Inter-LAN traffic
-
Transferring data from a desktop in LAN to a NAS in Video network. Both LAN and Video are internal networks with 10.1.1.0/24 and 10.3.1.0/24 subnets. A Netgear managed switch takes care of different networks behind pfSense. All the networks have been configured as VLANs in the managed switch.
The pfSense traffic graph reflects the data being transmitted between the two networks. Shouldn't this be totally transparent to pfSense with no knowledge of what's happening behind the scenes? Am I supposed to see the data transfers between the two? If not, what am I missing in the rules that's forcing it to go through pfSense for routing data instead of the switch?
-
Does your Netgear Switch do Layer 3 routing between those nets or did you configure both nets on your pfSense? If your Switch takes care of routing, you should not see Lan to Lan traffic.
-
It's a NETGEAR ProSafe GSM7248v2. Looks to be Layer 2.
The switch has the VLANs for each net configured in pfSense. Should I be configuring a network in the managed switch? If so, I don't think there is an option for that. Just VLANs for the different physical ports to group together to tag/untag along with PVIDs
-
You have two separate networks, something has to route between them. Traffic can't go from one IP subnet to another without a router. Put them on the same IP subnet if you want it to be local.
-
It's a NETGEAR ProSafe GSM7248v2. Looks to be Layer 2
If the "smart switch" only does layer 2, then all it can do for VLANs is put groups of physical ports into separated VLANs and have trunk ports that VLAN tag packets and push them up to a VLAN-tag-aware device (e.g. pfSense). There is no ability to internally move (route = layer 3) packets between the VLANs.
-
So a layer 3 switch is the solution to this?
-
A layer 3 switch can route between the VLANs without making the firewall do so, yes. Then your gateway on all the VLANs will be a switch IP, and the switch's gateway will point up to an interconnect to the firewall's LAN.
-
If you want any restrictive filtering rules on the traffic between VLANs, then you need to keep putting the traffic through pfSense, or use a layer3 device that also allows filtering that you want to do (which really = pfSense ;) ).
If you just want all traffic to be passed between the VLANs, then a layer-3-capable "switch" is good.