Pfsense and l3 switch and dmz

chinchun

@johnpoz
Don't know if I did it the right way.

johnpoz

@chinchun Your throwing the traffic from your downstream networks into a gateway, your LoadBalance.

Yeah that is policy routing, if you want these downstream networks to go to another network(s) off of pfsense you would have to allow for that in the rules.. I doubt your gateway your forcing the traffic to can get there ;)

https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing

stephenw10

OK, you need a rule on SG500 to allow traffic from 10.1.10.1/24 to DMZ without a gateway set.
Otherwise that traffic is forced via the load-balance gateway group and cannot reach the DMZ.

See: https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing

Steve

Edit: Snap!

johnpoz

@stephenw10 beat you too it Steve ;) hehehe -- jinx, you owe me a beer!

chinchun

@johnpoz
Thanks for the apply!
I will read it first then try it out. Not an expert of pfsense, just an architect who love these things, still learning

chinchun

@stephenw10
And many thanks to you too, bro!
Almost 3 am here, night!

johnpoz

@chinchun here to help, you seem to have a pretty nice network setup..

And I wouldn't mind having a sg500, I have some sg300s

I don't do any routing on mine (other than lab for helping here if needed) mine are in L3 mode but only use L2 on them.

My sg300 is getting a bit long in the tooth, and is eol here next year I think.. I have my eye out for replacement.. Love to have something that has multiple gig interfaces 1/2.5/5/10 in the 24 port range.. And at a great price hehehe..

The cisco smb line with 24ports some with poe, and with multigig would be sweet! But this unicorn switch is not on the market that I can find - at least not at the price willing to pay..

chinchun

@johnpoz
Thank you! Cost me some time to figure it out.
I'm also looking for some l3 fanless with 10g ports switches, but unfortunately so far I did't find any that both cheap and poe capable and have enough ports.

johnpoz

@chinchun was just looking at the newer sg350's that have multigig and poe.. But the prices currently are just insane for home use ;)

No freaking way could get that past the budget committee (wife) hehehe

Maybe in a year or so they might be more home budget friendly.. I picked up my sg300-28 new for like 200..

chinchun

@johnpoz
No budget for me to get brand new these stuffs
My most equipments are used, except for the T630. It's getting harder and harder to get a cisco in my area. So I'm considering change the sg500 with a ICX7150-C12P(for l3 switching and poe) and a C2960L-24TQ(for access).
But don't know the compatibility between Ruckus and Cisco