Netgate Discussion Forum

    L3 switch + pfsense, can't get to the internet?

    eroji

      I recently purchased an inexpensive L3 switch on which I've managed to configure all the VLANs, and connected it to pfSense. The internal IP of pfSense is 10.0.100.1. I created a LAN gateway in pfSense of 10.0.100.2 and set a static route to route anything in 10.0.20.0/24 (VLAN20 on the switch) to 10.0.100.2 (the switch's IP). However, if I connect myself to VLAN20, I am unable to get to the internet.

      I am able to ping pfSense from within the VLAN, and pfSense is able to ping the switch IP, VLAN20's gateway 10.0.20.1, and even the PC connected to the VLAN, 10.0.20.10.

      My guess is I did not configure something to route internet traffic from the WAN back to the switch and then to 10.0.20.10, but I thought that's what I configured the static route for? What exactly am I missing?

      Diagram: http://www.gliffy.com/go/publish/image/10061835/L.png

      pfSense settings: http://imgur.com/a/vMAQY

      Derelict (LAYER 8, Netgate)

        That gliffy seems to indicate the pfSense interface is 10.0.100.0/16. If that is the case, it is wrong; it should be /24.

        However, if I connect myself to VLAN20, I am unable to get to the internet.

        Probably need more information about what "unable to get to the internet" means. Could be DNS, NAT, routes.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        johnpoz (LAYER 8, Global Moderator)

          /16, yeah, that seems wrong. Also, when using downstream router(s) you really need to connect this to pfSense via a transit network, not a network you will have devices on, or you're going to run into asynchronous routing issues.

          See example attached. But yes, your firewall rules for that transit interface would have to allow your downstream networks. Your outbound NAT would have to account for them. And you would have to create a route in pfSense to get to your downstream networks via the transit network IP of that router.

          Is there really no doc on this yet? Seems to come up quite a bit. Could prob throw something together. It's such basic information, which is why it prob has not been documented, yet more and more this seems to come up.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            marvosa

            There are several things happening here:

            • Assuming you did not make a typo on the LAN subnet in your diagram, you will need to re-do your subnets slightly and make some changes:

              • Your transit network (listed as 10.0.100.0/16) is entirely too large. Also, as currently configured, your transit network is actually 10.0.0.0/16 right now. Narrow it down to at least a /24 (you can go as narrow as /30).

              • How dug in are you on VLAN100? The path of least resistance with the least amount of changes would be simply changing the subnet of VLAN100. Or you can keep VLAN100 and modify your transit network. Another option, if you want to keep your IP scheme consistent, is to remove VLAN100 and create a different VLAN (e.g. VLAN90, 10.0.90.0/24).

            • Even though you stated that you created a LAN gateway of 10.0.100.2, your screenshot shows that you actually created a LAN gateway of 10.0.100.1, which is incorrect, but moot anyway, because it wasn't going to work regardless due to your transit network being too wide. Your LAN gateway IP should be the routed port on your switch.

            • Once you have your subnets figured out, verify that there is a default route on your switch pointing back to pfSense.

            • Finally, add static routes for the rest of your subnets.

            At this point, assuming you have your DHCP server handing out the VLAN IP as the default gateway for each VLAN, all should be working. This is exactly how I have my network configured.

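The points raised by johnpoz and marvosa (a too-wide transit network swallowing the downstream subnet, and a static-route gateway that is pfSense's own address) can be checked mechanically before touching the firewall. The following is an added example, not code from the thread or from pfSense; the function name check_layout is my own, and the addresses are the ones posted above.

```python
"""Sanity-check a pfSense + downstream L3 switch layout with the stdlib ipaddress module.

Added example: the addresses below are the ones from the thread, the checks
encode the advice given in the replies (transit /24 to /30, gateway = the
switch's routed port, no overlap between transit and routed subnets).
"""
import ipaddress


def check_layout(transit_iface, downstream_gw, routed_subnets):
    """Return a list of problems (empty when the layout is sane).

    transit_iface  -- pfSense's address on the transit network, e.g. "10.0.100.1/24"
    downstream_gw  -- IP of the switch's routed port (the static-route gateway)
    routed_subnets -- subnets behind the switch that pfSense reaches via downstream_gw
    """
    problems = []
    iface = ipaddress.ip_interface(transit_iface)
    transit = iface.network
    gw = ipaddress.ip_address(downstream_gw)

    # A gateway outside the transit network is unreachable: pfSense cannot ARP for it.
    if gw not in transit:
        problems.append(f"gateway {gw} is not inside transit network {transit}")
    # Pointing the static route at pfSense's own address just loops back to the firewall.
    elif gw == iface.ip:
        problems.append(f"gateway {gw} is pfSense's own transit address")
    # If the transit network contains a routed subnet, pfSense treats those hosts as
    # directly connected and ARPs for them instead of using the static route.
    for s in routed_subnets:
        net = ipaddress.ip_network(s)
        if transit.overlaps(net):
            problems.append(f"transit {transit} overlaps routed subnet {net}")
    # Transit links only need two addresses; anything wider than /24 invites overlap.
    if transit.prefixlen < 24:
        problems.append(f"transit {transit} is wider than /24; use /24 to /30")
    return problems


# Constructed from the thread: diagram shows 10.0.100.0/16, screenshot shows a
# gateway of 10.0.100.1 (pfSense itself).  Expect three findings.
AS_POSTED = check_layout("10.0.100.1/16", "10.0.100.1", ["10.0.20.0/24"])
# The layout the replies recommend: /24 transit, gateway is the switch's routed port.
CORRECTED = check_layout("10.0.100.1/24", "10.0.100.2", ["10.0.20.0/24"])

if __name__ == "__main__":
    for label, findings in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, "->", findings or "OK")
```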
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.