General (port based VLAN)



  • Hi, I have been trying to make a project for my network utilizing a layer 3 switch and pfSense. In my current setup I have a repurposed McAfee WG4500 (Intel SR3420GPRX motherboard) appliance set up with PF; it came with 5x 1GbE and I added another 4-port slim Intel NIC for a total of 1x WAN and 8x LAN (because I can). I also have dedicated switches for each of these LANs, including one that is layer 3 (please!!! don't worry about my electric bill). I decided on using the layer 3 switch in a port-based VLAN manner because I have the ports on the router/firewall and the switches. If needed I can send pics, or you can go here to see my mishmash. At this point my concern is only PF and the layer 3 switch.

    Hardware is: Repurposed McAfee 1x WAN 8x LAN, Layer 3 switch: Netgear GSM7324

    Finally, what I want to do is connect all the LAN ports from PF to the layer 3 switch which will have a group of two ports for each subnet one from PF to switch (in) and the other out to the "access switches". I'm sure no one does anything like this but I wanted to see what everyone thought about it. If I need to explain in more detail just ask.

    To alleviate some of the questions
    Confused - Just ask to explain what you need help with. This only sounds good in my head.
    Why would I do this - because I can, and I have the equipment
    Electric bill - Again don't worry about that.
    You should just - No, I want to do what I want to do for my own purpose
    Basically just tell me if you think it can be done or not and why.



  • A switch in port-based VLAN mode gives you the option to segment it into smaller (virtual) switches. So if you create eight 3-member port-based VLANs and connect them respectively, one port to each pf LAN and the other two to your access switches, you are done.

    pf would only have to know about 8 LAN interfaces. Nothing else.
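A small added model of that layout, to sanity-check the cabling plan before building it (this is not from the thread and not the switch's own config; the 24-port count, the port numbering and the LAN names are assumptions):

```python
"""Model of an L3 switch run in port-based VLAN mode: eight 3-port groups,
each with one uplink to a pf LAN and two ports for access switches.
Assumed for illustration: a 24-port switch, consecutive port blocks."""
from itertools import product

SWITCH_PORTS = 24                               # assumed port count
PF_LANS = [f"LAN{i}" for i in range(1, 9)]      # the 8 pf LAN interfaces


def build_plan(pf_lans=PF_LANS, group_size=3):
    """VLAN 1 = ports 1-3, VLAN 2 = ports 4-6, ...; first port of each
    group is the pf uplink, the rest go to that subnet's access switch."""
    plan = {}
    for idx, lan in enumerate(pf_lans):
        first = idx * group_size + 1
        ports = list(range(first, first + group_size))
        plan[idx + 1] = {"pf": lan, "uplink": ports[0], "access": ports[1:]}
    return plan


def port_to_vlan(plan):
    """Flatten to port -> VLAN; a port in two groups would silently bridge
    two pf subnets behind the firewall, so that is an error, not a warning."""
    lookup = {}
    for vlan, grp in plan.items():
        for p in [grp["uplink"], *grp["access"]]:
            if p in lookup:
                raise ValueError(f"port {p} is in VLAN {lookup[p]} and {vlan}")
            lookup[p] = vlan
    return lookup


def reachable(plan, ingress_port):
    """Ports a broadcast entering ingress_port can be flooded to: in
    port-based VLAN mode, exactly the other members of its own group."""
    lookup = port_to_vlan(plan)
    vlan = lookup[ingress_port]
    return sorted(p for p, v in lookup.items() if v == vlan and p != ingress_port)


def validate_plan(plan, switch_ports=SWITCH_PORTS):
    """Checks worth making before cabling: ports exist on the switch, every
    pf LAN is wired to exactly one group, every group has an access port,
    and no port crosses groups (port_to_vlan raises on that)."""
    lookup = port_to_vlan(plan)
    problems = []
    if any(p < 1 or p > switch_ports for p in lookup):
        problems.append("port number outside switch range")
    pf_seen = [g["pf"] for g in plan.values()]
    if len(set(pf_seen)) != len(pf_seen):
        problems.append("a pf LAN is wired to more than one group")
    problems += [f"VLAN {v} has no access port" for v, g in plan.items() if not g["access"]]
    return problems
```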



  • @netblues Ok I was thinking it was something different, I'm going to give it a shot, I'm not much of a traditional VLAN person because of the single wire limitation. Thanks.



  • Well, we could do much more complicated and fancy things with vlans (because we can).

    But simplicity has its merits, so yes, keep it simple and you will be good.

    What single wire limitation? You have lots of them !!! :) :)



  • @netblues Router on a stick method: this did not work for me at all, which is why I have the 8 LAN ports in PF. Already had the switches from previous setups. The way I have it now is fine, I just want to tinker. All pfSense interfaces are connected to their own individual switch, except for my VLAN for wireless, for which I have a layer 2 Netgear for the wireless APs.



  • Well, for router on a stick you need 802.1q VLANs, a tagged (trunk) config from one switch port, untagged ports on the switch for your access switches, and VLAN config on pf.

    It's a very common config and works reliably too, as long as 1 gigabit of total traffic is enough.



  • @netblues Exactly, "single wire" doesn't work for me. I know I could just use the layer 3 switch and build all the networks from the switch and route to PF for internet, but what's the fun in that? Also, the Netgear only uses ACLs to allow/disallow traffic between subnets. I'd rather have the firewall rules; it seems much cleaner to me. Lastly, the way I have everything in the rack, the new setup in theory will tidy up the cables. My switches are flush, the WG4500 box is long, so some cables are stretched to the max and I don't like the looks of it. If I could, for example, use port 1 of the layer 3 switch to pfSense LAN1, then port 2 of the switch will be connected to basically an access switch for devices connected to LAN1, which in my eyes will let PF send the DHCP/DNS info, unlike the layer 3 routing setup which needs a helper.

    I hope that makes some kind of sense



  • There is a better approach for that, if you want to go the router on a stick path.
    Forget about L3 routing on the switch, create as many VLANs as needed on the switch, with the necessary untagged ports for the access switches, and just use a trunk 802.1q port to pf.
    On pf create the same VLANs on the Ethernet interface connecting to the managed switch, assign interfaces to the VLANs, and there you have your interfaces on pf, with DHCP, rules and everything, over a single cable.



  • @netblues I know how to do router on a stick, I just don't like it. I don't care for that single trunk line. I had that setup at one point and everything just seemed slow; with torrents, gaming, streaming, and countless wireless devices it just really was slow. The way I have it now is perfect.



  • @trent6gol That's fine, it also has lots of bandwidth.
    What I described also works well. Tested in practice by many, in demanding environments.

