Netgate Discussion Forum

    Installing pfSense with a layer 3 switch

    Problems Installing or Upgrading pfSense Software
    69 Posts 6 Posters 27.6k Views
    • Derelict (LAYER 8 Netgate)

      em0 is my LAN side. Neither device has a problem with /30, regardless.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • coxhaus

        Sounds good.  I don't know why they will not link up with /30 mask for me.  It works with a /24 mask so there is not a rush.

        • johnpoz (LAYER 8 Global Moderator)

          You can use whatever mask you want for the transit - the point is there can be no clients on the transit or you will end up with problems unless you create host routes on them for the networks in 2 different directions.

          The fact that you think a /30 is a problem for these devices is beyond nonsense.. As derelict said you did something wrong..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • coxhaus

            @johnpoz:

            You can use whatever mask you want for the transit - the point is there can be no clients on the transit or you will end up with problems unless you create host routes on them for the networks in 2 different directions.

            The fact that you think a /30 is a problem for these devices is beyond nonsense.. As derelict said you did something wrong..

            The /24 mask is more convenient so if you need to change the gateway to the static routes you can plug in a machine and make the change.  With a /30 mask there basically is no access to pfsense if something happens to your routing other than console from what I see.

            The question about the /30 mask can be answered by you since you have one of these SG300 switches.  Just set it up.  Please post the config on the SG300 and I will compare it to mine.

            • Derelict (LAYER 8 Netgate)

              Pertinent parts.

              vlan database
              vlan 1000,2000

              ip dhcp server
              ip dhcp pool network TEST_LAYER3
              address low 172.28.1.65 high 172.28.1.254 255.255.255.0
              default-router 172.28.1.1
              dns-server 192.168.223.1
              exit

              interface vlan 1000
              name TRANSIT
              ip address 192.168.230.2 255.255.255.252
              !

              interface vlan 2000
              name TEST_LAYER3
              ip address 172.28.1.1 255.255.255.0
              !

              interface gigabitethernet46
              description ROUTER_LAN
              switchport mode general
              switchport general allowed vlan add 1000 tagged
              switchport general acceptable-frame-type tagged-only
              !

              Not a lot to it. On pfSense I just created interface TRANSIT on vlan1000 as 192.168.230.1/30, a gateway for 192.168.230.2, and a static route for 172.28.0.0/16 to the gateway.

              Then I passed ICMP any source any dest TRANSIT address on the TRANSIT interface. Could ping across in both directions and from a host on vlan 2000.

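The transit design in the post above, checked with an added script that is not from the thread: it uses Python's ipaddress module to verify the posted /30 ends, the gateway and static route on the pfSense side, and the SG300 DHCP pool, and it also reports the spare addresses that make a /24 transit a place where clients can end up (the point johnpoz makes earlier). Function names and the finding texts are this example's own.

```python
import ipaddress


def check_transit(fw_ip: str, sw_ip: str, prefix: int) -> list[str]:
    """Check the two ends of a point-to-point transit link; [] means clean."""
    findings = []
    fw = ipaddress.ip_interface(f"{fw_ip}/{prefix}")
    sw = ipaddress.ip_interface(f"{sw_ip}/{prefix}")
    if fw.network != sw.network:
        return [f"ends are in different subnets: {fw.network} vs {sw.network}"]
    # hosts() leaves out the network and broadcast address, so .0 or .3 of a /30
    # is flagged here (a classic cause of two routers that "will not link up")
    usable = set(fw.network.hosts())
    for end in (fw.ip, sw.ip):
        if end not in usable:
            findings.append(f"{end} is not a usable host address in {fw.network}")
    # any mask works as long as only the two routers sit on the transit
    spare = len(usable) - 2
    if spare > 0:
        findings.append(f"{spare} spare addresses on the transit: keep clients off it")
    return findings


def check_routing(fw_ip: str, prefix: int, gateway: str, static_route: str,
                  switch_vlans: dict[str, str]) -> list[str]:
    """pfSense side: the gateway must be on the TRANSIT subnet and the static
    route must cover every VLAN the switch routes."""
    findings = []
    fw = ipaddress.ip_interface(f"{fw_ip}/{prefix}")
    gw = ipaddress.ip_address(gateway)
    if gw not in fw.network:
        findings.append(f"gateway {gw} is not on the TRANSIT subnet {fw.network}")
    route = ipaddress.ip_network(static_route)
    for name, cidr in switch_vlans.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(route):
            findings.append(f"{name} {net} is not covered by the static route {route}")
        if net.overlaps(fw.network):
            findings.append(f"{name} {net} overlaps the transit network")
    return findings


def check_dhcp_pool(vlan_cidr: str, low: str, high: str, router: str) -> list[str]:
    """SG300 'ip dhcp pool network': pool and default-router inside the VLAN,
    default-router outside the lease range."""
    findings = []
    net = ipaddress.ip_network(vlan_cidr)
    lo, hi, gw = (ipaddress.ip_address(a) for a in (low, high, router))
    usable = set(net.hosts())
    for label, addr in (("pool low", lo), ("pool high", hi), ("default-router", gw)):
        if addr not in usable:
            findings.append(f"{label} {addr} is not a usable host in {net}")
    if lo <= gw <= hi:
        findings.append(f"default-router {gw} lies inside the pool {lo}-{hi}")
    return findings


def audit_posted_design() -> list[str]:
    """All checks against the values Derelict posted; returns [] for them."""
    return (check_transit("192.168.230.1", "192.168.230.2", 30)
            + check_routing("192.168.230.1", 30, "192.168.230.2", "172.28.0.0/16",
                            {"TEST_LAYER3": "172.28.1.0/24"})
            + check_dhcp_pool("172.28.1.0/24", "172.28.1.65", "172.28.1.254",
                              "172.28.1.1"))
```

Running check_transit with prefix 24 on the same two addresses returns the single "252 spare addresses" finding, which is the only difference the mask makes.
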
              • Derelict (LAYER 8 Netgate)

                @coxhaus:

                The /24 mask is more convenient so if you need to change the gateway to the static routes you can plug in a machine and make the change.  With a /30 mask there basically is no access to pfsense if something happens to your routing other than console from what I see.

                That's what management VLANs are for.

                • coxhaus

                  @Derelict:

                  interface gigabitethernet46
                  description ROUTER_LAN
                  switchport mode general
                  switchport general allowed vlan add 1000 tagged
                  switchport general acceptable-frame-type tagged-only
                  !

                  I think I have found at least one difference: my switch port is defined as an access port. The idea was to keep all the routing on the L3 switch.  The port adds the tags as data comes in and strips tags as data flows out.

                  • Derelict (LAYER 8 Netgate)

                    If you're only doing one VLAN between pfSense and the switch an access port is fine but you can't define the VLANs on pfSense - it has to just be emX, not vlan X on emX.

                    When talking to a managed switch I always tag it even if it's only one so you can add a vlan without screwing up what's already working.

                    • oletuv

                      @Derelict:

                      Not a lot to it. On pfSense I just created interface TRANSIT on vlan1000 as 192.168.230.1/30, a gateway for 192.168.230.2, and a static route for 172.28.0.0/16 to the gateway.

                      I've followed this discussion with great interest since I have a similar SG300 layer 3 setup as Coxhaus and have just started to look into replacing my Linksys LRT224 router with a pfSense firewall.

                      When using a transit network for the routing between the switch and the firewall as in your nice example, I guess there must be a separate management interface/IP address used for logging into the pfSense Web GUI?

                      • oletuv

                        @Derelict:

                        @coxhaus:

                        The /24 mask is more convenient so if you need to change the gateway to the static routes you can plug in a machine and make the change.  With a /30 mask there basically is no access to pfsense if something happens to your routing other than console from what I see.

                        That's what management VLANs are for.

                        I'm totally new to pfSense and am collecting information on how to set it up and administer it. Is the default management VLAN in pfSense VLAN 1 and is the IP address configured for the LAN interface the address of the management VLAN?

                        • Derelict (LAYER 8 Netgate)

                          All interfaces in pfSense are untagged by default, with WAN configured to obtain an address via DHCP and LAN as 192.168.1.1 with an active DHCP server starting at .100. You should really start another thread with a specific question. Doesn't sound like this has much to do with this one.

                          • oletuv

                            @Derelict:

                            Not a lot to it. On pfSense I just created interface TRANSIT on vlan1000 as 192.168.230.1/30, a gateway for 192.168.230.2, and a static route for 172.28.0.0/16 to the gateway.

                            Did you define a default route on the L3 switch pointing to 192.168.230.1, or isn't this necessary?

                            • Derelict (LAYER 8 Netgate)

                              Yes if you want all traffic without a better route to go to 192.168.230.1.

                              • oletuv

                                @Derelict:

                                All interfaces in pfSense are untagged by default, with WAN configured to obtain an address via DHCP and LAN as 192.168.1.1 with an active DHCP server starting at .100. You should really start another thread with a specific question. Doesn't sound like this has much to do with this one.

                                Well, Coxhaus asked the same question, how to access/manage the pfSense other than the console when set up with a /30 address, and you said "That's what management VLANs are for."

                                I take your point and will start a new thread with specific questions when I start setting up pfSense with my SG300 L3 switch.

                                • Derelict (LAYER 8 Netgate)

                                  Out-of-band management of your firewall gets tricky. Cisco ASAs have the same problem. It would be really nice to have an interface that, by default, wasn't in the firewall's main routing table and wasn't accessible via the other normal interfaces, yet listened on ssh and webgui.

                                  I would settle for forcing management interfaces (ssh, webgui, snmp, etc) to only listen on a specific interface's IP address.

                                  As it is you have to create a VLAN interface. It will also be listening on management services.
                                  Block access to all management ports/addresses on unfriendly interfaces.

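An added example, not from the thread, that models pfSense's per-interface, first-match rule evaluation with default deny, to show why the advice above to block management ports on unfriendly interfaces matters: the GUI and ssh listen on every firewall address, so only the rules decide who reaches them. The MGMT and LAN addresses, the interface names other than TRANSIT, and the Rule class are assumptions for this illustration.

```python
from dataclasses import dataclass

# Addresses the firewall itself holds per interface. TRANSIT is the value from
# the thread; MGMT and LAN are assumed for this example.
FW_ADDRS = {"TRANSIT": "192.168.230.1", "MGMT": "10.99.0.1", "LAN": "192.168.1.1"}
MGMT_PORTS = frozenset({22, 443})  # ssh and webgui


@dataclass(frozen=True)
class Rule:
    iface: str                       # interface the rule is attached to
    action: str                      # "pass" or "block"
    proto: str = "any"               # "any", "icmp" or "tcp"
    dst: str = "any"                 # "any", "self" (every firewall address) or an interface name
    dports: frozenset = frozenset()  # empty means any destination port

    def matches(self, iface: str, proto: str, dst_ip: str, dport: int) -> bool:
        if self.iface != iface or self.proto not in ("any", proto):
            return False
        if self.dst == "self":
            dst_ok = dst_ip in FW_ADDRS.values()
        elif self.dst == "any":
            dst_ok = True
        else:
            dst_ok = dst_ip == FW_ADDRS[self.dst]
        return dst_ok and (not self.dports or dport in self.dports)


def evaluate(rules: list, iface: str, proto: str, dst_ip: str, dport: int = 0) -> str:
    """First matching rule on the ingress interface wins; no match is default deny."""
    for rule in rules:
        if rule.matches(iface, proto, dst_ip, dport):
            return rule.action
    return "block"


# The test rule from the thread: ICMP to the TRANSIT address, nothing else.
MINIMAL = [Rule("TRANSIT", "pass", "icmp", "TRANSIT")]

# A "pass anything" rule on TRANSIT also opens ssh and the webgui, on every
# firewall address, to whatever sits behind the switch.
PERMISSIVE = [Rule("TRANSIT", "pass")]

# Hardened: block management ports to any firewall address first, then pass
# routed traffic; management is allowed only on the MGMT interface.
HARDENED = [
    Rule("TRANSIT", "block", "tcp", "self", MGMT_PORTS),
    Rule("TRANSIT", "pass"),
    Rule("MGMT", "pass", "tcp", "MGMT", MGMT_PORTS),
]
```
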
                                  • johnpoz (LAYER 8 Global Moderator)

                                    What does the transit network size have to do with management??

                                    You do understand you can get to the webgui or ssh on any IP in pfsense as long as your rules allow it.  Even from the wan side if you allow it via rules.

                                    • oletuv

                                      @johnpoz:

                                      What does the transit network size have to do with management??

                                      Obviously nothing.

                                      You do understand you can get to the webgui or ssh on any IP in pfsense as long as your rules allow it.  Even from the wan side if you allow it via rules.

                                      I did not know and that is why I asked. I understand now that you've explained it. I'm totally new to pfSense and have just started to read the documentation and information found on the forum.

                                      I'm well aware that silly questions from n00bs like me might irritate expert users like yourself. You understand, we all have to start somewhere.  ;)

                                      • johnpoz (LAYER 8 Global Moderator)

                                        Silly questions do not irritate me, that is for sure; what can get frustrating is the same questions over and over and over and over again, without searching for the information yourself before asking ;)

                                        But even when the questions are "silly" I still answer them or point to where they are answered… So ask away your questions..  That is what we are here for.

                                        • Derelict (LAYER 8 Netgate)

                                          People think this stuff is easy. And it is with a grasp of everything in the ISO model.

                                          • oletuv

                                            @johnpoz:

                                            Silly questions do not irritate me, that is for sure; what can get frustrating is the same questions over and over and over and over again, without searching for the information yourself before asking ;)

                                            But even when the questions are "silly" I still answer them or point to where they are answered… So ask away your questions..  That is what we are here for.

                                            Thank you very much, sir. I really appreciate the great effort and help expert users like yourself and Derelict provide in the community forum.

                                            Coxhaus and myself are both old farts. I'm 70 and retarded .. sorry retired  ;D and unlike Coxhaus who I believe worked professionally with Cisco stuff in the old days, I just started with setting up a home network based on separate components (SG300-10, SG200-08, Cisco WAP371, Linksys LRT214) a few months ago. It's the LRT214 I'm planning to replace with a pfSense firewall.

                                            I'm moving in to a new 90 m2 apartment in a couple of months where I'll put my home network in production. For sure I would do just fine with a small consumer router (Asus, Netgear etc.) or even the ISP provided one. I'm doing all this for fun, it's an excellent pensionist exercise.  :)
