VLAN - Member - Just L2

  • Basically I'm thinking of using PFSense as a L2 Gateway…

    Using a Core switch to do the VLAN routing and the PFSense as the Edge Firewall & NAT.

    Center of the network in a lab building will be a 48port switch with most buildings being connected directly to it.

    Other buildings are primarily wireless, but wired to a 24-port in each with a fiber uplink to the Lab.

    VLANs and iprouting on switch.

    From what I see - I can't do DHCP on pfsense if it is not doing the vlan routing correct?
    Don't see DHCP unless I give the VLAN on pfsense an IP address...
    But when I give it an IP address it automatically sets up default routing for that VLAN vs just being a member and being able to untag/tag its traffic.

    I can have the switch do the DHCP scopes - will work - but it's only a 1920-48G so not very advanced, but works for our needs.

    I know I could just do a larger /8 /16 subnet and not have to assign the vlans to the pfsense for IPRouting - however adding the vlans will give me the ability to do traffic shaping on each VLAN if I understand correctly - is that Correct?

    INet comes from an Edge building and planning to just place the PFSense in that building vs building a non-routed vlan back to LAB and placing pfsense there - just seems to be adding too many failure points for my "short fuse"...

  • LAYER 8 Global Moderator


    If you're going to use pfsense as your edge/nat, have some L3 core switch do all your intervlan routing.. Why do you have to do anything with pfsense and the vlans?  The only network pfsense would be connected to would be the transit network you set up between it and your downstream router.

  • Reason being, it is possible at that edge - Using a PFSense with multiple GBit Ports

    • Trunk Not necessary just was wondering if possible..

    • would have preferred for it to handle DHCP but see that isn't possible if it is not handling the Routing for the VLANs correct?

    • Just have it on the transit Network - agreed - just need to make sure to add the routes for the other vlans so it knows where to send the traffic…  or yes use /16 if networks are within the B ranges - just prefer the routed method sometimes.
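The layout settled on above (pfSense on a small transit network, the L3 core switch routing every VLAN, and pfSense either carrying one static route per VLAN or a single summary route toward the core) is easy to get subtly wrong with overlapping subnets or an unusable transit address. The script below is an added example, not code from this thread or from pfSense; the transit /30, the VLAN IDs and the 10.10.x.0/24 ranges are constructed sample values. It checks the addressing for overlaps, lists the per-VLAN static routes pfSense would need (the "routed method" in the last post), computes the smallest summary route that would replace them (the "/16" option), and reports how much address space that summary sends to the core without any VLAN behind it.

```python
# Added example, not code from the thread or from pfSense/Netgate: a small
# sanity check for the "pfSense on a transit network, L3 core switch routes the
# VLANs" layout. Every address and VLAN ID here is a constructed sample value.
import ipaddress
from typing import Dict, List, Tuple

# Constructed layout: pfSense's LAN-side interface and the core switch share a
# /30 transit network; every user VLAN is routed by the core switch, whose own
# default route is assumed to point back at PFSENSE_TRANSIT_IP.
TRANSIT_NET = "10.255.0.0/30"
PFSENSE_TRANSIT_IP = "10.255.0.1"   # pfSense side of the transit link
CORE_TRANSIT_IP = "10.255.0.2"      # core switch side; next hop for all VLAN routes
VLAN_NETS = {
    10: "10.10.10.0/24",   # lab wired
    20: "10.10.20.0/24",   # building B wireless
    30: "10.10.30.0/24",   # building C wireless
}


def validate_layout(transit: str, pfsense_ip: str, core_ip: str,
                    vlans: Dict[int, str]) -> List[str]:
    """Return a list of addressing problems; an empty list means the layout is consistent."""
    problems: List[str] = []
    t = ipaddress.ip_network(transit, strict=True)
    usable = set(t.hosts())
    # Both ends of the transit link must be usable host addresses inside it.
    for name, ip in (("pfSense", pfsense_ip), ("core switch", core_ip)):
        if ipaddress.ip_address(ip) not in usable:
            problems.append(f"{name} address {ip} is not a usable host in transit {t}")
    nets = {vid: ipaddress.ip_network(cidr, strict=True) for vid, cidr in vlans.items()}
    # No VLAN may overlap the transit network, and VLANs may not overlap each other.
    for vid, n in nets.items():
        if n.overlaps(t):
            problems.append(f"VLAN {vid} ({n}) overlaps the transit network {t}")
    vids = sorted(nets)
    for i, a in enumerate(vids):
        for b in vids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"VLAN {a} ({nets[a]}) overlaps VLAN {b} ({nets[b]})")
    return problems


def per_vlan_routes(core_ip: str, vlans: Dict[int, str]) -> List[Tuple[str, str]]:
    """Static routes pfSense needs when each VLAN is routed individually: (destination, gateway)."""
    return sorted((str(ipaddress.ip_network(cidr, strict=True)), core_ip)
                  for cidr in vlans.values())


def summary_route(core_ip: str, vlans: Dict[int, str]) -> Tuple[str, str]:
    """Smallest single prefix covering every VLAN: the 'one summary instead of many routes' option."""
    nets = [ipaddress.ip_network(cidr, strict=True) for cidr in vlans.values()]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()   # widen by one bit until every VLAN fits
    return (str(candidate), core_ip)


def unassigned_count(summary: str, vlans: Dict[int, str]) -> int:
    """How many addresses the summary route sends to the core that belong to no VLAN."""
    remaining = [ipaddress.ip_network(summary, strict=True)]
    for cidr in vlans.values():
        n = ipaddress.ip_network(cidr, strict=True)
        nxt = []
        for r in remaining:
            # Carve the VLAN out of whichever leftover block contains it.
            nxt.extend(r.address_exclude(n) if n.subnet_of(r) else [r])
        remaining = nxt
    return sum(r.num_addresses for r in remaining)


if __name__ == "__main__":
    for p in validate_layout(TRANSIT_NET, PFSENSE_TRANSIT_IP, CORE_TRANSIT_IP, VLAN_NETS):
        print("PROBLEM:", p)
    print("per-VLAN routes on pfSense:", per_vlan_routes(CORE_TRANSIT_IP, VLAN_NETS))
    s, gw = summary_route(CORE_TRANSIT_IP, VLAN_NETS)
    print(f"summary route {s} via {gw} covers {unassigned_count(s, VLAN_NETS)} "
          "addresses that belong to no VLAN")
```

With the sample values the per-VLAN list is three /24 routes via 10.255.0.2, while the summary collapses to 10.10.0.0/19 and hands 7424 addresses with no VLAN behind them to the core; that gap is the trade-off between the two options in the post above, and the overlap checks are what catches a VLAN accidentally carved out of the transit range.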
