Struggling to get netgate/pfsense working with cisco vrfs
-
Looking for any help or direction. I just moved and purchased a new switch (Nexus 3k) and new firewall (netgate xg-7100). I've wedged my old network above the two new devices so I can get it all working and still have internet in the house until I have it working.
I've attached a basic network diagram and the nexus config.
Basically I've got two vrfs on the 3k, servers on one and clients on the other. If I remove the next hop in the vrf definitions that points to the interfaces I defined on pfsense, eigrp does its thing and packets flow between the two vrfs. When I try and put the firewall in the middle I can get to local resources, but not between vrfs (or the internet). If I plug the test laptop into one of the standard LAN interfaces on the pfsense device I can get out to the net fine, but not to other resources on the vrfs.
I've tried setting the switch ports to be trunk ports but also have a native vlan.
On the netgate, under Switch, I created two VLANs, one for vlan 100 (servers) and one for vlan 200 (clients). Allowing ports 2, 4, 5, 6, 7, 8 to be tagged on either interface.
on the netgate under interfaces -> vlans, i create two, one for 100 using interface ix0 and the other for 200, using lagg0. With the assumption that I'll send client bound traffic through the gigE interfaces and server bound traffic through the 10gigE interface. I then went to interface assignments and created two interfaces, pfsense_server_fw (going through ix0 vlan 100) and pfsense_client_fw (going through lagg0 vlan 200).
I assigned a static IP to each of the two new interfaces.
I added an allow any/any from/to any/any rule to each of the new interfaces for testing purposes.
I also added a DHCP server to each interface.
From the test laptop or server I can ping default gateways, but I can't ping the FW interface I created on that network, and also can't reach cross vrf.
I'm sure I'm missing something basic. I will probably just wipe the config and try again from scratch, but I'm wondering if anyone sees something glaringly wrong with what I'm trying to do here?
[for home.txt](/public/imported_attachments/1/for home.txt) -
What is the point of running 2 vrfs? I do not understand the point? Other than over complicating it..
You would run vrfs to isolate customers where you have different routing tables and different networks on a shared hardware.. For the life of me why would anyone run multiple vrfs for their home setup?
What are you even running routing protocol for? Do you have network popping up that your not in control of so you need to dynamically route traffic somewhere? Again this over complication for what reason??
What are the firewall rules you created on your pfsense for your different vlans - if you want pfsense to allow traffic between your networks you will have to allow for it in the rules.
-
Why run enterprise switches at home? why have servers at home? why even use pfsense at home?
Because I feel like it. Just like you feel like spending 4/5ths of your post criticizing me for doing something, why do you do it? because you want to.
Under firewall / rules / lan, for each the default LAN, and the two interfaces i created, i added an allow any/any from any/any for testing.
-
You run pfsense at home because it makes it EASY… Your making it HARD for no reason.. Other than you want to make it as complex as possible?
Complexity only leads to problems.. KISS is your friend..
Do you have a need to run downstream router.. Then don't, if you don't have reason to run routing protocols.. Just handing back and forth all day long the same routes.. You don't!
Once you create a VRF you just created an isolated router.. How do you get from 1 router to another - via a transit network. Your drawing doesn't show any downstream routing.. What you show is 2 layer 2 networks your vlan 100 and 200..
Your drawing shows zero point for VRFs and even if you were going to set them up you have no downstream networks for them to route.. You have your 2 hosts (your test) boxes in the transit networks..
There is the since I can aspect sure - but clearly you can not ;) So why do it?
If you want to learn about this sort of enterprise level features - all for it.. But start basic and complex up... Also you mention HSRP... ok - where is your other device that makes up the pair for your hrsp? You don't do hsrp with 1 device.
If your pointing your client to your 3k IP for its gateway, you now have created asymmetrical routing problem. If you point the client to pfsense IP in that vlan - then there is zero point to the vrf.. If your wanting to play with this ok.. But get the basics understood first..
You specifically asked
"if anyone sees something glaringly wrong with what I'm trying to do here?"I was giving my comments to what is wrong.. What is wrong is you don't have a use case for such network.. You have created 2 downstream routers with your vrfs but no downstream networks? You don't understand why routing protocol doesn't work when you put a firewall between?
Let psfense route and firewall traffic between your network segments. Once you have that working if you want to create a downstream router on your 3k.. Sure.. If you want to play with routing protocols - run them between pfsense and your now downstream router on your 3k.
-
It's a while since I touched a Nexus switch with VRFs.
Shouldn't you have the following under the interfaces :-
ip vrf forwarding VRF_NAME
Also what's the HSRP and EIGRP commands doing there with a single switch, was there some config on the switch when you got it?
