Network Setup with PfSense
-
Hi everyone,
- Wanted to get some suggestions on a good way to set up my PfSense.
Current Setup. ISP (DHCP assigned) -> PfSense (WAN) PfSense (LAN) -> Layer 3 Switch -> End devices or AP
Alternative.
ISP (DHCP assigned) -> Layer 3 Virtual Switch -> PfSense (WAN) PfSense (LAN) -> Layer 3 Virtual Switch -> End devices or AP
The layer 3 switch is able to configure multiple virtual switches for logical network segmentation. However, I'm having issues configuring a proper route for egress and ingress to/from the internet WAN IP assigned by my ISP, as it's based on DHCP.
For example, a static route can't work as the IP will change.
Any good ideas on how I can go about doing it? Or is this not a very good network setup?
- How do you set up the DNS service? Is it configured on your Access Point DHCP pool or the L3 Switch DHCP pool?
I did not use the LAN port in PfSense as it's configured in /30 with my Switch.
-
@Firewaller1 I guess the typical setup would be alternative one, of course...
I suppose if the switch has SFP ports and your pfsense doesn't, you can use it as a "media converter". But outside of that may I ask, what would be the reason to connect your switch on the WAN side?
The switch only needs an IP for management, and there are likely several different ways to set that up. You can perhaps set a static IP for your LAN side. Then it's done with that and will not interfere with ISP DHCP requests.
Often you can set up a management VLAN, and/or the ability to define which ports are allowed for management access. Then you can isolate out the two ports used on the WAN side.
In terms of DNS, I'm using the switches as switches and pfsense as the firewall/router/gateway handling everything, including DHCP and DNS.
-
@Firewaller1 said in Network Setup with PfSense:
I did not use the LAN port in PfSense as its configured in /30 with my Switch.
So you're using a transit or connector network.. Is there some reason you want to route at your switch.. Just because it supports L3 doesn't mean you have to use it as such. Mine does L3 routing - but my normal setup is via just L2 and all the routing is done at pfsense between vlans/networks.
This allows for firewall rules between your segments and also easier to leverage dhcp just on pfsense.
Any L3 switch is also going to be able to just be a L2 switch.
If you have enough ports you can sure run your wan connection through the switch. I do this as well, one advantage to that is you would have the ability to create a span port if there is some need/want to sniff your wan traffic. Other advantage is even if say your modem is power cycled or loses power, the interface on pfsense won't actually go down, unless your switch loses power.
Also allows for pfsense to be rebooted without the modem's interface actually going down. Also allows for changing what is actually connected to the modem, without the modem interface going down to connect some other router to it, if you clone the mac - the modem is clueless to this change happening via just some manipulation of the ports config on the switch.
Would also allow for ACLs at the switch to say block multicast sort of traffic from hitting pfsense interface, if your isp network is noisy with that sort of stuff, etc.. Many advantages to running the connection through a switch. Sure you now have a switch as a failure point, and some extra config on the switch - but I feel it's a good sort of setup for flexibility.
-
@johnpoz Some good reasons to have a switch on the WAN side there...
I actually have it set up like that as well, but I did it to make it simple to switch between different firewalls when playing around and testing.
-
Yeah that was my intention as well.
A simple setup will be using the L3 switch as L2. Within the switch I can still perform stateful ACL rules, but that is more for internal routing.
A few items that I consider for the 2nd setup:
- Able to perform pcap capture directly on the WAN link.
- Worried having my WAN link attached to a Zimaboard installed with pfSense isn't stable.
- More flexibility to control the routing since it's on the L3 switch.
- Easier to switch out the FW with another hardware.
But I'm trying to figure out how I can handle the following:
- DHCP WAN IP on the switch. Because a static route will not work.
I need to consider the network path egress to internet and ingress from internet.
DHCP & DNS assignment is currently managed by my Switch.
pfSense (LAN) is currently on a static IP on /30 connected to my Switch.
-
You have shown them as virtual switches. How much of this is virtualized? Are you moving from hardware to VMs?
-
@stephenw10 It's a physical switch, just that you can configure multiple virtual switches. Each will have its own routing table.
The switch has 12 LAN ports and 4x SFP ports, so I have more than enough to use.
Each physical LAN port can be assigned to the "virtual switch", but you can't assign 1 physical LAN port to 2 different "virtual switches".
However, I can have virtual LAN ports though... haha, that's just getting more complicated.
-
@Firewaller1 said in Network Setup with PfSense:
just that you can configure multiple virtual switch. each will have its own routing table.
You mean it supports VRFs? What specific make and model of switch is this?
Or are you just calling a vlan a virtual switch?
If we knew the make and model we would be clear on what it can and cannot do.. You can for sure add whatever ports you want to a vlan.. As to what this switch's feature set is for VRFs, need to know make and model number.
As to ACLs and stateful? Again what is the switch.. A simple acl be it based on IP or mac, or Port, etc. I don't think they are stateful like an actual firewall.. It's either allowed or not to enter the port.. I block a lot of multicast from noisy clients for example, this is IP based ACL with the destination being the multicast address.
For pfsense to do dhcp, it has to be connected at L2 to the network you want it to do dhcp for, so no, you're not going to be able to do downstream routing and have pfsense handle dhcp..
-
You do not need to worry about the WAN IP address assignment. It can be DHCP or static. It does not matter. pfSense itself should select WAN as its default gateway. Your concern is only the LAN side and you already have a static IP address for that.
I understand that you have a local network where routing is handled by a L3 switch and you have created a routed link between the L3 switch and pfSense. BTW, that’s my choice, too. In a case like that, pfSense does not know anything about your local network. Because of this, you need a gateway to your LAN on pfSense and one or more static routes. Also, pfSense needs to be the default gateway for your local network.
In your /30 link, you have two IP addresses, one on L3 switch and one on pfSense.
You need to use the pfSense IP address in the default route on the switch.
On the other hand, the switch IP address needs to be defined as a gateway on the LAN side of pfSense. This gateway needs to be used in the static routes to your local network. You need one static route for each LAN subnet you want to interface with pfSense. If the local network is in a completely different address space than pfSense, you probably could use a single, more generic, static route.
Placing a switch on the WAN side of pfSense is another issue.
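A small model of the routed /30 transit setup described in the post above, as an added example that is not from the thread: it builds longest-prefix-match tables for the L3 switch and for pfSense, then checks the egress path to the internet and the return (ingress) path back to a LAN host, including the failure mode where the static routes on pfSense are missing. All addresses and the WAN_GW label are constructed samples.

```python
import ipaddress

def make_table(routes):
    """routes: list of (prefix, next_hop). Returns entries sorted longest
    prefix first so that the first match in lookup() is the best match."""
    table = [(ipaddress.ip_network(p), nh) for p, nh in routes]
    return sorted(table, key=lambda r: r[0].prefixlen, reverse=True)

def lookup(table, dst):
    """Longest-prefix match for dst; None if no route (not even a default)."""
    addr = ipaddress.ip_address(dst)
    for net, nh in table:
        if addr in net:
            return nh
    return None

# Constructed sample addressing for the /30 transit link
TRANSIT_PFSENSE = "10.255.255.1"   # pfSense LAN-side address
TRANSIT_SWITCH = "10.255.255.2"    # L3 switch address (gateway on pfSense)
LAN_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24"]

# L3 switch: LANs directly connected, default route via the pfSense /30 IP
switch = make_table(
    [(s, "connected") for s in LAN_SUBNETS]
    + [("10.255.255.0/30", "connected"), ("0.0.0.0/0", TRANSIT_PFSENSE)]
)

# pfSense as the post describes: default via WAN (DHCP or static, irrelevant
# here), plus one static route per LAN subnet via the switch gateway
pfsense_ok = make_table(
    [("0.0.0.0/0", "WAN_GW"), ("10.255.255.0/30", "connected")]
    + [(s, TRANSIT_SWITCH) for s in LAN_SUBNETS]
)
# Same box with the static routes forgotten (the ingress failure mode)
pfsense_missing = make_table(
    [("0.0.0.0/0", "WAN_GW"), ("10.255.255.0/30", "connected")]
)
# Single summary route covering both LANs, as the post suggests is possible
pfsense_summary = make_table(
    [("0.0.0.0/0", "WAN_GW"), ("10.255.255.0/30", "connected"),
     ("192.168.0.0/16", TRANSIT_SWITCH)]
)

def egress_next_hops(dst="198.51.100.10"):
    """(switch next hop, pfSense next hop) for a LAN host reaching dst."""
    return lookup(switch, dst), lookup(pfsense_ok, dst)

def return_next_hop(table, lan_host="192.168.10.5"):
    """Where pfSense sends the reply; must be the switch, never WAN."""
    return lookup(table, lan_host)
```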