Pfsense + Cisco Router 1712 + Cisco switch 2960: Inter-vlan routing

  • Hello

    I have the following devices:

    pfSense Box (WAN, LAN1, LAN2, DMZ)
    Cisco Router 1712 (1 10/100 Ethernet, 4 integrated Switch Ports)
    Cisco Switch 2960
    4 PCs

    My connection

    pfSense WAN port  =======> Internet OK
    pfSense LAN1: ==========> pfSense Web GUI OK
    pfSense LAN2: ==========> Creating 4 VLANs OK

    How can I connect pfSense + Cisco 1712 + Cisco 2960, and how can I configure them so that I can achieve the following:

    1- Behind the firewall, 4 VLANs, 4 different network segments, and they can ping each other
    2- 4 PCs in the subnets can ping the internet

    I would appreciate it so much if you could point me to some post where people are doing a similar thing.

    Best Regards

  • I am unsure of what you want to do with the 1712 and I am also unsure of how many ports you have on your pfSense box, so I will assume you have only two, a WAN and a LAN.

    You need to create four VLANs and associate them with the LAN port, probably re0.  Activate them, and assign them IPs.

    On your 2960, connect one port to the LAN of the pfSense box.  You need to switch that port to a trunk port by entering 'switchport trunk encapsulation dot1q' followed by 'switchport mode trunk' on that interface going to the pfSense box.

    Then, you associate other ports on the switch to VLANs by typing 'switchport mode access' and 'switchport access vlan X' on each interface substituting X with the VLAN number you created on the pfSense box.  You would probably also want to type 'spanning-tree portfast' on your access ports to speed up the STP forwarding state.

    You could then create a second trunk port from the switch over to your 1712 so you can access all of the VLANs from it.  Assuming you use FastEthernet 0/0, on that interface, do a no shutdown, then proceed to create subinterfaces such as fastethernet 0/0.10, 0/0.11, and so on, and just associate each with the proper dot1q VLAN by doing 'encapsulation dot1q X' on each, where X is the VLAN ID number.  I find it easiest to have the subinterface number match the dot1q number also, as in fa0/0.10 is dot1q 10.

    And don't forget to run no shutdown on all of those interfaces ;)  Welcome to the world of Cisco.
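The steps in the reply above, written out as an added example configuration (not posted by anyone in this thread). VLAN IDs 10-13, the 192.168.1x.0/24 subnets, the port numbers and the 1712 interface name are constructed placeholders; the trunks are also restricted to the VLANs that exist and given an unused native VLAN, which the reply does not mention.

```cisco
! Added example, not from the thread. VLAN IDs, subnets and port numbers are
! constructed placeholders; adjust them to your own layout.
! pfSense side: create VLANs 10-13 on the LAN parent interface in the web GUI,
! give each an address such as 192.168.10.1/24, and add a pass rule per VLAN.
!
! --- Cisco 2960 switch ---
vlan 10
vlan 11
vlan 12
vlan 13
vlan 999
 name UNUSED_NATIVE
!
! Trunk to the pfSense LAN port. A 2960 only speaks 802.1Q, so the
! "switchport trunk encapsulation dot1q" command is typically not accepted;
! "switchport mode trunk" alone yields a dot1q trunk. Limiting the allowed
! VLANs and using an unused native VLAN keeps untagged frames out of real
! segments; nonegotiate turns off DTP on the port.
interface GigabitEthernet0/1
 description Trunk to pfSense LAN
 switchport mode trunk
 switchport trunk allowed vlan 10-13
 switchport trunk native vlan 999
 switchport nonegotiate
!
! Second trunk, to the 1712, hardened the same way.
interface GigabitEthernet0/2
 description Trunk to Cisco 1712
 switchport mode trunk
 switchport trunk allowed vlan 10-13
 switchport trunk native vlan 999
 switchport nonegotiate
!
! Access port for a PC in VLAN 10; repeat per PC with the matching VLAN.
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
! --- Cisco 1712 (router-on-a-stick) ---
! Interface name assumed as in the reply; verify with "show ip interface brief".
interface FastEthernet0/0
 no shutdown
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.2 255.255.255.0
interface FastEthernet0/0.11
 encapsulation dot1Q 11
 ip address 192.168.11.2 255.255.255.0
```

Verify the result on the switch with "show interfaces trunk" (the trunks should list VLANs 10-13 as allowed and active) and "show vlan brief" (each access port should appear under its VLAN).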

  • Thanks, I almost got it. A small issue remains.

    I have done as advised, as described below

    pfSense: created VLAN 2, parent interface is the LAN port. Connected to the trunk port on the 2960, VLAN 2 IP
    On the 2960, gi0/1 mode trunk, encapsulation dot1q, connected to the pfSense LAN port,
    2960 sw fa0/3 mode access, associated with VLAN 2, IP
    CentOS box, eth0 IP
    I use VLAN 2 as the gateway for the network: route add -net gw

    As a result:

    From the 2960 switch, I can ping the CentOS box, e.g. ping successful
    From the CentOS box, I can ping VLAN 2 on the switch, e.g. ping successful

    From pfSense VLAN 2, I can ping VLAN 2 on the switch, e.g. ping successful, but not the other way around!
    (I cannot ping VLAN 2 from the switch)

    Could you please help me one more time?

    Thanks so much

  • Hello

    To troubleshoot my problem, I turned on "ip debug packet detail" on the switch.

    When I ping from the switch, I can see the packet sent from the switch never gets a reply.
    When I ping from pfSense, from VLAN 2, I can see the switch responds.
    I also checked the firewall rules on VLAN 2; I let it pass "any" source to any destination.

    I am still not sure why I cannot ping VLAN 2 on pfSense?


  • Do you have firewall rules configured on the router?  pfSense creates a new section in the rules for the new VLAN interfaces, whatever you named them.  By default I think it's opt1, opt2, etc.  You may need to create a rule to allow traffic from the VLAN's subnet outbound.  I'm pretty sure there are no rules and an implicit deny when you create a new interface.  This would result in you being able to ping the switch from pfSense, but not the other way around.
