InterVLAN routing with DHCP on layer 3 switch
-
I'm trying to set up InterVLAN routing on a Layer 3 switch (HP1920) with DHCP behind my pfSense box.
My setup is as follows:
pfSense with VLAN30 + VLAN40
VLAN30 - 10.10.30.1/24 - Gateway:10.10.30.2 (manually added in pfsense for VLAN30)
VLAN40 - 10.10.40.1/24 - Gateway:10.10.40.2 (manually added in pfsense for VLAN40)
=> connected to HP-switch through a trunk port which obtains 10.10.30.2 (VLAN30) and 10.10.40.2 (VLAN40) as IP addresses for those 2 VLAN-interfaces.
Clients connected to the HP Switch and obtained IP through DHCP:
Client1 on VLAN30 - 10.10.30.10
Client2 on VLAN40 - 10.10.40.10
The routing table on the HP-switch is following:
10.10.30.0 255.255.255.0 Direct 0 10.10.30.2 Vlan-interface30
10.10.40.0 255.255.255.0 Direct 0 10.10.40.2 Vlan-interface40
The goal is to use the Layer3 switch to route VLAN30 and VLAN40 without pfSense.
I did manage to accomplish this by manually setting up the IP-addresses on the clients to
10.10.30.10/24 GW:10.10.30.2 (Address of VLAN30 interface on the HP switch manually added in pfSense) and
10.10.40.10/24 GW:10.10.40.2 (Address of VLAN40 interface on the HP switch manually added in pfSense)
The problem is that when I enable DHCP, the correct IP-addresses are obtained, but the gateway is set to 10.10.30.1 on all VLAN-interfaces on the switch!
So, the routing is obviously done by pfSense.
I seem to miss some basics in either pfSense or HP switch, so what am I doing wrong?
pfSense is acting as DHCP-server, do I need to do DHCP-relay on the HP switch in order for it to work properly?
P.S. Do I need to do any additional static routing on HP switch as it seems it's already routing the correct networks ?
-
Did you specify the switch IP address, in the Gateway field, in the DHCP server settings?
Else it would default to the pfSense interface.
@bingo600
Hmm, no I actually didn't, I did specify (or so I thought) the GW for VLANs here:
Does it need to be done in both places then?
-
@vikd um if vlans are downstream of pfsense, why would they be setup in pfsense?
You should have no setup of interfaces for vlans/networks that are downstream of pfsense. The only thing listed would be the gateways and routes to those networks.
It would not be possible for pfsense to hand out IPs via dhcp of some downstream networks.
The network that connects to your downstream router (your L3 switch doing routing) would be the transit network.. There should be no hosts on this network.
Here is how you do a downstream router...
-
@johnpoz
I'm not sure I understand your point. Why is it a problem having VLANs and interfaces in pfsense and not possible to hand out IPs via DHCP ?
My switch does not have the DHCP capability.
Additionally, I need most of my VLANs to be able to access Internet in addition to also having access to the VPN-tunnel which is going to be run on pfSense.
@vikd said in InterVLAN routing with DHCP on layer 3 switch:
VLANs and interfaces in pfsense and not possible to hand out IPs via DHCP ?
You can hand out IPs to networks directly attached to pfsense, you can not hand out dhcp to a L2 network that is not directly connected to pfsense.
If you're routing these downstream of pfsense, then that is a different L2 network.
All of your downstream networks would use pfsense to get to the internet, or could even use it for dns, etc. etc.. Or other networks hanging off of pfsense. But once you create downstream networks that route to other downstream networks at your L3 switch, this is not a directly attached network to pfsense and you wouldn't be able to hand out dhcp to those networks. If your switch can not do dhcp, then it's a pretty crappy L3 switch.. But if it can not - then run something else on each of the L2 networks for dhcp. Or run something that allows you to create dhcp pools for non connected networks - stand alone version of isc dhcpd can do this, etc. Then you would setup IP helper or dhcp relay on your switch to point to this dhcpd. But pfsense can not do dhcp for networks that are not directly attached at the L2 level.
If you're wanting to route at your downstream and put pfsense in the same L2 as these networks, ie you created the vlan - then you're going to run into asymmetrical routing problems unless you host route on all of your devices saying to get to some other network talk to your switch, but to get to internet talk to pfsense, etc..
The drawing I attached shows you how to properly do downstream networks, and also have a network or networks attached directly to pfsense..
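Added example, not part of any post in this thread: a small hop-by-hop path tracer for the topology described above, showing which device routes inter-VLAN traffic for each DHCP gateway choice and where the return path stops matching the forward path. The 10.10.30.x and 10.10.40.x addresses come from the thread; the switch's default route via 10.10.30.1, the pfSense WAN address 203.0.113.1 and the internet host 203.0.113.5 are assumptions made for the model.

```python
import ipaddress

def build(gw30, gw40):
    """Constructed model: name -> (own addresses, {prefix: next hop, None = on-link})."""
    return {
        "pfsense": ({"10.10.30.1", "10.10.40.1", "203.0.113.1"},
                    {"10.10.30.0/24": None, "10.10.40.0/24": None, "203.0.113.0/24": None}),
        # Assumption: the switch's default route points at pfSense on VLAN30.
        "switch": ({"10.10.30.2", "10.10.40.2"},
                   {"10.10.30.0/24": None, "10.10.40.0/24": None, "0.0.0.0/0": "10.10.30.1"}),
        "client1": ({"10.10.30.10"}, {"10.10.30.0/24": None, "0.0.0.0/0": gw30}),
        "client2": ({"10.10.40.10"}, {"10.10.40.0/24": None, "0.0.0.0/0": gw40}),
        # Assumption: 203.0.113.5 stands in for a host beyond pfSense's WAN.
        "internet": ({"203.0.113.5"}, {"203.0.113.0/24": None, "0.0.0.0/0": "203.0.113.1"}),
    }

def owner(nodes, ip):
    """Name of the device that holds the given address."""
    return next(name for name, (addrs, _) in nodes.items() if ip in addrs)

def next_hop(table, dst):
    """Longest-prefix match; returns dst itself when the best prefix is on-link."""
    d = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in table if d in ipaddress.ip_network(p)]
    best = max(nets, key=lambda n: n.prefixlen)
    return table[str(best)] or dst

def trace(nodes, src, dst):
    """Devices a packet from src to dst passes through, in order."""
    path = [owner(nodes, src)]
    while dst not in nodes[path[-1]][0]:
        path.append(owner(nodes, next_hop(nodes[path[-1]][1], dst)))
    return path

def round_trip(gw30, gw40, src, dst):
    """Forward path, return path, and whether the return retraces the forward path."""
    nodes = build(gw30, gw40)
    fwd, back = trace(nodes, src, dst), trace(nodes, dst, src)
    return fwd, back, fwd == back[::-1]

if __name__ == "__main__":
    cases = [("pfSense as gateway", "10.10.30.1", "10.10.40.1"),
             ("switch as gateway", "10.10.30.2", "10.10.40.2"),
             ("mixed gateways", "10.10.30.1", "10.10.40.2")]
    for label, gw30, gw40 in cases:
        for dst in ("10.10.40.10", "203.0.113.5"):
            print(label, "->", dst, round_trip(gw30, gw40, "10.10.30.10", dst))
```

With pfSense handed out as the gateway, every inter-VLAN packet crosses pfSense; with the switch as gateway while pfSense stays attached to both VLANs, internet replies come back directly from pfSense and skip the switch.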