Moving VLANs from pfSense to L3 Switch
-
Right now all my VLAN's are defined on pfSense and thus pfSense does all my inter-VLAN routing. However, now that I have a L3 switch (Dell X1052) I'd like to move the VLAN routing to that switch. This way all my VMware cluster traffic (vSAN, vMotion, VMs, etc.) does not even need to be defined on pfSense and will all be handled by the switch.
So to do this I'd like to setup a "transit" VLAN between pfSense an my switch (lets say VLAN 99). So on pfSense I'd set VLAN 99 as 10.0.99.1/30 and on the switch I'd set VLAN 99 to 10.0.99.2/30.
My question is how do I route the traffic between the two? I've setup a default route (0.0.0.0/0.0.0.0) with a next hop of 10.0.99.1 on my switch but I'm not sure how the switch port needs to be configured or if that route is correct. I've tried setting the switch port connected to the pfSense LAN port as a trunk, untagged in 99, or tagged in 99 but I can't seem to get communication between the two.
-
If i remember my VLAN understanding correct, and you've added a interface that is linked to the VLAN, then tagged is the proper way to set it. You shouldn't have to route from the switch to do that though.
The thing with VLAN is that you untag the ingress ports the traffic exits the virtual switched network. (to the endpoints that don't have to have a VLAN configuration to be able to work) and you tag all the ports that talks to the VLAN exclusively. On pfsense that also means creating a virtual interface where the VLAN traffic goes in its tagged state.Naturally you would also have to add firewall rules to that interface as to how you want pfsense to route the traffic.
-
does your new L3 switch do extended Access lists? Ie can you firewall between vlans, moving all your routing for lan to your switch will remove the ability to firewall between your segments like you have with pfsense.
In a nutshell since no vlan tags are going to hit pfsense, there is no vlan required on pfsense.. It it just your transit network.. Does not need to be a trunk port to be honest..
Sure your default route on your switch can point to pfsense IP in the transit network. But pfsense needs to have route(s) created for the networks that are on the other side of your L3 switch. Depending on the networks you have on the other side of your L3 switch (router) you could just use 1 route statement that includes all the network ranges behind your L3.
Your firewall rules on that transit network (interface connected to your switch) need to allow for those downstream networks range. And you will need to adjust your outbound nats to nat those networks as well.
-
You need to use access ports on both pfsense and the layer3 switch. Don't use trunk ports. This forces the layer3 switch to route. You need one port on the layer3 switch defined to the same network as pfsense on the LAN side. All traffic from the layer3 switch will be routed to pfsense so you need route statements on pfsense or a routing protocol.
-
I have a similar setup to what you're trying to accomplish. My L3 switch handles all the inter-vlan routing and my Juniper SRX firewalls (soon to be pfSense) are connected via access port.
To make my pfSense box route networks it doesn't know about, I created a new gateway on the same subnet that the pfsense's LAN interface. Then added routes for the additional subnets that points to my gateway (L3 switch).
-
Another easy way to do it is to use a dynamic routing protocol between your pfsense box and your l3 switch. RIP should do the trick just download routed package and advertise all routes you want discovered. You will have to look up instructions on your dell switch I'm not fimilar with it.