Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Connecting a Brocade Layer 3 Router to pfSense

    Scheduled Pinned Locked Moved General pfSense Questions
    6 Posts 3 Posters 2.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      southern04
      last edited by

      I have a Brocade Layer 3 router connected to a pfsense firewall.  I’ve configured the Brocade Layer 3 device to handle the routing of the VLans and DHCP duties.  The problem I’m having is that clients connected to different VLans other than the VLan connected to the LAN interface on the pfSense firewall can’t access the Internet.  Also the port connected to the pfsense box only works in untagged mode.  I have created static routes for each vlan on the pfsense firewall and also the same vlan that’s on to the brocade router interface connected to the pfsense.

      Brocade Router:
      Vlan 2: 10.2.0.1/24
      Vlan 3: 10.3.0.1/24
      Vlan 4: 10.4.0.1/24
      Vlan 1000: 10.0.0.2/29

      Static route:  0.0.0.0 0.0.0.0 10.0.0.1

      PfSense Firewall:
      VLan 2
      Lan Interface: 10.0.0.1/29

      Internet connects to a cable modem
      Cable Modem connects to pfSense firewall
      pfSense firewall connects to the Brocade Layer 3 router which handles DHCP & VLans.

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        if you have a downstream router then the connection to pfsense would be a transit network with NO devices on this network.  This network doesn't care about your downstream vlans or tags.  This is only needs to be simple untagged connection.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        1 Reply Last reply Reply Quote 0
        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          I don't understand why you show two VLAN 2s on different subnets.

          If you did not enable manual outbound NAT, pfSense should pick up the downstream static routes and add NAT rules for them, but you need to verify that has happened. If not, enable hybrid mode and add them.  If you have enabled manual outbound NAT, you need to add these rules.

          You do not need a static route for 10.0.0.1/29. It is a connected subnet and has a route.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • S
            southern04
            last edited by

            Thanks for the quick reply guys but to make sure I'm on the same page.  Since the last post I factory defaulted the pfSense firewall.  When I reconfigured the firewall I selected (DHCP) for the WAN Interface.  For the LAN I selected (STATIC) with an IP Address of 10.0.0.1/24.  My configs on the Brocade router stayed the same. 
                                    Brocade Router:
                                    Vlan 2: 10.2.0.1/24
                                    Vlan 3: 10.3.0.1/24
                                    Vlan 4: 10.4.0.1/24
                                    Vlan 1000: 10.0.0.2/29

            Static route:  0.0.0.0 0.0.0.0 10.0.0.1

            In a previous comment someone mentioned that the connection to the pfSense firewall should be an "untagged" port.  My question is what vlan do you untagged the port to (port connecting to the pfsense firewall).  As I stated before my problem was traffic from other vlans other than vlan 1000 wasn't getting to the internet.  In the firewall i left the default config for NAT and the default rules for the Interfaces.  Still no internet for clients on vlan 2 -4.  I need all clients from all vlans to be able to reach the internet. Listed below is the version of pfSense I'm running.

            pfSense Firewall:
            Version:  2.3.2 release (AMD64)
            Free BSD 10.3 release p5

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              At layer 3 tagging doesn't mean anything..  Thought you said this was layer 3 switch doing the routing.

              Doesn't matter what vlan the transit network is.  But yeah it would be a different vlan on your switch then the rest of them..  So what are the IDs of 2,3,4 and 1000 are none of them 1?  You would put the port connected to pfsense lan on a vlan ID that is not the same as an of your others, be it 1 be it 10 whatever.. Its not tagged anyway..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              1 Reply Last reply Reply Quote 0
              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                For the LAN I selected (STATIC) with an IP Address of 10.0.0.1/24.  My configs on the Brocade router stayed the same.
                                        Vlan 1000: 10.0.0.2/29
                                      Static route:  0.0.0.0 0.0.0.0 10.0.0.1

                Yeah, that is wrong. the netmasks should both be /24 or both be /29.

                Can you ping 10.0.0.2 from pfSense and 10.0.0.1 from the switch?

                Did you create a pfSense gateway for 10.0.0.2?

                Did you route 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24 to that gateway on pfSense?

                Does the firewall rule on your transport interface on pfSense (LAN) allow traffic sourced from those subnets?

                Does outbound NAT on WAN contain rules to map those subnets to WAN address?

                That's really all that is necessary. Check all those things.

                I would, personally, make some design changes:

                My transport network would not be associated at all with the networks on the switch. I would make it something random like 172.18.218.224/29.  I would probably not use 10.0.0.0/8 for anything, but if I did I would make it something random like 10.253.192.0/18. I would route that supernet to the switch, pass traffic from that supernet on LAN, and add outbound NAT for that supernet on WAN.

                That would enable you to add networks 10.253.192.0/24 through 10.253.255.0/24 on the switch at will without making any changes to the firewall. Assuming 64 /24 networks is enough for the project's maximum anticipated requirements.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.