pfSense in front of Layer 3 switch



  • Hi,
    My network setup is like this:
        VLAN2 192.168.3.0,
        VLAN3 192.168.30.0,
        VLAN4 192.168.40.0,
        VLAN5 192.168.50.0,
    I managed to set up VLAN interfaces on the Layer 3 switch:
        192.168.3.1,
        192.168.30.1,
        192.168.40.1,
        192.168.50.1,

    and a default route (0.0.0.0 0.0.0.0 192.168.3.254) on VLAN2, where pfSense is 192.168.3.254.

    All VLANs have access to the internet and to each other. Servers are on VLAN2: Active Directory, DHCP, web; the other VLANs are for classrooms, offices and WiFi.

    The reason I did routing on the Layer 3 switch is that client computers need to authenticate to VLAN2, where my Active Directory is placed, and the pfSense box takes so long to boot up if power fails. All clients need a constant connection to our application server in VLAN2. What I think is that the Layer 3 switch should do the routes.

    Is there any way I can filter internet usage per VLAN? For example, I would allow everything to VLAN2 and allow only 80 and HTTPS on VLAN3 and VLAN4. I hope someone can help me understand this routing; I have just a little experience in networking.



  • The internet traffic from the clients/switch will be going out through pfSense on VLAN 2.
    Set up rules on the pfSense VLAN 2 interface with the source IPs, e.g.:
    allow 192.168.30.0/24 -> any
    allow 192.168.40.0/24 -> TCP port 80, 443 etc.
    You also need a route & gateway on pfSense to tell it where to find your VLANs (3, 4, 5) via the switch IP. (See System -> Routing)



  • Additional information about my pf box: the port from the switch is a trunk connected to the pfSense LAN. I did create VLAN interfaces:
    vlan2 192.168.3.254
    vlan3 192.168.30.254
    vlan4 192.168.40.254 and so on.

    Rules on vlan2: allow * to *, default gateway.

    I tried adding rules on vlan30 and the other VLANs:
    rule tcp vlan30subnet any http 80 default gateway..

    But it seems it can still access torrent ports and HTTPS.
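An added illustration, not part of the thread, of why the rule on the pfSense vlan30 interface in the post above has no effect in this design: the L3 switch is the clients' gateway, so every client packet reaches pfSense on VLAN 2, and only the rules on that interface, keyed on source subnet as the earlier reply suggests, are consulted. Interface names, subnets and the rule set come from the thread; the first-match evaluator itself is a constructed model of pfSense's per-interface rule processing.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the thread's topology: the L3 switch is the clients'
# default gateway and forwards non-local traffic to pfSense (192.168.3.254),
# so every client packet enters pfSense on its VLAN 2 interface.
INGRESS_IF_FROM_SWITCH = "vlan2"

# dports=None means any destination port; proto "any" matches every protocol.
Rule = namedtuple("Rule", "iface action src proto dports")

def build_rules():
    """First-match rules keyed on the interface where a packet ENTERS pfSense
    (pfSense evaluates rules on the ingress interface)."""
    return [
        # VLAN 3 clients: unrestricted egress, as in the reply above
        Rule("vlan2", "pass", ipaddress.ip_network("192.168.30.0/24"), "any", None),
        # VLAN 4 clients: HTTP/HTTPS only. Client DNS goes to the AD server on
        # VLAN 2 via the switch and never reaches pfSense, so no rule is needed.
        Rule("vlan2", "pass", ipaddress.ip_network("192.168.40.0/24"), "tcp", {80, 443}),
        # The server VLAN itself (AD, DHCP, web) may go anywhere
        Rule("vlan2", "pass", ipaddress.ip_network("192.168.3.0/24"), "any", None),
        # The asker's rule on the pfSense vlan30 interface. Nothing enters
        # pfSense on that interface in this design, so it is never consulted.
        Rule("vlan30", "pass", ipaddress.ip_network("192.168.30.0/24"), "tcp", {80}),
    ]

def evaluate(rules, iface, src, proto, dport):
    """Return 'pass' or 'block' for one packet; no match means the implicit
    default deny at the end of every pfSense interface rule set."""
    src_ip = ipaddress.ip_address(src)
    for r in rules:
        if r.iface != iface or src_ip not in r.src:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.action
    return "block"

def client_verdict(rules, src, proto, dport):
    """Verdict for a packet from a client behind the switch: it always enters
    on VLAN 2, whichever VLAN the client sits in."""
    return evaluate(rules, INGRESS_IF_FROM_SWITCH, src, proto, dport)

if __name__ == "__main__":
    rules = build_rules()
    for src in ("192.168.30.5", "192.168.40.5"):  # constructed sample clients
        print(src, "tcp/6881 ->", client_verdict(rules, src, "tcp", 6881))
```

The same VLAN 3 client that the vlan30 rule would have limited to port 80 is passed on any port, because its packets are matched against the vlan2 rules only.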



  • Can you show me how to add a route? Please, thanks in advance.



  • OK, from my short experience with an L3 switch & pfSense, here goes:

    Switch, assuming clients/servers are on VLAN 3/4/5:
    vlan 2: 192.168.3.1,
    vlan 3: 192.168.30.1,
    vlan 4: 192.168.40.1,
    vlan 5: 192.168.50.1,

    add default route on switch 0.0.0.0 0.0.0.0 <pfsense vlan 2 ip>
    enable routing (look into ACLs later on)

    pfSense:
    Create VLAN 2 interface ONLY - do not create VLAN 3, 4, 5 on pfSense
    VLAN 2: Add rule to allow IPs of VLAN 3, 4, 5 out to the internet: source: 192.168.30.1/24, destination: any (repeat for VLANs 4 & 5)
    System -> Routing: Add Gateway, interface VLAN 2, IP: VLAN 2 switch IP (192.168.3.1)
    System -> Routing, Routes tab: Add destination network: 192.168.30.1/24, gateway (select the one entered above) - repeat for the VLAN 4 & 5 networks, using the same switch VLAN 2 IP.

    Fine tune the above to your needs once it works.

    Hope that helps



  • Thanks for the quick reply, I'll try this one now. Whatever happens tonight, I'll feed back later…



  • It works! Thanks for that tutorial. But I don't know why DHCP won't give IPs to the other VLANs. The DHCP server is on VLAN2; if I manually configure the IP address on VLAN3 it can ping AD DS and can access the internet, and it can also ping the other VLANs. Does the Layer 3 switch block DHCP ports?

    I added a route 192.168.3.1/24 with gateway vlan2 and it allows DHCP on the other VLANs.

    So what happens if pfSense is down? The other VLANs can't access the servers?

    It's supposed to receive DHCP even if pfSense is down..



  • Well, this was something else that I had to come to terms with; you can't run DHCP on the pfSense box, as you had to delete the VLAN 3, 4, 5 interfaces.
    You need another machine (real or virtual, pfSense or Linux or otherwise) on the network configured with VLANs 3, 4, 5 to run the DHCP service. It cannot be done on your current pfSense, as you cannot recreate the VLAN 3, 4, 5 interfaces there.

    • Clients on VLAN 3, 4, 5 should be configured (manually or by DHCP) to use the switch IP (192.168.30.1, .40.1, .50.1) as their default gateway.
    • Your VLAN 2 should ideally be a /30, as there are no other hosts on this network other than pfSense & your L3 switch.

    "I added a route 192.168.3.1/24 gateway is vlan2 and it allows dhcp on other vlans."

    Not sure how you got it to hand out IP addresses on a different VLAN (as those VLANs do/should not exist on pfSense)… but consider running the DHCP service on another machine as described above.



  • Thanks..
    This is what I did last night.
    pfSense IP: 192.168.3.254
        WAN: ADSL
        OPT1: ADSL PPPoE

    Windows 08 R2 running AD DS, DHCP: 192.168.3.250
    Web servers: 192.168.3.xx

    Clients on VLAN 30: 192.168.30.2 to .30.100
    Clients on VLAN 40: 192.168.40.2 to .xx

    Switch VLAN interfaces: 192.168.3.1
                            192.168.30.1
                            192.168.40.1
    route 0.0.0.0 0.0.0.0 192.168.3.254

    Clients on VLAN 3 can ping VLAN2 even without pfSense because of the Layer 3 switch,
    but when I remove the VLAN interface on pfSense, vlan30 clients can't ping VLAN2.
    When I added a route on pfSense, 192.168.3.1/24 gateway vlan2..
    it now can't receive DHCP from the Windows server (192.168.3.250).
    My problem is that internet browsing is sometimes gone, sometimes okay.

    Can you give me a better way to do my network? Please..



  • I found a problem: my D-Link Layer 3 switch is not properly configured to route between VLANs.
    I already set the logical interfaces as posted in the previous post,
    and a route 0.0.0.0 0.0.0.0 192.168.3.254 <--- pfSense.
    I tried removing the pfSense patch cable from the switch, expecting to receive a DHCP lease from VLAN2; I am connected to VLAN3 but it can't receive an IP address from the DHCP server located in VLAN2.

    Do I have to enable routing protocols on this Layer 3 switch? I don't know how.

