Cisco Layer3 switch and PFsense setup
-
Hey PFsense brothers and sisters, I need some wisdom on getting my environment setup. Thanks for taking the time to read this newb's post.
I am working on building out some virtual networks on my XCP-NG server and will use PFsense as my firewall hosted on a VM. I have a Cisco layer 3 switch (3750) that I want to use for Intervlan routing with 3 vlans:
(XCP-NG ports are Vlan tagged)
3750
ip routing enabled
vlan 100 SVI 192.168.1.0/24
vlan 200 SVI 192.168.2.0/24
vlan 600 SVI 192.168.6.0/30 (transit network from switch to PF)..
ip route 0.0.0.0/0 192.168.6.2 (pf opt int)
When configuring interfaces on PFsense I do not see any Vlan capable interfaces. Any thoughts on why I can't see Vlan capable interfaces on the Pfsense side?
I followed this guide on configuring the Layer 3 switch and PFsense:
https://greigmitchell.co.uk/2019/08/configuring-intervlan-routing-with-a-layer-3-switch-and-pfsense/
After following this guide the switch and firewall cannot communicate.
Is it best to have the switch handle vlans, or set them up in Pfsense? -
@BocajPF Well, if you terminate vlans at the xcp-ng level, you will just need to add separate interfaces to pfsense
Is there a reason that you need intervlan traffic handled by the switch?
and if yes, do you also need filtering among vlans? -
Did you create any VLANs? You have to add them to the parent interface.
-
Hey @netblues, I do not need the L3 switch to handle routing..it seemed like an obvious choice but the implementation is not working for me so far..filtering would be great either via the switch or preferably PF sense..
-
@JKnott I do have Vlans created in the cisco switches but can't create vlans/see vlan capable interfaces in PFsense..
-
@BocajPF So the guide you followed is irrelevant.
It's much better to have everything in one place for filtering.
a. you need to remove any intervlan routing from cisco.
b. Decide how many trunk ports you need
c. Either remove vlan handling from the virtualization level, or create as many interfaces as vlans and add them to pf vm.
If you remove vlan support from host, then you assign vlans on pf and then add (tagged) interfaces.
On the cisco switch just create trunk(s).
Both approaches work well. -
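To make the "switch only switches" design from the post above concrete, here is an added example of what the 3750 side looks like once intervlan routing is taken off the switch and pfSense terminates the VLANs. This is illustration written for this thread, not configuration from the poster, from Netgate, or from the linked guide. Assumed names: Gi1/0/1 is the trunk to the XCP-NG host, Gi1/0/10 and Gi1/0/11 are host-facing access ports, and the switch management address (192.168.1.254, gateway 192.168.1.1 on pfSense) is made up.

```cisco
! Remove the routing pieces from the original setup: the SVIs for the user
! VLANs, the transit VLAN 600 to pfSense, and the default route that went with it.
no ip routing
no interface Vlan200
no interface Vlan600
no ip route 0.0.0.0 0.0.0.0 192.168.6.2
!
vlan 100
 name lan
vlan 200
 name servers
vlan 999
 name parking                        ! unused VLAN used as trunk native, so VLAN 1 carries nothing
!
! Trunk to the XCP-NG host. pfSense sees tagged 100 and 200 on the VIF behind this port.
interface GigabitEthernet1/0/1
 description trunk to XCP-NG host (pfSense VM behind it)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,200
 switchport mode trunk
 switchport nonegotiate              ! no DTP: the far end is a hypervisor, not a switch
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/10
 description host in VLAN 100
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 description host in VLAN 200
 switchport mode access
 switchport access vlan 200
 spanning-tree portfast
!
! Management only: with routing disabled the switch needs a default gateway,
! which is now pfSense's VLAN 100 address (assumed).
interface Vlan100
 ip address 192.168.1.254 255.255.255.0
ip default-gateway 192.168.1.1
```

With this in place every packet crossing from 192.168.1.0/24 to 192.168.2.0/24 has to pass through pfSense, which is what lets the rules there act as the single filtering point netblues describes. `show interfaces trunk` should list Gi1/0/1 with VLANs 100 and 200 allowed and active, and `show vlan brief` should show the access ports in their VLANs; pruning the allowed list and using an unused native VLAN keeps untagged traffic and stray VLANs off the link to the hypervisor.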
@BocajPF said in Cisco Layer3 switch and PFsense setup:
@JKnott I do have Vlans created in the cisco switches but can't create vlans/see vlan capable interfaces in PFsense..
Did you click on Interfaces > Assignments > VLANs, where you can add one?
-
@JKnott said in Cisco Layer3 switch and PFsense setup:
Did you click on Interfaces > Assignments > VLANs, where you can add one?
attaching pics of interface config and route info:
not seeing vlan interfaces on the pf sense side..let me know if there is any more information that would help grasp where I'm at.
-
@BocajPF You need to change virtual ethernet configuration at the virtualization host.
You did say that you have vlans configured at that level. -
thanks @netblues and @JKnott for your feedback. I focused on the vm host (XCP-NG) network config and found resources for enabling vlan interfaces in xen..I can now see vlan capable interfaces when creating vlans in PFsense.
Enable Vlan interfaces:
http://think-brick.blogspot.com/2016/02/pfsense-on-xenserver-enable-vlan.html
XCP Trunking:
https://xcp-ng.org/docs/guides.html#vlan-trunking-in-a-vm
now time to get this vlan routing setup..