Intervlan between mixed layer 2 and layer 3 switches



  • My layer 3 switch is all set up, but it does not do policy based routing. I need to separate vlans so that some will use isp1 and others will use isp2. This is done by using an additional layer 2 switch and pfsense as router.

    Now the internet connection is sorted out, my problem is connecting vlans on the layer 2 switch with the vlans on the layer 3 switch.

    How do I connect vlans (192.168.2.2) on a L2 switch with routes to isp1 to vlans (172.16.3.2) on L3 with routes to isp2?

    L2 switch
    pfsense wan connected to isp1
    pfsense lan 192.168.2.254/24 connect to vlan2 access port
    L2 host 192.168.2.2 gateway 192.168.2.254 (pfsense)

    L3 switch
    vlan99 subnet 172.16.99.0/30 is transit vlan
    vlan99 default route 172.16.99.1 connected to isp2
    vlan3 subnet 172.16.3.0/24
    vlan3 management interface 172.16.3.254/24
    L3 host 172.16.3.2 gateway 172.16.3.254 connected to vlan3 access port


  • Rebel Alliance Global Moderator

    Why would you not connect both ISPs to pfsense - let it do the policy routing of who goes to what isp.

    Your downstream networks would be connected via transit network to pfsense.



  • @johnpoz:

    Why would you not connect both ISPs to pfsense - let it do the policy routing of who goes to what isp.

    Your downstream networks would be connected via transit network to pfsense.

    Thank you for your help. Your solution is definitely the right way to proceed. Please let me know if you have alternative solutions using the mixed L2 L3 switches scenario so I can test them before the do over.



  • I tried adding an opt interface as 172.16.3.1/24 in pfsense on the L2 switch and plugged it in a vlan3 access port on the L3 switch. Now vlan2 (192.168.2.0/24) and vlan3 (172.16.3.0/24) hosts can ping. They also have access to dns and management web on vlan2 (192.168.2.254) and vlan3 (172.16.3.254). Unfortunately, other services like ssh between 192.168.2.2 and 172.16.3.2 are unstable or not working at all.

    Any idea?


  • Rebel Alliance Global Moderator

    Draw up what you did…

    Here is a nice drawing Derelict has used multiple times showing both layer 3 and layer 2 together; no reason for me to redraw it.

    Please draw your setup so we can see what you could be doing wrong. My guess is asymmetrical.



  • Nice drawing. My situation differs in that 172.26.1.1/29 is connected to another router that I do not control. Also, that router is connected to an isp that pfSense has no connection to. It would be great if Host A and Host C can connect within these constraints.



  • Rebel Alliance Global Moderator

    "that router is connected to an isp that pfSense has no connection to"

    Well then you're kind of screwed. Can you share routing protocols with that router that is downstream? If not, even if you send traffic to it from pfsense, those clients would just send traffic out the default gateway since it has no route back. You would have to source nat all your traffic from your downstream to look like it's on the transit network.
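To make the "no route back" point concrete, here is an added example (not from the thread or from pfSense) that models the routing tables described above and traces a host A (192.168.2.2) to host C (172.16.3.2) round trip with and without outbound NAT on pfSense. It assumes pfSense's OPT interface is 172.16.3.1/24 on a vlan3 access port and that pfSense and the L3 switch exchange no routes.

```python
import ipaddress
# Constructed model of the thread's topology (assumptions: pfSense's OPT1 interface is
# 172.16.3.1/24 patched into a vlan3 access port, and pfSense and the L3 switch
# exchange no routes). Table rows are (prefix, next hop, or None when on-link).
TABLES = {
    "hostA":    [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.254")],
    "pfsense":  [("192.168.2.0/24", None), ("172.16.3.0/24", None), ("0.0.0.0/0", "isp1")],
    "hostC":    [("172.16.3.0/24", None), ("0.0.0.0/0", "172.16.3.254")],
    "l3switch": [("172.16.3.0/24", None), ("172.16.99.0/30", None), ("0.0.0.0/0", "172.16.99.1")],
}
# Device that owns each address; ISPs have no table and act as sinks.
OWNER = {"192.168.2.2": "hostA", "192.168.2.254": "pfsense", "172.16.3.1": "pfsense",
         "172.16.3.2": "hostC", "172.16.3.254": "l3switch", "172.16.99.1": "isp2"}
DOWNSTREAM = ipaddress.ip_network("192.168.2.0/24")
NAT_ADDR = "172.16.3.1"      # pfSense OPT1 address used for outbound NAT (assumption)

def next_hop(node, dst):
    """Longest-prefix match in node's table; returns the next device's name."""
    ip = ipaddress.ip_address(dst)
    best = max((r for r in TABLES[node] if ip in ipaddress.ip_network(r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    hop = best[1] or dst                       # on-link: hand straight to dst
    return OWNER.get(hop, hop)                 # unowned address => sink (ISP)

def trace(src_ip, dst_ip, snat=False):
    """Hop-by-hop device list from src_ip's owner towards dst_ip, plus the source
    address the destination finally sees (pfSense rewrites it when snat=True)."""
    node, seen_src = OWNER[src_ip], src_ip
    path = [node]
    while node in TABLES and OWNER.get(dst_ip) != node:
        if node == "pfsense" and snat and ipaddress.ip_address(seen_src) in DOWNSTREAM:
            seen_src = NAT_ADDR                # outbound NAT on OPT1
        node = next_hop(node, dst_ip)
        path.append(node)
    return path, seen_src

def round_trip(src_ip, dst_ip, snat=False):
    """Return (forward path, reply path). The reply is sent to whatever source the
    peer saw; if that is pfSense's NAT address, pfSense un-NATs and forwards it."""
    fwd, seen_src = trace(src_ip, dst_ip, snat)
    rep, _ = trace(dst_ip, seen_src)
    if rep[-1] == "pfsense" and seen_src != src_ip:
        rep += trace(seen_src, src_ip)[0][1:]  # continue from pfSense to the real source
    return fwd, rep

def is_symmetric(src_ip, dst_ip, snat=False):
    fwd, rep = round_trip(src_ip, dst_ip, snat)
    return rep == fwd[::-1]
```

Without NAT the reply from host C follows the L3 switch's default route to isp2 and never reaches pfSense; with NAT host C answers 172.16.3.1 on-link and the path is symmetric. Sessions initiated from the 172.16.3.0/24 side still leave via isp2, so NAT only helps for connections originating downstream.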