Pfsense, HP Procurve 5412, VMware and VLANs



  • Hi All,

I have configured pfsense many times before, but this is the first time I am configuring it in a layer 3 network. This is what I am trying to achieve: all inter-VLAN traffic will be routed by the Procurve 5412, which is our core switch and is working fine. Any traffic to the internet will be sent to the firewall, which is pfsense.

    This is what I have done so far. I have had the switch configured by a Network Engineer. pfsense is installed on a VM on VMware, running on a Dell R720. I have given two interfaces to pfsense, em0 and em1. em1 is connected to the internet and gets its IP address from DHCP. em0 is the LAN interface and is connected to a trunk port on the core switch. Also, I have configured the interface in VMware to accept all VLAN traffic by changing the setting to 4096. After this I added the VLANs in pfsense, the same as on the core switch. Then I assigned the VLANs to the interface em0.

    Now, if I put a client in the FIREWALL VLAN (254) it can connect to the internet, but clients on the other VLANs are unable to access the internet. I have tried multiple things but nothing has worked. I saw in one video that you should remove the LAN interface completely so that it is not assigned directly to any interface, but as soon as I do this I lose connectivity to the pfsense web interface.

    I would really appreciate it if someone could help me resolve this, as it is going into production next week and I have one more day to troubleshoot it.



You probably did, but in the firewall rules under said VLAN… do you allow traffic to go out?

    A default pfSense install has a rule on LAN called
    "Default allow LAN to any rule" (both for IPv4 & IPv6)

    Do you have something like that in the other VLANs?

    Good luck



  • All inter VLAN traffic will be routed by the Procurve 5412 which is our core switch which is working fine. Any traffic to the internet will be sent to the firewall which is pfsense.

If your traffic is simply being sent to pfSense from your core switch (which would mean it's all done at layer 3), you don't need to mess with VLANs at all on pfSense. VLANs are a layer 2 concept, and your switch is dealing with it. Set the default route on your switch to your pfSense address, leave all the VLAN stuff off on your VMware box and within pfSense, and you should be fine.

    I am running nearly the same thing (with a Brocade core), and only have to mess with VLANs in pfSense if my switch is not routing them. You will probably, however, want to set up a point-to-point connection between pfSense and your switch (just a /30 will suffice) to prevent pfSense from getting hit with unnecessary broadcast traffic.
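The layer 3 design in the reply above, written out as an added example (not configuration from the original thread or from either poster). The addresses, VLAN numbers and port name are assumptions: transit /30 10.0.254.0/30 on the existing FIREWALL VLAN 254 (switch side .2, pfSense em0 .1), one example user VLAN 10 on 10.0.10.0/24, and ProCurve port A1 facing the ESXi host. The ProCurve CLI is the standard `vlan` / `ip route` syntax; the pfSense side is described as GUI fields and a few FreeBSD shell checks, since pfSense keeps its routing in the GUI rather than in a config file.

```text
; --- ProCurve 5412 core (config context) --- assumed addresses, added example
ip routing
vlan 254
   name "FIREWALL"
   ip address 10.0.254.2 255.255.255.252   ; switch end of the /30 transit link
   tagged A1                               ; trunk toward the ESXi host (or use "untagged A1"
   exit                                    ;   and leave the port group at VLAN 0 instead)
vlan 10
   name "USERS"
   ip address 10.0.10.1 255.255.255.0      ; SVI = default gateway for clients in VLAN 10
   exit
ip route 0.0.0.0 0.0.0.0 10.0.254.1        ; everything not local goes to pfSense

; --- ESXi port group for pfSense em0 ---
; VLAN ID = 254 (not 4095). The vSwitch strips the tag, so pfSense sees plain
; untagged frames on em0 and needs no VLAN definitions at all.

; --- pfSense (GUI) ---
; Interfaces > LAN (em0): Static IPv4 10.0.254.1/30, no gateway on LAN.
; System > Routing > Gateways: add "CORE" on LAN, gateway IP 10.0.254.2.
; System > Routing > Static Routes: 10.0.10.0/24 via CORE (one per inner VLAN).
;   Without these, replies to 10.0.10.x have no route back and are dropped.
; Firewall > Rules > LAN: the stock "LAN net" source is now only the /30;
;   use source "any" or an alias holding 10.0.10.0/24 etc., or nothing from
;   the inner VLANs is allowed through.
; Firewall > NAT > Outbound: automatic mode covers static-route networks;
;   in manual/hybrid mode add a rule with source 10.0.10.0/24 on WAN.

# --- pfSense shell checks (Diagnostics > Command or SSH) ---
netstat -rn | grep '^10.0.10'          # expect: 10.0.10.0/24 ... 10.0.254.2 em0
pfctl -sn | grep 10.0.10               # outbound NAT entry for the inner subnet
tcpdump -ni em0 host 10.0.10.50        # client packets arrive with src 10.0.10.50,
                                       # replies leave toward 10.0.254.2
```

The two failure modes this layout exposes are the ones the first reply hints at: pfSense sees packets sourced from 10.0.10.0/24 on an interface whose "LAN net" is only the /30, so a rule that was correct in a flat network silently blocks them, and without a return route to the switch the reply traffic never leaves em0. Checking `netstat -rn` and `pfctl -sn` before touching the firewall rules separates the routing problem from the filtering one.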

