Connecting a Brocade Layer 3 Router to pfSense



  • I have a Brocade Layer 3 router connected to a pfsense firewall.  I’ve configured the Brocade Layer 3 device to handle the routing of the VLans and DHCP duties.  The problem I’m having is that clients connected to different VLans other than the VLan connected to the LAN interface on the pfSense firewall can’t access the Internet.  Also the port connected to the pfsense box only works in untagged mode.  I have created static routes for each vlan on the pfsense firewall and also the same vlan that’s on to the brocade router interface connected to the pfsense.

    Brocade Router:
    Vlan 2: 10.2.0.1/24
    Vlan 3: 10.3.0.1/24
    Vlan 4: 10.4.0.1/24
    Vlan 1000: 10.0.0.2/29

    Static route:  0.0.0.0 0.0.0.0 10.0.0.1

    PfSense Firewall:
    VLan 2
    Lan Interface: 10.0.0.1/29

    Internet connects to a cable modem
    Cable Modem connects to pfSense firewall
    pfSense firewall connects to the Brocade Layer 3 router which handles DHCP & VLans.


  • LAYER 8 Global Moderator

    if you have a downstream router then the connection to pfsense would be a transit network with NO devices on this network.  This network doesn't care about your downstream vlans or tags.  This is only needs to be simple untagged connection.


  • LAYER 8 Netgate

    I don't understand why you show two VLAN 2s on different subnets.

    If you did not enable manual outbound NAT, pfSense should pick up the downstream static routes and add NAT rules for them, but you need to verify that has happened. If not, enable hybrid mode and add them.  If you have enabled manual outbound NAT, you need to add these rules.

    You do not need a static route for 10.0.0.1/29. It is a connected subnet and has a route.



  • Thanks for the quick reply guys but to make sure I'm on the same page.  Since the last post I factory defaulted the pfSense firewall.  When I reconfigured the firewall I selected (DHCP) for the WAN Interface.  For the LAN I selected (STATIC) with an IP Address of 10.0.0.1/24.  My configs on the Brocade router stayed the same. 
                            Brocade Router:
                            Vlan 2: 10.2.0.1/24
                            Vlan 3: 10.3.0.1/24
                            Vlan 4: 10.4.0.1/24
                            Vlan 1000: 10.0.0.2/29

    Static route:  0.0.0.0 0.0.0.0 10.0.0.1

    In a previous comment someone mentioned that the connection to the pfSense firewall should be an "untagged" port.  My question is what vlan do you untagged the port to (port connecting to the pfsense firewall).  As I stated before my problem was traffic from other vlans other than vlan 1000 wasn't getting to the internet.  In the firewall i left the default config for NAT and the default rules for the Interfaces.  Still no internet for clients on vlan 2 -4.  I need all clients from all vlans to be able to reach the internet. Listed below is the version of pfSense I'm running.

    pfSense Firewall:
    Version:  2.3.2 release (AMD64)
    Free BSD 10.3 release p5


  • LAYER 8 Global Moderator

    At layer 3 tagging doesn't mean anything..  Thought you said this was layer 3 switch doing the routing.

    Doesn't matter what vlan the transit network is.  But yeah it would be a different vlan on your switch then the rest of them..  So what are the IDs of 2,3,4 and 1000 are none of them 1?  You would put the port connected to pfsense lan on a vlan ID that is not the same as an of your others, be it 1 be it 10 whatever.. Its not tagged anyway..


  • LAYER 8 Netgate

    For the LAN I selected (STATIC) with an IP Address of 10.0.0.1/24.  My configs on the Brocade router stayed the same.
                            Vlan 1000: 10.0.0.2/29
                          Static route:  0.0.0.0 0.0.0.0 10.0.0.1

    Yeah, that is wrong. the netmasks should both be /24 or both be /29.

    Can you ping 10.0.0.2 from pfSense and 10.0.0.1 from the switch?

    Did you create a pfSense gateway for 10.0.0.2?

    Did you route 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24 to that gateway on pfSense?

    Does the firewall rule on your transport interface on pfSense (LAN) allow traffic sourced from those subnets?

    Does outbound NAT on WAN contain rules to map those subnets to WAN address?

    That's really all that is necessary. Check all those things.

    I would, personally, make some design changes:

    My transport network would not be associated at all with the networks on the switch. I would make it something random like 172.18.218.224/29.  I would probably not use 10.0.0.0/8 for anything, but if I did I would make it something random like 10.253.192.0/18. I would route that supernet to the switch, pass traffic from that supernet on LAN, and add outbound NAT for that supernet on WAN.

    That would enable you to add networks 10.253.192.0/24 through 10.253.255.0/24 on the switch at will without making any changes to the firewall. Assuming 64 /24 networks is enough for the project's maximum anticipated requirements.


Log in to reply