Routing Problems? Nat problems?

  • Hello guys, noob user here.

    I'm very new to networking in general, and I'm currently involved in this little (or that's what it seemed at first) project at my work to deploy a pfSense box into the office network to use SquidGuard for web filtering purposes.

    This is the actual network diagram:

    There are 5 VLANs in my network: Administration (1), Users (2), Servers (3), VoIP (4) and Wifi (5).
    We have two servers with Windows Server 2008 R2 and Active Directory. They take care of the DNS and the DHCP.
    The core and server switches are layer 3 HP ProCurve switches (2848 and 2824). They both have IP routing enabled, with the IP route set to (the TP-Link Load Balancer).

    My original plan was to swap out the TP-Link Load Balancer (cuz it sucks anyway) and deploy the pfSense box in its place.
    I used an old computer with two NICs, one as WAN, the other as LAN, and configured the LAN with the same IP address as the Load Balancer ( and set static routes in pfSense, and linked to the WAN gateway.
    I set the DHCP relay to the IP address of the AD servers.

    The problem is there's no internet when I actually deploy the pfSense box.
    I can't ping the box from the clients in the users VLAN 2. But, from the CLI in the switches, I can ping the pfSense box successfully and

    Dunno where the problem is.
    Routing? NATing?
    Like I said, I'm very new to networking and I'm still learning the ropes, so any help would be gladly taken! (oh, and sorry for the crappy English…)

    btw, in another post it was stated that the best thing to do was to create another VLAN in the switch and in the pfSense box for routing only the internet flow.
    But I'm not very sure if this is the way to do things in my case...

  • Well, no response to my problem, so I did the right thing to do, and searched in other threads to find a possible solution.
    I made some progress, but now I'm facing a new problem.

    Sooo, I learned that using the L3 switch as a router in this case is called a downstream router.
    Also, leaving the routing job to the L3 switch means that there's no need to load VLANs and interfaces in pfSense. What is needed is a different VLAN between the switch and pfSense (a transit network).

    • I defined my transit network as in VLAN 100.
    • Made VLAN 100 in my L3 switch, interface IP address of with one port tagged.
    • Deleted all VLANs in pfSense, and created VLAN 100 with interface IP address
    • In routing, made a gateway pointing to the switch interface ( and marked it as default.
    • Defined static routes so pfSense can find the networks behind the switch. The networks fall under, so I made only one route with this address and the gateway pointing to the switch that I made in the previous step.
    • In the switch, defined the ip route as
    • Defined the rules to pass any in LAN, and in the interface of the VLAN.

    Now, from a host, I can ping pfSense, no problem there.
    The thing is, there's a loop now between pfSense and the switch.
    From a host, if I traceroute to it keeps jumping between the switch and pfSense.
    If I ping from pfSense to, it says time to live exceeded error.

    I tried to change the gateway of the static route to WAN, but then the host can't ping pfSense anymore, nor have internet access. But if I log into the CLI of the L3 switch, the switch can ping pfSense AND

    Any ideas or help, guys? I'm going bald pulling my hair out with this…
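The loop described in this post can be reproduced on paper with a small forwarding simulation. The following is an added example, not code from the poster or from pfSense, and it uses constructed placeholder addresses because the thread's real addresses were stripped: VLAN 100 as the transit network 192.168.100.0/24 (pfSense .1, L3 switch .2), the internal networks summarised as 10.0.0.0/16 with the users VLAN 10.0.2.0/24 routed by the switch, a WAN upstream gateway 203.0.113.1 and an Internet host 198.51.100.10. It models two pfSense route tables: one where the switch-facing gateway is marked as the default (as the post describes) and one where only the internal summary route points at the switch while the default points at the WAN gateway. A third destination, an address inside the summary that no switch VLAN actually carries, shows that a summary route bounces between the two devices in either configuration.

```python
import ipaddress

# Constructed placeholder addressing (not from the thread, whose addresses were stripped):
#   VLAN 100 transit network 192.168.100.0/24: pfSense .1, L3 switch .2
#   internal networks summarised as 10.0.0.0/16, users VLAN 10.0.2.0/24 on the switch
#   WAN upstream gateway 203.0.113.1, an Internet host 198.51.100.10
TRANSIT_PFSENSE = "192.168.100.1"
TRANSIT_SWITCH = "192.168.100.2"
WAN_GATEWAY = "203.0.113.1"

# Which device answers at each next-hop address; "upstream" is the ISP side and ends the trace.
NEXT_HOP_OWNER = {TRANSIT_PFSENSE: "pfsense", TRANSIT_SWITCH: "switch", WAN_GATEWAY: "upstream"}


def lookup(table, dst):
    """Longest-prefix match: the most specific matching prefix wins, as in a real FIB.
    Returns (network, next_hop) or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(tables, start, dst, ttl=8):
    """Forward a packet hop by hop from `start` until delivered, dropped or the TTL runs out.
    `tables` maps device name -> list of (prefix, next_hop); next_hop "connected" means the
    destination sits on a directly attached subnet. Returns (outcome, path)."""
    device, path = start, [start]
    for _ in range(ttl):
        match = lookup(tables[device], dst)
        if match is None:
            return "no-route", path
        _net, next_hop = match
        if next_hop == "connected":
            return "delivered", path
        device = NEXT_HOP_OWNER[next_hop]
        path.append(device)
        if device == "upstream":
            return "delivered", path
    return "ttl-exceeded", path


SWITCH_TABLE = [
    ("10.0.2.0/24", "connected"),       # users VLAN, routed by the L3 switch
    ("192.168.100.0/24", "connected"),  # transit VLAN 100
    ("0.0.0.0/0", TRANSIT_PFSENSE),     # switch default route -> pfSense
]

# Configuration as the post describes it: the switch-facing gateway is marked as pfSense's default.
LOOPING = {
    "switch": SWITCH_TABLE,
    "pfsense": [
        ("192.168.100.0/24", "connected"),
        ("10.0.0.0/16", TRANSIT_SWITCH),  # summary route for the networks behind the switch
        ("0.0.0.0/0", TRANSIT_SWITCH),    # default also points at the switch
    ],
}

# Same topology, but pfSense's default points at the WAN gateway instead.
CORRECTED = {
    "switch": SWITCH_TABLE,
    "pfsense": [
        ("192.168.100.0/24", "connected"),
        ("10.0.0.0/16", TRANSIT_SWITCH),
        ("0.0.0.0/0", WAN_GATEWAY),
    ],
}

if __name__ == "__main__":
    for name, tables in (("looping", LOOPING), ("corrected", CORRECTED)):
        for start, dst in (("switch", "198.51.100.10"), ("pfsense", "10.0.2.50"), ("pfsense", "10.0.9.1")):
            outcome, path = trace(tables, start, dst)
            print(f"{name:9} {start:7} -> {dst:14} {outcome:12} {' > '.join(path)}")
```

With both defaults pointing at each other, any Internet-bound packet ping-pongs across the transit VLAN until its TTL expires, which is exactly what a traceroute alternating between the two hops and an ICMP "time to live exceeded" look like. The last row also shows why the summary route needs care: an address inside 10.0.0.0/16 that the switch has no VLAN for is sent to the switch by pfSense and straight back by the switch's default route, so the summary should only cover networks the switch really owns (or the switch needs a discard route for the rest).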
