4 Vlans - Use L3 Switch or PfSense?
-
That is an interesting point. While I do want to keep speeds high I, I have a need for atleast 1 of the Vlans to not have access to the rest of the network.
You do not have to do all one or the other. You can do both.
You can tag a transit network to the switch and route your "trusted" networks to it. You can also tag a layer 2, pfSense VLAN interface to the switch as well.
The switch can route among as many different VLANs as you want locally.
Just don't put a VIF/SVI on the untrusted, layer 2 VLAN and set pfSense as their default gateway there. All traffic from the untrusted to the trusted networks will then have to go through the firewall.
-
So I'm using a combination of everything you all said. This might sound pretty stupid but I just added more virtual NICS to my VMS and I'm going to put the ones that need to be on multiple Vlans on them.
-
That generally gets pretty ugly and you end up with asymmetric routing problems but go for it.
-
^ yeah with Derelict here that is a HORRIFIC work around and yeah if your not very very careful your going to for sure have asymmetrical routing problems.
"do is enable inter-vlan routing on the switch for some vlans and the ones that dont will have to go back to the router to get their instructions. "
Yes as Derelict already went over this can be done.. You route what you want at the switch and stuff you want to firewall you can send to pfsense.
But I am curious if you have devices that you just want to route at the switch, so you not doing any firewalling - why can they not just be on the same layer 2 network anyway?? Why do you want to route between them?? In a work setup the reason you do this would lack of IPs.. Too many devices… You sure do not want to put 2000 machines on the same broadcast domain. But you have 2000 some servers that need to talk to each other. So you put them either on 4 /24s or 2 /23's etc. and route between them at the switch. Since you don't really care to firewall between these devices.
Or maybe different physical location and its just easier to route vs extend the layer 2, etc.
But in a home setup I don't see the reason to complicate the setup, especially for someone that isn't fully up to speed of all the stuff involved in the complication. I am all for network segregation in the home.. I have multiple networks that are all firewalled from each other for security reasons. My guest wifi for example doesn't need access to any of my other networks. My iot devices are isolated, etc. So while my even my wifi is eap-tls to access. It still doesn't have full access into my normal wired network, etc.
Why can you not just put the stuff that you need HIGH speed full wirespeed between on the same layer 2? Multihoming it is going to end up being way way more complicated than it needs to be for no reason at all.
-
^ yeah with Derelict here that is a HORRIFIC work around and yeah if your not very very careful your going to for sure have asymmetrical routing problems.
"do is enable inter-vlan routing on the switch for some vlans and the ones that dont will have to go back to the router to get their instructions. "
Yes as Derelict already went over this can be done.. You route what you want at the switch and stuff you want to firewall you can send to pfsense.
But I am curious if you have devices that you just want to route at the switch, so you not doing any firewalling - why can they not just be on the same layer 2 network anyway?? Why do you want to route between them?? In a work setup the reason you do this would lack of IPs.. Too many devices… You sure do not want to put 2000 machines on the same broadcast domain. But you have 2000 some servers that need to talk to each other. So you put them either on 4 /24s or 2 /23's etc. and route between them at the switch. Since you don't really care to firewall between these devices.
Or maybe different physical location and its just easier to route vs extend the layer 2, etc.
But in a home setup I don't see the reason to complicate the setup, especially for someone that isn't fully up to speed of all the stuff involved in the complication. I am all for network segregation in the home.. I have multiple networks that are all firewalled from each other for security reasons. My guest wifi for example doesn't need access to any of my other networks. My iot devices are isolated, etc. So while my even my wifi is eap-tls to access. It still doesn't have full access into my normal wired network, etc.
Why can you not just put the stuff that you need HIGH speed full wirespeed between on the same layer 2? Multihoming it is going to end up being way way more complicated than it needs to be for no reason at all.
Great question. The original reason I wanted to separate my networks at the end of the day would be for security reasons.
I have 4 networks that I've been messing around with.
-
public
-
private
-
servers
-
vpn
I want public and private networks to be able to talk to the servers and I want public and private to be able to talk to each other when private initiates the conversation, which I believe I setup correctly on PFsenses firewall.
My issue with public and private being on the same network is I don't want someone in public to be able to sniff the traffic of private.
Obviously VPN I want to be on a separate network all together with and isolate all traffic from everyone else. I am doing this right now by adding a network adapter to my PFsense box and that is connected to a L2 switch with the devices I need on the VPN. The only gateway for the interface on PFSense is to the vpn with firewall rules blocking all other traffic. That seems to be working right now.
My issue I'm at right now is the following:
The way my setup is currently is:
|PFSENSE|
–---|----
|Trunk port (All Vlans)
||L3 capable Switch1| ---------- Access port (Vlan10)
|
|Trunk port (All Vlans)
||L2 Switch2|--------- Access port (Vlan 10)
/
/
/
/ Access Port (Vlan10)
/
Access port (Vlan 5)The devices all get their IP addresses via DHCP correctly from PFSense and can ping the default gateway correctly. They can also Ping each other if they are connected to the same layer 3 switch. BUT as soon as a client on switch 2 needs to ping someon on switch 1, it breaks. And Vice versa.
The first switch is a ubiquiti edgeswitch and the 2nd is a Vmware Vswitch.
Any ideas?
-
-
Your transit network should be ONLY for transit traffic. There should be no hosts on it. Make another VLAN for the transit traffic and put VLAN 10 on the Layer 3 switch and tag it across with the rest of them.
If you need to ports on switch 1 to be on VLAN 10, put it behind switch 2. Two routers is going to give you asymmetric routing problems unless they all know all the routes necessary all the time.
Or you have to hairpin the traffic at pfSense, which is ugly. It'd be a shame to see that implemented in all the layer 3 switch goodness due to poor design.
-
when you say transit network, what are you referencing? The connection from pfsense to Switch1?
Just to clarify switch2 is a vmware Vswitch hosted on a virtual machine. I have 5 virtual machines connected to a vswitch with one physical network interface that goes back to switch1. I cannot put other devices on that switch that are not a part of the vm host.
I only have 1 router right now and its the pfsense router. The wan port goes out to the internet and I have 1 lan interface that goes back to switch 1 and switch 1 is connected to switch 2. I have access/general ports on both switches that are used for end devices.
-
Then why are you calling them L3 switches?
Please diagram your network properly.
-
Then why are you calling them L3 switches?
Please diagram your network properly.
The first L3 switch is a layer 3 switch; https://www.ubnt.com/edgemax/edgeswitch/
The 2nd switch isnt a full l3 smart switch but it supports full 802.1Q Vlan tagging. The 2nd switch does not support inter-vlan routing but that is not required if all the clients are on the same L2 subnet/Vlan.
-
A layer 3-capable switch that is not routing should be called a switch, not a layer 3 switch.
To do otherwise just confuses the people who are trying to help you and wastes everyone's time.
-
A layer 3-capable switch that is not routing should be called a switch, not a layer 3 switch.
To do otherwise just confuses the people who are trying to help you and wastes everyone's time.
ohhhhhh. Ok that makes sense. The next question would be… Should I use them as layer 3 switches :) ??
-
vswitch in esxi can not be layer 3 switches.. They can not route. And no you shoudn't be using layer 3 switches (downstream routing) in your network unless you have specific need for routing at wirespeed vs control. And when you do this then you need to connect your downstream routers with a transit network or your going to run into asymmetrical routing issues.
