Cisco Layer3 switch and PFsense setup

BocajPF · Jul 19, 2020, 5:41 PM

Hey PFsense brothers and sisters, I need some wisdom on getting my environment setup. Thanks for taking the time to read this newb's post.

I am working on building out virtual some networks on my XCP-NG server and will use PFsense as my firewall hosted on VM. I have a Cisco layer 3 switch (3750) that I want to use for Intervlan routing with 3 vlans:

(XCP-NG ports are Vlan tagged)

3750
ip routing enabled
vlan 100 SVI 192.168.1.0/24
vlan 200 SVI 192.168.2.0/24
vlan 600 SVI 192.168.6.0/30 (transit network from switch to PF)..
ip route 0.0.0.0/0 192.168.6.2 (pf opt int)

When configuring interfaces on PFsense I do not see any Vlan capable interfaces. Any thoughts on why I cant see Vlan capable interfaces on the Pfsense side?

I followed this guide on configuring the Layer 3 switch and PFsense:
https://greigmitchell.co.uk/2019/08/configuring-intervlan-routing-with-a-layer-3-switch-and-pfsense/

After following this guide the switch and firewall cannot communicate.
Is it best to have the switch handle vlans? or set them up in Pfsense?

netblues · Jul 19, 2020, 6:12 PM

@BocajPF Well, if you terminate vlans at the xcp-ng level, you will just need to add separate interfaces to pfsense
Is there a reason that you need intervlan traffic handled by the switch?
and if yes, do you also need filtering among vlans?

JKnott · Jul 19, 2020, 7:16 PM

@BocajPF

Did you create any VLANs? You have to add them to the parent interface.

BocajPF · Jul 20, 2020, 5:13 AM

Hey @netblues, I do not need the L3 switch to handle routing..it seemed like a obvious choice but the implementation is not working for me so far..filtering would be great either via the switch or preferably PF sense..

BocajPF · Jul 20, 2020, 5:22 AM

@JKnott I do have Vlans created in the cisco switches but cant create vlans/see vlan capable interfaces in PFsense..

netblues · Jul 20, 2020, 6:04 AM

@BocajPF So the guide you followed is irrelevant.
Its much better to have everything in one place for filtering.
a. you need to remove any intervlan routing from cisco.
b. Decide how many trunk ports you need
c. Either remove vlan handling from the virtualization level, or create as many interfaces as vlans and add them to pf vm

If you remove vlan support from host, then you assign vlans on pf and then add (tagged) interfaces.

On the cisco switch just create trunk(s).
Both approaches work well.

JKnott · Jul 20, 2020, 10:44 AM

@BocajPF said in Cisco Layer3 switch and PFsense setup:

@JKnott I do have Vlans created in the cisco switches but cant create vlans/see vlan capable interfaces in PFsense..

Did you click on Interfaces > Assignments > VLANs, where you can add one?

BocajPF · Jul 21, 2020, 5:15 AM

@JKnott said in Cisco Layer3 switch and PFsense setup:

Did you click on Interfaces > Assignments > VLANs, where you can add one?

attaching pics of interface config and route info:

not seeing vlan interfaces on the pf sense side..let me know if there is any more information that would help grasp where im at.

netblues · Jul 21, 2020, 5:28 AM

@BocajPF You need to change virtual ethernet configuration at the virtualization host.
You did say that you have vlans configured at that level.

BocajPF · Jul 23, 2020, 7:41 AM

thanks @netblues and @JKnott for your feedback. I focused on the vm host (XCP-NG) network config and found resources for enabling vlan interfaces in xen..I can now see vlan capable interfaces when creating vlans in PFsense.

Enable Vlan interfaces:
http://think-brick.blogspot.com/2016/02/pfsense-on-xenserver-enable-vlan.html

XCP Trunking:
https://xcp-ng.org/docs/guides.html#vlan-trunking-in-a-vm

now time to get this vlan routing setup..