Inter VLAN Routing - Internet Access
-
OK.. finally some progress. I connected to the transit network just to get my head around it and saw that I could connect to both 172.16.0.1 (switch) and .0.2 (pfsense) and the internet was working. But I of course couldn't ping 10.1.1.0/24 network on the switch. So I added a new gateway on pfSense for the LAN 172.16.0.1 and in static routing I pointed the network 10.1.1.0/24 to it. That got me reach to 10.1.1.0/24 netowork on the swtich. I then added a static route on pfSense for destination 10.1.1.0/24 use the gateway 172.16.0.1. That got my 10.1.1.0/24 network to start pinging the pfSense and the outside world.. 8.8.8.8
-
your outbound nat has to be adjusted to outbound nat your downstream networks.
I am on the default "Automatic outbound NAT rule generation." and my internal switch network is pointed to pfSense LAN (transit ip) 172.16.0.2 for DNS and its working. Am I doing this right? If not, then could you please guide me on what the setting need to be?
-
Dude post up your outbound nat.. How is psense going to know to nat these downstream networks when it doesn't have them directly connected..
You don't need to create multiple routes for all your /24's on pfsense - just use a summary route. They are all in the 10 space, so 1 route to 10/8 gets you to your switch. On your switch pfsense is internet, so that is the default route..
-
I didn't even touch the outbound nat. I think it took the static routes and updated the mappings. All I did is create static route for each subnet and pointed the transit ip as the gateway.
Here is my automatic outbound nat.
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
WAN 127.0.0.0/8 10.1.1.0/24 10.1.2.0/24 10.1.3.0/24 10.1.4.0/24 172.16.0.0/30 * * 500 WAN address * Auto created rule for ISAKMP
WAN 127.0.0.0/8 10.1.1.0/24 10.1.2.0/24 10.1.3.0/24 10.1.4.0/24 172.16.0.0/30 * * * WAN address * Auto created rule -
I then added a static route on pfSense for destination 10.1.1.0/24 use the gateway 172.16.0.1. That got my 10.1.1.0/24 network to start pinging the pfSense and the outside world.. 8.8.8.8
So what's still not working?
-
The comment by johnpoz "your outbound nat has to be adjusted to outbound nat your downstream networks." got me thinking if I may be missing something that needs to be in place not to break the routes and if its not working the way it should.
Hey as long as I don't have to manually change the settings I am a happy camper ;D
Now if there was a way just to get pfSense DHCP relayed to the downstream networks it would had been icing on cake. I think I will move pfSense back to vmware and install a dhcp vm on the same hardware. With all my vlan traffic now handled by the switch I barely see any CPU usage on pfSense.
-
You could also probably just DHCP in your switch.
-
You could also probably just DHCP in your switch.
Yup that's what I am using currently but its not full fledged as I need it. Have squid proxy dhcp options plus a ton of dhcp static ip assignments which are a pain to manage or configure on the switch.
I may need to start a new thread (or just use this one) as I have to do the same inter vlan routing for ipv6 to the outside world which is tunneling through HE. At the moment its completely broken in the new network. Was working fine when pfSense handled this.
-
You don't need to create multiple routes for all your /24's on pfsense - just use a summary route. They are all in the 10 space, so 1 route to 10/8 gets you to your switch. On your switch pfsense is internet, so that is the default route..
Thanks I will remove the routes and use the summary route. Makes managing the routes a bit simpler :)
-
You could also probably just DHCP in your switch.
Yup that's what I am using currently but its not full fledged as I need it. Have squid proxy dhcp options plus a ton of dhcp static ip assignments which are a pain to manage or configure on the switch.
I may need to start a new thread (or just use this one) as I have to do the same inter vlan routing for ipv6 to the outside world which is tunneling through HE. At the moment its completely broken in the new network. Was working fine when pfSense handled this.
Dual-stack the transit interface using a /64 out of the /48 (you might be able to get more clever here, but I wouldn't for now.)
Probably just route a /56 out of the /48 to the switch and assign interfaces out of it there. You will have 256 /64s to play with.
Default IPv6 route back to pfSense transit.
Then just pass source traffic from that /56 on the pfsense transit interface.
-
Yeah if you want ipv6, you just need to do the same thing via ipv6 transit which could just be link-local. Doesn't have to be one of your /48 from HE.. But with a /48 you have plenty of /64s to play with so yeah you could use one as your transit network. This would make for fully functional traceroutes, etc.
https://tools.ietf.org/html/rfc7404
Using Only Link-Local Addressing inside an IPv6 NetworkAs to your dhcp relay problem - its been brought up quite a bit leveraging pfsense dhcp for pools that pfsense does not have an interface in that network.. I am not sure if that is going to be a future feature or not. But it has come up quite a bit for long time.
Personally I could care less.. If you have come to the point where you network is larger and more complex (ie using downstream routers) you prob should have a dedicated dhcp system with failover, centralized,etc etc. While I agree with you the dhcp server feature list on switches prob going to be limited and interface and or config prob clunky compared to simple gui pfsense has put in place.
