Networking Noob needs help connecting SG300 to pfSense



  • Hey guys, first, many thanks to the pfSense community for all the posts & tutorials on building a pfSense firewall.  So far, I am loving it.  But I need some more help… I've tried researching & experimenting with this, but given my novice-level experience and getting easily confused, any direct tips would be helpful.  In addition, when I figure all this out, I'm going to create a write-up of this so that your entry-level noob can do this too.

    So here is what I'm trying to accomplish: Modem to pfSense to SG300-10.  I would like to set up my SG300 to be the VLANs' brain so I can get them to talk to each other later on if I want...  I've created VLANs but cannot get them to communicate with my pfSense.  I would also like the switch to handle auto DHCP assignments for VLAN devices directly plugged in.

    pfsense layout:
    WAN- eth0
    LAN - eth1 (192.168.1.1/24) plugged into port 1 of the SG300
    eth2 & 3 unused.

    SG300:
    VLAN 1 (default) (192.168.1.199)
    VLAN 10 (192.168.10.1) Management
    VLAN 20 (192.168.20.1) Primary
    VLAN 30 (192.168.30.1) Gaming

    I would like port 1 to be the main line between the pfsense and sg300
    port 5 for VLAN 10
    Port 6 for VLAN 20
    Port 7 for VLAN 30

    So this is where I'm stuck at... any tips?  Many, MANY thanks!!!!


  • Netgate

    Do you want the switch to route between the VLANs or do you want it to essentially be a layer 2 switch and let pfSense do the routing between VLANs? Or a combination of both?




  • @Derelict:

    Do you want the switch to route between the VLANs or do you want it to essentially be a layer 2 switch and let pfSense do the routing between VLANs? Or a combination of both?

    I want the switch to do all the routing… at some point, I may need to do a combo for a VPN connection but to not overcomplicate things, I'll just choose not to do it at this point.


  • Netgate

    Then the transit network is what you want. Just one interface to the switch. That image should have everything you need.



  • @Derelict:

    Then the transit network is what you want. Just one interface to the switch. That image should have everything you need.

    Exactly… how do I get there?  This is where I'm getting lost...  So just my LAN port is enough to connect the VLANs? I cannot currently get the VLANs to access the internet.


  • Netgate

    Look at all of the comments. Everything you need to do is there.

    Impossible to say what you have missed out of everything that needs to be done unless you start posting more information about what you have done.


  • Netgate

    And if you plan on putting hosts on LAN you don't want to use LAN as your transit network. Use a small transit network with no other hosts on it to get between the switch and the firewall. Just like in the diagram.



  • Best bet: Did you put your switch in L3 (router) mode already and assigned IPs? Factory setting is L2 (switch) mode.

    …hope I didn't steal the learning curve, though.



  • In L3 mode… And in my original plan, I wasn’t planning on other hosts on the LAN…

    This stuff is getting really complex for me despite usually being able to figure this stuff out.  Again, total noob with all this.  I googled how to set up a transit network with pfSense but I was given a lot of hard-to-understand forum posts.

    In my first post, I explained to the best of my ability what I'm trying to accomplish.  Not trying to be difficult, but I've reread all the comments and I'm still confused.  I really appreciate all the responses, but what other information can I give you to get a clearer understanding of how to proceed?

    Or if there are some better step-by-step suggestions you could point me to, that would help! Many thanks.


  • Netgate

    Create a gateway for the switch. System > Routing, Gateways

    Route the networks behind the switch to that gateway. System > Routing, Static Routes

    Make pfSense the default gateway for the switch. Switch configuration: ip route 0.0.0.0 0.0.0.0 192.168.1.1

    Make sure the LAN rules pass the traffic sourced from all of the downstream networks (the same networks that are routed to the switch). Firewall > Rules, LAN

    Make sure outbound NAT will NAT the traffic out WAN for the downstream networks. Firewall > NAT, Outbound

    (This is all the same information in the boxes in that image. It really is that simple.)
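    The five steps above written out end to end, as an added example configuration that is not from this thread or from Netgate. It keeps the OP's addressing (pfSense LAN 192.168.1.1/24, switch 192.168.1.199 on VLAN 1, VLANs 10/20/30 routed on the switch). The SG300 commands use the Sx300 CLI syntax as I know it and should be checked against the CLI guide for the firmware in use; the pfSense side is GUI-only, so it is given as comments; the DHCP ranges and the "SG300" gateway name are assumptions. Two caveats a practitioner would want stated: in this design the switch is the gateway of every VLAN, so pfSense never sees inter-VLAN traffic and cannot filter it; and, as Derelict says earlier, no other hosts should sit on the 192.168.1.0/24 segment, because a LAN host reaching a VLAN would send through pfSense while the reply comes back directly from the switch, and pfSense's stateful engine drops that asymmetric flow.

```text
! ===== SG300 (layer 3, transit design) =====
! Assumed Sx300 CLI syntax; check it against the CLI guide for your firmware.
! Router mode is a system-wide setting and needs a reboot when changed.
set system mode router
configure
vlan database
 vlan 10,20,30
exit
! VLAN 1 carries the transit/uplink address; pfSense LAN is 192.168.1.1.
interface vlan 1
 ip address 192.168.1.199 255.255.255.0
exit
! Routed interfaces (SVIs): the switch, not pfSense, is the gateway of each
! VLAN, so traffic between 10/20/30 never reaches the pfSense rules.
interface vlan 10
 name Management
 ip address 192.168.10.1 255.255.255.0
exit
interface vlan 20
 name Primary
 ip address 192.168.20.1 255.255.255.0
exit
interface vlan 30
 name Gaming
 ip address 192.168.30.1 255.255.255.0
exit
! Port 1 to pfSense eth1: plain untagged VLAN 1, nothing to tag in this design.
interface gigabitethernet1
 switchport mode access
 switchport access vlan 1
exit
! Ports 5-7: untagged hosts land in one VLAN each.
interface gigabitethernet5
 switchport mode access
 switchport access vlan 10
exit
interface gigabitethernet6
 switchport mode access
 switchport access vlan 20
exit
interface gigabitethernet7
 switchport mode access
 switchport access vlan 30
exit
! Step 3 above: pfSense is the switch's only way out.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
! DHCP served by the switch (only available in router mode); ranges are assumptions.
ip dhcp server
ip dhcp pool network Management
 address low 192.168.10.100 high 192.168.10.199 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.1.1
exit
ip dhcp pool network Primary
 address low 192.168.20.100 high 192.168.20.199 255.255.255.0
 default-router 192.168.20.1
 dns-server 192.168.1.1
exit
ip dhcp pool network Gaming
 address low 192.168.30.100 high 192.168.30.199 255.255.255.0
 default-router 192.168.30.1
 dns-server 192.168.1.1
exit
exit
copy running-config startup-config

! ===== pfSense (GUI; steps 1, 2, 4 and 5 above) =====
! System > Routing > Gateways: add "SG300", interface LAN, gateway 192.168.1.199
! System > Routing > Static Routes: 192.168.10.0/24, 192.168.20.0/24 and
!   192.168.30.0/24, each via gateway SG300
! Firewall > Rules > LAN: the default pass rule has source "LAN net"
!   (192.168.1.0/24) and does NOT match packets from the three /24s; add a
!   pass rule whose source is an alias holding those networks
! Firewall > NAT > Outbound: confirm the three /24s are covered; if they are
!   not, switch to Hybrid and add one rule per network translating out WAN
! Check: Diagnostics > Ping 192.168.20.1 from pfSense proves the static route;
!   a host on port 6 reaching 8.8.8.8 proves the LAN rule and NAT.
```

    The order of the checks matters: if the ping from pfSense to the switch's VLAN 20 address fails, the problem is the gateway or static route, not the rules or NAT, which is the "troubleshoot the two components separately" advice given later in the thread.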


  • Rebel Alliance Global Moderator

    I use a sg300, be happy to post up the actual configs you would use, etc..

    But let's be clear.. You want to do L3 on the SG300.. You want it to route between the VLANs?  This removes pfSense's ability to firewall between segments.  Unless you need the switch bandwidth between the VLANs I would not suggest you do this.  Just let pfSense do all the firewalling and routing and just use the SG300 as a layer 2 switch.  Even if you have it in L3 mode you can still just use it as L2..

    I use mine as just L2; I have no need for a downstream router.. pfSense provides more than enough bandwidth between my segments..  And it's running on an old HP N40L as a VM.. I see about 400mbps between segments..

    So why is it you want L3??  If that is really what you want I can draw up some hold-my-hand, follow-the-bouncing-ball instructions with pictures..  But if you are new to networking and just want the ease of being able to firewall and route all on pfSense I would do it as L2.

    You could then either just use multiple interfaces on pfSense for uplinks (this will increase your available and possible bandwidth between your VLANs vs VLANs on the same physical interface, if you have the ports available on your switch), or you could just trunk everything on 1 port between pfSense and the SG300..

    Let me know and I'd be happy to draw up a "this is how you do it" picture how-to ;)

    The one thing missing out of Derelict's drawing is the L2 and multiple segments..



  • SG300: Port 1: Trunk, PVID1, Port VLAN Membership 1UP,10T,20T,30T
    SG300: Port 5: Trunk, PVID10
    SG300: Port 6: Trunk, PVID20
    SG300: Port 7: Trunk, PVID30
    "Trunk" is the Default setting. You can noodle with this, but Trunk always works….
    SG300: DHCP: The SG300 manual has a pretty good writeup
    SG300 Routing: The SG300 manual has a pretty good writeup

    With the PVID set to 10, for example, any untagged packet ingressing port 5, will be tagged with VLAN 10. This is the KISS way. Keep-It-Stupid-Simple.  However, if your end devices are VLAN-aware, and they can send VLAN tagged packets, you can alternatively leave the PVID at 1 and add Port VLAN Membership of 10T and remove 1UP. All your devices attached to port 5 will need to be configured to tag their packets with VLAN10, and untagged packets will be dropped in this configuration.

    pfSense: Interface: LAN: it looks like you already have this set, this is your Next Hop router or Gateway for your SG300
    pfSense: VLAN: add VLAN10, 20 and 30 to the LAN interface
    pfSense: add the new interfaces under Interface Assignments
    pfSense: Enable but don't add IP addresses and particulars to the new interfaces with the Interface hyperlink, as the SG is handling L3 duties in your scenario

    With 90% confidence, if something isn't working, the problem is the routing/forwarding setup in the Cisco. Troubleshoot the 2 components, SG300 and pfSense, separately.

    You can test to see if pfSense is working by simply assigning your workstation with a 192.168.1.2/24, GW of 192.168.1.1 and 8.8.8.8 as the DNS, and plug it directly into the LAN interface of pfSense. You can also tag your workstation to make sure VLANs work, with the appropriate IP settings and tagging on your workstation and pfSense. pfSense in your desired config is doing very little.

    I agree with johnpoz. You're giving up a lot of pfSense functionality if the SG300 is doing all the heavy lifting in your network. I have a lot of SG300-10s, 20s and 28s in my network, all of them L2, mostly as access devices for TVs, game consoles, Sonos, Tivo devices, labs, etc. spread throughout my home. I aggregate all the SG300s with an HP stackable and use some of its L3 functionality, mostly multicast routing, since pfSense doesn't do that so well. L3 on the SG300 works just fine, but the forwarding performance (the only benefit I can imagine) doesn't outweigh the convenience of a single view, flexibility and management of your network that pfSense can provide. Plus, with the proper application of CPU clock speed, you won't be able to tell the difference between the SG and pfSense packet forwarding performance.

    Your VLAN plan of record is sound, and similar to mine. The fact of the matter is VLANs create an isolated broadcast domain and nothing more. I want to keep my individual VLAN broadcast domains separate UNTIL absolutely required, meaning, until I need to forward a packet from my LAN segment to my Management segment, for example. Otherwise I want all my LAN traffic to stay on my LAN segment without interacting with anything else. The switch in your scenario, is doing the same thing as pfSense - there's really no difference from a functional perspective.

    In my scenario, with pfSense at the core of the network, I can now firewall/filter any packet that shouldn't traverse LAN>MGMT. I have a single DHCP console to manage all DHCP or static IP addressing and don't have to muck around with DHCP on the switch or DHCP Relay. For a GUEST network, which you'll appreciate at some point in time, I can set firewall/DHCP parameters and direct all traffic away from my internal resources. Lots more goodies, flexibility and ease-of-use advantages with pfSense versus any switch. For example, sadly, a lot of consumer-specific devices still utilize UPnP, like it or not. With pfSense, you can at least control where that crap goes, same with Avahi and Zeroconf/Bonjour.


  • Rebel Alliance Global Moderator

    ^ well stated.. When you use a downstream router or L3 switch doing routing, you move the core to that device vs having your edge and core on the same device (pfSense).

    When you let pfSense handle the edge (LAN(s) to internet) and all your inter-VLAN traffic you greatly ease the management of all aspects of your network.  As networkguy mentions, if you just use pfSense as your edge all of your DHCP will have to be done on your SG300 or some other DHCP server, since pfSense cannot provide DHCP (vs relay).  It has to have an interface in the L2 it's going to provide DHCP to.

    Creating rules between your VLANs is going to be much harder to do than just simple firewall rules on pfSense - ACLs are way more complicated to set up than how easy it is to do on pfSense.

    While there are plenty of advantages to letting pfSense do all your routing in your network, I really cannot think of any reason to use a downstream router (L3) in any sort of SMB or home network/lab..  When you're talking 1000's of devices on hundreds of VLANs then sure, this is normally when you would use an L3 switch to handle the heavy lifting of that.. In such a scenario you most often route the traffic of VLANs that need some sort of control between them to your firewall vs handling that sort of stuff with complicated ACLs on the L3..



  • @johnpoz:

    I use a sg300, be happy to post up the actual configs you would use, etc..

    But let's be clear.. You want to do L3 on the SG300.. You want it to route between the VLANs?  This removes pfSense's ability to firewall between segments.  Unless you need the switch bandwidth between the VLANs I would not suggest you do this.  Just let pfSense do all the firewalling and routing and just use the SG300 as a layer 2 switch.  Even if you have it in L3 mode you can still just use it as L2..

    I use mine as just L2; I have no need for a downstream router.. pfSense provides more than enough bandwidth between my segments..  And it's running on an old HP N40L as a VM.. I see about 400mbps between segments..

    So why is it you want L3??  If that is really what you want I can draw up some hold-my-hand, follow-the-bouncing-ball instructions with pictures..  But if you are new to networking and just want the ease of being able to firewall and route all on pfSense I would do it as L2.

    You could then either just use multiple interfaces on pfSense for uplinks (this will increase your available and possible bandwidth between your VLANs vs VLANs on the same physical interface, if you have the ports available on your switch), or you could just trunk everything on 1 port between pfSense and the SG300..

    Let me know and I'd be happy to draw up a "this is how you do it" picture how-to ;)

    The one thing missing out of Derelict's drawing is the L2 and multiple segments..

    @johnpoz:

    ^ well stated.. When you use a downstream router or L3 switch doing routing, you move the core to that device vs having your edge and core on the same device (pfSense).

    When you let pfSense handle the edge (LAN(s) to internet) and all your inter-VLAN traffic you greatly ease the management of all aspects of your network.  As networkguy mentions, if you just use pfSense as your edge all of your DHCP will have to be done on your SG300 or some other DHCP server, since pfSense cannot provide DHCP (vs relay).  It has to have an interface in the L2 it's going to provide DHCP to.

    Creating rules between your VLANs is going to be much harder to do than just simple firewall rules on pfSense - ACLs are way more complicated to set up than how easy it is to do on pfSense.

    While there are plenty of advantages to letting pfSense do all your routing in your network, I really cannot think of any reason to use a downstream router (L3) in any sort of SMB or home network/lab..  When you're talking 1000's of devices on hundreds of VLANs then sure, this is normally when you would use an L3 switch to handle the heavy lifting of that.. In such a scenario you most often route the traffic of VLANs that need some sort of control between them to your firewall vs handling that sort of stuff with complicated ACLs on the L3..

    Wow, thank you for feedback…  OK, you talked me into having pfSense handle the VLANs.  With this being the case, how should I proceed from here? Any noob friendly instructions and/or drawings is beyond appreciated.  Here is my updated VLAN plan:

    pfsense layout:
    WAN- eth0
    LAN - eth1 (192.168.1.1/24) plugged into port 1 of the SG300
    eth2 & 3 unused.

    pfSense:
    VLAN 10 (192.168.10.1/24) Management (Enabled & Setup with DHCP)
    VLAN 20 (192.168.20.1/24) Primary (Enabled & Setup with DHCP)
    VLAN 30 (192.168.30.1/24) Gaming (Enabled & Setup with DHCP)

    SG300:
    VLAN 1 (default) (192.168.1.199/24)
    VLAN 10 (192.168.10.2/24) Management (Already setup)
    VLAN 20 (192.168.20.2/24) Primary (Already setup)
    VLAN 30 (192.168.30.2/24) Gaming (Already setup)
    Port 1 for main connection to pfSense
    port 5 for VLAN 10
    Port 6 for VLAN 20
    Port 7 for VLAN 30

    Thank you!!!!


  • Netgate

    Remove all of the IP addresses from the VLANs on the switch. With those in place the switch will be layer 3 on those VLANs and will route traffic between them. You only need one management IP address on the switch.


  • Rebel Alliance Global Moderator

    Your setup on your SG300 for the port that connects to LAN (eth1) would be a simple trunk port.

    Example
    interface gigabitethernet3
    description "esxi wlan trunk"
    switchport trunk allowed vlan add 100,200,300,500,600
    switchport trunk native vlan 20

    I am not using VLAN 1 for this VLAN interface in pfSense.  I am using VLAN 20 as the native untagged VLAN in my setup.  But you can use 1 there vs the 20 I have.

    You also have ports unused on your pfSense; you could leverage them for VLANs without having to tag.. As long as you have more ports open on your SG300 you could use them for the uplinks to pfSense for those VLANs/networks.

    What are you going to use VLAN 1 for exactly?  Is this going to be the VLAN you use to manage your switch?  Why do you have 10/24 stated as being management?
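    The layer 2 design that networkguy's port list (port 1 trunk, ports 5-7 with PVID 10/20/30, pfSense VLANs on eth1) and johnpoz's trunk snippet describe, written out as one added example; it is not a config posted by either of them. The SG300 commands use the Sx300 CLI syntax as I know it and should be checked against the CLI guide for your firmware; the pfSense parts are GUI and appear as comments; the DHCP ranges and the sample Gaming policy are assumptions. Addressing follows the OP's updated plan with one change that is Derelict's "one management IP" condition: pfSense owns 192.168.10.1, .20.1 and .30.1 on VLAN sub-interfaces of eth1, and the switch keeps only its VLAN 1 address. With no routed interface on 10/20/30 the switch has no way to forward between them, so every inter-VLAN packet crosses the trunk and is subject to the pfSense rules.

```text
! ===== SG300 (layer 2 only) =====
! Assumed Sx300 CLI syntax; check it against the CLI guide for your firmware.
! Works in either system mode, as long as VLAN 1 is the only VLAN with an IP.
configure
vlan database
 vlan 10,20,30
exit
! The only address on the switch: management, on VLAN 1 (= pfSense LAN subnet).
interface vlan 1
 ip address 192.168.1.199 255.255.255.0
exit
! Switch mode uses ip default-gateway; in router mode use
! "ip route 0.0.0.0 0.0.0.0 192.168.1.1" instead.
ip default-gateway 192.168.1.1
! Port 1: trunk to pfSense eth1. VLAN 1 untagged (matches the pfSense LAN
! interface), 10/20/30 tagged (match the VLAN sub-interfaces on eth1).
interface gigabitethernet1
 description "pfSense eth1 trunk"
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 10,20,30
exit
! Ports 5-7: access ports, one VLAN each; untagged host frames get that VLAN.
! (The "Trunk + PVID" per port in the earlier post behaves the same for
! untagged hosts.)
interface gigabitethernet5
 switchport mode access
 switchport access vlan 10
exit
interface gigabitethernet6
 switchport mode access
 switchport access vlan 20
exit
interface gigabitethernet7
 switchport mode access
 switchport access vlan 30
exit
exit
! Sanity check: "show ip interface" must list vlan 1 only. Any address on
! vlan 10/20/30 turns the switch back into an inter-VLAN router that
! bypasses the firewall.
copy running-config startup-config

! ===== pfSense (GUI) =====
! Interfaces > Assignments > VLANs: tags 10, 20, 30 with parent eth1
! Interfaces > Assignments: add eth1.10 / eth1.20 / eth1.30, then on each:
!   Enable, static IPv4 192.168.10.1/24, 192.168.20.1/24, 192.168.30.1/24
! Services > DHCP Server: enable on each new interface (e.g. .100 to .199)
! Firewall > Rules: the new tabs start empty, so everything from those VLANs
!   is blocked until you add rules. Example policy for the Gaming tab:
!   1) block IPv4 any, destination = alias of 192.168.1.0/24,
!      192.168.10.0/24, 192.168.20.0/24
!   2) pass IPv4 any, source Gaming net, destination any
!   Gaming reaches the internet but never Management, Primary or LAN.
! Nothing to add under Static Routes or Outbound NAT: pfSense is directly
!   attached to every subnet, so automatic outbound NAT already covers them.
! Check: a host on port 7 gets a 192.168.30.x lease from pfSense, can ping
!   192.168.30.1, and cannot ping 192.168.10.1.
```

    If you later want the switch's management address in VLAN 10 instead of VLAN 1, as johnpoz's question hints, move the single ip address line from interface vlan 1 to interface vlan 10 and point ip default-gateway at 192.168.10.1; the rule stays the same: exactly one VLAN on the switch carries an address.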



  • @Derelict:

    Remove all of the IP addresses from the VLANs on the switch. With those in place the switch will be layer 3 on those VLANs and will route traffic between them. You only need one management IP address on the switch.

    Done.

    @johnpoz:

    Your setup on your SG300 for the port that connects to LAN (eth1) would be a simple trunk port.

    Example
    interface gigabitethernet3
    description "esxi wlan trunk"
    switchport trunk allowed vlan add 100,200,300,500,600
    switchport trunk native vlan 20

    I am not using VLAN 1 for this VLAN interface in pfSense.  I am using VLAN 20 as the native untagged VLAN in my setup.  But you can use 1 there vs the 20 I have.

    You also have ports unused on your pfSense; you could leverage them for VLANs without having to tag.. As long as you have more ports open on your SG300 you could use them for the uplinks to pfSense for those VLANs/networks.

    What are you going to use VLAN 1 for exactly?  Is this going to be the VLAN you use to manage your switch?  Why do you have 10/24 stated as being management?

    No idea… so if I get rid of VLAN 1, what IP address will I use to connect to the switch?  10/24 isn't the preferred method?  I'm going into this pretty much dumb as a mule. How do you have yours set up?