Question about network topology/Trunk
-
Ok, so I'm struggling with this idea I have. Maybe I'm completely thinking about this in the wrong way, but thought I would reach out to hopefully get some clarity.
I have a home network, with an isolated lab setup behind it (simplified network diagram attached).
Currently I don't have the pfsense box where it is in the diagram, but just the switch that is receiving the trunk from the L3 switch above.
As you can see from the diagram, the switch outputs 3 different vlans to my admin workstation where the lab is hosted.
Reason for me wanting to place a pfsense there is to ips/ids the traffic going in and out of the lab, and also my workstation while learning pfsense, without being part of or affecting my actual home lan in the tier above. My question is, is it even possible to pass on a trunk to the wan side of pfsense? The pfsense box to be has only 2 network cards, in and out, so connecting each vlan to a socket is out of the question.
Or would an inline setup like this require me to configure pfsense as a "pass through switch" that ignores routing? Or would simply setting it up as a VM with virtual switches be the most viable option? Thank you for any thoughts, ideas or suggestions on how this could and should be set up according to best practice.
-
@Darkfall said in Question about network topology/Trunk:
My question is, is it even possible to pass on a trunk to the wan side of pfsense? The pfsense box to be, has only 2 network cards, in and out, so connecting each vlan to a socket is out of the question.
You should be able to create VLANs on the WAN port, but each one would have to be routed separately. It's the same logical situation as separate WAN interfaces.
-
Hmm ok. But if I create the vlans on the wan interface, how would I go about routing that downstream to the switch where the vlans are distributed? Not sure I follow the logic here. Would love some clarity on what you said as I'm new to the pfsense way of doing things.
Another solution I guess is to just have the pfsense box handle everything downstream, and just forward the result to my edge-router, but it would be nice solving this the proper way.
-
@Darkfall said in Question about network topology/Trunk:
Hmm ok. But if i create the vlans on the wan interface, how would i go about routing that downstream to the switch where the vlans are distributed?
Think of the VLANs as separate physical interfaces. You'll have to configure the routing as appropriate to meet your needs. You would also have to create whatever rules you need. It's just as though you have multiple WAN interfaces. However, given the complexity of this, maybe you're going the wrong way. Instead, just route everything for what's behind pfSense over a single interface. So, you'd configure that edgerouter to pass all the traffic for networks behind pfSense to it. This is just normal routing. If you pick the network addresses properly, you can aggregate them and route a one larger network, instead of routing each network individually.
-
If I understand the last part correctly I would just need to connect the pfsense box to the L3 switch with an ip on the same subnet. Then in pfsense set up my vlans on its lan interface instead of on the edgerouter (as I do now). And then just put up static routes or ospf for routing between the two for internet access and dhcp leases from the edgerouter?
-
@Darkfall said in Question about network topology/Trunk:
My question is, is it even possible to pass on a trunk to the wan side of pfsense?
While it's possible there is no reason to..
If you want to put pfsense downstream of router, you just connect pfsense wan via a transit network to your upstream.. pfsense would be able to get to any upstream networks via this transit.
All upstream networks would be able to get to networks behind pfsense via the transit network.. There is no reason to connect pfsense to multiple networks in your scenario.
edit: also why do you have all your vlans on eth1.. What are you doing with the other interfaces you have on that 6p router? You understand that all intervlan traffic is now sharing the physical interface - so you're hairpinning any intervlan traffic - which is fine if you're not doing a lot of moving of data between them..
-
@johnpoz
Thx for your reply, going to try and set it up that way, and create the lab related vlans on pfsense. As for why all vlans are on eth1, good question and a long story. In the beginning it was just router on a stick, one port for each lan going into individual nic ports on the lab comp. Then I added the L3 switch to have that manage inter-vlan at wire speed and let the router just route, never gotten around to it yet.
At the moment, all past eth1 belongs to the lab. Other router ports are for now not used since my actual home-lan uses a regular consumer router upstream until I feel confident migrating it all. Also the reason for all on one port is that I only have one trunk cable on the wall going from the rack to the switch > computer. Spreading them over more router-ports would require more cables, right? Alternative is to create a software port bridge on the edgerouter and have them work in LAG with the Edgeswitch. Open for suggestions how to max throughput though.
I'm all ears and open for suggestions on how to optimise for better performance and best practice.
For better understanding the actual topology, here is the full sanitized network diagram.
-
@Darkfall said in Question about network topology/Trunk:
I'm all ears and open for suggestions on how to optimise for better performance and best practice.
Unless you're doing this as a "learning experience", I'd say ditch all the VLANs for traffic between the edgerouter and pfSense. Then instead of having subnets 50, 60 and 99 (I assume all are /24), make them something like 0,1,2, with 3 as a bonus. Then route a /22 to pfSense, which will then sort out the various networks, instead of having to do it twice. This is called aggregation, where you try to minimize the number of routes to be configured.
-
@JKnott
And by aggregation I assume you are referring to link aggregation? Never had to deal with that but a good opportunity to dig into it I guess :)
-
No he is talking about simple route summary... If your networks all fall into the same larger subnet then all you need to do is route that specific cidr
so 192.168.0, .1, .2 and 192.168.3 could all be summarized with 192.168.0/22
-
@johnpoz said in Question about network topology/Trunk:
No he is talking about simple route summary... If your networks all fall into the same larger subnet then all you need to do is route that specific cidr
so 192.168.0, .1, .2 and 192.168.3 could all be summarized with 192.168.0/22
Or more to the point, aggregation of multiple networks allows the routes to be summarized. Many years ago, way back in the dark ages, they pretty much renumbered Europe, to reduce the size of routing tables. The buying and selling of IPv4 address blocks is aggravating the situation, as some of the blocks are being moved out of where they can be summarized.
-
@johnpoz
Aha, supernetting, loved child has many names. Ok then I got it.
Pardon for my lack of experience. I have a fairly good grasp of the concepts though. What benefit would that way of doing things give compared to the earlier suggestion on just adding the vlans on pfsense and having ospf/static routes update the routing tables between the two?
-
@Darkfall said in Question about network topology/Trunk:
what benefit would that way of doing things give compared to the earlier suggestion on just adding the vlans on pfsense and have ospf/static routes update the routing tables between the two?
With VLANs you have to route each subnet twice. First in the edgerouter and again in pfSense. With route summarizing, you route the entire summary at the edgerouter and then split up the individual subnets in pfSense. You also get simpler configuration throughout.
-
If you want to pass the routes via a protocol - go for it.. But sounded like you wanted to route the L2 at pfsense as well with multiple wans.. Ie 3 different wan networks on pfsense?
Without natting, or host routing that leads to asymmetrical traffic..
If you have a downstream router, you connect the upstream and the downstream via a transit network.. You don't just connect the downstream router to all the upstream networks via different wan interfaces.. That would be just a freaking mess.
If you want to use a routing protocol to exchange the routes - sure, but it's complication for no reason. Not like the downstream router is going to be adding routes out of the blue and you will want to know they are down there via a route being added via the protocol.
And you sure don't seem to have multiple paths to get to the downstream networks, and you don't seem to have need for a failover via loss of a path, etc. etc.
You could get as simple as using some large cidr on your top networks.. Say using a /20 which would give you lots of room for growth of more networks there, and then a /20 for your downstream networks, etc. But sure if you want to run bgp or something to play with - have at it.. You're still going to connect them via a transit network(s)..
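The route-summary advice in this thread (johnpoz's "192.168.0, .1, .2 and 192.168.3 could all be summarized with 192.168.0/22", JKnott's point that summarizing means routing each lab subnet once at the edgerouter instead of twice, and the repeated advice to reach pfSense over a single transit network) can be checked mechanically. The script below is an added example written for this page, not code from any of the posters or from pfSense/EdgeOS. It uses the lab subnets named in the thread (50/60/99 as they are now, 0-3 after renumbering); the transit address 10.255.0.2 and the home LAN 192.168.10.0/24 are constructed assumptions. It finds the smallest supernet covering a set of networks, reports what extra address space that summary would drag toward pfSense, checks the summary against upstream networks it must not swallow, and shows the edgerouter's static table shrinking to one entry pointing at the transit next-hop.

```python
import ipaddress

# Constructed addressing for the thread's scenario. The lab networks are the
# ones discussed in the posts; the transit link and home LAN are assumptions.
LAB_CURRENT = ["192.168.50.0/24", "192.168.60.0/24", "192.168.99.0/24"]
LAB_RENUMBERED = ["192.168.0.0/24", "192.168.1.0/24",
                  "192.168.2.0/24", "192.168.3.0/24"]
PFSENSE_TRANSIT_IP = "10.255.0.2"   # assumed pfSense WAN address on the transit link
HOME_LAN = "192.168.10.0/24"        # assumed upstream network that must stay upstream


def summary_route(prefixes):
    """Smallest single prefix (supernet) that contains every given network."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()   # widen by one bit until all fit
    return candidate


def over_capture(prefixes):
    """Address space inside the summary that is NOT one of the intended networks.

    Returns (summary, leftover); leftover is a collapsed list of networks.
    An empty leftover means the summary is exact and safe to route as one entry.
    """
    summary = summary_route(prefixes)
    leftover = [summary]
    for net in (ipaddress.ip_network(p) for p in prefixes):
        pieces = []
        for block in leftover:
            if net.subnet_of(block):
                pieces.extend(block.address_exclude(net))  # carve the lab net out
            else:
                pieces.append(block)
        leftover = pieces
    return summary, list(ipaddress.collapse_addresses(leftover))


def summary_is_safe(prefixes, upstream_networks):
    """True if the summary is exact and does not overlap any upstream network."""
    summary, leftover = over_capture(prefixes)
    clashes = [u for u in upstream_networks
               if ipaddress.ip_network(u).overlaps(summary)]
    return not leftover and not clashes


def edge_router_routes(prefixes, next_hop, summarize=True):
    """Static routes the upstream router needs to reach the lab behind pfSense.

    summarize=True routes one summary to pfSense's transit address (the
    thread's recommendation); otherwise one route per lab network.
    """
    if summarize:
        return {str(summary_route(prefixes)): next_hop}
    return {str(ipaddress.ip_network(p)): next_hop for p in prefixes}


def lookup(routes, destination):
    """Longest-prefix match over a {prefix: next_hop} table; None if unrouted."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


if __name__ == "__main__":
    for label, lab in (("current", LAB_CURRENT), ("renumbered", LAB_RENUMBERED)):
        summary, leftover = over_capture(lab)
        extra = sum(n.num_addresses for n in leftover)
        print(f"{label}: summary {summary}, {extra} unintended addresses inside it")
        print(f"  safe alongside home LAN {HOME_LAN}: {summary_is_safe(lab, [HOME_LAN])}")
    table = edge_router_routes(LAB_RENUMBERED, PFSENSE_TRANSIT_IP)
    print("edge router table:", table)
    print("192.168.3.7 ->", lookup(table, "192.168.3.7"))
    print("192.168.10.5 ->", lookup(table, "192.168.10.5"))
```

Run as-is it shows why the renumbering matters: 50/60/99 only summarize to 192.168.0.0/17, which would pull 32000 unrelated addresses (and the assumed home LAN) toward pfSense, while 0-3 summarize exactly to 192.168.0.0/22 and the edgerouter needs a single static route to the transit next-hop. Only the summary is checked here; the per-VLAN interfaces and firewall rules on the pfSense side are unchanged by it.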