[SOLVED] Network Setup with L3 Switches



  • Good Day,

    I'm quite new to pfSense and firewalls. In our production environment I am planning to deploy pfSense as our core router/firewall using the setup below. pfSense won't handle the inter-VLAN routing on our internal network; I'll let our L3 switch do that. (Refer to the diagram and IP allocations below.)

    CLASS A IPs = Used for Management and Router Interfaces
    CLASS B IPs = Used for Servers/Middlewares
    CLASS C IPs = Used for End-Devices

    VLAN 20 (workstations) = 192.168.20.0/24
    VLAN 40 (internal servers) = 172.16.40.0/28
    pfSense LAN Interface = 10.200.200.1/30
    InternalNetwork Core/Dist Switch = 10.200.200.2/30
    pfSense DMZ Interface = 10.100.100.1/30
    DMZ Switch = 10.100.100.2/30
    DMZ Network = 172.17.100.1/26

    Please enlighten me with the ff:

    • Considering that our Internal Network Core/Dist Switch will be connected on my pfSense's LAN Interface, and I need to have a web filtering on our workstation VLAN, will squid in transparent mode work?

    • Will I encounter NAT issues or any other issues you can think of on my DMZ Network?

    • I'll be using ACLs on my internal L3 switch to control access between VLANs, since the traffic from those VLANs might not reach my pfSense when routing inter-VLAN. However, will I encounter any issue when creating firewall rules from my internal network to the DMZ network, or vice versa, due to their not being directly connected to a pfSense interface?

    I am also open to suggestions regarding my network setup.

    Thank You! Thank You!  ;D


  • LAYER 8 Global Moderator

    Nice to see you're using transit, normally this is a big fail in the setup ;)

    You will need to create routes in pfSense to these downstream networks.
    You will need to create aliases or use networks that include your downstream networks when you do your firewall rules.
    You will need to make sure your outbound NAT NATs your downstream networks to your WAN IP.

    I don't see why squid wouldn't work with downstream networks.  Not sure of any configuration changes that might be needed in it, other than for sure it will need to know your downstream networks for ACLs, etc.



  • @johnpoz:

    Nice to see you're using transit, normally this is a big fail in the setup ;)

    By transit, do you mean the /30 network I am planning to implement between the connection of my pfSense and L3 Switches? And why is it a big fail in the setup? Please enlighten me.  :)

    Thank You!


  • LAYER 8 Netgate

    He's saying not using transit networks is fail.


  • LAYER 8 Global Moderator

    Your setup is correct with the use of the transit /30.

    See quite often just using a normal segment and connecting the downstream router via an interface that clients are on - so you end up with asynchronous routing issues.
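The three items johnpoz lists (static routes to the downstream networks, aliases for the firewall rules, outbound NAT covering them) and the transit-segment point above can be checked mechanically against the addressing plan from the first post. The following Python is an added example written for this thread, not a pfSense export or any poster's code: the route table and NAT source list are constructed from what the replies say pfSense needs, and the function and variable names are my own.

```python
import ipaddress

# Addressing taken from the thread's plan. The route and NAT tables are the
# entries the replies say pfSense needs, written out here, not a real export.
PF_INTERFACES = {"LAN": "10.200.200.1/30", "DMZ": "10.100.100.1/30"}
# destination network -> next hop (static routes to the downstream L3 switches)
STATIC_ROUTES = {
    "192.168.20.0/24": "10.200.200.2",   # VLAN 20 workstations
    "172.16.40.0/28": "10.200.200.2",    # VLAN 40 internal servers
    "172.17.100.0/26": "10.100.100.2",   # DMZ network
}
# source networks covered by outbound NAT rules (hybrid or manual mode)
OUTBOUND_NAT_SOURCES = ["10.200.200.0/30", "10.100.100.0/30",
                        "192.168.20.0/24", "172.16.40.0/28", "172.17.100.0/26"]

def egress_interface(next_hop, interfaces=PF_INTERFACES):
    """Name of the directly connected interface whose subnet owns next_hop."""
    hop = ipaddress.ip_address(next_hop)
    for name, addr in interfaces.items():
        if hop in ipaddress.ip_interface(addr).network:
            return name
    return None

def audit_route(dest, next_hop, interfaces=PF_INTERFACES,
                nat_sources=OUTBOUND_NAT_SOURCES):
    """Problems with one downstream network's route (empty list = OK)."""
    issues = []
    iface = egress_interface(next_hop, interfaces)
    if iface is None:
        issues.append("next hop %s is not on a directly connected interface" % next_hop)
    else:
        transit = ipaddress.ip_interface(interfaces[iface]).network
        if transit.prefixlen < 30:
            # Clients sharing the segment with the L3 switch reach pfSense and
            # the switch by different paths: the asymmetric routing failure
            # that a dedicated /30 transit avoids.
            issues.append("transit %s has room for client hosts" % transit)
    net = ipaddress.ip_network(dest)
    if not any(net.subnet_of(ipaddress.ip_network(s)) for s in nat_sources):
        issues.append("no outbound NAT rule covers %s" % dest)
    return issues

def audit(routes=STATIC_ROUTES, interfaces=PF_INTERFACES,
          nat_sources=OUTBOUND_NAT_SOURCES):
    """Audit every static route; returns {destination: [issues]}."""
    return {d: audit_route(d, h, interfaces, nat_sources) for d, h in routes.items()}

def alias_networks(interface, routes=STATIC_ROUTES, interfaces=PF_INTERFACES):
    """Networks behind `interface`: the members of a firewall alias for it."""
    return sorted(d for d, h in routes.items()
                  if egress_interface(h, interfaces) == interface)
```

`audit()` returns an empty issue list for each of the three networks in the plan as posted, and `alias_networks("LAN")` gives the two internal networks an alias for LAN-to-DMZ rules should contain.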



  • Marking this topic as solved.

    I've already deployed my pfSense to our production environment. I am currently monitoring its stability. I did not encounter any issues with the setup I made, thanks for enlightening me.  ;D

