LAN routing issues.



  • Greetings everyone!

    I recently decided to add a L3 switch to my home network to reduce the stress on my pfSense box and make things a little easier to manage, but I ran into a weird routing issue between my VLANs.

    My network design is as follows: there are two LANs left on the pfSense box, called "Home" and "Transfer". Both have their own Intel NICs and any/any/any FW rules; in addition, static routes were created to carry traffic to the other 10 VLANs located behind the L3 switch. The issue I am having is that whenever I attempt to form a secure connection, be it SSH or SSL, from my PC in the "Home" network to any host behind the switch, I won't get a connection, or it will drop a few minutes after I have managed to get one. Unsecured traffic flows without any issues.

    Any ideas?


  • Rebel Alliance Global Moderator

    Where are your other vlans in this drawing? You show a hypervisor vlan. Is that also a transit network? Like between your pfsense and cisco?

    What are the network address schemes you are using, and are you tagging any traffic in the switch or in esxi? Are all your vlans in the esxi host? Or do you have some hanging off the cisco?

    You mention that home and transfer have their own nics, so I assume you're not tagging anything and you're using a transit network. But your connection that starts and then drops points to an asynchronous problem.



  • @johnpoz:

    Where are your other vlans in this drawing? You show a hypervisor vlan. Is that also a transit network? Like between your pfsense and cisco?

    What are the network address schemes you are using, and are you tagging any traffic in the switch or in esxi? Are all your vlans in the esxi host? Or do you have some hanging off the cisco?

    You mention that home and transfer have their own nics, so I assume you're not tagging anything and you're using a transit network. But your connection that starts and then drops points to an asynchronous problem.

    All the addressing follows a 172.17.x/24 model, where x is the VLAN ID number. All of the remaining VLANs are located on the switch, and they have SVIs that use the pfSense IP on the transfer VLAN as a GW. There is no tagged traffic in the network apart from the hypervisor trunks located behind the switch.

    The thing that baffles me most about this issue is that it only appears when you are forming a secure connection from the home vlan to any host in any vlan behind the switch, be it one of the hypervisors with a trunked interface or a simple Pi box on a traditional interface.


  • Rebel Alliance Global Moderator

    " that use the pfSense ip on the transfer VLAN as a GW."

    Huh?? How is that going to work? The gateway of any specific network/vlan would be an IP on that network/vlan.

    Do you mean they have an svi on the cisco switch in that specific vlan, and the gateway off the layer 3 switch is using the IP of pfsense in the transit network? That is correct, but that is not how your statement reads.

    What are your rules on pfsense, and routes? Are you pushing something out a specific gateway? What does this hypervisor trunk? So you have vms in multiple vlans on there?

    So let's say you have 172.7.100 as a vlan, and 172.17.110, and 172.17.120, 172.17.130.. These all point to, say, 172.17.x.1 as their gateway, which all resides on the switch, except for the network that is hanging off pfsense; this 172.17.x.1 sits on pfsense. And then you have a transit of, say, 192.168.0.0/30

    So let's see your firewall rules for your home vlan and your transit network, and your routes on pfsense. Attached is how I would see your network: basically your esxi host is just a switch with vlans hanging off of it, and you have a trunk connecting that to your layer 3 cisco switch, where the vlans on that switch are all pointing to the svi on the cisco layer 3 for their respective vlans.

    Is this correct?
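johnpoz's point that a connection which forms and then drops points to an asymmetry, together with the addressing he sketches above, can be checked with a small path-trace model: a stateful firewall such as pfSense only keeps a TCP state alive if both directions of the flow cross it. The code below is an added example (not from this thread, pfSense or Cisco); the router names, host addresses and the "Home SVI on the switch" variant are assumptions made up for illustration, and the variant goes beyond what the thread confirms about the OP's setup.

```python
# Added example, not from the thread: model the layout johnpoz sketches (Home on
# pfSense, other VLANs as SVIs on the L3 switch, a /30 transit between them) and
# check whether pfSense, a stateful firewall, sees BOTH directions of a flow.
import copy
from ipaddress import ip_address, ip_network

TOPOLOGY = {  # router -> its own IPs and its routing table (prefix, next hop)
    "pfsense": {"addrs": {"172.17.10.1", "192.168.0.1"},
                "routes": [("172.17.10.0/24", "direct"),          # Home (VLAN 10)
                           ("192.168.0.0/30", "direct"),          # transit
                           ("172.17.100.0/24", "192.168.0.2")]},  # static route
    "switch": {"addrs": {"192.168.0.2", "172.17.100.1"},
               "routes": [("172.17.100.0/24", "direct"),          # SVI, VLAN 100
                          ("192.168.0.0/30", "direct"),
                          ("0.0.0.0/0", "192.168.0.1")]},         # default -> pfSense
}  # all addresses are constructed for the example

def lookup(topo, router, dst):
    """Longest-prefix match in one router's table -> (prefix, next hop) or None."""
    cands = [(ip_network(p), nh) for p, nh in topo[router]["routes"] if dst in ip_network(p)]
    return max(cands, key=lambda c: c[0].prefixlen, default=None)

def trace(topo, first_hop, dst):
    """Routers a packet crosses, starting at the sending host's default gateway."""
    dst, path, here = ip_address(dst), [], first_hop
    while here is not None and here not in path:   # stop on unknown hop or loop
        path.append(here)
        route = lookup(topo, here, dst)
        if route is None:
            return path + ["no route"]
        if route[1] == "direct":                    # delivered on a connected network
            return path
        # hand off to whichever router owns the next-hop address
        here = next((n for n, r in topo.items() if route[1] in r["addrs"]), None)
    return path + ["loop" if here else "unknown next hop"]

def firewall_sees_both_directions(topo, fw, a, a_gw, b, b_gw):
    """Stateful firewall fw keeps a TCP state only if both directions cross it."""
    return fw in trace(topo, a_gw, b) and fw in trace(topo, b_gw, a)

def with_home_svi_on_switch(topo):
    """Hypothetical misconfiguration: Home VLAN also trunked to the switch with an
    SVI there, so replies from VLAN hosts reach Home directly and skip pfSense."""
    t = copy.deepcopy(topo)
    t["switch"]["addrs"].add("172.17.10.2")
    t["switch"]["routes"].append(("172.17.10.0/24", "direct"))
    return t
```

In the sketched layout the return path from a VLAN 100 host goes switch -> pfSense -> Home, so pfSense sees both directions; in the hypothetical variant the reply is delivered by the switch straight onto the Home VLAN and pfSense only ever sees the client's half of the conversation.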