Netgate Discussion Forum

    Layer 2 or Layer 3

    L2/Switching/VLANs
    nomis.home43

      I have been watching a few videos online in relation to set up. I assume (let me know if I'm wrong) that if I have a layer 2 switch with 4 VLANs and a pfSense with 2 ports, the simplified setup would be:

      Port going to LAN on pfSense: trunk?
      Port for VLAN 2 going to, say, a laptop: tagged with VLAN 2 ID
      DHCP would come from pfSense, and that would also set the DNS and the layer 3 gateway for that VLAN, and in simple terms the pfSense does all the inter-VLAN routing. Correct?

      OK, now let's use a layer 3 switch instead of the layer 2. If it's configured so each VLAN has an SVI interface IP and that is used for the VLAN gateway, and now I throw the pfSense in and it's doing DHCP and DNS, do I set the VLAN gateway to the switch VLAN SVI and set a final route on the switch to the LAN interface of the pfSense, or do I set the gateway to the VLAN IP address set on the pfSense for the relevant VLAN, or finally do I just let pfSense DHCP deal with it?

      Thanks

      johnpoz LAYER 8 Global Moderator @nomis.home43

        @nomis-home43 said in Layer 2 or Layer 3:

        now throw the pfSense in and it's doing DHCP

        Stop you right there: pfSense currently has no way to do DHCP for networks it's not directly attached to.

        If you're going to use a downstream router or L3 switch doing routing, pfSense cannot do DHCP for those networks.

        Also keep in mind that if you do a downstream router, pfSense has no control over traffic between those VLANs. Unless you have a specific need for, say, wire speed between VLANs, the more straightforward solution is to just use L2 VLANs and let pfSense handle the routing and firewalling between the VLANs. It can also do DHCP then.

        When you use a downstream router (L3 switch doing routing) you would also connect that router to pfSense with a transit network, i.e. there should be no other hosts on this network between pfSense and the downstream router.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          nomis.home43

          @johnpoz Thanks for replying (just an FYI, I don't have access to the devices at the mo). I'm a little more confused now. The layer 3 setup I have managed to achieve already: I have a layer 3 switch, each VLAN has an IP, and the switch final route is set to the IP of the pfSense LAN.

          Let me add a little more meat to the setup; I may not have explained it too well the first time.
          The switch is configured with (0.1 is the SVI IP for each VLAN):
          VLAN 16 - LAN - em0 192.168.16.0/24
          VLAN 10 - Systems - em0.10 192.168.10.0/24
          VLAN 20 - IoT - em0.20 192.168.20.0/24

          The interface at the switch has:
          Untagged VLAN 16
          Tagged VLAN 10, 20

          Port 1/1 is untagged VLAN 10
          Port 1/2 is untagged VLAN 20

          DHCP is configured on each VLAN from pfSense and works if a device is plugged into port 1/1 or 1/2. DHCP has been configured with DNS (Google) and the IP of the VLAN interface on the switch.

          I'm convinced I have it set up wrong. At the moment I think the routing is done on the layer 3 switch, and anything not for internal traffic (VLANs 10, 16 or 20) is sent to the pfSense. I believe that this is why I have to add the rule below to the LAN network to get internet access for VLAN 10 or 20 respectively.

          Action | Protocol | Source          | Port | Dest | Port
          -------|----------|-----------------|------|------|-----
          Allow  | IPv4     | 192.168.10.0/24 | any  | any  | any

          So it may be working, but I'm not convinced it's right. Hope that explains it better.

            Jarhead @nomis.home43
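The two points made above (johnpoz: with a downstream L3 switch routing, pfSense never sees VLAN-to-VLAN traffic; nomis.home43: in that design an extra LAN rule for 192.168.10.0/24 was needed for internet access) can be checked with a small model. The following Python script is an added illustration and is not pfSense code or anything from this thread: it implements a simplified first-match rule evaluation with an implicit default deny (the way pfSense rules behave) over the two topologies. The VLAN numbers, subnets and em0/em0.10/em0.20 interface names are taken from the thread; the rule sets, the host addresses and the 203.0.113.10 stand-in for an internet destination are constructed for the example, and the stock "LAN net to any" pass rule is the one pfSense ships with on LAN.

```python
"""Added model of the two designs discussed in this thread (not pfSense code).

It evaluates a simplified first-match rule list with an implicit default deny,
the way pfSense rules behave, to show two things the posts describe:
  (a) with the L3 switch routing, VLAN 10 traffic reaches pfSense on the LAN
      port with a 192.168.10.x source, so the stock "LAN net -> any" rule does
      not match and an extra pass rule for 192.168.10.0/24 is needed;
  (b) in that design, VLAN-to-VLAN traffic never traverses pfSense at all,
      whereas with L2 VLANs on em0.10/em0.20 every inter-VLAN flow is filtered.
Addresses and interface names come from the thread; rule sets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# VLAN plan from the thread (switch SVIs are .1 in the L3 design)
VLANS = {
    16: ipaddress.ip_network("192.168.16.0/24"),  # LAN,     em0
    10: ipaddress.ip_network("192.168.10.0/24"),  # Systems, em0.10
    20: ipaddress.ip_network("192.168.20.0/24"),  # IoT,     em0.20
}
LAN_IF = "em0"


@dataclass
class Rule:
    iface: str                                   # pfSense interface the rule is on
    src: ipaddress.IPv4Network
    action: str                                  # "pass" or "block"
    dst: Optional[ipaddress.IPv4Network] = None  # None means "any"


def vlan_of(ip: str) -> Optional[int]:
    """VLAN tag of an internal address, or None for anything else (Internet)."""
    addr = ipaddress.ip_address(ip)
    for tag, net in VLANS.items():
        if addr in net:
            return tag
    return None


def ingress_interface(design: str, src_ip: str, dst_ip: str) -> Optional[str]:
    """Interface on which pfSense first sees the flow, or None if it never does."""
    s, d = vlan_of(src_ip), vlan_of(dst_ip)
    if s is None:
        raise ValueError("source must be an internal host")
    if design == "l3switch":
        # Switch SVIs route between VLANs themselves; only traffic following
        # the switch's final route to pfSense arrives, always on the LAN port.
        return None if d is not None else LAN_IF
    if design == "l2":
        # Each VLAN terminates on a pfSense sub-interface, so every flow that
        # leaves its VLAN enters pfSense on that VLAN's own interface.
        return LAN_IF if s == 16 else f"{LAN_IF}.{s}"
    raise ValueError(f"unknown design {design!r}")


def evaluate(rules, iface: str, src_ip: str, dst_ip: str) -> str:
    """First matching rule wins; no match falls through to the default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.iface == iface and src in r.src and (r.dst is None or dst in r.dst):
            return r.action
    return "block"


def decide(design: str, rules, src_ip: str, dst_ip: str) -> str:
    """'pass' / 'block' when pfSense filters the flow, 'unfiltered' when the
    L3 switch forwards it and pfSense has no say."""
    iface = ingress_interface(design, src_ip, dst_ip)
    return "unfiltered" if iface is None else evaluate(rules, iface, src_ip, dst_ip)


# Stock pfSense LAN rule: "LAN net -> any" pass
STOCK_LAN_RULES = [Rule(LAN_IF, VLANS[16], "pass")]
# The rule the poster had to add on LAN so VLAN 10 could reach the Internet
L3_SWITCH_RULES = STOCK_LAN_RULES + [Rule(LAN_IF, VLANS[10], "pass")]
# L2 design: per-VLAN interfaces, with IoT explicitly kept away from Systems
L2_RULES = [
    Rule(LAN_IF, VLANS[16], "pass"),
    Rule("em0.10", VLANS[10], "pass"),
    Rule("em0.20", VLANS[20], "block", dst=VLANS[10]),
    Rule("em0.20", VLANS[20], "pass"),
]

INTERNET = "203.0.113.10"   # constructed documentation-range address standing in for the Internet


def compare() -> dict:
    """Decisions for the flows the thread talks about, per design."""
    return {
        "l3: vlan10 -> internet, stock rules": decide("l3switch", STOCK_LAN_RULES, "192.168.10.5", INTERNET),
        "l3: vlan10 -> internet, +vlan10 rule": decide("l3switch", L3_SWITCH_RULES, "192.168.10.5", INTERNET),
        "l3: iot -> systems": decide("l3switch", L3_SWITCH_RULES, "192.168.20.5", "192.168.10.5"),
        "l2: iot -> systems": decide("l2", L2_RULES, "192.168.20.5", "192.168.10.5"),
        "l2: iot -> internet": decide("l2", L2_RULES, "192.168.20.5", INTERNET),
        "l2: vlan10 -> internet": decide("l2", L2_RULES, "192.168.10.5", INTERNET),
    }


if __name__ == "__main__":
    for flow, verdict in compare().items():
        print(f"{flow:40} {verdict}")
```

Running it shows the L3-switch design returning "block" for VLAN 10 to the internet until the extra 192.168.10.0/24 rule is present, and "unfiltered" for IoT to Systems in that design regardless of what rules are on pfSense; in the L2 design the same IoT to Systems flow lands on em0.20 and can be blocked there while internet access still passes.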

            @nomis-home43 Why use the switch for routing?
            Get rid of the SVIs and assign untagged VLANs on any ports as required.
            Then use a trunk port from the switch to the pfSense LAN port.
            Tag the switch trunk with any VLANs you need, then add the same VLANs to the pfSense port.
            Assign those VLANs as ports and you can use DHCP from pfSense on all of them.

              nomis.home43 @Jarhead

              @jarhead Thanks. The switch was already in place; the pfSense is the new requirement after the last ISP firewall/router bit the dust.

              Sorry, I'm a little out of my depth. I'm sort of following, so just to confirm: are you saying convert the switch to layer 2 and set up the required VLANs, or leave it as layer 3 and just remove the SVIs from the configured VLANs (I assume that means removing the interface VLANs as well)? Also, if I'm going this route (no pun intended), do I keep the final route setting?

              Thanks, Simon

                Jarhead @nomis.home43

                @nomis-home43 You can leave it as layer 3.
                Configure one port on the switch as a trunk. Tag all 3 VLANs on that port.
                Untag the VLANs on any switch ports you need for the networks; I think you said you only need 1 port per network, so just do that.
                In pfSense, go to Interfaces/VLANs. Add the 3 VLANs to the LAN port. This is the equivalent of making that port a trunk, so remove any config you have on it.
                Then go to Interfaces/Assignments. At the bottom there's "Available network ports". In the drop-down, all 3 VLANs will be there. Assign each VLAN, one at a time, and they will be assigned an OPTx name. Click each OPTx, enable it, rename it, and assign IPs as needed. Go to Services/DHCP Server. You will see all 3 VLANs at the top; click one, enable the DHCP server and set the range. Repeat for the other two.
                Then set firewall rules on the new ports.
                Should be good from there.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.