Netgate Discussion Forum
    Routing with L3 switch

    Routing and Multi WAN
    11 Posts 4 Posters 1.8k Views
      awebster

      Yes, it is most likely a routing issue.

      Make sure you add your L3 switch (192.168.2.10) as a gateway on the LAN interface
      Next add a static route to 192.168.100.0/24 and select the LAN gateway you just added from the drop-down list.
      You might also want to repeat that for 192.168.101.0/24 so that both VLAN 100 and 101 are reachable.
      Lastly, make sure you have firewall rules to allow these subnets out.

      –A.

        Derelict (Netgate)

        I don't see a router-interface on the transit network to pfSense. Pretty sure you need that. What you have looks like it's for management only.

        vlan X
         untagged eth 1/1/1
         router-interface ve 1
        !
        interface ve 1
         ip address 192.168.2.10/24

        1/1/1 connected to pfSense. Note that I would tag this on principle and assign transit to VLAN X on pfSense. That way you can tag other VLANs to your switch if necessary without mixing tagged and untagged traffic (see Brocade dual-mode ports for that).

        I would not put the Layer 3 switch on LAN with a bunch of hosts. There should be two things on 192.168.2.0/24 - pfSense and the Switch. No other hosts or you will have asymmetric routing issues which are unnecessary and bad.

        (attached diagram: pfSense-Layer-3-Switch.png)

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          awebster

          Derelict,
          Nice diagram, very clear!

          –A.

            coxhaus

            There are only 4 important things which you need to get right using a layer 3 switch.
            1. Make sure the layer 3 switch uses the LAN interface on pfSense for its default gateway.
            2. With static routes, pfSense needs routing statements for all networks on the layer 3 switch pointing to the gateway IP address on the layer 3 switch.
            3. You need firewall statements on pfSense to allow all the networks on the layer 3 switch out through the firewall on pfSense.
            4. The PCs on the layer 3 switch need to have the layer 3 switch's network as their default gateway.

            I think these are the important steps which make a layer 3 switch work with pfsense or any router.

              Derelict (Netgate)

              5. Don't put any other hosts on LAN with the switch or you will have asymmetric routing issues.


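Added example (my own code, not from the thread and not Netgate's): a small Python model of the two designs discussed above, coxhaus's four points plus Derelict's fifth. Each node does a longest-prefix route lookup, a packet is traced hop by hop in both directions, and the checker reports whether the two paths mirror each other and which firewall would only ever see one half of the flow. The addresses 192.168.2.10, 192.168.100.0/24 and 192.168.101.0/24 come from the thread; the pfSense LAN address 192.168.2.1, the PC addresses and the node names are constructed for the example.

```python
import ipaddress


class Node:
    """A host, firewall or L3 switch. addrs are interface addresses in CIDR
    form, routes are (network, next_hop) pairs; connected routes are derived
    from the interface addresses."""

    def __init__(self, name, addrs, routes=(), firewall=False):
        self.name = name
        self.addrs = [ipaddress.ip_interface(a) for a in addrs]
        self.routes = [(a.network, None) for a in self.addrs]
        self.routes += [(ipaddress.ip_network(net), ipaddress.ip_address(gw))
                        for net, gw in routes]
        self.firewall = firewall

    def owns(self, ip):
        return any(a.ip == ip for a in self.addrs)

    def next_hop(self, dst):
        """Longest-prefix match: the gateway address, or None when dst is on a
        directly connected network."""
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda r: r[0].prefixlen)[1]


def build(spec):
    return {name: Node(name, *args) for name, args in spec.items()}


def owner(topology, ip):
    for node in topology.values():
        if node.owns(ip):
            return node
    raise LookupError(f"no node owns {ip}")


def trace(topology, src, dst, max_hops=16):
    """Node names a packet from src to the address dst passes through."""
    dst = ipaddress.ip_address(dst)
    node, path = topology[src], [src]
    for _ in range(max_hops):
        if node.owns(dst):
            return path
        gw = node.next_hop(dst)
        node = owner(topology, dst if gw is None else gw)
        path.append(node.name)
    raise RuntimeError(f"routing loop at {path[-2:]}")


def check_flow(topology, a, b):
    """Trace a->b and b->a; flag firewalls that see only one direction,
    because a stateful filter like pf cannot track such a flow."""
    fwd = trace(topology, a, topology[b].addrs[0].ip)
    rev = trace(topology, b, topology[a].addrs[0].ip)
    one_way = sorted(n for n in set(fwd) ^ set(rev) if topology[n].firewall)
    return {"symmetric": fwd == rev[::-1], "forward": fwd, "return": rev,
            "firewalls_seeing_one_direction": one_way}


def unrouted_networks(topology, firewall, switch):
    """Switch networks the firewall has no route for (coxhaus's point 2)."""
    fw, sw = topology[firewall], topology[switch]
    missing = []
    for net in (a.network for a in sw.addrs):
        try:
            fw.next_hop(net[1])  # any host address inside the network
        except LookupError:
            missing.append(str(net))
    return missing


# Constructed topologies. 192.168.2.10, 192.168.100.0/24 and 192.168.101.0/24
# come from the thread; the pfSense LAN address and the PCs are assumptions.
# BAD: a PC shares 192.168.2.0/24 with the switch's transit interface.
BAD = build({
    "pfsense": (["192.168.2.1/24"], [("192.168.100.0/24", "192.168.2.10")], True),
    "switch": (["192.168.2.10/24", "192.168.100.1/24"], [("0.0.0.0/0", "192.168.2.1")]),
    "pc-lan": (["192.168.2.50/24"], [("0.0.0.0/0", "192.168.2.1")]),
    "pc-100": (["192.168.100.20/24"], [("0.0.0.0/0", "192.168.100.1")]),
})
# GOOD: 192.168.2.0/24 holds only pfSense and the switch; the PC moves behind
# the switch into VLAN 101 and pfSense gets a static route for that VLAN too.
GOOD = build({
    "pfsense": (["192.168.2.1/24"], [("192.168.100.0/24", "192.168.2.10"),
                                     ("192.168.101.0/24", "192.168.2.10")], True),
    "switch": (["192.168.2.10/24", "192.168.100.1/24", "192.168.101.1/24"],
               [("0.0.0.0/0", "192.168.2.1")]),
    "pc-101": (["192.168.101.50/24"], [("0.0.0.0/0", "192.168.101.1")]),
    "pc-100": (["192.168.100.20/24"], [("0.0.0.0/0", "192.168.100.1")]),
})

if __name__ == "__main__":
    for label, topo, a, b in [("bad", BAD, "pc-lan", "pc-100"),
                              ("good", GOOD, "pc-101", "pc-100"),
                              ("good", GOOD, "pfsense", "pc-100")]:
        print(label, a, "<->", b, check_flow(topo, a, b))
    print("unrouted:", unrouted_networks(GOOD, "pfsense", "switch"))
```

In the BAD topology the request from the LAN PC goes pc-lan, pfSense, switch, pc-100, but the reply goes pc-100, switch, pc-lan: the switch has 192.168.2.0/24 directly connected and hands the packet straight to the PC, so pfSense sees the SYN and never the SYN/ACK and its state table cannot match the rest of the flow. In the GOOD topology every flow that touches pfSense is mirrored. Note also that traffic between VLAN 100 and VLAN 101 never reaches pfSense at all in that design, so any filtering between those VLANs has to be done on the switch.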
                coxhaus

                @Derelict:

                5. Don't put any other hosts on LAN with the switch or you will have asymmetric routing issues.

                I have heard that before but it works if you let the layer 3 switch handle the local routing.  And if you don't believe me try it.

                  Derelict (Netgate)

                  It is still asymmetric and it is still bad design. Even if it works for you now it will likely bite you in the ass later.


                    coxhaus

                    It may be bad design but it happens even in production environments.

                      Derelict (Netgate)

                      Bad design is bad design, regardless of scale.


                        coxhaus

                        I think both agree on bad design.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.