PFsense As DHCP Server on a Network with a Layer 3 Switch


  • We are using a layer 3 switch for InterVlan routing and pfsense as our primary firewall. No issues with connectivity within the network as routing between VLANs is being handled by the Layer 3 switch. Outbound traffic seems to be working perfectly as well for all the VLANS. Now, we are thinking of using  pfsense as the DHCP server also  for all the VLANS in the network. We know this will work if pfsense is connected to a Layer 2 switch(router on a stick) but not really sure on how to do this with a layer 3 switch in between. Is this possible?

    Thanks!


  • In my own experience, this is possible. I assign a VLAN ID (Interfaces/Assign + VLAN tab) to a virtual interface on the internal NIC (Interfaces/Assign + Interface Assignment tab) and then create a scope for each virtual interface (Services/DHCP server). I'm assuming your VLANs are all using entirely different IP address ranges, of course.


  • Just to get something straight:
    Layer 1 = "you solder wires onto the cable" switch
    Layer 2 = "MAC" switch ie. NOT a router on a stick, in the traditional sense
    Layer 3 = "router" switch.

    Why are you using two routers instead of one? Let the switch handle the VLANs based on the untagged ports, then set up the tagged ports connected to pfsense. Then let pfsense handle inter-VLAN traffic, DHCP, DNS, whatever. That means let the switch handle the layer 2 stuff, and an actual router handle the layer 3 stuff, instead of using an unpatched, unmaintained switch to act as a router.

    My advice, take it or leave it, it's up to you. Welcome to the forums  ;D


  • You know, this is my thoughts exactly.  Unless the switch was a better router than my actual router I would use a "simple" managed layer 2 switch with pfsense.

    I haven't ever needed a layer 3 switch, but I'm sure they make them for a reason.  Somewhere someone must need them.  Just not me.


  • I differ. It is actually a good thing you offload pfsense for regular intervlan routing, and maybe the most important reason being that your L3 switch does that routing way more efficiently, no need to change that. (it's another story if you need/want security between those vlans but that was not your question)

    There's a "but" though here. Currently it is only possible to configure dhcp scopes for "own" subnets. Meaning, if the subnet is not assigned to any physical or vlan interface, you won't be able to have it hand out dhcp offers to anything (scopes) it does not know.

    It is (or better technically it can be) possible to have all dhcp to be handled by pfSense, possible but not standard yet. (see https://forum.pfsense.org/index.php?topic=65736.0)
    You will also need ip-helper on each SVI on the L3. (easy part)
    I have it running with good results…

    If you don't go with the mod by Marcello, the only way to accomplish that dhcp story is by presenting each vlan to pfSense, either physical, either by dot1q.