Pfsense and vlan on same subnet

itam1212

I'm working with a cisco SG300-52 and its set on L3 mode.

My pfsense LAN interface is set on:
192.168.1.1/24

on the cisco switch I have few VLANs configured, and the Cisco is also the default GW and the DHCP for the VLANs.

VLAN1 192.168.1.0/24    GW       192.168.1.254         DHCP Range  192.168.1.10-192.168.1.250
VLAN2 192.168.2.0/24    GW       192.168.2.254   
VLAN3  192.168.3.0/24   GW       192.168.3.254 

Is this a problem to have both the Firewall (192.168.1.1.)  and a VLAN port (192.168.1.254)  operate on the same subnet even though they do not conflict with the IP?
ideally I would like to have the pfsense box LAN set to 192.168.0.1 and the switch vlans 192.168.1.0/24 and on …

muswellhillbilly

Based on the information you've given here, I can't see anything specifically wrong with this. The only possible issue I can see is what route outbound your Cisco is using. Your VLANs are set to use the Cisco as their default gateway, but you haven't provided the routing table information for the switch. Presumably you can route traffic across each of the VLANs, but you would need to set the default route on the Cisco to point to your pfsense box, assuming this is your main firewall out to the internet.

johnpoz

Yeah if your going to have a downstream router, the connectivity to your upstream router should be via a transit network.  You need to also let pfsense know about these downstream networks and how to get to them via the IP of the cisco in the transit network.

itam1212

Thanks guys for the replies. I appreciate the help.

I ended up disabling the DHCP Pools on the Cisco SG300 L3 switch and created/serve DHCP Pools on the pfsense box.

I left intact the "IPv4 Interfaces" I created for my all my VLANs on the Cisco SG300

The pfsense machine has two WAN interfaces, set on static IP info received from ISP.
The Pfsense machine LAN IP interface is set on 192.168.1.1 and I have added the following VLAN interfaces:

VLAN2    192.168.2.0/24   
VLAN2    192.168.2.0/24
VLAN2    192.168.2.0/24
VLAN2    192.168.2.0/24
VLAN2    192.168.2.0/24

so now a device connected to relevant switch port will look like

VLAN1    192.168.1.0/24   (pfsense web) Subnet 255.255.255.0  GW  192.168.1.1     (Cisco still accessible via 192.168.1.254)
VLAN2    192.168.2.0/24   (pfsense web) Subnet 255.255.255.0  GW  192.168.2.1     (Cisco still accessible via 192.168.2.254)    
VLAN10  192.168.10.0/24 (pfsense web) Subnet 255.255.255.0  GW  192.168.10.1  (Cisco still accessible via 192.168.10.254)
VLAN20  192.168.20.0/24 (pfsense web) Subnet 255.255.255.0  GW  192.168.20.1  (Cisco still accessible via 192.168.20.254)
VLAN30  192.168.30.0/24 (pfsense web) Subnet 255.255.255.0  GW  192.168.30.1  (Cisco still accessible via 192.168.30.254)

I can see the traffic in my firewall logs and my NAT rules for couple tested devices worked fine after adding the NAT/firewall rules.

So my other questions are:

1. Do I still need the Cisco switch in L3 mode as now I have the pfsense as the VLANs Gateway? (and I assume it is suppose now to handle VLANs routing as the GW?)
2. Should I change the switch back to L2 with my setup?
3. Will I still be able to assign on the switch which physical ports belong to which VLAN in L2 mode?  (this is a 52 port switch I would need to use multi subnets on it.)

johnpoz

If you are not routing traffic through pfsense, then there is really little reason for L3 mode on your cisco..