Enabling Routing on Cisco 3750 with Virtual PFSense



  • I am in the process of familiarizing myself with the Cisco IOS and have a Cisco 3750 (with routing functionality).  Please see attachment for current working network setup.

    I am trying to enable IP routing on the 3750 and only route internet traffic through to the Virtual PFSense box.  I have successfully set up IP routing and ACLs to prevent VLANs from talking on the switch.  However, I am running into issues determining how to get the switch to forward traffic onto the Virtual PFSense box.  I attempted to utilize RIP between the switch and PFSense, but was only able to get access from VLAN100 (even if shutting off all ACLs) to the PFSense VLAN100 interface.  The other 3 VLANs did not communicate at all.  Can anyone provide any insight as to what may be the issue?

    Thanks in advance.


  • Netgate

    Do this.




  • Thanks for the image.  This makes perfect sense in a physical setup.  However, as I have the PFSense box in a VM and only have 1 NIC attached to the hypervisor, it needs to be a trunk (there are other VMs utilizing VLANs) and therefore has no IP address assigned to it on the switch.



  • Are you sure you have an L3 image on that C3750?
    If yes, do you have "ip routing" set in the config?

    In the "old days" in an L2 image, IOS would only allow one "interface vlan xxx" to be active.
    Even though it allowed more than one "interface vlan" to be defined, it would put the extras in a shutdown state.

    /Bingo


  • Netgate

    So make it a trunk.



  • I do have an L3 image on the switch with IP routing enabled.  Each VLAN interface is configured with an IP and is active.

    The last time I attempted the change I was able to ping the PFSense VLAN100 interface from the switch.  However, I was unable to ping the PFSense VLAN200 or VLAN201 interfaces from the switch.

    Should I still have subinterfaces on the PFSense side, or should it be set up as a single interface instead?


  • Netgate

    Look at the diagram I sent again.

    Either the switch does the routing or the firewall does the routing or it can be a combination of both for different, but not the same, networks/VLANs.

    Look at the transit network and the routes there more closely. Deduce the routing table on each device.

    Look at it and think about the path a packet will take:

    From Host A to Host B

    From Host A to Host C

    From Host A to a host on the Internet (say 8.8.8.8)

    At each hop look at the routes and gateways and determine what will be the next hop for the packet.

    It really does not matter if it is virtual. You will need a VLAN to attach ONLY the transit network interfaces on pfSense and the switch. Whether pfSense needs to be tagged or untagged depends on how you configure the vswitch and the interfaces assigned to the pfsense guest.



  • @pvr2002:

    I am in the process of familiarizing myself with the Cisco IOS and have a Cisco 3750 (with routing functionality).  Please see attachment for current working network setup.

    I am trying to enable IP routing on the 3750 and only route internet traffic through to the Virtual PFSense box.  I have successfully set up IP routing and ACLs to prevent VLANs from talking on the switch.  However, I am running into issues determining how to get the switch to forward traffic onto the Virtual PFSense box.  I attempted to utilize RIP between the switch and PFSense, but was only able to get access from VLAN100 (even if shutting off all ACLs) to the PFSense VLAN100 interface.  The other 3 VLANs did not communicate at all.  Can anyone provide any insight as to what may be the issue?

    Thanks in advance.

    1. Decide whether you want the Cisco switch to route between VLANs and route all the traffic to pfSense through an interconnect network (pink coloured in Derelict's diagram), or (2).

    In case (1) you need to have VLANs created on the L3 switch, assign ports to VLANs, enable IP routing by configuring a routed port on the L3 switch, and a static route on the L3 switch to route all traffic to the transit IP of pfSense. On pfSense you also need to add static routes to all your VLANs through the switch's transit IP address (otherwise routing won't work). In this case you also have to configure a DHCP helper or server on each L3 interface, or use static IP addresses.  Also configure outgoing rules on pfSense to allow traffic. Don't use routing protocols; use them only if you have multiple networks with multiple routers...

    2. Use the L3 switch as an L2 switch (similar to your drawing): create VLANs, assign ports to VLANs, create trunk ports on the L3 switch and on the vSwitch + pfSense, configure VLAN interfaces on pfSense as LAN or WAN (for WAN you also add the gateway IP address), enable DHCP on each interface, enable outgoing rules on each VLAN...

    If you have a small network I would recommend routing all traffic to the pfSense box (2) so you can also inspect inter-VLAN traffic if you wish (from a security perspective).

    Check this topic also: https://forum.pfsense.org/index.php?topic=57239.0

    You can dump ... show run conf

    BR,
    Adrian
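
Derelict's exercise above (deduce the routing table on each device and follow the next hop for Host A to B, to C and to the Internet) and Adrian's option (1) can be worked through in a small model. This is an added example, not code from any poster, Netgate or Cisco; the addressing (VLANs 10.0.100/200/201.0/24, transit VLAN 10.0.255.0/30 with the switch at .1 and pfSense at .2, WAN 203.0.113.0/24 with gateway .1) is constructed, and `build_tables(False)` models the case Adrian warns about, where pfSense has no static routes back to the VLANs.

```python
import ipaddress

# Constructed addressing for the "L3 switch + transit network" design discussed
# in the thread (not taken from any post): VLANs 100/200/201 live on the switch,
# the transit VLAN 10.0.255.0/30 links switch (.1) and pfSense (.2), and the
# pfSense WAN sits in 203.0.113.0/24 with its ISP gateway at .1.
VLANS = ("10.0.100.0/24", "10.0.200.0/24", "10.0.201.0/24")
OWNER = {"10.0.255.1": "switch", "10.0.255.2": "pfsense"}  # who owns a next-hop IP

def build_tables(pfsense_return_routes=True):
    """Per-device routing tables as (prefix, next_hop); next_hop None = connected."""
    switch = [(v, None) for v in VLANS] + [
        ("10.0.255.0/30", None),        # transit SVI
        ("0.0.0.0/0", "10.0.255.2"),    # ip route 0.0.0.0 0.0.0.0 10.0.255.2
    ]
    pfsense = [
        ("10.0.255.0/30", None),
        ("203.0.113.0/24", None),
        ("0.0.0.0/0", "203.0.113.1"),   # WAN gateway
    ]
    if pfsense_return_routes:           # the static routes Adrian says pfSense needs
        pfsense += [(v, "10.0.255.1") for v in VLANS]
    return {"switch": switch, "pfsense": pfsense}

def lookup(table, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, nh = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), nh

def trace(start, dst, tables, max_hops=8):
    """Follow next hops device by device, starting at the first router the packet
    reaches. Ends with 'connected' (delivered onto an attached network), the IP of
    an unmodelled upstream (the ISP), 'no route', or 'loop'."""
    path, device = [], start
    for _ in range(max_hops):
        path.append(device)
        hit = lookup(tables[device], dst)
        if hit is None:
            return path + ["no route"]
        _, nh = hit
        if nh is None:
            return path + ["connected"]
        if nh not in OWNER:
            return path + [nh]          # handed off to a device we do not model
        device = OWNER[nh]
    return path + ["loop"]
```

With the default tables, `trace("switch", "10.0.200.10", t)` shows Host A to Host B never leaving the switch (so pfSense cannot inspect it, which is Adrian's point in favour of option 2), while `trace("pfsense", "10.0.100.10", build_tables(False))` shows an Internet reply being sent out the WAN gateway instead of back to the switch when the return routes are missing.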