If you have vm infrastructure already in place just fire up VM for your dedicated dhcp, etc. Prob want to match that up with your local dns so you can resolve your dhcp clients or reservations, etc.
-
Yup, doing that exactly on VM. Just that I have a dependency on a vm for DNS/DHCP which is not what I am a fan of. Anyways I installed a 2.4 snapshot last night on VM and got the network back up. Now getting the DNS/DHCP in place.
I will resurrect this thread in a day or two as I would need some hand holding on the IPv6 part as I am not comfortable with IPv6 yet as much I am with IPv4 which I did on a regular basis back in 1998. (Windows NT… good old days)
-
If your using a /48 tunnel from HE, then you can use any of those /64 behind pfsense - since that whole /48 is routed down your tunnel.
So just use say the first 1 or the last one of the /64 as your transit.. then put your other /64 on your other segments on your downstream router. Just create your routes for your /64 or summarize them with a /cidr that includes all the /64 your using but does not include your transit network.. Say a /56 on the other end of what your not using as your transit and there you go ;)
-
I bet I was not doing it correctly before… so would need you to point me where to put which IP. ;D
Ok. So I have the below info from HE.
Routed /64:2001:470:xxxx:1010::/64
Routed /48:2001:470:yyyy::/48Before going the L3 switch internal lan route I was using the /48 to /64 in this manner
LAN: 2001:470:yyyy:1::1 (DHCP assigning lan clients 2001:470:yyyy:1::11 through 2001:470:yyyy:1::99)
VoIP: 2001:470:yyyy:2::1 (DHCP assigning voip clients 2001:470:yyyy:2::11 through 2001:470:yyyy:2::99)
Video: 2001:470:yyyy:3::1 (DHCP assigning video clients 2001:470:yyyy:3::11 through 2001:470:yyyy:3::99)Always wondered what happens to the 2001:470:xxxx:1010::/64 allocated by HE.
So when you say I have 64 of these (2001:470:yyyy:: ) how would I write the 64 subnets.. if you can please provide an example of first 2 subnets and the last 2 subnets it would be really helpful.
Here is my network.. I have also added a Microsfot DNS & DHCP on the internal vlan that is serving the clients on the L3 switch. The switch has DHCP relay which is helping relay IPs to all 4 intra lan subnets.
pfSense
WAN: some WAN IP
Transit: 172.16.0.1 (what IPv6 goes here.. the xxx or the yyy one?) should it be like 2001:470:xxxx:1010::1 OR 2001:470:yyyy:172::1Switch
DNS/DHCP: 10.1.1.2 (what IPv6 goes here?) (DHCP has IPv4 and IPv6 scope options)
Transit: 172.16.0.2 (does this need an IPv6? If so how can I configure one as this virtual IP)
LAN: 10.1.1.1 (same here, since this is virtual as well)
VoIP: 10.1.2.1 (same for all below)
Video: 10.1.3.1
Home: 10.1.4.1 -
One example:
Route this to the L3 switch:
2001:470:yyyy:ff00:/56
You can then use 2001:470:yyyy:ff00:/64 through 2001:470:yyyy:ffff:/64 on interfaces there. 256 total.
-
yeah that works.. your network expanded is this
2001:0470:yyyy:0000:0000:0000:0000:0000/48
So your first yeah the /64 subnets would be
2001:0470:yyyy:subnet:0000:0000:0000:0000
-
Route this to the L3 switch:
2001:470:yyyy:ff00:/56
How do I route it to the L3 switch? That was one of my question earlier. I can add an IPv6 address to the transit interface on pfSense but where do I assign it on the switch? Should I just add a static IPv6 on the DNS/DHCP server and then add the /64 scopes for each subnet in the DHCP scopes section?
What about the virtual routed vlan ips 10.1.1.1, 10.1.2.1.. etc
-
you route it to your switch same way you route your 10 networks to your swtich.. over your transit ipv6 network which could be link-local or a /64 global address.
Your pfsense and switch would have to have your global ipv6 transit IP on them..
-
Your pfsense and switch would have to have your global ipv6 transit IP on them..
Now what's a global ipv6? Is it one of the diffent 64 subnets that I can use? I understand on the pfsense it can be easily done by adding an IPv6 interface but how do I assign the same on the switch? especially when the transit ip on the switch itself is virtual.
EDIT: Looks like I don't have Routing IPv6 configuration option in the switch. Just on the management port. Checked online docs and it shows higher end managed switches have the IPv6 routing tab under routing vlans. >:(
-
how do I assign the same on the switch?
Probably need a different forum for that.
Checked online docs and it shows higher end managed switches have the IPv6 routing tab under routing vlans. >:(
Yeah you'll need a real IPv6-ready Layer 3 (or maybe Layer 2+) switch to make that work.
