Multilayer switch -> PfSense

  • Hey guys,

    Hopefully this isn't too difficult a question

I am about to start setting up a network that has a bunch of VLANs, and I will route between them with a Cisco 3750 switch. Essentially, what I want to do is have the switch route everything internally, then have a default route to the PfSense box to go out to the web. There are two things I'm worried about.

    1. The port on the switch going to the PfSense box will NOT be on VLAN 1. It'll be on VLAN 100. Is there any special config I have to do on the PfSense box? I'm not trunking to the PfSense. It'll be a /30 network that just has the SVI of the switch and the IP of the PfSense. I'm pretty sure since the VLAN is a layer 2 thing, the PfSense box will have no clue that the VLAN even exists since it's not a trunk port.

    2. Can you do NAT rules on the PfSense to devices on separate internal networks? For example, my servers will be on, and PfSense will not. PfSense will have a route to it, but no interface on the router is actually on that network.

    Any advice will be super helpful.


Ah, if you aren't doing any trunking between your PFSense firewall and the switch, then the pfsense firewall will act as any other network device and not run into issues. That being said, if you want to route between vlans using your PFSense box, then you will need to do these things:

1. First, create your vlans on your switch. Keep in mind that you MUST not use the default vlan1 for anything, so give each port a vlan id other than one. (ex. ports 1-24 vlan100, ports 1-47 vlan200, port 48 pfsense)
    2. Make the port that your pfsense firewall is going to connect to a trunk port.
    3. Go to Interfaces > Assign on your pfsense box.
    4. Click on the VLAN tab at the top.
    5. Create vlans based on whichever vlans you created beforehand.
    6. Click back on the Interfaces tab.
    7. Change the LAN interface to one of the vlans you created. Remember, you can't use vlan1 when doing this, and LAN is by default on vlan1.
    8. Once the vlans are assigned and you have created vlans on the switch that match up, restart your pfsense box just to be on the safe side.

That is really all there should be to it. :) Just keep doing these steps for every vlan you want to create and they will show up as new interfaces that you can work with.

    I hope that helps.

NOTE: OH, sorry, I didn't read things quite right, but I would say that you would be better off creating vlans across your switches and have a vlan for the accessible by pfsense. Unless you have another internal router that will handle the traffic transitioning from one subnet to the other, I don't see a way you can use NAT for this. And I'm a bit confused.. is on the same vlan as the other network?

  • LAYER 8 Netgate

If I were you I would create a vlan interface on pfSense LAN and a tagged/trunk port on the 3750. Assign your pfSense LAN to eth0_vlan100 (or whatever) and you're done. I would do this even if there is only one VLAN right now.

    Then you can easily create more VLANs in the future between the 3750 and pfSense by just creating/assigning a new VLAN XXX on pfSense and adding a "switchport trunk allowed vlan add XXX" on the 3750.

  • To actually answer your questions,

    1. You won't need to do anything to pfSense. Create your point-to-point IPs and you're good to go. I have mine set up the same way - pfSense on and a routed port on on my switch.
    2. Yes, as long as you've got a correct route, NAT will work fine whether or not you have an interface on the same subnet.
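As an added example (not from any of the posters), this is what the routed /30 design from the original question looks like on the 3750, using constructed addresses (10.0.10.0/24 for a server VLAN, 10.0.100.0/30 for the link); the pfSense side is written as comments because it is configured in the GUI.

```cisco
! Catalyst 3750 side. Addresses are constructed for this example.
ip routing
!
vlan 10
 name SERVERS
vlan 100
 name PFSENSE-LINK
!
interface Vlan10
 description Servers; the switch is their default gateway
 ip address 10.0.10.1 255.255.255.0
 ! Inter-VLAN traffic is routed here and never reaches pfSense,
 ! so any filtering between VLANs has to be an ACL on these SVIs.
!
interface Vlan100
 description /30 point-to-point link to pfSense LAN
 ip address 10.0.100.1 255.255.255.252
!
interface GigabitEthernet1/0/48
 description Uplink to pfSense (untagged access port, not a trunk)
 switchport mode access
 switchport access vlan 100
!
! Anything the switch does not know locally goes to pfSense
ip route 0.0.0.0 0.0.0.0 10.0.100.2
!
! pfSense side (web GUI, not CLI):
!  - LAN interface: 10.0.100.2/30; pfSense never sees VLAN 100 tags
!  - System > Routing > Gateways: add a gateway on LAN = 10.0.100.1
!  - System > Routing > Static Routes: 10.0.10.0/24 via that gateway
!    (this route is what lets NAT work for a subnet pfSense has no
!    interface on)
!  - Firewall > NAT > Outbound: confirm a rule whose source covers
!    10.0.10.0/24 exists; in Hybrid mode add one if it does not
!  - Firewall > Rules > LAN: the default rule's source "LAN net" is
!    only the /30, so rules for server traffic must use 10.0.10.0/24
!    (or an alias) as the source or that traffic is dropped
```

The "LAN net" point is the one that usually bites: the pfSense default pass rule only matches the /30, so routed subnets behind the switch need their own rules.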
