VLAN internet access plus routing issue - Cisco SG300 & ESX 6.5

johnpoz

"Just wonder if you can give me a hand on how to configure SG300 here to make it works?"

Draw up what you did and be happy to..

But lets be clear - downstream router via a transit would not be my suggestion.. As to how you would set it up on a sg300.. It would be just like any other layer 2 vlan. Its just a connection from pfsense to whatever your downstream router is.. If this is the sg300. Then its just a simple access port in whatever vlan you want to setup on on the sg300. Connected to pfsense via native - non vlan interface. Pfsense would not have any clue to what vlan IDs are connected downstream.

It would just need to know what networks are downstream and route to them.. And its firewall rules and outbound nat would have to account for them.

SubX

Johnpoz,

Thanks. Attached please find the diagram as well as the VLAN layout below.
VLAN 1 - 172.16.0.x (172.16.0.6 is router ip / gateway)
VLAN 8 - 172.16.8.x (172.16.8.6 is router ip / gateway)
VLAN 18 - 172.16.18.x (172.16.18.6 is router ip / gateway)
VLAN 88 - 172.16.88.x (172.16.88.6 is router ip / gateway)
VLAN 99 - 192.168.99.x /29 (192.168.99.1 on SG300, 192.168.99.2 on pfSense) - this is transit network

I add static route to allow VLAN 1 and VLAN 8 to route to VLAN 99 next hop = 192.168.99.2 (screenshoot)

Now from 172.16.0.10 can ping VLAN 1, 8, 18, 88 OK. Ping 192.168.99.1 OK.
Ping 192.168.99.2 failed.
From within SG300, I can ping internet host such as google.com, cnn.com etc..

Is it beacuse of VLAN 1 & VLAN 8 route to 192.168.99.2 is inactive? How to activate those two routes?

Thanks,

pfSense_L3R.png_thumb

SG300-inactive-static-route.JPG_thumb

SG300-TransitNetwork-cant-Ping-pfSense.JPG_thumb

SubX

jahonix,

Thanks for the note regarding J9100 limitation.

johnpoz

"VLAN 99 - 192.168.99.x /29 (192.168.99.1 on SG300, 192.168.99.2 on pfSense) - this is transit network"

How is this setup on pfsense? On what interface is this sitting? Your physical lan interface as a vlan or just native network?

What is the sg300 config on this port? It would just be an access port in vlan 99 on the switch.. Pfsense would not have any need to understand this vlan ID. Or any of the other vlan IDs.

What are you routes on pfsense? What does your outbound nat look like… What does the firewall rules look like on the 192.168.99 network?

If your trying to ping pfsense IP on the transit network.. Pfsense has to know how to get back to that downstream network.

SubX

Thanks!!!

pfSense setup only WANpppoe (connect through pppoe directly to internel, gateway becomes dynamic gateway) and LAN (no VLANs) just native.

Port 28 on SG300 as Access, untagged VLAn 99. pfSense doesn't know about any VLAN ID.

Under pfSense routing, there is a WANpppoe gateway (default), follow other post, there is no LAN gateway. Nothing under static route, should I add something here?

Outbound NAT by default, screenshot attached. Firewall rules - WANpppoe allow any to any, LAN allow source 192.168.99.1 > desti 192.168.99.2 , also any to any.

How to config to allow pfSens know how to get back to the downstream network. I setup static route rules in SG300 (screenshot see previous reply), it seems that those two routes are inactive. Or should I set it up in pfSense instead, please show me how to.

Thanks,

PPPoE-n_LAN.JPG_thumb

WANpppoe.JPG_thumb

LAN1.JPG_thumb

LAN2.JPG_thumb

TransitNetwork-SG300-port-AccessPort.JPG_thumb

Routing-GW-WANpppoe1.JPG_thumb

Routing-GW-WANpppoe2.JPG_thumb

Routing-StaticRoute-nothing.JPG_thumb

FireWall-NAT-Auto.JPG_thumb

FireWall-Rules-WANpppoe-default.JPG_thumb

FireWall-Rules-LAN.JPG_thumb

johnpoz

"Nothing under static route, should I add something here?"

How is pfsense suppose to know to get to your networks downstream of your sg300 if you do not have routes?

Once you have created the gateway, not on the interface but in the routing section and create the routes to your downstream network using that gateway it should auto update your outbound nat to include your downstream networks that it can nat outbound.

SubX

Can you be more specific,
Is it like below?
Destination - 172.16.0.0 Gateway - WANpppoe Gateway (or should I create a LAN Gateway 192.168.99.2 ?)
Destination - 172.16.8.0 Gateway - WANpppoe Gateway

Thanks,

johnpoz

Yes you need to create a gateway under gateways. Then create routes under static routes to use that gateway to get to your downstream networks.

SubX

just created LAN gateway and two route one for VLAN 1 and one for VLAN 8.

Now, device from both VLAN 1 and 8 can log in to pfSense (192.168.99.2) , how ever CAN'T ping 192.168.99.2. Check firewall rules, rules allow any port.

What should I check next?

Thanks,

Routing-GW-LAN.JPG_thumb

Routing-StaticRoute-VLAN1&8.JPG

Login-But-Cannt-Ping-from-172.16.8.x-device.JPG

SubX

Add two more firewall rules in LAN - one to allow VLAN 1 to access LAN, one to allow VLAN 8.

Now VLAN 1 & 8 CAN access internet.

So far, everything is fine now. Just wait to see if Bell Hub 3000 will reboot frequently or not. Keep finger cross.

Thanks Johnpoz for all the help !!!! A Big Thank You to you and others who give me a hand !!!

SubX

Bad news, this setup works for around 1 hour before Bell Hub 3000 start to reboot. The same symptom returned when I switched to Bell FTTH service. Before the old DSL modem works without any problem.

Any suggestion here, I will go with pfSense + L2 Switch option where pfSense acts as router to see if the same issue will emerge.

For the pfSense + L2 Switch setup, I will start another post to seek help.