Netgate Discussion Forum

    Cisco environment with multiple VLANS and branch office VPNs

    General pfSense Questions
    6 Posts 4 Posters 603 Views
    slipstreams7

      We currently have 3 locations, all connected via IPsec site-to-site VPN tunnels to the main site. This main site has the topology shown below. I'd like to insert the pfSense as transparently as possible, so that it doesn't take over routing or disrupt our existing network, but is still able to filter and block as a firewall. Can anyone assist with where to put the pfSense in the topology and whether there are any guides out there for preserving the existing VLAN setup and site-to-site tunnels with pfSense?

      HQ site:

      WAN (internet) -> Cisco edge router -> Catalyst Layer 3 switch (does routing and VLANs) -> Catalyst Layer 2 switches -> hosts

      Site 2:
      WAN (internet) -> Netgear router -> hosts

      Site 3:
      WAN (internet) x 2 -> Peplink Balance router (dual WAN failover) -> hosts

      Thanks!

      johnpoz LAYER 8 Global Moderator

        "I'd like to insert the PFsense as transparently as possible"

        Insert it where? Where are you wanting to do firewalling? Between your sites, or between your VLANs at your HQ? Sites 2 and 3 don't have multiple VLANs?

        Are you planning on multiple pfSenses, at all 3 sites?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        slipstreams7

          I want to firewall internet activity at the HQ site first. The HQ site is the only one with multiple VLANs; the branches have single-subnet networks and a minimal number of hosts (only cameras at one of the sites). I will deploy a pfSense to each of the other sites at a later point.

          johnpoz LAYER 8 Global Moderator

            Then you could put it between your router and your L3 switch in 2 different fashions: as a full router, with a transit network going to your edge router and a transit network going to your L3 switch, or you could put it in bridge mode and use it as a transparent firewall.

            I would go with routed mode, just because it's more straightforward and less complex.

            You would just turn off its NAT, since I assume your edge Cisco is currently doing the NAT.

            Or you could just replace your current Cisco edge with pfSense. This would probably be the best option.

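The routed-mode layout described in the post above (edge router, then pfSense, then the Layer 3 switch, joined by two small transit networks) has one pitfall worth checking before cutover: the edge router must get a summary route for the HQ VLAN space pointing back at pfSense, or return traffic from the branch tunnels and the internet follows the edge router's default route and never reaches the VLANs, and pfSense only ever sees one direction of each flow. The following is an added example written for this page, not code from the thread or from Netgate. It models each hop's routing table with longest-prefix matching and traces forward and return paths; the transit prefixes 10.255.0.0/30 and 10.255.1.0/30, the HQ summary 10.10.0.0/16, the VLAN subnets and the branch subnets are all constructed assumptions.

```python
import ipaddress
from typing import Optional

# Constructed addressing for the routed-transit layout (all assumptions):
#   edge router 10.255.0.1 <-> pfSense WAN 10.255.0.2      (edge transit)
#   pfSense LAN 10.255.1.1 <-> L3 switch uplink 10.255.1.2 (LAN transit)
# The L3 switch keeps routing between the HQ VLANs; the edge router keeps
# terminating the IPsec tunnels to the branches and doing NAT.
EDGE_TRANSIT = "10.255.0.0/30"
LAN_TRANSIT = "10.255.1.0/30"
HQ_SUMMARY = "10.10.0.0/16"        # every HQ VLAN lives inside this summary
VLANS = {"10.10.10.0/24": "vlan10",
         "10.10.20.0/24": "vlan20",
         "10.10.30.0/24": "vlan30-cameras"}
BRANCHES = {"192.168.2.0/24": "ipsec-site2",
            "192.168.3.0/24": "ipsec-site3"}

# Which device owns each transit address, to turn a next-hop IP into a device.
INTERFACES = {"10.255.0.1": "edge", "10.255.0.2": "pfsense",
              "10.255.1.1": "pfsense", "10.255.1.2": "l3switch"}


def build_tables(edge_has_return_route: bool = True) -> dict:
    """Routing table per device: prefix -> next-hop IP or an egress name.

    edge_has_return_route=False reproduces the common cutover mistake of
    forgetting the HQ summary route on the edge router."""
    edge = {"0.0.0.0/0": "isp", EDGE_TRANSIT: "connected", **BRANCHES}
    if edge_has_return_route:
        edge[HQ_SUMMARY] = "10.255.0.2"          # HQ VLANs are now behind pfSense
    pfsense = {"0.0.0.0/0": "10.255.0.1",        # default toward the edge router
               EDGE_TRANSIT: "connected",
               LAN_TRANSIT: "connected",
               HQ_SUMMARY: "10.255.1.2"}         # VLANs are behind the L3 switch
    l3switch = {"0.0.0.0/0": "10.255.1.1",       # default now points at pfSense
                LAN_TRANSIT: "connected",
                **{v: "connected" for v in VLANS}}
    return {"edge": edge, "pfsense": pfsense, "l3switch": l3switch}


def lookup(table: dict, dst: ipaddress.IPv4Address) -> Optional[tuple]:
    """Longest-prefix match; returns (network, next_hop) or None."""
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(tables: dict, start: str, dst_ip: str, max_hops: int = 8) -> list:
    """Follow next hops from the `start` device until the packet is delivered
    to a connected subnet, leaves via the ISP or an IPsec tunnel, or is lost."""
    dst = ipaddress.ip_address(dst_ip)
    device, path = start, [start]
    for _ in range(max_hops):
        hit = lookup(tables[device], dst)
        if hit is None:
            return path + ["blackhole"]
        next_hop = hit[1]
        if next_hop == "connected":
            return path + ["delivered"]
        if next_hop == "isp" or next_hop.startswith("ipsec-"):
            return path + [next_hop]
        device = INTERFACES[next_hop]
        path.append(device)
    return path + ["loop"]


def pfsense_in_both_directions(tables, a_dev, a_ip, b_dev, b_ip) -> bool:
    """Stateful filtering only works if both directions of a flow cross pfSense.
    a_dev/b_dev are the devices the two endpoints hand their packets to."""
    forward = trace(tables, a_dev, b_ip)
    back = trace(tables, b_dev, a_ip)
    return "pfsense" in forward and "pfsense" in back


if __name__ == "__main__":
    good, bad = build_tables(), build_tables(edge_has_return_route=False)
    print("VLAN10 -> site 2:", trace(good, "l3switch", "192.168.2.10"))
    print("site 2 -> VLAN10:", trace(good, "edge", "10.10.10.5"))
    print("VLAN10 -> VLAN20:", trace(good, "l3switch", "10.10.20.7"))
    print("missing summary route, site 2 -> VLAN10:", trace(bad, "edge", "10.10.10.5"))
```

The third trace is the other consequence of this layout: inter-VLAN traffic is delivered by the L3 switch directly and never touches pfSense, so the HQ VLANs are filtered against the internet and the branches but not against each other. The fourth trace shows the missing-summary-route failure: the edge router sends replies for 10.10.10.5 to the ISP, and pfsense_in_both_directions() returns False for that case.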
              Guest

              "I'd like to insert the PFsense as transparently as possible, so that it doesn't take over routing or disrupt our existing network,"

              This could be done if you are bridging ports from the main router or WAN router to the pfSense and from the pfSense to the
              LAN switches. It is also called using the NICs and LAN ports in "promiscuous mode"; then your firewall will be absolutely transparent!

              It would perhaps be better to think about installing a proxy server such as Nginx or Squid are offering.

              "but is still able to filter and block as a firewall."

              If you will not be using or installing strong enough hardware for the pfSense machines, you will often end up with:

              • massive packets loss
              • hard port flapping
              • packet dropping

              "Can anyone assist with where to put the PFsense in the topology and if there are any guides out there for preserving existing VLAN setup and site-to-site tunnels with PFsense?"

              Please read below.

              HQ site: WAN (internet) -> Cisco edge router -> Catalyst Layer 3 switch (does routing and VLANs) -> Catalyst Layer 2 switches -> hosts

              WAN (internet) -> Cisco edge router -> put the pfSense here -> Catalyst Layer 3 switch (does routing and VLANs) -> Catalyst Layer 2 switches -> hosts

              Site 2: WAN (internet) -> Netgear router -> hosts

              WAN (internet) -> Netgear router -> put the pfSense here -> LAN Switch -> hosts

              Site 3: WAN (internet) x 2 -> Peplink Balance router (dual WAN failover) -> hosts

              WAN (internet) x 2 -> Peplink Balance router (dual WAN failover) -> put the pfSense here -> LAN Switch -> hosts

              Please note that the switches and routers in that game must then also support running in promiscuous mode;
              this action is like bridging ports together, and it might also often produce more trouble than it gets you something good.

              Golden network rule: Route where you can and bridge only if you must

                Derelict LAYER 8 Netgate

                Take your Cisco config line-by-line and recreate it on pfSense.

                There is no guide that you will find that will cover this situation. The problem description is not very well communicated. What is currently doing the tunnels? Why do you need to keep the Cisco in-place?

                Something like this:

                [image: pfSense-Layer-3-Switch.png]

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.