Cisco SG500-28 and pfSense



  • Hello all,

    I am having difficulty configuring pfSense with Cisco SG500-28 switch.

    Here is the setup I am trying to configure.

    Internet <-> pfSense <-> Cisco SG500-28 <-> PCs

    On the pfSense I have WAN set to DHCP since I get the IP from the ISP.  I have setup LAN with IP 10.10.1.1.

    The Cisco SG500-28 has been switched to layer 3 mode.  I have 3 VLANs on the switch.  I decided to use x.x.x.254 as the switch VLAN interface address for each VLANs to keep things consistent.

    So I have:

    VLAN 1:  (default on Cisco SG500-28)
    Network:  10.10.1.0/24
    Switch IP:  10.10.1.254

    VLAN 2:  Wired Data
    Network:  10.10.2.0/24
    Switch IP:  10.10.2.254

    VLAN 3:  WiFi
    Network:  10.10.3.0/24
    Switch IP:  10.10.3.254

    I connected the pfSense on port 1 on the switch.  I also plugged in 3 PCs in the switch on ports 4, 5, 6.  I setup ports as following:

    pfSense on port 1 as trunk with PVID of 1
    PC1 on port 4 as trunk with PVID of 1
    PC2 on port 5 as trunk with PVID of 2
    PC3 on port 6 as trunk with PVID of 3

    I manually setup the PCs as follows:
    PC1: ip 10.10.1.100 with gateway 10.10.1.254
    PC2: ip 10.10.2.100 with gateway 10.10.2.254
    PC3: ip 10.10.3.100 with gateway 10.10.3.254

    All 3 PCs can talk to each other but none of them can get to the internet.

    Then I configured the pfSense as following.  I created another gateway with the ip of 10.10.1.10 and called it LANGW.  Then I created a static route of 10.10.2.0/24 using gateway LANGW.  Then created another static route of 10.10.3.0/24 using gateway LANGW.

    All 3 PCs can talk to each other and none of them can get to the internet including PC1 which is on VLAN1.  Since all 3 PCs can talk to each other I am assuming that it is not a switch issue.

    Please help.  What am I doing wrong?  What is not configured correctly?

    Thanks.



  • [note: I'm still a student and it's been almost a year since I used the L3 on a switch, nor have I ever used that particular switch. I have also not used VLANs with pfSense]

    The switch is doing routing now, so you need to tell it where its gateway of last resort is. You should also make the ports that the PCs are connected to access ports rather than trunk ports (make sure that VLAN1 is your native trunk and don't have any PCs on it).

    I think that should do it, but like I say in that note at the top, I haven't touched L3 on switches in almost a year and have never used VLANs on PF. I'm also not sure why the switch is L3, by the way; I'd leave it as L2. You can still use VLANs and I think that PF can do the inter-VLAN routing. I could be wrong though.



  • @sandman77777:

    Then I configured the pfSense as following.  I created another gateway with the ip of 10.10.1.10 and called it LANGW.  Then I created a static route of 10.10.2.0/24 using gateway LANGW.  Then created another static route of 10.10.3.0/24 using gateway LANGW.

    I was with you right up until that point.  Don't understand why 10.10.1.10 was chosen.  If the SG500 is on L3 mode, the route to the 10.10.2.0/24 and 10.10.3.0/24 should point to the 10.10.1.254 address.  That's the address of the SG500 and the only way traffic to the wired and wireless networks is going to reach them.

    I agree with Cyberloard that the ports should be access, rather than trunk.



  • There are a couple of things I would change…

    drop this part from your pfsense config:

    Then I configured the pfSense as following.  I created another gateway with the ip of 10.10.1.10 and called it LANGW.  Then I created a static route of 10.10.2.0/24 using gateway LANGW.  Then created another static route of 10.10.3.0/24 using gateway LANGW

    Add an IPv4 static route in the Cisco switch:
    Destination IP Prefix: 0.0.0.0  Mask 0.0.0.0  Next Hop: your pfSense LAN address
    (it tells the switch -who is doing the inter-vlan routing- to forward all traffic that didn't hit the local route table to the next hop address)

    Then add the different networks in pfSense, under "System\Routing -> tab Routes" (only the 2 other subnets in your setup; they are currently unknown to pfSense as there is no routing protocol running (?))

    Next, but equally important, you need some instance to resolve the name, so you could configure the switch to send DNS requests to pfSense (found under "Domain Name System\DNS servers")
    Not sure if this will work though. Alternative: configure the LAN ip of pfSense as DNS server IP in your clients.

    That should give you internet access (unless I'm forgetting something ;D)

    Last, fix that vlan setup. Trunks are only required if they need to transport vlan information (802.1Q). If no trunking is required, I think it will be better for your setup to configure the port to access.
    Easiest fix: assign those ports as "access" to the correct vlan (menus "Port to VLAN" and "Port VLAN Membership" and set the native vlan back to 1 (pvid))

    An alternative to this setup would be to configure your LAN interface in pfSense to also do trunking, but then you would need to configure those vlans also in pfSense and let pfSense do the routing instead of the switch. Not more complex than your setup, just another approach…

    Good luck & let us know how it goes...  ;)
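The routing changes the two replies above describe (a gateway of last resort on the SG500 pointing at the pfSense LAN address, and static routes on pfSense for the other two subnets pointing at 10.10.1.254) can be checked with a small route-table walk. This is an added example, not code from the thread, from pfSense or from Cisco. It models routing only (no NAT, no firewall rules, no ARP), uses the addresses the original poster gave, and uses constructed documentation-range addresses (203.0.113.0/30 for the WAN link, 198.51.100.50 as a public host) for the ISP side; the device names and route tables are assumptions built from the thread, not captured from real devices.

```python
"""Route-table walk for the pfSense / SG500 layout in this thread.

Constructed model: each device holds a list of (prefix, next_hop) routes.
A next hop of CONNECTED means "deliver on the attached segment"; any other
next hop is an IP address that some device must answer for.
"""
import ipaddress

CONNECTED = "connected"

PFSENSE_LAN = "10.10.1.1"        # pfSense LAN address from the thread
SWITCH_VLAN1 = "10.10.1.254"     # SG500 SVI on VLAN 1 from the thread
ISP_GW = "203.0.113.1"           # constructed upstream gateway
INTERNET_HOST = "198.51.100.50"  # constructed public host

# Which device answers for each gateway address. 10.10.1.10 (the poster's
# LANGW) is deliberately absent: no device in the thread uses that address.
OWNERS = {
    "10.10.1.254": "switch", "10.10.2.254": "switch", "10.10.3.254": "switch",
    PFSENSE_LAN: "pfsense",
    ISP_GW: "isp",
}

# End hosts from the thread, keyed by address.
HOSTS = {"10.10.1.100": "PC1", "10.10.2.100": "PC2", "10.10.3.100": "PC3"}


def net(s):
    return ipaddress.ip_network(s)


def build_tables(switch_default_to_pfsense, pfsense_routes_via):
    """Build per-device route tables for one scenario.

    switch_default_to_pfsense: add 0.0.0.0/0 -> pfSense LAN on the SG500.
    pfsense_routes_via: next hop for 10.10.2.0/24 and 10.10.3.0/24 on
    pfSense, or None for no static routes at all.
    """
    tables = {
        "PC1": [(net("10.10.1.0/24"), CONNECTED), (net("0.0.0.0/0"), "10.10.1.254")],
        "PC2": [(net("10.10.2.0/24"), CONNECTED), (net("0.0.0.0/0"), "10.10.2.254")],
        "PC3": [(net("10.10.3.0/24"), CONNECTED), (net("0.0.0.0/0"), "10.10.3.254")],
        # L3 switch: all three VLAN subnets are directly connected SVIs.
        "switch": [(net("10.10.%d.0/24" % v), CONNECTED) for v in (1, 2, 3)],
        "pfsense": [(net("10.10.1.0/24"), CONNECTED),
                    (net("203.0.113.0/30"), CONNECTED),
                    (net("0.0.0.0/0"), ISP_GW)],
        # The ISP only knows its own segments; RFC 1918 destinations die here.
        "isp": [(net("203.0.113.0/30"), CONNECTED), (net("198.51.100.0/24"), CONNECTED)],
    }
    if switch_default_to_pfsense:
        tables["switch"].append((net("0.0.0.0/0"), PFSENSE_LAN))
    if pfsense_routes_via is not None:
        tables["pfsense"] += [(net("10.10.2.0/24"), pfsense_routes_via),
                              (net("10.10.3.0/24"), pfsense_routes_via)]
    return tables


def lookup(table, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def walk(tables, start, dst, max_hops=8):
    """Follow a packet for dst hop by hop, starting at device `start`.

    Returns (verdict, list of devices traversed).
    """
    device, path = start, [start]
    for _ in range(max_hops):
        route = lookup(tables[device], dst)
        if route is None:
            return "dropped at %s: no route to %s" % (device, dst), path
        _, next_hop = route
        if next_hop == CONNECTED:
            return "delivered to %s" % HOSTS.get(dst, dst), path
        owner = OWNERS.get(next_hop)
        if owner is None:
            return "dropped at %s: next hop %s does not answer" % (device, next_hop), path
        device = owner
        path.append(device)
    return "loop: hop limit exceeded", path


def round_trip(tables, pc):
    """Outbound leg from a PC to the internet, then the reply as pfSense
    routes it after NAT (destination = the PC). Both legs must be delivered."""
    pc_addr = {name: addr for addr, name in HOSTS.items()}[pc]
    out, out_path = walk(tables, pc, INTERNET_HOST)
    if not out.startswith("delivered"):
        return out
    back, back_path = walk(tables, "pfsense", pc_addr)
    if not back.startswith("delivered"):
        return "reply " + back
    return "ok: %s / reply %s" % (" -> ".join(out_path), " -> ".join(back_path))


if __name__ == "__main__":
    for label, tables in [
        ("as posted (no default route on switch, no routes on pfSense)", build_tables(False, None)),
        ("poster's attempt (pfSense routes via 10.10.1.10)", build_tables(False, "10.10.1.10")),
        ("switch default route only", build_tables(True, None)),
        ("switch default route + pfSense routes via 10.10.1.254", build_tables(True, "10.10.1.254")),
    ]:
        print(label)
        for pc in ("PC1", "PC2", "PC3"):
            print("  %s: %s" % (pc, round_trip(tables, pc)))
    # Inter-VLAN traffic never leaves the switch in this design.
    print("PC2 -> PC3:", walk(build_tables(True, "10.10.1.254"), "PC2", "10.10.3.100"))
```

Running the scenarios reproduces the thread: with no gateway of last resort, every PC's traffic dies at the switch, PC1 included, because PC1's gateway is the switch too; with the switch default route alone, PC1 works but replies to PC2 and PC3 leak to the ISP's default route and are dropped; the poster's LANGW at 10.10.1.10 fails because no device answers for that address. The last line is the point behind the "alternative" above: PC2 to PC3 traffic goes PC2 -> switch and never crosses pfSense, so pfSense firewall rules do not apply between VLANs in this design. If VLAN-to-VLAN filtering matters, either use the switch's own ACLs or move the inter-VLAN routing to pfSense as the post suggests.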

