All that matters is that there are no hosts on the transit network that you expect to route properly unless you maintain a proper routing table on that host.
-
The net mask does make a difference. It works with a /24 mask and does not work with /30 mask. I do not run any clients in my router VLAN. The idea of the router VLAN is to isolate from the broadcast domain, default VLAN, Windows chatter, etc. I do not want the router waiting for any local traffic not destined for the internet.
-
Dude. You did something wrong. No way the Cisco or pfSense has a problem with /30. If it was /31 maybe. /30 no way. Look at your config again.
-
When I have another free evening. I spent about 5 hours going over everything. I even reinstalled pfsense.
-
Chasing ghosts. And that was after changing the netmask on both ends from /29 to /30 - no reboots just change and apply.
 -
You need to be changing the LAN side em1 not em0. This means all your local networks are routed on the LAN side. And you need static routes for all local traffic. I guess it could be an alias.
-
em0 is my LAN side. Neither device has a problem with /30, regardless.
-
Sounds good. I don't know why they will not link up with /30 mask for me. It works with a /24 mask so there is not a rush.
-
You can use whatever mask you want for the transit - the point is there can be no clients on the transit or you will end up with problems unless you create host routes on them for the networks in 2 different directions.
The fact that you think a /30 is a problem for these devices is beyond nonsense.. As derelict said you did something wrong..
-
You can use whatever mask you want for the transit - the point is there can be no clients on the transit or you will end up with problems unless you create host routes on them for the networks in 2 different directions.
The fact that you think a /30 is a problem for these devices is beyond nonsense.. As derelict said you did something wrong..
The /24 mask is more convenient so if you need to change the gateway to the static routes you can plug in a machine and make the change. With a /30 mask there basically is no access to pfsense if something happens to your routing other than console from what I see.
The question about the /30 mask can be answered by you since you have one of these SG300 switches. Just set it up. Please post the config on the SG300 and I will compare it to mine.
-
Pertinent parts.
vlan database
vlan 1000,2000ip dhcp server
ip dhcp pool network TEST_LAYER3
address low 172.28.1.65 high 172.28.1.254 255.255.255.0
default-router 172.28.1.1
dns-server 192.168.223.1
exitinterface vlan 1000
name TRANSIT
ip address 192.168.230.2 255.255.255.252
!interface vlan 2000
name TEST_LAYER3
ip address 172.28.1.1 255.255.255.0
!interface gigabitethernet46
description ROUTER_LAN
switchport mode general
switchport general allowed vlan add 1000 tagged
switchport general acceptable-frame-type tagged-only
!Not a lot to it. On pfSense I just created interface TRANSIT on vlan1000 as 192.168.230.1/30, a gateway for 192.168.230.2, and a static route for 172.28.0.0/16 to the gateway.
Then I passed ICMP any source any dest TRANSIT address on the TRANSIT interface. Could ping across in both directions and from a host on vlan 2000.
-
The /24 mask is more convenient so if you need to change the gateway to the static routes you can plug in a machine and make the change. With a /30 mask there basically is no access to pfsense if something happens to your routing other than console from what I see.
That's what management VLANs are for.
-
Pertinent parts.
vlan database
vlan 1000,2000ip dhcp server
ip dhcp pool network TEST_LAYER3
address low 172.28.1.65 high 172.28.1.254 255.255.255.0
default-router 172.28.1.1
dns-server 192.168.223.1
exitinterface vlan 1000
name TRANSIT
ip address 192.168.230.2 255.255.255.252
!interface vlan 2000
name TEST_LAYER3
ip address 172.28.1.1 255.255.255.0
!interface gigabitethernet46
description ROUTER_LAN
switchport mode general
switchport general allowed vlan add 1000 tagged
switchport general acceptable-frame-type tagged-only
!Not a lot to it. On pfSense I just created interface TRANSIT on vlan1000 as 192.168.230.1/30, a gateway for 192.168.230.2, and a static route for 172.28.0.0/16 to the gateway.
Then I passed ICMP any source any dest TRANSIT address on the TRANSIT interface. Could ping across in both directions and from a host on vlan 2000.
I think I have found at least one difference my switch port is defined as an access port. The idea was to keep all the routing on the L3 switch. The port adds the tags as data comes in and strips tags as data flows out.
-
If you're only doing one VLAN between pfSense and the switch an access port is fine but you can't define the VLANs on pfSense - it has to just be emX, not vlan X on emX.
When talking to a managed switch I always tag it even if it's only one so you can add a vlan without screwing up what's already working.
-
Pertinent parts.
vlan database
vlan 1000,2000ip dhcp server
ip dhcp pool network TEST_LAYER3
address low 172.28.1.65 high 172.28.1.254 255.255.255.0
default-router 172.28.1.1
dns-server 192.168.223.1
exitinterface vlan 1000
name TRANSIT
ip address 192.168.230.2 255.255.255.252
!interface vlan 2000
name TEST_LAYER3
ip address 172.28.1.1 255.255.255.0
!interface gigabitethernet46
description ROUTER_LAN
switchport mode general
switchport general allowed vlan add 1000 tagged
switchport general acceptable-frame-type tagged-only
!Not a lot to it. On pfSense I just created interface TRANSIT on vlan1000 as 192.168.230.1/30, a gateway for 192.168.230.2, and a static route for 172.28.0.0/16 to the gateway.
Then I passed ICMP any source any dest TRANSIT address on the TRANSIT interface. Could ping across in both directions and from a host on vlan 2000.
I´ve followed this discussion with great interest since I have a similar SG300 layer 3 setup as Coxhaus and have just started to look into replacing my Linksys LRT224 router with a pfSense firewall.
When using a transit network for the routing between the switch and the firewall as in your nice example, I guess there must be a separate management interface/IP address used for logging into the pfSense Web GUI?
-
The /24 mask is more convenient so if you need to change the gateway to the static routes you can plug in a machine and make the change. With a /30 mask there basically is no access to pfsense if something happens to your routing other than console from what I see.
That's what management VLANs are for.
I´m totally new to pfSense and am collecting information on how to set it up and administer it. Is the default management VLAN in pfSense VLAN 1 and is the IP address configured for the LAN interface the address of the management VLAN?
