Is it possible to replace a pfsense in your router task, by a layer 3 switch?

DiegoCa

Dear, good afternoon! A networking consultation ...

I have a pfsense, which started as a router & firewall, but currently I have it working only as a router to connect 2 subnets.

Nowadays i have to buy a switch, and I was wondering if buying a layer 3 switch, I could use it to connect my 2 subnetworks and thus cancel the pfsene ...

JKnott

@DiegoCa

Well, since routers and layer 3 switches have the same function, yes. The main difference is that switches do routing in hardware, but routers do it in software.

johnpoz

While yes a L3 switch can normally act as a router.. Firewalling or restricting access is going to be far more complicated than how you can do it with pfsense.

Some more info on what makes up your network... So these 2 networks you have that talk to each other... Why can they not just be on the same network? You have isolated them for what reason exactly?

How do these 2 networks, get to other networks - ie the internet?

How many devices do you have on these 2 networks? Is there some specific make and model of L3 switch you have been looking at?

DiegoCa

Hi johnpoz,

I answer you below your comments ...

While yes a L3 switch can normally act as a router.. Firewalling or restricting access is going to be far more complicated than how you can do it with pfsense.

Yeah that's right...

Some more info on what makes up your network... So these 2 networks you have that talk to each other... Why can they not just be on the same network? You have isolated them for what reason exactly?

I currently have a subnet 10.10.0.X / 24 and another subnet 10.10.10.X / 24.

In the first, there are administrative PCs and in the second there are industrial equipment (PCs, PLCs, etc.).
The equipment of the industrial network must access the administrative network in order to register various events in a database. And from the administrative network must access the industrial network to handle the equipment.

How do these 2 networks, get to other networks - ie the internet?

We have a primary pfsense, which has a static route from the network 10.10.0.X to the network 10.10.10.X.
On the other hand, there are rules that do not allow equipment from the industrial network to go to the internet.

How many devices do you have on these 2 networks? Is there some specific make and model of L3 switch you have been looking at?

In the administrative network there are around 100 hosts and in the industrial network around 25 hosts (pc, plc, etc.)
I was watching the HP 1920S Switch - JL381A

johnpoz

Not seeing why you think it makes sense to do routing at your L3 switch then? How you going to get rid of this pfsense if its your connectivity to the internet..

You mean you have 2 pfsense currently and one your just using as downstream router?

internet -- pfs1 --- transit network --- pfs2 -- 10.10.0/24 and 10.10.10/24

What is the network that connects pfs1 to pfs2?

Why do you not just connect both of these networks to your primary pfs?

What switch(es) are you using now? You have described nothing that could not be done with 1 pfs box and either dumb switches or vlan switches.

DiegoCa

Not seeing why you think it makes sense to do routing at your L3 switch then? How you going to get rid of this pfsense if its your connectivity to the internet..

Actually, I have 2 pfsense. One primary (pfs1) that is my Internet outlet and another secondary (pfs2), which today only acts as a router.

You mean you have 2 pfsense currently and one your just using as downstream router?

internet -- pfs1 --- transit network --- pfs2 -- 10.10.0/24 and 10.10.10/24

Yes, exactly.

What is the network that connects pfs1 to pfs2?

I show a simplified graph of my network.

Why do you not just connect both of these networks to your primary pfs?

*It's a posibility. It is currently part of the infrastructure that I have to manage. *

What switch(es) are you using now? You have described nothing that could not be done with 1 pfs box and either dumb switches or vlan switches.

I use a 3com layer 2 administrable switch and in the industrial area an industrial switch.

Your suggestion would be to ignore the 2nd pfsense and connect the 2 networks to the main pfsense?

Regards & Thank you for your answers.

johnpoz

Yeah that setup is asymmetrical... So your host routing on those admin devices on how to get to the 10.10.10 network?

All you need is.

If your going to use a downstream router, then you need to fix the asymmetrical setup you have.. But there really is no point.. just use 1 pfsense box, to handle routing and firewall between your local segments and the internet.

DiegoCa

Hi johnpoz,

I will verify my connection and try to connect my two subnets to my primary pfsense.

Thank you and regards for your answers.