PfSense and Layer3 switch routing with pfBlocker & OpenVPN
-
I currently use a pfSense box with Ubiquiti UniFi access points providing Guest, VPN and Unencrypted VLANs.
I also have an Intel X520 10 gigabit NIC installed, which has facilitated connecting my desktop and server with 10gig links.
I recently acquired a Cisco SG500X-24P layer 3 switch due to the need to add some PoE ports to drive additional hotspots and security cameras, and another 10gig interface to connect three 10gig-enabled devices.
I've been reading up on how to connect everything and wanted some advice on how to structure the network to keep the OpenVPN routing and pfBlocker functionality I utilise.
Am I correct in my understanding that if I create a router-on-a-stick setup with all the VLANs mapped across a 1 or 10gig link to pfSense, the pfSense box will still be doing all the routing, basically using the Cisco as a layer 2 device? If I don't expose the different VLANs to the pfSense box, I don't know how I can select individual interfaces/VLANs to apply pfBlockerNG rules or selective routing via firewall rules to.

I'd appreciate any guidance as to the pros and cons of the different approaches.
thx in adv
-
Not sure I completely understand...
You will need to create VLAN interfaces on pfSense. Once you create the interfaces you can assign them just as you would physical interfaces.
You can untag the traffic at the switch (given your switch has this feature) or you can untag at the devices, again, given they have this feature.
-
Thank you, I did some reading last night. My concern was that the traffic-intensive 10gig network between server and desktop would saturate the 'stick' to the router; however, the ball dropped when I realised the routing pfSense would be doing was inter-VLAN, so as server and desktop are on the same VLAN, the Cisco can switch traffic between the two and only route when needed for internet access.
I can run a 10gig link between pfSense and the Cisco router so it's a pretty thick stick compared to a single or LAGG'd 1g stick.
Again, thank you for taking the time to respond.
-
My understanding is that unless something travels outside the subnet, the router never sees it.
-
@irj972:
Am I correct in my understanding that if I create a router-on-a-stick setup with all the VLANs mapped across a 1 or 10gig link to pfSense, the pfSense box will still be doing all the routing, basically using the Cisco as a layer 2 device? If I don't expose the different VLANs to the pfSense box, I don't know how I can select individual interfaces/VLANs to apply pfBlockerNG rules or selective routing via firewall rules to.
It all comes down to who does the routing.
-> You configure a GW for a subnet.
If that IP belongs to an interface of pfSense, hosts will address pfSense for everything that is not in their subnet, and pfSense takes care of the routing (with or without NAT).
If that IP belongs to an SVI on your L3 switch, you will be doing inter-VLAN routing on that switch. For subnets unknown to the switch, it will forward to its default route (or not, depending on your config).

In the scenario of pfSense doing the routing: the pro is you have all control in pfSense. The con is that you will need CPU power to process packets.
In the scenario of your Cisco doing the routing: the pro is that routing is at wirespeed (HW assisted). The con is that all security between those subnets routed by the switch must be done in ACLs in the switch. Internet traffic is another story. Also a caveat: if DHCP is provided by pfSense, in its current form it cannot handle requests from non-local subnets.

My 2 cents in a nutshell...
PS: A mixed scenario is perfectly possible...
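As an added illustration of the "who does the routing" point above (this is not code from the thread, from pfSense or from Cisco): a small Python model that, given which device owns each VLAN's gateway IP, reports where a given flow is forwarded and therefore which control can see it (pfSense firewall rules/pfBlockerNG, switch ACLs, or nothing at all for same-VLAN traffic). The VLAN IDs, subnets and gateway placement are constructed assumptions, as is the simplification that the switch only knows the subnets of its own SVIs plus a default route.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vlan:
    vid: int
    subnet: ipaddress.IPv4Network
    gateway_on: str  # "pfsense" or "switch": which device owns the gateway IP


# Constructed topology (assumption): a mixed scenario like the one in the thread.
EXAMPLE_VLANS = (
    Vlan(10, ipaddress.ip_network("192.168.10.0/24"), "pfsense"),  # LAN / OpenVPN clients
    Vlan(20, ipaddress.ip_network("10.10.20.0/24"), "switch"),     # desktop + server, 10gig
    Vlan(30, ipaddress.ip_network("10.10.30.0/24"), "switch"),     # cameras (PoE)
    Vlan(40, ipaddress.ip_network("192.168.40.0/24"), "pfsense"),  # guest Wi-Fi
)


def classify_flow(vlans, src, dst):
    """Return where a src->dst packet is forwarded and which control applies.

    Results: "l2-switched" (no router, no firewall or ACL sees it),
    "pfsense-routed" (pfSense rules / pfBlockerNG apply),
    "switch-routed" (only switch ACLs can enforce policy),
    "switch-default-route" (switch hands it to its default route, normally pfSense).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_vlan = next((v for v in vlans if src in v.subnet), None)
    if src_vlan is None:
        raise ValueError(f"{src} is not in any configured VLAN")
    dst_vlan = next((v for v in vlans if dst in v.subnet), None)
    if dst_vlan is src_vlan:
        return "l2-switched"
    if src_vlan.gateway_on == "pfsense":
        return "pfsense-routed"
    # Gateway is an SVI on the L3 switch: it routes directly between its own SVIs
    # and sends everything else (internet, pfSense-owned VLANs) to its default route.
    if dst_vlan is not None and dst_vlan.gateway_on == "switch":
        return "switch-routed"
    return "switch-default-route"


def enforcement_points(vlans, flows):
    """Map each (src, dst) pair to its forwarding outcome for a quick policy audit."""
    return {flow: classify_flow(vlans, *flow) for flow in flows}
```

Running `enforcement_points(EXAMPLE_VLANS, [...])` over the flows you care about shows at a glance which ones never reach pfSense and so need switch ACLs (or a pfSense-owned gateway) if they are to be filtered.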