PfSense plus L2 Cisco SG200 - VLAN routing on pfSense / Transit Network Help



  • Thanks to the support from the pfSense gurus on this forum, I managed to set up a pfSense and a Layer 3 Cisco SG300-28 where the VLAN routing was done by the SG300.

    Now I would like to test out pfSense with a Layer 2 SG200, where the VLAN routing will be done in pfSense. When designing the layout, I have several questions regarding the VLANs and the transit network.

    Background Info

    • ISP connection > Bell Fibre internet via PPPoE pass-through (Bell is using VLAN 35 for its internet). Fiber GPON connects to a TP-Link MC220L media converter
      -  Bell > MC220L > pfSense WAN  > pfSense LAN
      -  pfSense WAN > em0_VLAN35 (network type = pppoe)
      -  pfSense interfaces > several VLANs below
        * WANpppoe (em0_vlan35 with pppoe)
        * LAN_VLAN199 (/29 subnet, 192.168.99.2 on pfSense)
        * LAN (re0)
        * LAN_VLAN10 (ESX VM Mgmt Kernel)
        * LAN_VLAN20 (ESX VM Network)
        * LAN_VLAN30 (ESX vMotion)
        * LAN_VLAN60 (ESX iSCSI)
    • FW Rules
          * VLAN 10, 20, 30, 60 are allowed to communicate with each other
          * LAN has a rule to allow source 192.168.99.1 to destination 192.168.99.2
    • Cisco SG200 (8 port) setup
          * P1 - trunk 10,20,30,60,199 (tagged) - connected to pfSense re0
          * P2 - trunk 10,20,30,199 (tagged) - connected to ESX1 vnic 0 (mgmt, vm)
          * P3 - trunk 10,20,30,199 (tagged) - connected to ESX2 vnic 0 (mgmt, vm)
          * P4 - access 60 (untagged) - connected to ESX1 vnic1 (iSCSI)
          * P5 - access 60 (untagged) - connected to ESX2 vnic1 (iSCSI)
          * P6 - access 60 (untagged) - connected to iSCSI box 1
          * P7 - access 60 (untagged) - connected to iSCSI box 2
          * P8 - trunk 10,20,30,60,199 (tagged) - connected to testing laptop

    Questions

    • Transit Network (VLAN 199)
        * In the previous L3 SG300 setup, one end (192.168.99.2) is on pfSense; the other end (192.168.99.1) is the VLAN gateway residing in the SG300.
        * Since the SG200 is not an L3 switch, when creating a VLAN in the SG200 I only need to provide the VLAN number; no IP is assigned to the VLAN. What should I do in this case?
          trunk 10,20,30,60,199 (tagged)
        * Does the transit network work with only one IP (192.168.199.2) assigned to LAN_VLAN199?

    • FW rules
        * Is the above good enough? Are any other rules required?
        * Does each VLAN (10,20,30,60) need a rule to allow 192.168.99.1 to 99.2 (transit network)?

    • SG200
        * Any issues with this layout?

    Many Thanks,



  • Thanks to the support from the pfSense gurus on this forum, I managed to set up a pfSense and a Layer 3 Cisco SG300-28 where the VLAN routing was done by the SG300.

    With a Layer 3 switch you will be using or needing a transfer net to get it working at its best.

    Now I would like to test out pfSense with a Layer 2 SG200, where the VLAN routing will be done in pfSense. When designing the layout, I have several questions regarding the VLANs and the transit network.

    By using a Layer 2 switch you will not be needing a transfer net; you will be leading those VLANs tagged to the pfSense box,
    and pfSense must then route between the VLANs itself.



  • @BlueKobold:

    By using a Layer 2 switch you will not be needing a transfer net; you will be leading those VLANs tagged to the pfSense box,
    and pfSense must then route between the VLANs itself.

    Last night, using the transit network (VLAN 199), my device on VLAN 20 could access the internet. The problem is that VLAN 20 can't reach VLAN 30, although in the firewall rules every VLAN has rules to allow * to * communication on all ports and protocols. VLAN 20 can reach VLAN 60.

    I will try to remove VLAN 199 (transit network) since it is not required in the Layer 2 scenario. I still need help on the VLAN routing. Are rules in the firewall enough, or do I need to create a gateway or static route under Routing? Any previous posts which could help me out are also welcome.

    Thanks,


  • LAYER 8 Global Moderator

    "Are rules in the firewall enough, or do I need to create a gateway or static route under Routing?"

    If the networks are attached directly to pfSense then it already knows about the routing. All you have to do is allow the rules you want to allow for inter-VLAN traffic.
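The moderator's point above (directly attached VLAN subnets need no static routes; only the per-interface firewall rules decide what passes) in a small Python model. This is an added example, not code from the thread or from pfSense; the only subnet taken from the thread is 192.168.99.0/29 for VLAN 199, the other subnets and the per-interface rule lists are constructed placeholders.

```python
import ipaddress

# pfSense VLAN sub-interfaces on re0 (trunk from SG200 port 1). Only the
# 192.168.99.0/29 transit subnet comes from the thread; the other subnets
# are constructed placeholders for this example.
INTERFACES = {
    "LAN_VLAN10": ipaddress.ip_network("10.0.10.0/24"),    # constructed
    "LAN_VLAN20": ipaddress.ip_network("10.0.20.0/24"),    # constructed
    "LAN_VLAN30": ipaddress.ip_network("10.0.30.0/24"),    # constructed
    "LAN_VLAN60": ipaddress.ip_network("10.0.60.0/24"),    # constructed
    "LAN_VLAN199": ipaddress.ip_network("192.168.99.0/29"),
}

# Per-interface rules, pf-style: (action, source, destination), each field
# "any" or a host/network string. Rules are evaluated on the interface the
# packet ENTERS pfSense on; first match wins, unmatched traffic is denied.
RULES = {
    "LAN_VLAN10": [("pass", "any", "any")],
    "LAN_VLAN20": [("pass", "any", "any")],
    "LAN_VLAN30": [("pass", "any", "any")],
    "LAN_VLAN60": [("pass", "any", "any")],
    "LAN_VLAN199": [("pass", "192.168.99.1", "192.168.99.2")],
}

def route_lookup(addr):
    """Return the interface whose directly connected subnet holds addr.
    Connected routes exist as soon as an interface has an address, so
    inter-VLAN traffic needs no static route or gateway entry."""
    ip = ipaddress.ip_address(addr)
    for ifname, net in INTERFACES.items():
        if ip in net:
            return ifname
    return None  # not local: would follow the default route out the WAN

def _matches(rule_field, addr):
    return rule_field == "any" or \
        ipaddress.ip_address(addr) in ipaddress.ip_network(rule_field, strict=False)

def forward(src, dst):
    """Simulate pfSense handling one packet from src to dst."""
    ingress = route_lookup(src)
    if ingress is None:
        return "drop: source is not on any pfSense interface"
    for action, rsrc, rdst in RULES.get(ingress, []):
        if _matches(rsrc, src) and _matches(rdst, dst):
            return f"{action} via {route_lookup(dst) or 'WAN'}"
    return "block: no matching rule on " + ingress

if __name__ == "__main__":
    print(forward("10.0.20.5", "10.0.30.7"))      # VLAN 20 -> VLAN 30
    print(forward("192.168.99.4", "10.0.10.9"))   # transit host with no rule
```

Only the rule list of the ingress VLAN is consulted, so a VLAN whose rules are too narrow (like the transit /29 here) is blocked even though the destination is directly connected.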



  • You guys rock! Big Thanks to you all!

    No transit network this time. No static route. Only Firewall rules.

    Currently VM mgmt and iSCSI work fine. Will try VM and vMotion later.

    Have a great Thanksgiving, pfSense guru!



  • All VLANs are working fine as expected. It is all about the firewall rule settings.

