pfSense and VLANs and switches - which path will packets take?



  • Hi everybody,

    I am a little bit confused, maybe someone could point me to the right direction…

    A little example:
    Let's say we have a pfSense box, WAN whatever, but the LAN NIC is configured for two VLANs, and only VLANs are used.
    Then the LAN port is connected to a switch; the switch is configured properly, as far as it is working.
    In this example there are 4 nodes connected to the switch, but in different VLANs.
    All VLANs tagged, no untagged ports and so on.

    pfsense:
    LAN -> VLAN100 + VLAN200

    switch:
    port 1:VLAN100+VLAN200 -> pfsense
    port 2+3: VLAN100 -> NODE1A + NODE1B
    port 4+5: VLAN200 -> NODE2A + NODE2B

    Initial configuration is done, IP ranges do not matter; there is no traffic allowed between VLAN100 and VLAN200 except, let's say, HTTP port 80, both directions.

    My question is about the "traffic flow": which path will be used for traffic from VLAN100 to VLAN200?

    Within each VLAN it is pretty clear: if there is traffic from NODE1A to NODE1B the packets will go to the switch and then from switch to destination node.
    "INTER VLAN":
    NODExA>SWITCH>NODExB
    Same for all outgoing traffic to WAN: NODEx > SWITCH > PFSENSE > WAN

    But what about the (allowed) traffic FROM VLAN100 to VLAN200?
    Will every packet take the "long" distance, e.g. NODE1A > SWITCH > PFSENSE > SWITCH > NODE2B?
    Basic L3 routing on the switch does not solve the problem (I guess), because I want to control which traffic passes the VLAN "barrier".

    Or is there a way that a switch gets firewall information to decide if it is allowed to route a packet directly?

    How does this work in larger environments (spine/leaf or core/distribution/access switch architecture and so on)?

    I assume I missed something, obviously something important...

    Sorry if this question is too stupid...

    Thank you
    martin



  • The switch cannot do firewalling on behalf of the firewall. Like you said, you can do basic L3 routing on the switch, but if you want advanced features you have to go through the firewall, which means the "long distance".



  • You mention L3 routing on the switch. Do you actually have an L3 switch or do you have an L2?

    If you have a decent L3 switch you can accomplish this without going the Long Distance. Just set up routing between VLANs and limit the traffic with ACLs on your switch. Then the traffic moving between hosts in VLAN100 and VLAN200 never needs to hit your edge router.

    At that point you could get rid of the VLANs in your pfSense setup and use a "transit network" to connect your L3 switch to pfSense.

    If you need a good L3 switch for SOHO use, the Cisco SG350 is great. Lots of features.



  • If you have a decent L3 switch you can accomplish this without going the Long Distance.

    And the other benefit of doing that is freeing the pfSense box for more or other activities; on top of that you
    will get a second foot to stand on: if the pfSense box is failing, normal work inside of the LAN
    can still be done, so there will be no interruption for the employees. And all at wire speed.

    Just set up routing between VLANs and limit the traffic with ACLs on your switch.

    QoS, ACLs and MACsec are often your friends here to get a better balanced network load and flow,
    raising the security and being able to regulate the packet flow.

    Then the traffic moving between hosts in VLAN100 and VLAN200 never needs to hit your edge router.

    Only if there are no servers inside of the DMZ that must be reached from the LAN side.

    At that point you could get rid of the VLANs in your pfSense setup and use a "transit network" to connect your L3 switch to pfSense.

    Good point, I use it also in that direction.

    If you need a good L3 switch for SOHO use, the Cisco SG350 is great. Lots of features.

    Cisco SG350 series or the D-Link DGS1510 will be fine and really cheap to get.
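
The L3-switch design the two replies above describe (inter-VLAN routing with ACLs on the switch, plus a transit network to pfSense), written out as an added example that is not from the thread. It uses Cisco IOS-style syntax with constructed addresses (VLAN100 = 192.168.100.0/24, VLAN200 = 192.168.200.0/24, transit 10.0.0.0/30) and assumes VLANs 100 and 200 already exist on the switch; the SG350 CLI is IOS-like but can differ in details, so check the commands against your model.

```cisco
! Assumed addressing (constructed for this example): VLAN100 192.168.100.0/24,
! VLAN200 192.168.200.0/24, transit 10.0.0.0/30 (pfSense 10.0.0.1, switch 10.0.0.2).
ip routing

! The switch, not pfSense, is now the default gateway of both VLANs.
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 ip access-group FROM-VLAN100 in
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 ip access-group FROM-VLAN200 in

! Transit link to pfSense: one routed subnet instead of the two tagged VLANs.
interface Vlan1
 ip address 10.0.0.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.0.0.1
! pfSense needs the reverse: static routes for 192.168.100.0/24 and
! 192.168.200.0/24 via gateway 10.0.0.2, and its firewall rules on the transit interface.

! Traffic entering from VLAN100: only HTTP (tcp/80) may cross to VLAN200, in
! either direction. The ACL is stateless, so replies from a VLAN100 web server
! to a VLAN200 client need their own line; 'established' only checks TCP flags
! (ACK/RST), it is not connection tracking like pfSense does.
ip access-list extended FROM-VLAN100
 permit tcp 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 eq 80
 permit tcp 192.168.100.0 0.0.0.255 eq 80 192.168.200.0 0.0.0.255 established
 deny   ip  192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 log
! Everything else (e.g. Internet-bound traffic towards pfSense) still passes.
 permit ip  any any

! Mirror image for traffic entering from VLAN200.
ip access-list extended FROM-VLAN200
 permit tcp 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255 eq 80
 permit tcp 192.168.200.0 0.0.0.255 eq 80 192.168.100.0 0.0.0.255 established
 deny   ip  192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255 log
 permit ip  any any
```

With this in place, NODE1A > SWITCH > NODE2B is the path for the allowed HTTP traffic, and the logged deny lines are what you watch to see blocked inter-VLAN attempts.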