Netgate Discussion Forum
    pfSense as Firewall/Router/Switch all in one - Layer 3 virtual interface?

Category: L2/Switching/VLANs | Tags: switch, svi, virtual, layer2, layer3 | 2 Posts, 2 Posters, 78 Views
spickles (last edited by spickles):

I'm trying to replace a Cisco ASA 5505 with a pfSense firewall. On the Cisco ASA I can assign an inside and an outside interface and hand off to a downstream switch. The downstream switch is L3 capable, so I just run a point-to-point /30 IP between the two and route, as I have no need for any additional firewall interfaces (no DMZ, for example). But it got me thinking. If I only have a handful of devices behind the firewall and I want to use the pfSense as the firewall/router/switch all in one, can I do that? I don't see a way to create a switched virtual interface where the IP address goes, and then just simply assign ports to the appropriate VLANs (untagged) so that whatever host plugs into that port would get an IP address on the correct VLAN. The physical ports would be purely L1/L2, and the routing would take place at the virtual interface. I see that when I attempt to create a VLAN, it forces me to choose a physical port to assign it to in the form of a parent interface - I don't want to do this. That would mean that even on a small network I'd have to have a physical interface for every VLAN I want to create (or that I wanted to have an L3 interface associated with anyway - I see that I can just create L2 assignments either in the form of a single VLAN or a trunk). This leads me to believe that either pfSense itself doesn't support switched virtual interfaces, or at least not on the hardware I'm using. I've installed the latest stable CE version (2.8.0) on a Cloudgenix ion 2000.

marcg @spickles (last edited by marcg):

        @spickles Not following your entire note. Hopefully this is helpful.

        First, barring hosts that can tag their own traffic, in general every host that you want to place on a VLAN requires either a switch port somewhere to tag traffic onto the desired VLAN or, for WiFi, an AP that can tag hosts on an SSID onto the desired VLAN. (There are some exceptions to this like using a VLAN-aware switch to tag all traffic from a downstream dumb switch and Ubiquiti's Virtual Network Override, but let's not go there ...)

        Second, if the question is whether you can create a port on a pfSense box that can process multiple VLANs as separate subnets, the answer is yes. For example, I have a physical port, igc1, carrying 4 tagged VLANs and an untagged one between pfSense and the downstream switch fabric. pfSense routes for all of them.

        The four tagged VLANs are all tied to igc1 (so, igc1.15, igc1.20, etc.) under Interfaces>VLANs as shown in the first pic. A pfSense Network Port is created for each. Once created, each can be assigned to an Interface and configured with subnets and addresses under Interfaces/Interface Assignments, have DNS, DHCP, Firewall, etc., just like a physical interface. That's the second pic (black boxes to reduce the distraction of the box's other interfaces). So, 4 tagged VLANs plus 1 untagged on a single port. The untagged interface is igc1.

[first pic: Interfaces > VLANs, four tagged VLANs with parent igc1]
[second pic: Interfaces > Interface Assignments, the VLAN Network Ports assigned as interfaces]

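As an added example (not code from either poster, and not pfSense's own code), the script below plans the kind of trunk marcg describes: four tagged VLANs plus one untagged subnet on a single parent port, igc1. It checks that tags are in the 802.1Q range and unique on the parent, that no two routed subnets overlap, emits a <vlans> fragment in the shape pfSense 2.x stores such definitions in config.xml (the element names if/tag/pcp/descr/vlanif are my reading of that format, not copied from this thread), and prints the equivalent FreeBSD ifconfig commands, which is an assumption about what pfSense does underneath the GUI. The interface name, tags, descriptions and addresses are constructed sample data.

```python
"""Plan a pfSense trunk port: several tagged VLANs plus one untagged subnet on one parent."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Vlan:
    tag: int        # 802.1Q tag, 1-4094
    descr: str      # free-text description shown in the GUI
    gateway: str    # pfSense address on the VLAN, CIDR form, e.g. "10.0.15.1/24"


def validate_plan(parent, vlans, untagged=None):
    """Return a list of problems (empty list means the plan is sane)."""
    errors = []
    seen = set()
    nets = []
    if untagged:
        # The bare parent (e.g. igc1) carries the untagged/native subnet.
        nets.append((parent, ipaddress.ip_interface(untagged).network))
    for v in vlans:
        if not 1 <= v.tag <= 4094:
            errors.append(f"VLAN {v.tag}: tag must be 1-4094")
        if v.tag in seen:
            errors.append(f"VLAN {v.tag}: duplicate tag on {parent}")
        seen.add(v.tag)
        nets.append((f"{parent}.{v.tag}", ipaddress.ip_interface(v.gateway).network))
    # Two interfaces routing overlapping subnets is a classic source of hosts
    # landing on the wrong network; check every pair.
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                errors.append(f"{n1} ({a}) overlaps {n2} ({b})")
    return errors


def vlans_xml(parent, vlans):
    """Build the <vlans> fragment as pfSense 2.x stores it (assumed layout)."""
    root = ET.Element("vlans")
    for v in vlans:
        e = ET.SubElement(root, "vlan")
        ET.SubElement(e, "if").text = parent            # parent NIC
        ET.SubElement(e, "tag").text = str(v.tag)
        ET.SubElement(e, "pcp").text = ""               # 802.1p priority, unset
        ET.SubElement(e, "descr").text = v.descr
        ET.SubElement(e, "vlanif").text = f"{parent}.{v.tag}"  # Network Port name
    return ET.tostring(root, encoding="unicode")


def ifconfig_commands(parent, vlans, untagged=None):
    """FreeBSD commands equivalent to the GUI steps (assumed, for illustration)."""
    cmds = []
    if untagged:
        ip = ipaddress.ip_interface(untagged)
        cmds.append(f"ifconfig {parent} inet {ip.ip} netmask {ip.netmask}")
    for v in vlans:
        ip = ipaddress.ip_interface(v.gateway)
        name = f"{parent}.{v.tag}"
        cmds.append(f"ifconfig {name} create vlan {v.tag} vlandev {parent}")
        cmds.append(f"ifconfig {name} inet {ip.ip} netmask {ip.netmask}")
    return cmds


# Constructed sample plan: one trunk port, four tagged VLANs, one untagged subnet.
PARENT = "igc1"
VLANS = [
    Vlan(15, "SERVERS", "10.0.15.1/24"),
    Vlan(20, "USERS", "10.0.20.1/24"),
    Vlan(30, "IOT", "10.0.30.1/24"),
    Vlan(40, "GUEST", "10.0.40.1/24"),
]
UNTAGGED = "192.168.1.1/24"

if __name__ == "__main__":
    problems = validate_plan(PARENT, VLANS, UNTAGGED)
    print("OK" if not problems else "\n".join(problems))
    print(vlans_xml(PARENT, VLANS))
    print("\n".join(ifconfig_commands(PARENT, VLANS, UNTAGGED)))
```

The untagged subnet on bare igc1 is the trunk's native VLAN; the switch side of the link has to agree on which VLAN is untagged, or hosts on that VLAN end up addressed out of the wrong subnet. The per-host tagging that marcg's first point describes still has to happen on the switch access ports or the AP, not on pfSense.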
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.