Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Modem + L3 Switch + Airport + ESXI + Vlans setup

    Scheduled Pinned Locked Moved Virtualization
    6 Posts 5 Posters 2.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      trocks
      last edited by

      Hi Guys,

      I am new to Vlans and i dont particularly consider myself being a expert when it comes to networking. Hence please bare with me here. Please also forgive me if the information is not complete and let me know which parts are not clear and i will update accordingly.

      I am trying to setup a ESXI Home lab with network segmentation based on Vlans defined in pfSense and my Cisco SG300 switch in L3 mode to which i also have a Airport extreme BS attached, which will have a private and guest network setup. Next to that i have certain requirements which i have tried to illustrate in the following diagrams.

      1. On the ESXI host i want to isolate traffic between my public facing VMs and other VMs. Some of the VMs which will be public facing as in Webservers in front of the App servers. these VMs should be accessible from the internet on Http ports.
      2. I want to be able to reach all of the VMs in ESXI host from 2 workstations that are connected to the Airport private network (subnet is in the diagrams).
      3. I don't want anyone else to have access to the Esxi host or VMs directly.
      4. My modem is connected directly to the SG300 Switch. i am not sure whether this will cause any issues?
      5. pfSense is tunning on a VM inside ESXI, i am not sure what would be the best way to set it up and to ensure the connectivity as mentioned here above.
      6. Airport connected devices should have access to the internet.
      7. I have created two LAGs each with 2 Physical ports on the Switch. Each Lag is connected to one vSwitch.

      I am not sure whether pfSense should handle DHCP throughout the whole network and whether i can use the Airport to handle its own private and guest DHCP or not.

      My question is how to best segment the network






      1 Reply Last reply Reply Quote 0
      • J
        justsomeone
        last edited by

        Interesting…I'm setting up a network very similar to this except I have a router between my modem and first switch with ESXi connected to the first switch on one port with the other 3 ports connecting to the second switch.

        "Bad shit happens to drunk people."

        1 Reply Last reply Reply Quote 0
        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          If the SG300 switch is in layer 3 mode then all intra-VLAN traffic will be "firewalled" by it.

          If you were to eliminate the layer 3 interfaces on the switch, tag VLANs 10, 20, 30, and 40 to pfSense (ESXi VLAN 4095 is all VLANs tagged or you can create a virtual NIC for each VLAN) then you would have four (five counting WAN?) interfaces and all intra-VLAN traffic would be firewalled by pfSense.

          Recent apple airports in bridge mode present the main WLAN untagged and the guest WLAN tagged 1003 out the Airport's WAN interface.  You'll have to configure your switchport to match.  I would config it that way and allow pfSense to handle DHCP duties unless you have Active Directory DCs or something.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • H
            Hugh
            last edited by

            Hi trocks,

            looking at your diagrams (nice by the way), Derelict has it right, I would do the following:

            I assume that you only have a single IP address from your ISP.

            On your modem, I would setup a DMZ port or the facility to send all traffic to your pfSense box.  That way any unknown incoming traffic will be sent on to the pfSense box's WAN port.

            For each of your VLAN subnets, add a route to your modem for the subnet pointing to the WAN port of your pfSense box.
            eg Modem LAN IP 10.1.100.1/24  pfSense WAN 10.1.100.254/24

            add a route in the modem for 10.1.0.0/16 via 10.1.100.254 (this will cover all your VLANs except for the guest)
            add a route in the modem for 172.16.24.0/24 via 10.1.100.254

            turn off NAT in the pfSense box, make its default gw be your modem.  All NAT will be done by your modem.

            For each VLAN you want to have, add an interface to the pfSense box.  The only exception to this is for all vlans going into vswitch 2 (more on this later)

            On vswitch0, create a port group for VLAN 100.  Add the pfSense WAN port to this, and on the SG300, create an access port on VLAN 100 and plug the modem's LAN port into it.

            On vswitch0, create additional port groups for your Public Server VLAN and your DMZ VLAN.  Add an interface to each port group for the pfSense box.  Each of these VLANs are separated by the pfSense box.  You will have no layer 3 ports on the SG-300.

            On vswitch1 add a port group for a pfSense interface.  Set the VLAN ID in vmware as ID 4095, you have setup a trunk port.  This will send all other VLANs on the vswitch to the pfSense box.

            You can then add VLANs under pfSense for each of the other VLAN ids/portgroups that you add on vSwitch1.

            I don't know anything about the airport, but I'm assuming that you can send its different WLANs to the switch via a trunk port.  Then you have a VLAN interface on the pfSense trunk port for each SSID, which is the default gateway for each of those WLANs.  Assuming that you have a model that does what Derelict says, you would have VLANs 1 and 1003 coming from the Airport.

            For the switch something like the following should cope with the airport.

            interface gigabitethernet10
            description airport
            switchport mode trunk
            switchport trunk allowed vlan add 1,1003
            switchport trunk native vlan 1

            Run the DHCP for everything on the pfSense box.

            1 Reply Last reply Reply Quote 0
            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              interface gigabitethernet10
              description airport
              switchport mode trunk
              switchport trunk allowed vlan add 1,1003
              switchport trunk native vlan 1

              Except don't use VLAN1 for anything.

              interface gigabitethernet10
              description airport
              switchport mode trunk
              switchport trunk allowed vlan add 10,1003
              switchport trunk native vlan 10

              (10 just being an example.  Anything but 1 is good.)

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                I like your drawng!!

                But not sure why you need or want sg300 in l3 mode?  I have 4 segments running 3 physical and 1 vlan, with esxi hosting pfsense and multiple other vms.

                sg300 is just L2.

                I can put together a drawing sim to yours..  But in a nutshell pfsense has leg in each vswitch which is tied to physical network for wan, lan, wlan and vmkern.  vmkern is in the lan - but I break out a 2nd nic for it when it shares a nic peformance to and from the database is hindered.

                dmz is jut vswitch with no physical connection and wlanguest is vlan that runs over the physical wlan segment.  I also have another smart L2 switch netgear gs108t that there is trunk between it and the sg300 for the different vlans.  I have my dvrs in the wlan segment and printer example for ease of airprint.

                I think using L3 on your sg300 is just making for a more complex setup.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.