Inter VLAN Routing - Internet Access

johnpoz

If your using a /48 tunnel from HE, then you can use any of those /64 behind pfsense - since that whole /48 is routed down your tunnel.

So just use say the first 1 or the last one of the /64 as your transit.. then put your other /64 on your other segments on your downstream router.  Just create your routes for your /64 or summarize them with a /cidr that includes all the /64 your using but does not include your transit network.. Say a /56 on the other end of what your not using as your transit and there you go ;)

asterix

I bet I was not doing it correctly before… so would need you to point me where to put which IP.  ;D

Ok. So I have the below info from HE.

Routed /64:2001:470:xxxx:1010::/64
Routed /48:2001:470:yyyy::/48

Before going the L3 switch internal lan route I was using the /48 to /64 in this manner

LAN: 2001:470:yyyy:1::1  (DHCP assigning lan clients 2001:470:yyyy:1::11 through 2001:470:yyyy:1::99)
VoIP: 2001:470:yyyy:2::1 (DHCP assigning voip clients 2001:470:yyyy:2::11 through 2001:470:yyyy:2::99)
Video: 2001:470:yyyy:3::1 (DHCP assigning video clients 2001:470:yyyy:3::11 through 2001:470:yyyy:3::99)

Always wondered what happens to the 2001:470:xxxx:1010::/64 allocated by HE.

So when you say I have 64 of these (2001:470:yyyy:: ) how would I write the 64 subnets.. if you can please provide an example of first 2 subnets and the last 2 subnets it would be really helpful.

Here is my network.. I have also added a Microsfot DNS & DHCP on the internal vlan that is serving the clients on the L3 switch. The switch has DHCP relay which is helping relay IPs to all 4 intra lan subnets.

pfSense
WAN: some WAN IP
Transit: 172.16.0.1  (what IPv6 goes here..  the xxx or the yyy one?) should it be like 2001:470:xxxx:1010::1 OR 2001:470:yyyy:172::1

Switch
DNS/DHCP: 10.1.1.2 (what IPv6 goes here?) (DHCP has IPv4 and IPv6 scope options)
Transit: 172.16.0.2 (does this need an IPv6? If so how can I configure one as this virtual IP)
LAN: 10.1.1.1 (same here, since this is virtual as well)
VoIP: 10.1.2.1 (same for all below)
Video: 10.1.3.1
Home: 10.1.4.1

Derelict

One example:

Route this to the L3 switch:

2001:470:yyyy:ff00:/56

You can then use 2001:470:yyyy:ff00:/64 through 2001:470:yyyy:ffff:/64 on interfaces there. 256 total.

johnpoz

yeah that works.. your network expanded is this

2001:0470:yyyy:0000:0000:0000:0000:0000/48

So your first yeah the /64 subnets would be

2001:0470:yyyy:subnet:0000:0000:0000:0000

asterix

@Derelict:

Route this to the L3 switch:

2001:470:yyyy:ff00:/56

How do I route it to the L3 switch? That was one of my question earlier. I can add an IPv6 address to the transit interface on pfSense but where do I assign it on the switch? Should I just add a static IPv6 on the DNS/DHCP server and then add the /64 scopes for each subnet in the DHCP scopes section?

What about the virtual routed vlan ips 10.1.1.1, 10.1.2.1.. etc

johnpoz

you route it to your switch same way you route your 10 networks to your swtich.. over your transit ipv6 network which could be link-local or a /64 global address.

Your pfsense and switch would have to have your global ipv6 transit IP on them..

asterix

@johnpoz:

Your pfsense and switch would have to have your global ipv6 transit IP on them..

Now what's a global ipv6? Is it one of the diffent 64 subnets that I can use? I understand on the pfsense it can be easily done by adding an IPv6 interface but how do I assign the same on the switch? especially when the transit ip on the switch itself is virtual.

EDIT: Looks like I don't have Routing IPv6 configuration option in the switch. Just on the management port. Checked online docs and it shows higher end managed switches have the IPv6 routing tab under routing vlans.  >:(

Derelict

how do I assign the same on the switch?

Probably need a different forum for that.

Checked online docs and it shows higher end managed switches have the IPv6 routing tab under routing vlans.  >:(

Yeah you'll need a real IPv6-ready Layer 3 (or maybe Layer 2+) switch to make that work.

asterix

Yup. My switch needs an IPv6 license to unlock the functionality. Darn netgear.

johnpoz

Does your switch not allow for a management ipv6 address?

Yes your global IPv6 address is one that falls in 2000::/3, this is the current global unicast IPv6 space.. There is PLENTY more that can be assigned.. but that is what is current..

CC

So if I am reading that correctly, they are using a Layer 2 switch as a Layer 3 NAT router to bridge additional vlans into a single VLAN??

johnpoz

If you have grown to the point that you need to do downstream routing, then its time to move to full time router or switch that actually supports full L3 to be honest..

Its a common problem to be honest.. There is really no way to use your firewall as your router and not have a hit to the speed at which packets can move.. When network is small, or you do not do a lot of intervlan traffic that needs full wire speed it very convenient to just use the one device to handle the routing between your segments and the firewalling, etc.

