    I am in the process of deploying an environment with a pfsense router and Cisco SG300 which can do layer 3.  I have the layer three switch configured with ip addresses and vlans etc etc etc.  I have one port that will house an access point and host all three ssids through a trunk port (which is tested and working perfectly)

    wireless ssids:
    Production - vlan 100
    Guest - Vlan 60
    Other - VLAN 45

    I was hoping to set it up so that the guest vlan will dump the users into the pfsense captive portal so we can authenticate that way.  Is this doable with this kind of configuration?

    VLAN 100
                                              |- VLAN 60
    modem-pfsense router-layer3 switch
                                              |-VLAN 45

    The pfSense router has three ports on it. One will be for the Internet, one to plug into the switch and an empty third one.

  • No problem from what I can gather, just create the guest vlan on the parent interface on pfsense. But you'll need to remove the guest vlan IP from the switch, else the switch will route it to the other vlans, and not via pfsense - assuming you have enabled 'ip routing' on the switch.

    If you want to use the Layer 3 capabilities of the switch, no problem.

    You will create a Layer 3 interface on pfSense and the switch.  Create routes on pfSense for the layer 3 networks on vlans 100, 60, and 45 routing to the switch.  Set the default gateway on the switch to pfSense.

    Note that with this configuration, you cannot use pfSense to firewall between the various VLANs, because the switch will route traffic among them and pfSense will never see it.  Great if that's what you want.

    You might be better off creating VLANs 100, 60, and 45 on pfSense, assigning them to pfSense interfaces, creating a VLAN tagged trunk to the switch, and using the switch in layer 2 mode.

  • And if you want the layer 3 at the switch performance between production VLAN100 and Other VLAN45, but need to firewall off Guest VLAN60, then you can make a hybrid topology. Trunk VLAN60 up to pfSense, but leave VLAN100 and VLAN45 layer 3 defined at the switch, and routing up to pfSense (on a 4th little subnet).
    Then VLAN100 and VLAN45 can talk to each other on the layer 3 switch.
    Guest has to go first to pfSense to get anywhere, and so you can secure that with any rules you like at pfSense.
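A quick way to check which flows pfSense can actually firewall in the hybrid design above (VLAN100 and VLAN45 routed on the switch, VLAN60 trunked to pfSense, a fourth transit subnet between them); this is an added example, not code from the thread, and all subnets and addresses are constructed.

```python
import ipaddress

# Constructed addressing: VLAN100/45 have their gateway on the switch,
# VLAN60 has its gateway on pfSense, 192.168.250.0/24 is the transit link.
# Each device holds (prefix, next_hop); next_hop None = directly connected
# (for pfSense's default route that means "out the WAN").
TABLES = {
    "switch": [
        ("192.168.100.0/24", None),
        ("192.168.45.0/24", None),
        ("192.168.250.0/24", None),
        ("0.0.0.0/0", "192.168.250.1"),          # default route to pfSense
    ],
    "pfsense": [
        ("192.168.60.0/24", None),
        ("192.168.250.0/24", None),
        ("192.168.100.0/24", "192.168.250.2"),   # static routes to the switch
        ("192.168.45.0/24", "192.168.250.2"),
        ("0.0.0.0/0", None),                     # WAN
    ],
}
# Which device is the first hop for hosts in each subnet, and which device
# owns each transit address.
GATEWAY_OF = {"192.168.100.0/24": "switch", "192.168.45.0/24": "switch",
              "192.168.60.0/24": "pfsense"}
DEVICE_AT = {"192.168.250.1": "pfsense", "192.168.250.2": "switch"}

def lookup(device, dst):
    """Longest-prefix match of dst in the device's table -> (network, next_hop)."""
    best = None
    for prefix, nh in TABLES[device]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(src, dst):
    """Return the ordered list of routers a packet from src to dst passes through."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    device = next(d for p, d in GATEWAY_OF.items() if src in ipaddress.ip_network(p))
    path = []
    while device not in path:
        path.append(device)
        _, nh = lookup(device, dst)
        if nh is None:          # destination (or WAN) is directly connected here
            return path
        device = DEVICE_AT[nh]
    raise RuntimeError("routing loop between " + " -> ".join(path))

def pfsense_sees(src, dst):
    """True only if the flow crosses pfSense, i.e. its rules can apply to it."""
    return "pfsense" in trace(src, dst)
```

Production-to-Other traffic never leaves the switch, so no pfSense rule can touch it, while anything from Guest has pfSense as its first hop.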

