Pfsense configuration with Layer3 Switch

Sonicpat2018 · Aug 15, 2018, 8:38 PM

HI, I am struggling at configuring the network with the following configuration and would like to have some expert advise on how to do it. What I am trying to do:

Pfsense as Firewall with two interfaces Wan and Lan

Lan interface will be on an admin vlan Id 4090 with 192.168.2.1 adress
Ubiquiti Edgemax 48 will be the main switch on same admin vlan 4090 with address 192.168.2.2

Others vlans will be the following:

Vlan 2: 192.168.0.0 /24
Vlan 3: 10.0.10.0 /24

The vlan routing will be done by the Ubiquiti switch but all the internet traffic will have to pass trought the Pfsense.

Actually, all the vlan can ping each others but none of them, except the 4090 is able to reach the pfsense.
Does anyone have an exemple on how to configure the pfsense for that kind of scenario.
Thanks in advance!

gjaltemba · Aug 15, 2018, 10:29 PM

Do you have the following?

default route to pfsense 192.168.2.1 on switch

static routes for vlan2 192.168.0.0 subnet and vlan3 10.0.10.0 subnet via 192.168.2.2 on pfsense

Sonicpat2018 · Aug 16, 2018, 3:49 PM

Hi gjaltemba and thanks for the reply.

I have done the change as you suggested but I'm still unbale to reach the pfsense from vlan2 and vlan3
From pfsense, I am able to ping computers on the 2 vlans.

Is it normal?

johnpoz · Aug 16, 2018, 4:02 PM

So your transit vlan is your admin vlan.. I wouldn't do it that way - Unless the only device(s) on this transit network are going to "admin" other devices connected to the transit network. If something on your admin/transit network needs to talk to something on a downstream vlan your going to run into asymmetrical routing unless you do routing on the admin device.

As to your downstream vlans getting to pfsense - what is the firewall rules on your transit interface, does pfsense have gateway setup and route(s) to these downstream networks?

To be honest, if you have to ask such questions then maybe downstream router is a bit beyond your current skillset and you might have an easier time with just letting pfsense be your firewall/router for both your edge and vlans. Just use your switch as layer 2 - let pfsense handle all the layer 3.

Do these 2 vlans need full wire speed between them, do a lot of devices on the vlans talk to each other all the time? Or is this traffic wanting to be limited/firewalled? Unless you have need of high speed traffic flow between your vlans and pfsense can not handle it - it is is far easier to just do all your layer 3 at pfsense even if your core/main switch is layer 3 capable.

Sonicpat2018 · Aug 16, 2018, 4:09 PM

HI johnpoz, I think you are totally right about my skills!!!!

The need of vlan segmentation is more for security purpose than speed, so I think I will let Pfsense do all the routing task.

Thanks

johnpoz · Aug 16, 2018, 4:18 PM

It will make it far easier to firewall between the segments that is for sure. If your box running pfsense has multiple physical interfaces you can use uplinks per vlan from your switch vs even having to do tagging. This would eliminate any hairpin traffic for intervlan traffic.

How many physical interfaces does your pfsense box have? How many ports does your switch have open that could be used for uplinks?

You really only see downstream routers come into play when the network grows beyond a certain point, or the need for high speed flow between vlans is more important than security between the vlans.. Or you have so many freaking vlans that is harder to manage them on the firewall at the edge..

I have been doing this for like 30 years.. I deal with complex layer 2 and 3 networks in large DataCenters and customer networks. My switches at home are both layer 3 capable (cisco sg300).. I only use them as layer 2 because my home network has zero need for that sort of layering at layer 3 - pfsense is more than capable of routing between the vlans, and full speeds, etc.

Sonicpat2018 · Aug 16, 2018, 5:18 PM

I have a brand new XG-7100U box with 8 interfaces.
The network is about 60 computers and another 50 phones on the wifi.
The businness plan to grow about the double in the next 2 years.
I just wanted to isolate 2 different lan traffic plus the Guest WIFI.
I think as you said that the Pfsense box will pretty easyly handle all the traffic without any speed issue.
I was planning to implement SQID as proxy soon too.

Thanks you very much for your light!

johnpoz · Aug 16, 2018, 5:22 PM

@sonicpat2018 said in Pfsense configuration with Layer3 Switch:

XG-7100U

Are you using the sfp+ ports? Or just port on the switch.

Sonicpat2018 · Aug 16, 2018, 5:24 PM

only ports

johnpoz · Aug 16, 2018, 5:52 PM

Do you plan on using them at some time in the future at only 1 gig? I recall some threads I believe where they only work at 10ge.. People had to send their units in, or replace them or something.. Will try to find the thread in question.

But sure your switch ports will be fine as uplinks for your 2 vlans, etc.

Here is atleast 1 of the threads I remember
https://forum.netgate.com/topic/131725/xg-7100-sfp-module-1gbps

gjaltemba · Aug 16, 2018, 7:18 PM

@sonicpat2018
Also need pass rules on lan interface for subnets 192.168.0.0 and 10.0.10.0

Sonicpat2018 · Aug 16, 2018, 8:26 PM

Ok now I tried to reconfigure the pfsense from scratch and experiment another problem when I try to assign interface to vlan 2 and 3

The only interface availlable is the Lagg0 wich is the switch for ethernet port 2-8.
I am pretty confused about this setup.
How would I be able to dedicate a single port to a specific vlan without having the ability to choose one?

Thanks

johnpoz · Aug 16, 2018, 8:31 PM

why do you have a lagg setup?

But sure you can assign your vlans to a lag.. Or you can assign your switch ports to different vlans.

Sonicpat2018 · Aug 20, 2018, 1:32 PM

The pfsense unit came with this setup by default
Lagg1 for WAN with vlan 4090
Lagg0 for LAN with vlan 4091

I tried to assign the switch ports to different vlan, but i am unable to communicate between vlans.

Does anyone know about documentation on how to configure pfsense hardware with internal switch configuration in vlan?

Thanks

pfSenseTest · Aug 20, 2018, 1:47 PM

@sonicpat2018 said in Pfsense configuration with Layer3 Switch:

The pfsense unit came with this setup by default
Lagg1 for WAN with vlan 4090
Lagg0 for LAN with vlan 4091

This is incorrect according to the documentation...
https://www.netgate.com/docs/pfsense/solutions/xg-7100/switch-overview.html

Sonicpat2018 · Aug 20, 2018, 2:00 PM

Sorry you arre right, configuration reflecting LAGG0 with different vlan for WAn and LAN.

But the point is that with vlan configured other than default one EX: Vlan 3 : 10.0.10.0 /24 I am not able to ping the gateway in this vlan.

I configured the Vlan 3 by tagging port 9 and 10 in the menu:
interfaces / switch / Vlans
And add port 4, untaggged as it is the port I plan to use for this network.

But I am still unable to ping the gateway in the vlan3

Sonicpat2018 · Aug 20, 2018, 8:52 PM

Now everything is working correctly on the pfsense for Vlan routing.
It was firewall issues.
I am facing a problem where I am unable to isolate vlan on particular port on the ubiquiti Switch.
Vlan are isolating well on the Pfesense interface but I am unable to tag ports on the Edgeswitch.
Does anyone have exemple of a working setup with a pfsense Vlan routing and a Ubiquiti Edgeswitch only in vlan aware mode?

Thanks

Derelict · Aug 21, 2018, 3:20 PM

What does UBNT mean when they say "VLAN aware" mode.

Tag the VLANs on a port on the XG-7100 switch.

Tag the VLANs on a port on the UBNT switch.

Cross-connect them.