Netgate Discussion Forum

    when is Layer3 necessary?

    General pfSense Questions
    • BlueSun

      Can someone perhaps explain to me when Layer3 networking in pfSense is absolutely necessary?

      I looked at getting a Netgate 7100 but it's a bit out of my budget, so I got QNAP QGD-1600P instead, and run PFSense as a Virtual Machine. The Qnap has a built-in 16 port Layer 2 switch.

      Effectively, I could have used a Dell R320 as well but wouldn't be able to fit as many network ports in the chassis. Chances are I won't need all the ports, but it's handy for future expansion.

      The network scenario is as follows:
      1x Headoffice with 200Mbps fiber uplink.
      5x branch offices with 50Mbps fiber at each branch. Each branch has a 192.168.x.0/24 IP range, from 192.168.10.0/24 to 192.168.15.0/24, and two more IP ranges for the VPN in between. All PCs / printers in all branches can reach each other.

      So from every branch, I route 192.168.10.0/24 over the VPN. And in some cases some of the other IP's would route to each other as well.

      Taking this scenario into consideration, would a Layer2 switch at the HQ still suffice?

      Or, in another scenario, where we have multiple WAN IP ranges from different ISPs, would the Layer2 switch still suffice?

      • keyser Rebel Alliance @BlueSun

        @bluesun said in when is Layer3 necessary?:

        Can someone perhaps explain to me when Layer3 networking in pfSense is absolutely necessary?

        I looked at getting a Netgate 7100 but it's a bit out of my budget, so I got QNAP QGD-1600P instead, and run PFSense as a Virtual Machine. The Qnap has a built-in 16 port Layer 2 switch.

        Effectively, I could have used a Dell R320 as well but wouldn't be able to fit as many network ports in the chassis. Chances are I won't need all the ports, but it's handy for future expansion.

        The network scenario is as follows:
        1x Headoffice with 200Mbps fiber uplink.
        5x branch offices with 50Mbps fiber at each branch. Each branch has a 192.168.x.0/24 IP range, from 192.168.10.0/24 to 192.168.15.0/24, and two more IP ranges for the VPN in between. All PCs / printers in all branches can reach each other.

        So from every branch, I route 192.168.10.0/24 over the VPN. And in some cases some of the other IP's would route to each other as well.

        Taking this scenario into consideration, would a Layer2 switch at the HQ still suffice?

        Or, in another scenario, where we have multiple WAN IP ranges from different ISPs, would the Layer2 switch still suffice?

        The switch is on your LAN side, not the WAN side, so it has no impact on what/how you intend to connect and route your locations. I assume you have a NIC on your virtualisation host you can connect directly in your WAN modem/CPE.

        On your LAN side you generally only need a L2 switch as pfSense does all the L3 stuff (Routing, firewalling etc.) - BUT:
        It’s rather nice to have a managed L2 switch that supports the creation of VLANs (different L2 networks) that each have their own L3 interface in your pfSense. (Think guest network, IoT network, client network and so on.) This requires a VLAN-capable managed L2 switch.
        An unmanaged L2 is just one large network and cannot be divided.

        Love the no fuss of using the official appliances :-)

        • BlueSun @keyser

          @keyser said in when is Layer3 necessary?:

          The switch is on your LAN side, not the WAN side, so it has no impact on what/how you intend to connect and route your locations. I assume you have a NIC on your virtualisation host you can connect directly in your WAN modem/CPE.

          The ISP uses fiber, and they give us a CAT5 flylead. This goes into one of the NIC ports on the QNAP. On the QNAP I can use a virtual network interface to connect the network port directly to PFSense as WAN interface.

          On your LAN side you generally only need a L2 switch as pfSense does all the L3 stuff (Routing, firewalling etc.) - BUT:

          This is what I wanted to know.

          It’s rather nice to have a managed L2 switch that supports the creation of VLANs (different L2 networks) that each have their own L3 interface in your pfSense. (Think guest network, IoT network, client network and so on.) This requires a VLAN-capable managed L2 switch.
          An unmanaged L2 is just one large network and cannot be divided.

          All the switches on the network are MikroTik and thus managed. But there is very little to really manage on the network.

          • netblues @BlueSun

            @bluesun You need l3 in all those scenarios

            In rare cases where l2 wan (also known as metro ethernet) is available, it could be used, but then you shouldn't be asking, if that is the case, since it would be a carrier based managed solution.

            • BlueSun @netblues

              @netblues said in when is Layer3 necessary?:

              @bluesun You need l3 in all those scenarios

              Is the layer3 functionality of PFsense and the virtual networking not enough? I want to establish whether I need different hardware.

              In rare cases where l2 wan (also known as metro ethernet) is available, it could be used, but then you shouldn't be asking, if that is the case, since it would be a carrier based managed solution.

              No metro ether. Just lit fiber.

              • netblues @BlueSun

                @bluesun pfsense is more than enough for the requested scenario. You need a L3 solution in any case.

                • BlueSun @netblues

                  @netblues said in when is Layer3 necessary?:

                  @bluesun pfsense is more than enough for the requested scenario. You need a L3 solution in any case.

                  thanx.

                  So PFsense will create the l3 routing as necessary, right?

                  If I were to install pfSense on a Dell R330 server with 8x 1Gb network ports, a 4-core CPU and 8GB RAM, would I still be able to achieve the layer3 throughput I would need?

                  • netblues @BlueSun

                    @bluesun You need just two network interfaces at hq.
                    And 200Mbit fiber is something easily managed by entry level modern hardware.

                    • BlueSun @netblues

                      @netblues said in when is Layer3 necessary?:

                      @bluesun You need just two network interfaces at hq.
                      And 200Mbit fiber is something easily managed by entry level modern hardware.

                      Thank you.

                      • JKnott @BlueSun

                        @bluesun

                        Functionally, a layer 3 switch and a router are equivalent. They are both used to route between networks. A layer 2 switch only forwards within a network.

                        PfSense running on Qotom mini PC
                        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                        UniFi AC-Lite access point

                        I haven't lost my mind. It's around here...somewhere...

                        • stephenw10 Netgate Administrator

                          Anytime you have more than one subnet you need something operating at layer 3. But here that thing is pfSense.

                          You don't need a layer 3 switch.

                          Steve

                          • BlueSun @stephenw10

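The point JKnott and stephenw10 make above (a destination in the same subnet is delivered by the L2 switch alone; any other destination must go to a layer 3 hop, which here is pfSense) as an added worked example. This is not code from the thread or from pfSense; the route table is a constructed model of BlueSun's addressing, with the HQ LAN 192.168.10.0/24 on-link, the five branch /24s reached over the VPN, and a default route out the WAN.

```python
# Added worked example: the forwarding decisions a host and then its gateway make.
# Not pfSense code; the addressing is a constructed model of the thread's HQ setup.
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: IPv4Network
    via: str  # "link" = deliver on the attached segment; otherwise a next-hop label


# Constructed route table for the HQ pfSense (assumption, modelled on the thread):
# 192.168.10.0/24 is the HQ LAN behind the L2 switch, 192.168.11-15.0/24 are the
# five branches reached over the VPN, and everything else leaves via WAN.
HQ_ROUTES: List[Route] = [
    Route(ip_network("192.168.10.0/24"), "link"),
    *(Route(ip_network(f"192.168.{n}.0/24"), "vpn") for n in range(11, 16)),
    Route(ip_network("0.0.0.0/0"), "wan"),
]


def host_needs_gateway(host_addr_mask: str, dst: str) -> bool:
    """A host's own decision: if dst lies inside its directly attached subnet it
    resolves the MAC and sends the frame straight through the L2 switch; otherwise
    it hands the packet to its default gateway, which is the layer 3 step."""
    local_net = ip_network(host_addr_mask, strict=False)  # e.g. "192.168.10.20/24"
    return ip_address(dst) not in local_net


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over a route table: the most specific prefix that
    contains dst wins, so a branch /24 beats the 0.0.0.0/0 default route."""
    addr = ip_address(dst)
    best: Optional[Route] = None
    for route in table:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def trace(host_addr_mask: str, dst: str, table: List[Route] = HQ_ROUTES) -> str:
    """Combine both steps for a host sending to dst and report which device
    performs the delivery and toward which next hop."""
    if not host_needs_gateway(host_addr_mask, dst):
        return "l2-switch"  # same subnet: no router involved at all
    route = lookup(table, dst)
    if route is None:
        return "unroutable"
    return f"l3-gateway->{route.via}"  # pfSense forwards toward the next hop


if __name__ == "__main__":
    for target in ("192.168.10.50", "192.168.12.7", "203.0.113.9"):
        print(f"192.168.10.20 -> {target}: {trace('192.168.10.20/24', target)}")
```

The first branch of `trace` is the whole of what an unmanaged L2 switch does; every other outcome requires the gateway, and a multi-subnet site therefore always has a router in the path whether or not the switch itself can route.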
                            @stephenw10 said in when is Layer3 necessary?:

                            Anytime you have more than one subnet you need something operating at layer 3. But here that thing is pfSense.

                            You don't need a layer 3 switch.

                            Steve

                            Thanx guys.

                            So essentially PFsense creates a Layer3 network.

                            What about higher up in the stack? Layer7 or Layer8? I.e., is it possible to monitor / firewall user-level traffic? I have seen this on some commercial firewalls like Cyberoam.

                            • netblues @BlueSun

                              @bluesun pfSense is also a commercial firewall if you wish, and very good at what it does too.
                              Apart from that, typical functionality is covered by most firewall products.
                              One needs to be far more specific to the problem at hand in order to select one vendor versus the other.

                              • stephenw10 Netgate Administrator

                                The filter used by pfSense, pf(4), is a layer 3-4 only component. There are some higher layer functions available via Snort but there is currently no per user filtering beyond something like Captive portal or Squid.

                                Steve

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.