You need to make a decision.. If you need full wire speed between devices and can not put them on the same network then you can up your hardware to allow for the speed you want running through pfsense.  You can move the routing decision downstream which normally comes at a loss of firewall control between segments.  Depending the router/l3 switch you use may still have some ability to ACL but prob not going to be as easy as with the pfsense gui ;)

Seems your wanting to do more than your current switch can provide - time to update to something better.  Port density with full L3 support comes at cost..  Depending on the number of devices and number of networks and room you have for hardware, etc.  You could get a smaller density L3 switch or true full blow router and use access switches for the port density you need.

This really just comes down to a typical 3 layer model of access, distribution layer and core..

How many devices total do you have, how many devices in each segment - which segments need the fastest intervlan?  You can not collapse the segments that really need to talk to each other at switching speed to the same layer 2?

asterix

I guess you are right, I may have to move to a managed L3 switch. Could you recommend a good solid L3 switch or a router?

I have well over 70+ devices on my network. SmartTVs, mediaplayers, PS4s, Xboxs, iPads, Tabs, laptops, gaming desktops, home automation devices all pretty much running at the same time. Hard wired all devices that support it with CAT6 cables. With 11 kids (8 of my brother..  ;D) in the house especially on weekends, my initial network in fact ran like a 10Mbps hub (remember those things back in the 90's). Plus there is a ton of data that needs to flow for nightly backups. Kids have way too much digital stuff they just can't let go. I have my own test network consisting of servers and workstations, which I didn't mention in my previous posts.

pfSense had become my central management for my entire network and it was becoming the bottleneck. Moving to inter vlan routing has provided significant improvement to my entire network as all pfSense does is provide access to WAN with some security (Snort, pfBlocker, SquidGuard).

johnpoz

so how many of these 70+ devices are wired?  How are they distributed.. All comes down to budget if you ask me..  I have a cisco sg300 that I like.. cost me like $180 couple years back.  Current model would be sg350, it does true L3 and is very feature rich.

There are the unfi switches, that have come long ways and are feature rich and can be managed from their controller software, etc.

Like I said before.. depending how you lay out the access layer and the distribution layer will determine if you need a LOT of ports at your core or distribution layer or only need all the ports at the access layer, etc.  So something like a 10 ports L3 might be fine for your core or distribution..  So do you have everything wired to your current netgear or do you have some downstream switches to that.. We could prob still leverage it as access but put a L3 between it and your pfsense sense, etc.

I see a sg350-10 at $197 on amazon currently
https://www.amazon.com/SYSTEMS-10-Port-Gigabit-Managed-SG35010K9NA/dp/B01HYA36SG

there is 28 for $395
https://www.amazon.com/SYSTEMS-Sg350-28-28-Port-Gigabit-SG35028K9NA/dp/B01HYA38CA

Here is a 8 port edgerouter for under $300
https://www.amazon.com/Ubiquiti-Networks-ER-8-Edgerouter-Router/dp/B00IA5M2AS

You might even take pfsense out of the equation with something like that, or you could still leverage pfsense as your edge firewall and use that as an internal router.. The Ubiquiti edgeswitch line does do layer 3, and their 24 porter starts at 215..
https://www.ubnt.com/edgemax/edgeswitch-lite/

You have to be careful - their unifi switches only do Layer 2, etc..

So if you could give some more details of how all these devices are current connected and distributed throughout your house - where do you need port density?  Downstream switches? etc..  And what sort of budget you have in mind then we could work what hardware and configuration might give you the best bang for your buck!!

asterix

All rooms have at least 3 cat6 cables going all the way to the basement 42U rack. Family room, office and media center room has 6 ports each. Plus there is a server rack which has 12 ports for my work. All cables terminate to a cat6a 10G patch panel on top of the 42U rack. Those cables are then patch corded to the 48 port switch below it. Cable modem also terminates in the patch panel and then routes to the switch. So I need to ensure I have a good quality and responsive 48 port switch since my current switch has barely any vacant ports.

The ubiquiti switches are good but looking at ubnt forums it seems the latest 48 port switch does not yet have the L3 functionality. They advertised it but never added the feature. Expected sometime after sept 2017.

jahonix

I second John's favour for Cisco SG300/350 switches and have installed quite some already. Not a single failure. (will install another 12 next week in university lecture rooms: unpack, flash, use. Done.)
However, I hear good things about D-Link DGS-1510 series (smart) switches.
Stackable with SFP+ ports for quite reasonable prices. But I have no personal experiences with those devices.

asterix

The Cisco 48 port switches are way overpriced and out of my budget. I will keep an eye on eBay for the dlink and netgear l3 switches.

Derelict

Do yourself a favor and watch for Brocade ICX-6450s too. Cisco 3750s can be had as well, though they will likely only be 100M with gig uplinks.

You want an IPv6 L3 switch and don't want to spend any money? Really?

asterix

@Derelict:

Do yourself a favor and watch for Brocade ICX-6450s too. Cisco 3750s can be had as well, though they will likely only be 100M with gig uplinks.

You want an IPv6 L3 switch and don't want to spend any money? Really?

I am not looking to buy overpriced switches. My current switch does have IPv6 L3 functionality but it's hidden and can only be enabled with an IPv6 license which will cost somewhere over the $450 price range. Hence I am looking for better options as I am not willing to pay that exorbitant price for un-hiding something already there.

Derelict

You can easily get a new L3 switch for under $450. A brand new SG300-52 costs about that.

If you need the functionality they offer they are not overpriced.