Netgate Discussion Forum

    Pfsense and layer 3 switch

    Routing and Multi WAN
    4 Posts 4 Posters 3.1k Views
    tinytim100

      Good evening!

      I am in the process of deploying an environment with a pfSense router and a Cisco SG300, which can do layer 3. I have the layer 3 switch configured with IP addresses, VLANs, etc. I have one port that will house an access point and host all three SSIDs through a trunk port (which is tested and working perfectly).

      Wireless SSIDs:
      Production - VLAN 100
      Guest - VLAN 60
      Other - VLAN 45

      I was hoping to set it up so that the guest VLAN will dump the users into the pfSense captive portal so we can authenticate that way. Is this doable with this kind of configuration?

      modem - pfSense router - layer 3 switch -+- VLAN 100
                                               +- VLAN 60
                                               +- VLAN 45

      The pfSense router has three ports on it: one will be for the Internet, one to plug into the switch, and an empty third one.

      Thank you so much!

      thermo

        No problem from what I can gather: just create the guest VLAN on the parent interface on pfSense. But you'll need to remove the guest VLAN IP from the switch, else the switch will route it to the other VLANs and not via pfSense - assuming you have enabled 'ip routing' on the switch.

        Derelict (LAYER 8, Netgate)

          If you want to use the Layer 3 capabilities of the switch, no problem.

          You will create a Layer 3 interface on pfSense and on the switch. Create routes on pfSense for the layer 3 networks on VLANs 100, 60, and 45, routing to the switch. Set the default gateway on the switch to pfSense.

          Note that with this configuration, you cannot use pfSense to firewall between the various VLANs, because the switch will route traffic among them and pfSense will never see it.  Great if that's what you want.

          You might be better off creating VLANs 100, 60, and 45 on pfSense, assigning them to pfSense interfaces, creating a VLAN tagged trunk to the switch, and using the switch in layer 2 mode.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          phil.davis

            And if you want the layer 3 at-the-switch performance between Production VLAN 100 and Other VLAN 45, but need to firewall off Guest VLAN 60, then you can make a hybrid topology. Trunk VLAN 60 up to pfSense, but leave VLAN 100 and VLAN 45 layer 3 defined at the switch, and routing up to pfSense (on a 4th little subnet).
            Then VLAN100 and VLAN45 can talk to each other on the layer 3 switch.
            Guest has to go first to pfSense to get anywhere, and so you can secure that with any rules you like at pfSense.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

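To make the firewalling difference between the three designs in this thread concrete, here is an added example (not from any of the posters, pfSense or Netgate): a small path tracer with constructed routing tables for the all-layer-3-on-the-switch design, the layer 2 switch design, and phil.davis's hybrid. The addresses, the transit /30 and the device names are assumptions; the tracer shows which flows ever cross pfSense and can therefore be filtered or sent to the captive portal there.

```python
import ipaddress
# Constructed addresses (assumptions): VLAN100 10.100.0.0/24, VLAN60 10.60.0.0/24,
# VLAN45 10.45.0.0/24, and a transit /30 between pfSense and the SG300. Each table
# maps prefix -> "connected" (local L3 interface), "wan", or the next-hop device name.
V100, V60, V45, TRANSIT = "10.100.0.0/24", "10.60.0.0/24", "10.45.0.0/24", "10.0.0.0/30"
TOPOLOGIES = {
    # all three VLAN gateways on the switch; pfSense only holds static routes back to it
    "l3_switch": {
        "switch": {V100: "connected", V60: "connected", V45: "connected",
                   TRANSIT: "connected", "0.0.0.0/0": "pfsense"},
        "pfsense": {TRANSIT: "connected", V100: "switch", V60: "switch", V45: "switch",
                    "0.0.0.0/0": "wan"},
    },
    # phil.davis's hybrid: guest VLAN60 trunked up to pfSense, VLAN100/45 stay on the switch
    "hybrid": {
        "switch": {V100: "connected", V45: "connected", TRANSIT: "connected",
                   "0.0.0.0/0": "pfsense"},
        "pfsense": {TRANSIT: "connected", V60: "connected", V100: "switch", V45: "switch",
                    "0.0.0.0/0": "wan"},
    },
    # switch in pure layer 2 mode; every VLAN gateway lives on pfSense
    "l2_switch": {
        "switch": {},
        "pfsense": {V100: "connected", V60: "connected", V45: "connected", "0.0.0.0/0": "wan"},
    },
}

def lookup(table, dst):
    """Longest-prefix match; returns the table's action for dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [ipaddress.ip_network(p) for p in table if addr in ipaddress.ip_network(p)]
    return table[str(max(hits, key=lambda n: n.prefixlen))] if hits else None

def trace(topology, src, dst, max_hops=8):
    """Devices a packet from src to dst crosses, starting at the device that owns src's gateway."""
    devices = TOPOLOGIES[topology]
    dev = next(d for d, t in devices.items() if lookup(t, src) == "connected")
    path = [dev]
    for _ in range(max_hops):
        action = lookup(devices[dev], dst)
        if action == "connected":
            return path
        if action == "wan":
            return path + ["internet"]
        dev = action
        path.append(dev)
    raise RuntimeError("routing loop or unroutable destination")

def pfsense_can_filter(topology, src, dst):
    """Derelict's caveat: pfSense can only firewall a flow if the flow actually traverses it."""
    return "pfsense" in trace(topology, src, dst)
```

With the tables above, a guest-to-production flow in the all-layer-3 design never leaves the switch, while in the hybrid it must enter pfSense first, which is exactly what makes the captive portal and guest rules enforceable there.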
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.