PFSENSE and L3 SWITCH

cjiwonder

We have L3 switch configured with more than 20 VLANs I am planning to use Pfsense for Proxy, content filtering and NATing ( no NATing configuration in our L3 switch ). Could anyone pls help me to configure the same without disturbing existing network, I have no very less knowledge about L3 / VLAN, pls explain me in detail.

L3 IP : 192.168.1.1
Pfsense IP : 192.168.1.11

VLAN 1 192.168.1.0 - Gateway : 192.168.1.1
VLAN 2 192.168.2.0 - Gateway : 192.168.2.1
VLAN 3 192.168.3.0 - Gateway : 192.168.3.1
.
.
.
.
VLAN 20 192.168.20.0 - Gateway : 192.168.20.1

Thanks in advance.

heper

you currently have no NAT ? your clients do not connect to the internet then ? (you are not using public ip's on your vlan)

marcelloc

I think he means no nat on switch.

Pfsense csn help but just like heper asked,  how do you get Internet working with current setup?
Is there  a firewall or gateway?

cjiwonder

There is no firewall. only DIGISOL  DG GS-4928F L3 switch (192.168.1.1) is acting as a gateway.

Client can access internet by below config :

VLAN 1

192.168.1.X
255.255.255.0

GW 192.168.1.1

ISP DNS 202.X.X.X

VLAN 2

192.168.2.X
255.255.255.0

GW 192.168.2.1

ISP DNS 202.X.X.X

VLAN 3

192.168.3.X
255.255.255.0

GW 192.168.3.1

ISP DNS 202.X.X.X

.
.
.
.
.

VLAN 20

192.168.20.X
255.255.255.0

GW 192.168.20.1

ISP DNS 202.X.X.X

heper

without nat, there is no internet possible when your clients are using private-space address' defined in http://tools.ietf.org/html/rfc1918

so, you are using NAT somewhere. If not in the switch, then elsewhere…. find out where ;)

cjiwonder

@heper:

without nat, there is no internet possible when your clients are using private-space address' defined in http://tools.ietf.org/html/rfc1918

so, you are using NAT somewhere. If not in the switch, then elsewhere…. find out where ;)

ISP given one Linksys SRW208 router, in that only ISP link connected. from there one cable connected to L3 switch (access port ). May be NAT done in this router.

Here everything is working fine without firewall. I am planing to put pfsense as a firewall. My problem is pfsense IP 192.168.1.11 should be ping in all VLANS or the gatway should be change to each VLAN like 192.168.2.11, 192.168.3.11, 192.168.4.11 …..

What should I configure in pfsense pls give me in detail. I am not familiar with VLAN / L3

marcelloc

This is up to you. If you do not need to filter traffic between vlans, you can leave switch setup unchanged.

If you want that pfsense filter traffic between all vlans, then configure each vlan on it, remove routing vlans on switch(sometimes just removing switch ip on vlan does the trick) and set all vlans gateways to pfsense firewall.

cjiwonder

I am not familiar with L3 and VLAN configurations, already L3 config done by the old employee. I wish to place pfsense for proxy, content filtering and NATing purpose only. pls guide me to configure without touching L3 switch setup.

robi

Well if you want to keep routing on the switch between the VLANs, and you only want to do proxy, content filtering and NATing of the internet traffic, you could put a pfSense leg in each VLAN, and set up a static route in the switch saying that all traffic except the local VLANs should go in pfSense.

cjiwonder

Bro, Thanks for your reply.

I have no idea about pfsense leg and static route.

I would be much thankful if you could explain me step by step.

heper

i'm not trying to discourage you BUT:
If you don't know how the switch works or how it is configured, then don't try to implement other complicated things
take your time to learn how to configure the switch, get comfortable with VLANs / Routing / …

then in a couple of weeks time, perhaps you can think about adding another device.

Doing something wreckless now, will guarantee a big FAIL

robi

If you have some time to spend, try learning from courses like ICND1 and ICND2. Although these are Cisco-specific, they train very well the basics of routing and switching, and their logic apply to other manufacturer network equimpent too - since these are standards.

cjiwonder

Bro, I am working in an Institution only and trying this setup for learning purpose only so there is no productivity loss if anything happend.

So pls help me.

heper

you can't do what you want todo without touching the switch ….  no point in doing anything before you master the switch

robi

@WONDER:

Bro, I am working in an Institution only and trying this setup for learning purpose only so there is no productivity loss if anything happend.

I thougt so. Read some chapters from these books to learn the basics, you'll know what we're talking about. It's not that difficult to understand the logic behind it.

cjiwonder

I didn't understand this magic.

If I add 192.168.2.1 as VIP and delete the same VIP then I can ping my pfsense IP 192.168.1.11 from VLAN 2 i.e 192.168.2.x same way for all VLANs. But if I restart pfsense it is not pinging, again I have to add VIP and delete the same VIP.

Any idea?