Subnets Routing Behind Layer 3 switch

afrugone

Thanks for your comments.

I've just noticed a curious thing, the routing is working well to "outlook.office365.com", "www.cnn.com",  but not to "www.google.com", "www.ibm.com", I don't have any special rule for this. From Pfsense webconsole, al pings are 100% OK

ping outlook.office365.com

Haciendo ping a outlook.ms-acdc.office.com [40.102.35.114] con 32 bytes de datos:
Respuesta desde 40.102.35.114: bytes=32 tiempo=236ms TTL=236
Respuesta desde 40.102.35.114: bytes=32 tiempo=227ms TTL=236
Respuesta desde 40.102.35.114: bytes=32 tiempo=227ms TTL=236
Respuesta desde 40.102.35.114: bytes=32 tiempo=234ms TTL=236

ping www.google.com

Haciendo ping a www.google.com [172.217.28.228] con 32 bytes de datos:
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.

Estadísticas de ping para 172.217.28.228:
    Paquetes: enviados = 4, recibidos = 0, perdidos = 4
    (100% perdidos),

afrugone

Hi,

Thanks for your help, finally I found the problem, it was a bad defined rule in the switch router, at least I´ve learned a lesson about routing in PFsense.

Thanks

johnpoz

You still have a asymmetrical issue if devices on your transit need to be accessed from the downstream network(s) or the stuff on the transit access them.

Simple to fix with just bringing up an actual transit between your L3 and pfsense vs using a host network as a transit network.

coxhaus

John they way I handled the asymmetrical issue is to let the layer 3 switch handle all the local routing.  In effect the layer 3 switch is the gateway for all local traffic and pfsense is the gateway for all internet traffic.  It worked fine this way.

I decided I wanted my router in a VLAN by it self so I did move to using a 30 mask for the router VLAN.  But the layer 3 switch is still the gateway for all local LAN traffic and pfsense is the gateway for all internet traffic.

johnpoz

"I decided I wanted my router in a VLAN by it self so I did move to using a 30 mask for the router VLAN"

So you created a transit ;) between the layer 3 and pfsense..

coxhaus

Yes I did move over to a /30 mask but not right away.  I ran a /24 mask for a couple of months with no problems.  The reason I moved to a /30 mask was to eliminate all the chattiness from the work stations slowing down the router to where all traffic going to the router VLAN is destined for the internet.  When workstations start talking to each other behind the scenes this causes the router to wait because it is on the same network.  By isolating the router and allowing the layer 3 switch to switch local traffic I have effectively removed all local bottle necks for the router.

johnpoz

"The reason I moved to a /30 mask was to eliminate all the chattiness from the work stations slowing down the router to where all traffic going to the router VLAN is destined for the internet."

Huh ???

At a complete loss to why would there be workstations on a transit?  And why would devices on a network talking to each other have anything to do with your router - are you using a HUB?

coxhaus

@johnpoz:

"The reason I moved to a /30 mask was to eliminate all the chattiness from the work stations slowing down the router to where all traffic going to the router VLAN is destined for the internet."

Huh ???

At a complete loss to why would there be workstations on a transit?  And why would devices on a network talking to each other have anything to do with your router - are you using a HUB?

What we are talking about John is all because you said asymmetrical routing does not work.  I said it does if you set it up right.  I used it for a while with workstations on the same network.  I later then changed for other reasons other then it did not work.

johnpoz

"asymmetrical routing does not work.  I said it does if you set it up right."

Yeah you can make it work with host routing, or source natting.  Or allowing your firewall out of state traffic.. etc. etc..

Does not matter if you "can make it work".. The point it is setting it up in the first place is just plain BORKED!!  If you condone or promote anyone running a asymmetrical network.. You for sure should not be in the networking biz that is for damn freaking sure!  Sorry that is not ment as personal attack in anyway.. Its just stating my honest to goodness opinion.

coxhaus

Maybe with pfsense it is hard but it is easy to setup using a layer 3 switch.  All you have to do is point the local traffic to the layer 3 switch.  It knows where everything is and will route or switch to the device.  Nothing hard.  It is a good way to bring a layer 3 switch into the fold without disrupting normal operations.