when is Layer3 necessary?
-
Can someone perhaps explain to me, when is Layer3 networking in pfSense absolutely necessary?
I looked at getting a Netgate 7100 but it's a bit out of my budget, so I got a QNAP QGD-1600P instead, and run pfSense as a Virtual Machine. The QNAP has a built-in 16-port Layer 2 switch.
Effectively, I could have used a Dell R320 as well but wouldn't be able to fit as many network ports in the chassis. Chances are I won't need all the ports, but it's handy for future expansion.
The network scenario is as follows:
1x Headoffice with 200Mbps fiber uplink.
5x branch offices with 50Mbps fiber at each branch. Each branch has a 192.168.x.0/24 IP range, from 192.168.10.0/24 to 192.168.15.0/24, and two more IP ranges for the VPN in between. All PCs / printers in all branches can reach each other. So from every branch, I route 192.168.10.0/24 over the VPN. And in some cases some of the other IPs would route to each other as well.
Taking this scenario into consideration, would a Layer2 switch at the HQ still suffice?
Or, in another scenario, where we have multiple WAN IP ranges, from different ISP's, would the Layer2 switch still suffice?
-
@bluesun said in when is Layer3 necessary?:
Can someone perhaps explain to me, when is Layer3 networking in pfSense absolutely necessary?
I looked at getting a Netgate 7100 but it's a bit out of my budget, so I got a QNAP QGD-1600P instead, and run pfSense as a Virtual Machine. The QNAP has a built-in 16-port Layer 2 switch.
Effectively, I could have used a Dell R320 as well but wouldn't be able to fit as many network ports in the chassis. Chances are I won't need all the ports, but it's handy for future expansion.
The network scenario is as follows:
1x Headoffice with 200Mbps fiber uplink.
5x branch offices with 50Mbps fiber at each branch. Each branch has a 192.168.x.0/24 IP range, from 192.168.10.0/24 to 192.168.15.0/24, and two more IP ranges for the VPN in between. All PCs / printers in all branches can reach each other. So from every branch, I route 192.168.10.0/24 over the VPN. And in some cases some of the other IPs would route to each other as well.
Taking this scenario into consideration, would a Layer2 switch at the HQ still suffice?
Or, in another scenario, where we have multiple WAN IP ranges, from different ISP's, would the Layer2 switch still suffice?
The switch is on your LAN side, not the WAN side, so it has no impact on what/how you intend to connect and route your locations. I assume you have a NIC on your virtualisation host you can connect directly in your WAN modem/CPE.
On your LAN side you generally only need a L2 switch as pfSense does all the L3 stuff (Routing, firewalling etc.) - BUT:
It’s rather nice to have a managed L2 switch that supports the creation of VLANs (different L2 networks) that each have their own L3 interface in your pfSense. (Think guest network, IoT network, client network and so on). This requires a VLAN-capable managed L2 switch.
An unmanaged L2 is just one large network and cannot be divided.
-
@keyser said in when is Layer3 necessary?:
The switch is on your LAN side, not the WAN side, so it has no impact on what/how you intend to connect and route your locations. I assume you have a NIC on your virtualisation host you can connect directly in your WAN modem/CPE.
The ISP uses fiber, and they give us a CAT5 flylead. This goes into one of the NIC ports on the QNAP. On the QNAP I can use a virtual network interface to connect the network port directly to pfSense as the WAN interface.
On your LAN side you generally only need a L2 switch as pfSense does all the L3 stuff (Routing, firewalling etc.) - BUT:
This is what I wanted to know.
It’s rather nice to have a managed L2 switch that supports the creation of VLANs (different L2 networks) that each have their own L3 interface in your pfSense. (Think guest network, IoT network, client network and so on). This requires a VLAN-capable managed L2 switch.
An unmanaged L2 is just one large network and cannot be divided.
All the switches on the network are MikroTik and thus managed. But there is very little to really manage on the network.
-
@bluesun You need l3 in all those scenarios.
In rare cases where l2 WAN (also known as metro ethernet) is available, it could be used, but then you shouldn't be asking if that is the case, since it would be a carrier-based managed solution.
-
@netblues said in when is Layer3 necessary?:
@bluesun You need l3 in all those scenarios.
Is the layer3 functionality of pfSense and the virtual networking not enough? I want to establish whether I need different hardware.
In rare cases where l2 WAN (also known as metro ethernet) is available, it could be used, but then you shouldn't be asking if that is the case, since it would be a carrier-based managed solution.
No metro ether. Just lit fiber.
-
@bluesun pfSense is more than enough for the requested scenario. You need an L3 solution in any case.
-
@netblues said in when is Layer3 necessary?:
@bluesun pfSense is more than enough for the requested scenario. You need an L3 solution in any case.
thanx.
So pfSense will create the L3 routing as necessary, right?
If I were to install pfSense on a Dell R330 server with 8x 1Gb network ports, a 4-core CPU and 8GB RAM, would I still be able to achieve the layer3 throughput I would need?
-
@bluesun You need just two network interfaces at HQ.
And 200Mbit fiber is something easily managed by entry-level modern hardware.
-
@netblues said in when is Layer3 necessary?:
@bluesun You need just two network interfaces at HQ.
And 200Mbit fiber is something easily managed by entry-level modern hardware.
Thank you.
-
Functionally, a layer 3 switch and a router are equivalent. They are both used to route between networks. A layer 2 switch only forwards within a network.
-
Anytime you have more than one subnet you need something operating at layer 3. But here that thing is pfSense.
You don't need a layer 3 switch.
Steve
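To make the three points above concrete (a switch only forwards inside one L2 network, anything crossing subnets passes through pfSense's routing table, and with VLANs on a managed switch two physical NICs at HQ are enough), here is an added worked example. It is not from the thread or from pfSense itself: it models the HQ routing table with the branch ranges 192.168.10.0/24 to 192.168.15.0/24 from the original post, while the extra HQ VLANs, the interface names and the NIC mapping are assumptions made for the example.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str    # pfSense interface name (assumed, not real pfSense names)
    connected: bool   # True: pfSense has an address on this L2 segment


# Constructed HQ routing table. Branch ranges come from the thread; the
# 192.168.20.0/24 and 192.168.30.0/24 VLANs and all names are assumptions.
ROUTES = [
    Route(ipaddress.ip_network("192.168.10.0/24"), "vlan10_clients", True),
    Route(ipaddress.ip_network("192.168.20.0/24"), "vlan20_guest", True),
    Route(ipaddress.ip_network("192.168.30.0/24"), "vlan30_iot", True),
    Route(ipaddress.ip_network("192.168.11.0/24"), "ovpn_branch1", False),
    Route(ipaddress.ip_network("192.168.12.0/24"), "ovpn_branch2", False),
    Route(ipaddress.ip_network("192.168.13.0/24"), "ovpn_branch3", False),
    Route(ipaddress.ip_network("192.168.14.0/24"), "ovpn_branch4", False),
    Route(ipaddress.ip_network("192.168.15.0/24"), "ovpn_branch5", False),
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan", False),   # default route
]

# Assumed physical NIC behind each interface: every HQ VLAN rides one tagged
# trunk to the managed L2 switch; the VPN tunnels and the default route leave
# through the WAN NIC.
PHYSICAL_NIC = {
    "vlan10_clients": "lan_trunk",
    "vlan20_guest": "lan_trunk",
    "vlan30_iot": "lan_trunk",
    "ovpn_branch1": "wan_nic",
    "ovpn_branch2": "wan_nic",
    "ovpn_branch3": "wan_nic",
    "ovpn_branch4": "wan_nic",
    "ovpn_branch5": "wan_nic",
    "wan": "wan_nic",
}


def lookup(dst: str) -> Optional[Route]:
    """Longest-prefix match: the core L3 operation a router performs."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in ROUTES:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def forwarding_decision(src: str, dst: str) -> Tuple[str, str]:
    """Return ("L2", vlan) when the frame stays inside its own VLAN, so the
    switch alone forwards it and pfSense never sees it, or ("L3", egress)
    when the sender must hand the packet to pfSense for routing.

    A host decides "on-link or not" with its own subnet mask; here that mask
    is taken from the connected route the source address falls in."""
    src_route = lookup(src)
    dst_addr = ipaddress.ip_address(dst)
    if src_route is not None and src_route.connected and dst_addr in src_route.prefix:
        return ("L2", src_route.interface)
    dst_route = lookup(dst)          # the default route guarantees a match
    return ("L3", dst_route.interface)


def physical_nics_needed() -> set:
    """Distinct physical ports pfSense needs to serve every route."""
    return {PHYSICAL_NIC[route.interface] for route in ROUTES}


if __name__ == "__main__":
    for pair in [("192.168.10.5", "192.168.10.20"),   # same VLAN
                 ("192.168.10.5", "192.168.20.7"),    # VLAN to VLAN, same switch
                 ("192.168.10.5", "192.168.12.9"),    # HQ to branch over VPN
                 ("192.168.10.5", "8.8.8.8")]:        # Internet
        print(pair, "->", forwarding_decision(*pair))
    print("physical NICs:", sorted(physical_nics_needed()))
```

Note that two hosts on different VLANs of the same physical switch still come back as "L3": the switch keeps the VLANs apart, and only pfSense, holding an address in each, can move traffic between them. That is exactly the point where a firewall rule can be applied, which an unmanaged single-segment switch would never give you.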
-
@stephenw10 said in when is Layer3 necessary?:
Anytime you have more than one subnet you need something operating at layer 3. But here that thing is pfSense.
You don't need a layer 3 switch.
Steve
Thanx guys.
So essentially pfSense creates a Layer3 network.
What about higher up in the stack? Layer7 or Layer8? i.e., is it possible to monitor / firewall user-level traffic? I have seen this on some commercial firewalls like Cyberoam.
-
@bluesun pfSense is also a commercial firewall if you wish, and very good at what it does too.
Apart from that, typical functionality is covered by most firewall products.
One needs to be far more specific to the problem at hand in order to select one vendor versus the other.
-
The filter used by pfSense, pf(4), is a layer 3-4 only component. There are some higher layer functions available via Snort but there is currently no per user filtering beyond something like Captive portal or Squid.
Steve
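An added example, not from the thread and not pfSense code, to show what "a layer 3-4 only component" means in practice: a small pf-style rule evaluator that can only compare source and destination address, protocol and port, and that follows the pf(4) ordering semantics (the last matching rule wins unless a matching rule is marked quick, which ends evaluation at once). The VLAN subnets and rule labels are constructed for the example. A username or an HTTP hostname is simply not among the fields the matcher can look at, which is why per-user filtering has to come from something else, such as the captive portal or a proxy.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    quick: bool = False           # pf: a matching quick rule stops evaluation
    src: Optional[str] = None     # CIDR; None means any
    dst: Optional[str] = None     # CIDR; None means any
    proto: Optional[str] = None   # "tcp" / "udp"; None means any
    dport: Optional[int] = None   # destination port; None means any
    label: str = ""


def matches(rule: Rule, pkt: Dict) -> bool:
    """Compare only what an L3/L4 filter sees: addresses, protocol, port.
    Any other key in pkt (a username, an HTTP host) is ignored."""
    if rule.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto and rule.proto != pkt["proto"]:
        return False
    if rule.dport is not None and rule.dport != pkt.get("dport"):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Dict) -> Tuple[str, str]:
    """pf(4) semantics: the last matching rule wins, unless a matching rule
    is 'quick', in which case evaluation stops there. Stock pf passes a
    packet no rule matches; pfSense installs a hidden block-all rule, which
    RULES[0] below stands in for."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        return ("pass", "pf default (no rule matched)")
    return (winner.action, winner.label)


# Constructed ruleset; the VLAN subnets are assumptions for this example.
RULES = [
    Rule("block", label="default deny"),
    Rule("pass", quick=True, src="192.168.20.0/24", proto="udp", dport=53, label="guest DNS"),
    Rule("pass", quick=True, src="192.168.20.0/24", proto="tcp", dport=443, label="guest HTTPS"),
    Rule("pass", src="192.168.10.0/24", label="clients: allow all"),
    # Listed after the allow-all, so for client->IoT traffic it is the last
    # match and overrides the earlier pass.
    Rule("block", src="192.168.10.0/24", dst="192.168.30.0/24", label="clients -> IoT"),
]


if __name__ == "__main__":
    samples = [
        {"src": "192.168.20.5", "dst": "1.1.1.1", "proto": "udp", "dport": 53},
        {"src": "192.168.20.5", "dst": "1.1.1.1", "proto": "tcp", "dport": 80},
        {"src": "192.168.10.5", "dst": "1.1.1.1", "proto": "tcp", "dport": 80},
        {"src": "192.168.10.5", "dst": "192.168.30.7", "proto": "tcp", "dport": 80},
        # Extra L7-ish fields change nothing: the matcher cannot see them.
        {"src": "192.168.10.5", "dst": "192.168.30.7", "proto": "tcp", "dport": 80,
         "user": "alice", "http_host": "example.invalid"},
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, pkt))
```

The last two sample packets illustrate the limitation the post describes: identical 5-tuples get identical decisions no matter who the user is or which site is requested, because those attributes never reach the L3/L4 matcher.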