PFSense Router/Cisco 3560/HP 2510



  • To All,

    I need some help as I think I have totally confused myself.  Here is my setup:
    PFSense Box Config
    LAN Address 192.168.100.1
    WAN Address DHCP

    Vlan 127 192.168.127.1
    VLAN 128 192.168.128.1
    VLAN 129 192.168.129.1
    VLAN 130 192.168.130.1
    VLAN 131 192.168.131.1 (Internal WiFi)
    VLAN 132 192.168.132.1 (Public WiFi)
    VLAN 133 192.168.133.1
    VLAN 134 192.168.134.1
    VLAN 135 192.168.135.1 (Management VLAN)
    VLAN 136 192.168.136.1
    DHCP Server Service is configured to service DHCP requests across the LAN for each VLAN

Cisco 3560 Config (192.168.135.3)

IP routing has been enabled
    All VLANs have been configured
    Port 24 has been configured as an uplink to router (192.168.100.1) using no switchport command (L3 port instead of a switchport)
    Port 23 has been configured for WiFi (VLANs 131 and 132) (using switchport trunk commands)
    Port 1 has been configured as uplink port for HP 2510 Switch
    All other ports have been configured as access ports to the different vlans

    HP 2510 (192.168.135.4)
    All VLANS have been configured
    Port 26 has been configured as a trunk port to uplink to the Cisco 3560 uplink (Port 1)
    All VLANs have been trunked to Port 26

    WiFi
    VLANS 131 and 132 have been configured and trunked to port 23 on the Cisco 3560

    Now here is my issue(s):

    In my current configuration, I can't get any DHCP address and I know why…  It's because the uplink port (Port 24) to the router is configured for L3 so my Cisco 3560 can handle the routing (no switchport).  When I change the port to a trunk, then I can get an IP address from each VLAN without any problems.  The reason I believe is because if the port is trunked with all the VLANS, pfsense passes the DHCP through the trunk port to the various access ports.  The Internet is working fine when the port is configured as a trunk port.

    On the HP, the uplink port is trunked to the Cisco uplink port with all VLANS.  But I can't route anything from the HP to the Cisco, so I know I have something screwy going on.

Here is my question: Do I add a 3rd NIC to PFSense and configure an IP address, then have NIC1 to the WAN, NIC2 to the LAN, and NIC3 to the LAN with all the VLANS?  I like the way PFSense handles the VLANS with DHCP, but if the Router Port is configured as a trunk, DHCP passes fine, but if it is configured as the standard L3 router, then no DHCP and Internet.  And, what do I do about the HP switch?  How should it be configured?

    I know this is a lot, but I wanted to give as much detail as possible so someone can think this through with me.  I have been working on this for several days and I know tunnel vision has taken over and I don't know what to do, ie. create routes in PFSense, adjust my FW rules so I can get traffic to correct destination, etc.

    Please Help!!!!!!!!!!!!!!!



  • For simplicity you can have NIC2 as a real LAN, but it is possible to have untagged traffic on an interface along with all the VLAN tagged traffic.

    If you have not too much traffic between the VLANs then use trunk port from Cisco up to pfSense. Then pfSense sees every VLAN "for real" and can directly provide DHCP.

    If there is a lot of traffic between clients on different VLANs, then that traffic will go from client, through HP/Cisco, up to pfSense, pfSense will route it and send it back across the VLAN trunk to Cisco/HP for delivery to the other client in a different VLAN. That becomes more efficient if you use L3 functionality in the Cisco and it can do local routing between VLANs. But then pfSense becomes just an upstream gateway of the Cisco and so it can't deliver DHCP or other fun services directly to the various clients in VLANs.



  • @phil.davis:

    That becomes more efficient if you use L3 functionality in the Cisco and it can do local routing between VLANs. Then pfSense becomes just an upstream gateway of the Cisco and so it can't deliver DHCP or other fun services directly to the various clients in VLANs.

You can still have the Cisco L3 switch do the inter-VLAN routing, and have PFSense provide other services. You just need to make sure that the uplink between the Cisco switch and the PFSense LAN card is a trunk, and PFsense has the VLANs defined so it understands how to service the requests coming in from each VLAN. You would basically put IP address on your VLAN interfaces on the switch, instead of PFSense, and then use DHCP to set those VLAN interfaces as the default gateway on your LAN devices in each VLAN/Subnet.  This is how I have my current configuration set up and it is working well, other than the fact that when PFsense is handling the inter-VLAN routing, there have been some issues with devices talking to one another when they are on different VLANs, where on the Cisco - it all works fine.

The switch will need IP Routing enabled, and a default route will need to be added to point to an IP address of pfsense so that Data on the VLANs destined for the Internet can reach PFsense. (Eg: ip route 0.0.0.0 0.0.0.0 pf.sense.ip.address) With this configuration PFsense is then only doing WAN routing and any other services you want (like DHCP, etc)

    I am not 100% sure yet whether to keep PFSense doing the inter-VLAN routing (basically router-on-a-stick) or just let my 3560G L3 switch do it.

    Why would you have the uplink port from the Cisco switch to PFSense set as a Layer 3 port?



  • Thanks Phil and RSTech!!

RSTech, I started with a config similar as yours on my 3560, ip routing enabled, default route 0.0.0.0 0.0.0.0 (ip of pfsense), VLAN interfaces defined on the 3560, but my dilemma is DHCP.  I was using DHCP from pfsense, but after you define the VLANS, you have to add a VLAN interface with an IP Address to enable pfsense to distribute DHCP addresses to the proper VLAN.  What I would like is to have pfsense continue to distribute DHCP to each VLAN, but it has to have an interface defined to be able to do it.  Am I missing something because I am totally clueless, unless I have something internally configured wrong on the switch which is very very basic.



  • OK…

    I am officially frustrated with this.  I have attached my 3560 config for review.

    Here's what I have done...

    PFSENSE

    Removed all VLANs and VLAN interfaces except Wi-Fi (VLAN 132 Public Wi-Fi) and Router (VLAN 100).  The only interfaces are WAN, LAN (192.168.100.1), VLAN 132 192.168.132.1, VLAN 100 192.168.100.2.  I configured NAT by removing all outbound rules, saving, and choosing Manual, and all NAT rules look correct.

    Cisco 3560

    Added all VLANS and VLAN interfaces, enabled ip routing, and added route to 192.168.100.1, and tried 192.168.100.2.  No Internet access with either IP route.  Can't ping 8.8.8.8 from 3560.  Intervlan routing works great.  I can ping each host successfully.

    Now it's a matter of configuration.  I don't know if I need to add routes in PFSense to be able to route back to the 3560, or I have NAT or the FW rules wrong.  I have attached my 3560 config file.  Any help will be super appreciated.

    BenningsCoreSwitch-VLANS.txt



  • Seems odd that your pfSense has LAN 192.168.100.1/? and VLAN100 192.168.100.2/? - those are going to overlap.

    You need 1 "little linking" interface between the Cisco and pfSense - e.g. 192.168.100.1/24 on pfSense and 192.168.100.2/24 on Cisco.
    Then on pfSense add a gateway (System->Routing) to 192.168.100.2 but DO NOT go anywhere near Interfaces->LAN, DO NOT make it an Upstream gateway there.
    Add a static route/s on pfSense to tell it what subnets are reachable behind the Cisco at 192.168.100.2
    Make sure your firewall rules allow incoming traffic from all those subnets behind the Cisco.



Couple of things I would check. First you want to make sure all links are configured for encapsulation dot1q, by default they are ISL which will cause issues for your setup. If you want PfSense to do inter-vlan routing then you want to configure all trunk ports as dot1q. If you want your L3 switch to do all the inter-vlan routing then I would set up a p2p (/30) between pfsense and your routed port on your switch. Then create all the vlans and vlan interfaces on your switch. Create a default route in your switch to point towards switch. Make sure you create a rule on pfsense that allows all IPs on your LAN interface not just the LAN subnet. Also you will have to go into your outbound nat and manually add all the networks off the switch in the outbound nat rules. You will then have to add static routes on pfsense for all the subnets off your switch. If I were you I would run a dynamic routing protocol like rip between your 3560 and your pfsense. Finally if you want pfsense to do all the DHCP for all your VLANs you will have to use the IP Helper command in Cisco to tell your switch that the DHCP server for that network is on a different subnet. Take a look at this http://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htdhcpre.html

    So in short I would:

    1. Create a /30 between pfsense and 3560 (use no switchport command like you stated in your original post)
    2. Install routing package like routed so you can run rip on pfSense
3. Change LAN firewall rule to allow All IP ranges (or at least the LAN subnet and the Nets you make on your 3560)
    4. create vlans and vlan interfaces on your 3560
5. configure switch so that it runs RIP and run it on all your interfaces
    6. create a default route on your 3560 to point to pfsense
    7. configure pfsense Nat so that it will also nat all the nets off your Cisco Switch
    8. run the ip helper command on your vlan interfaces pointing to pfsense
    9. make sure you create your vlans on hp switch like you did on your cisco switch
    10. make sure switch is configured to use 802.1q trunk encapsulation and not ISL
    11. make sure your vlans are tagged on the HP side

You should be good to go if I haven't forgotten anything.



  • You can do this without RIP, it's far cleaner and more secure.  After disabling RIP, the trick is to add a return route from the pfsense box, back to the L3 switch.
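The L3-switch design from the step list above and the "little linking interface" plus return-route advice from the earlier reply, written out as a Cisco IOS configuration fragment. This is an added example, not the thread's attached config; interface names (GigabitEthernet0/x), the 192.168.100.0/30 link, and the switch taking over the .1 gateway addresses are assumptions. It uses a static default route instead of RIP, as the last reply prefers.

```cisco
! Cisco 3560 doing inter-VLAN routing; pfSense is the upstream gateway
! and DHCP server. Interface names and the /30 are assumptions; the
! pfSense LAN side would need to be 192.168.100.1/30 to match.
ip routing
!
! Step 1: routed point-to-point uplink to pfSense (no switchport)
interface GigabitEthernet0/24
 description Routed uplink to pfSense LAN
 no switchport
 ip address 192.168.100.2 255.255.255.252
!
! Step 4: VLANs and SVIs; the switch now owns the .1 gateway addresses
! Step 8: ip helper-address relays DHCP broadcasts to pfSense
vlan 131
 name Internal-WiFi
vlan 132
 name Public-WiFi
!
interface Vlan131
 ip address 192.168.131.1 255.255.255.0
 ip helper-address 192.168.100.1
!
interface Vlan132
 ip address 192.168.132.1 255.255.255.0
 ip helper-address 192.168.100.1
!
! Step 6, static instead of RIP: anything not local goes to pfSense
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
! Step 10: trunks as 802.1Q, not ISL; the WiFi port only carries 131/132
interface GigabitEthernet0/23
 description WiFi AP (VLANs 131 and 132)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 131,132
 switchport mode trunk
!
interface GigabitEthernet0/1
 description Uplink to HP 2510 port 26
 switchport trunk encapsulation dot1q
 switchport mode trunk
```

The matching pfSense side, as the replies describe it, is a gateway of 192.168.100.2 under System->Routing (not set as upstream on the LAN interface), one static route per 192.168.1xx.0/24 via that gateway, a LAN firewall rule whose source covers those subnets, and outbound NAT entries for them.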

