Layer 3 switch to pfsense



  • Hi,

    I have a layer 3 switch with a lot of VLANs, addresses 10.30.x.x/24.
    The switch has IP 10.30.3.254.

    pfSense has 10.30.3.1.

    Internet from all hosts works fine, but I also have an IPsec tunnel to network 10.40.0.0/16.
    The tunnel is up and I can ping from 10.40.x.x to 10.20.3.254, but I cannot reach all the other networks. From the pfSense LAN interface I can reach all networks.

    I have added a static route 10.40.0.0/16 GW 10.30.3.254.

    Can anybody help me?

    Thanks
    Wolfgang


  • LAYER 8 Moderator

    Why have you added

    > I have added a static route 10.40.0.0/16 GW 10.30.3.254.

    and routed it to the switch instead of pfSense? Also I don't understand how those 10.30.x.x/24 networks are set up. Do they all have the switch .3.254 as their default gateway (or the switch's corresponding gateway IP in that subnet) or is pfSense the gateway in every 10.30.x network?

    Also, how is your phase 2 IPsec on pfSense defined? 10.40.0.0/16 is the remote location. Did you use 10.30.0.0/16 as the local network so the other side can reach all 10.30.x networks?
    Do your firewall rules match that?

    If your switch on the 10.30.x.x network segment is the default GW for every VLAN, then it needs a route for 10.40.0.0/16 pointing to pfSense on 10.30.3.1 so it can direct the traffic the right way to its VPN gateway.

    Greets



  • Hello,
    thanks for reply.

    All networks on the L3 switch have gateways 10.30.x.254/24, and all traffic for unknown nets is routed to the default GW 10.30.3.1/24.

    The tunnel is created with P2 10.30.0.0/16 and 10.40.0.0/16.

    I think the firewall rules are ok.

    Thanks

    Wolfgang


  • LAYER 8 Moderator

    @wolfgangbucher said in Layer 3 switch to pfsense:

    > All networks on the L3 switch have gateways 10.30.x.254/24, and all traffic for unknown nets is routed to the default GW 10.30.3.1/24.

    OK, if all 10.30.x.y networks have their gateway on 10.30.x.254 and this is the switch you were talking about, then your switch needs the 10.40.0.0/16 rule to route it to pfSense.



  • Hi,
    I found the mistake: it was a misconfigured tunnel. I had "LAN net" as the source, changed it to 10.30.0.0/16 and now it's working.

    Thanks for spending time on this.

    Cheers

    Wolfgang
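Added example (not part of the thread, and not pfSense code): a small Python model of the two decisions that decided this case, the switch's longest-prefix route lookup and the IPsec phase 2 selector check on pfSense. The addresses (VLANs 10.30.1/2/3/5.0/24, switch at .254, pfSense LAN at 10.30.3.1, remote site 10.40.0.0/16) are constructed from the thread; host addresses such as 10.40.1.1 and 10.30.5.10 are assumed. It reproduces the symptom (only 10.30.3.x reachable while P2 local is "LAN net" = 10.30.3.0/24) and the fix (P2 local 10.30.0.0/16), and also shows the moderator's point that the switch must have some route, default or specific, that sends 10.40.0.0/16 back to pfSense.

```python
import ipaddress

# Constructed addressing from the thread (no live devices involved).
PFSENSE_LAN = "10.30.3.1"       # pfSense LAN address, the VPN gateway
SWITCH_LAN_IF = "10.30.3.254"   # L3 switch interface in the pfSense VLAN
VLANS = ["10.30.1.0/24", "10.30.2.0/24", "10.30.3.0/24", "10.30.5.0/24"]
REMOTE_SITE = "10.40.0.0/16"

# Phase 2 as first configured ("LAN net" = the pfSense LAN subnet only) and as fixed.
P2_LAN_NET = {"local": "10.30.3.0/24", "remote": REMOTE_SITE}
P2_FIXED = {"local": "10.30.0.0/16", "remote": REMOTE_SITE}


def lookup_route(routes, dst):
    """Longest-prefix match. routes: list of (prefix, next_hop); 'connected' = attached."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def switch_routes(extra=(("0.0.0.0/0", PFSENSE_LAN),)):
    """The switch owns every VLAN; by default unknown destinations go to pfSense."""
    return [(v, "connected") for v in VLANS] + list(extra)


def pfsense_routes():
    """pfSense sits in 10.30.3.0/24 and reaches the other VLANs via the switch."""
    return [("10.30.3.0/24", "connected"), ("10.30.0.0/16", SWITCH_LAN_IF)]


def selector_matches(phase2, src, dst):
    """IPsec SPD check: the tunnel carries a packet only if src/dst fall inside the
    local/remote pair (either direction). Anything else never enters the tunnel."""
    local = ipaddress.ip_network(phase2["local"])
    remote = ipaddress.ip_network(phase2["remote"])
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in local and d in remote) or (s in remote and d in local)


def trace_remote_to_vlan(phase2, src, dst, switch_rt=None):
    """Walk a packet from the 10.40.x.x site to a 10.30.x.x host and its reply back.
    Returns (reachable, steps) so the failure point is visible."""
    switch_rt = switch_routes() if switch_rt is None else switch_rt
    steps = []
    # 1. Inbound: the peer only tunnels dst if the negotiated selectors cover it.
    if not selector_matches(phase2, src, dst):
        steps.append(f"{src}->{dst}: no phase 2 selector covers it, never enters tunnel")
        return False, steps
    steps.append(f"{src}->{dst}: decrypted on pfSense (P2 {phase2['local']} <-> {phase2['remote']})")
    # 2. pfSense forwards toward the VLAN (directly, or via the switch).
    nh = lookup_route(pfsense_routes(), dst)
    if nh is None:
        steps.append(f"pfSense has no route to {dst}")
        return False, steps
    steps.append(f"pfSense forwards {dst} via {nh}")
    # 3. Reply: the host's gateway is the switch, which must route 10.40.x.x to pfSense.
    reply_nh = lookup_route(switch_rt, src)
    steps.append(f"reply {dst}->{src}: switch next hop {reply_nh}")
    if reply_nh != PFSENSE_LAN:
        steps.append("reply never reaches pfSense (switch lacks a route to the VPN gateway)")
        return False, steps
    if not selector_matches(phase2, dst, src):
        steps.append("reply reaches pfSense but matches no phase 2 selector")
        return False, steps
    steps.append("reply encrypted into tunnel")
    return True, steps


if __name__ == "__main__":
    for label, p2 in (("LAN net", P2_LAN_NET), ("10.30.0.0/16", P2_FIXED)):
        for dst in (SWITCH_LAN_IF, "10.30.5.10"):
            ok, steps = trace_remote_to_vlan(p2, "10.40.1.1", dst)
            print(f"[P2 local={label}] 10.40.1.1 -> {dst}: {'OK' if ok else 'FAIL'}")
            for s in steps:
                print("   ", s)
    # Moderator's point: without any route back to pfSense, even the fixed P2 fails.
    no_default = switch_routes(extra=())
    print(trace_remote_to_vlan(P2_FIXED, "10.40.1.1", "10.30.5.10", no_default)[0])
```

The symptom in the thread is the first selector check: with "LAN net" as the local network, 10.30.5.10 is outside 10.30.3.0/24, so the remote peer never puts that packet into the tunnel and pfSense would not accept it if it did. The switch part only matters once that is fixed: its existing default route to 10.30.3.1 already covers 10.40.0.0/16, and a specific 10.40.0.0/16 route to pfSense works just as well.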

