Netgate Discussion Forum

    PfSense plus L2 Cisco SG200 - VLAN routing on pfSense / Transit Network Help

    Scheduled Pinned Locked Moved General pfSense Questions
    6 Posts 3 Posters 1.3k Views
      SubX

      Thanks to the support from the pfSense gurus on this forum, I managed to set up pfSense and a Layer 3 Cisco SG300-28, where the VLAN routing was done by the SG300.

      Now I would like to test out pfSense with a Layer 2 SG200, where the VLAN routing will be done in pfSense. When designing the layout, I have several questions regarding the VLANs and the transit network.

      Background Info

      • ISP connection > Bell Fibre internet via PPPoE pass-through (Bell uses VLAN 35 for its internet). Fiber GPON connects to a TP-Link MC220L media converter
        -  Bell > MC220L > pfSense WAN  > pfSense LAN
        -  pfSense WAN > em0_VLAN35 (network type = pppoe)
        -  pfSense interfaces > several VLANs below
          * WANpppoe (em0_vlan35 with pppoe)
          * LAN_VLAN199 (/29 subnet, 192.168.99.2 on pfSense)
          * LAN (re0)
          * LAN_VLAN10 (ESX VM Mgmt Kernel)
          * LAN_VLAN20 (ESX VM Network)
          * LAN_VLAN30 (ESX vMotion)
          * LAN_VLAN60 (ESX iSCSI)
      • FW Rules
            * VLAN 10, 20, 30, 60 are allowed to communicate with each other
            * LAN has a rule to allow source 192.168.99.1 to destination 192.168.99.2
      • Cisco SG200 (8 port) setup
            * P1 - trunk 10,20,30,60,199 (tagged)  - connected to pfSense re0
            * P2 - trunk 10,20,30,199 (tagged)  - connected to ESX1 vnic 0 (mgmt, vm)
            * P3 - trunk 10,20,30,199 (tagged)  - connected to ESX2 vnic 0 (mgmt, vm)
            * P4 - access 60 (untagged) - connected to ESX1 vnic1 (iSCSI)
            * P5 - access 60 (untagged) - connected to ESX2 vnic1 (iSCSI)
            * P6 - access 60 (untagged) - connected to iSCSI box 1
            * P7 - access 60 (untagged) - connected to iSCSI box 2
            * P8 - trunk 10,20,30,60,199 (tagged) - connected to testing laptop

      Questions

      • Transit Network (VLAN 199)
          * In the previous L3 SG300 setup, one end (192.168.99.2) is on pfSense and the other end (192.168.99.1) is the VLAN gateway that resides in the SG300.
          * Since the SG200 is not an L3 switch, when creating a VLAN in the SG200 I only need to provide the VLAN number; no IP is assigned to the VLAN. What should I do in this case?
            trunk 10,20,30,60,199 (tagged)
          * Does the transit network work with only one IP (192.168.199.2) assigned to LAN_VLAN199?

      • FW rules
          * Is the above good enough? Are any other rules required?
          * Does each VLAN (10,20,30,60) need a rule to allow 192.168.99.1 to 99.2 (transit network)?

      • SG200
          * Any issues with this layout?

      Many Thanks,

        Guest

        Thanks to the support from the pfSense gurus on this forum, I managed to set up pfSense and a Layer 3 Cisco SG300-28, where the VLAN routing was done by the SG300.

        With a Layer 3 switch you will be using, or needing, a transfer net to get it working at its best.

        Now I would like to test out pfSense with a Layer 2 SG200, where the VLAN routing will be done in pfSense. When designing the layout, I have several questions regarding the VLANs and the transit network.

        By using a Layer 2 switch you will not be needing a transfer net; you will be leading the VLANs, tagged, to the pfSense box,
        and pfSense must then route between the VLANs itself.

          SubX

          @BlueKobold:

          By using a Layer 2 switch you will not be needing a transfer net; you will be leading the VLANs, tagged, to the pfSense box,
          and pfSense must then route between the VLANs itself.

          Last night, using the transit network (VLAN 199), my device on VLAN 20 could access the internet. The problem is that VLAN 20 can't reach VLAN 30, although in the firewall rules all VLANs have rules allowing * to * communication on all ports and protocols. VLAN 20 can reach VLAN 60.

          I will try to remove VLAN 199 (transit network) since it is not required in a Layer 2 scenario. I still need help on the VLAN routing. Are rules in the firewall enough, or do I need to create a gateway or static route under Routing? Any previous posts which could help me out are also welcome.

          Thanks,

            johnpoz LAYER 8 Global Moderator

            "Are rules in the firewall enough, or do I need to create a gateway or static route under Routing?"

            If the networks are attached directly to pfSense then it already knows about the routing. All you have to do is add the rules that allow the inter-VLAN traffic you want.


              SubX
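As an added illustration of johnpoz's point (this is not code from the thread or from pfSense), a small Python model of how pfSense handles the VLANs in this thread: every attached subnet yields a connected route with no static route configured, and each flow is judged by the rule set of the interface it enters. The /29 transit net is from the post; the /24 ranges for VLANs 10/20/30/60 are assumed values.

```python
import ipaddress

# Constructed interface table modelled on the thread. The /29 transit
# subnet (VLAN 199) is from the post; the /24 ranges for VLANs 10/20/30/60
# are assumed values the page does not give.
INTERFACES = {
    "LAN_VLAN199": ipaddress.ip_interface("192.168.99.2/29"),
    "LAN_VLAN10": ipaddress.ip_interface("192.168.10.1/24"),
    "LAN_VLAN20": ipaddress.ip_interface("192.168.20.1/24"),
    "LAN_VLAN30": ipaddress.ip_interface("192.168.30.1/24"),
    "LAN_VLAN60": ipaddress.ip_interface("192.168.60.1/24"),
}
WAN = "WANpppoe"

# Per-interface rule lists as the post describes them: any-to-any on the four
# server VLANs, and only 192.168.99.1 -> 192.168.99.2 on the transit VLAN.
# Tuples are (action, source, destination); first match wins, implicit block.
RULES = {
    "LAN_VLAN10": [("pass", "any", "any")],
    "LAN_VLAN20": [("pass", "any", "any")],
    "LAN_VLAN30": [("pass", "any", "any")],
    "LAN_VLAN60": [("pass", "any", "any")],
    "LAN_VLAN199": [("pass", "192.168.99.1/32", "192.168.99.2/32")],
}

def connected_routes(interfaces=INTERFACES):
    """Routes pfSense knows without any static route: one per attached
    subnet, plus the default route learned from the PPPoE WAN."""
    routes = [(iface.network, name) for name, iface in interfaces.items()]
    routes.append((ipaddress.ip_network("0.0.0.0/0"), WAN))
    return routes

def lookup(address, routes=None):
    """Longest-prefix match: which interface owns or reaches this address."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes or connected_routes() if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def _matches(spec, addr):
    return spec == "any" or addr in ipaddress.ip_network(spec)

def evaluate(src, dst):
    """Apply the rule set of the ingress interface (pfSense filters where a
    packet enters) and report (action, ingress, egress)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, egress = lookup(src), lookup(dst)
    for action, rs, rd in RULES.get(ingress, []):
        if _matches(rs, s) and _matches(rd, d):
            return action, ingress, egress
    return "block", ingress, egress
```

Running evaluate("192.168.20.10", "192.168.30.10") yields a pass from LAN_VLAN20 to LAN_VLAN30 purely from the connected routes and the VLAN 20 rule, while a host on the transit /29 is blocked from VLAN 20 because its only rule covers 192.168.99.1 to 192.168.99.2.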

              You guys rock! Big Thanks to you all!

              No transit network this time. No static route. Only Firewall rules.

              Currently VM mgmt and iSCSI work fine. Will try VM and vMotion later.

              Have a great Thanksgiving, pfSense guru!

                SubX

                All VLANs are working fine, as expected. It is all about the firewall rule settings.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.