Installing pfSense with a layer 3 switch



  • @Derelict:

    But you indicated it was a default gateway of the workstation on your transit network (which is your entire problem - get your nodes off your transit network - either behind the L3 switch or on another pfSense interface.)

    Never mind. I now see the problem you pointed out.

    My initial setup does work pointing to the switch.


  • LAYER 8 Global Moderator

    "My initial setup does work pointing to the switch."

    And that is a BROKE setup plain and simple..  You have an asynchronous routing, as in my 2nd pic.  While it may work depending on your traffic flows and firewall rules and or setting to be less strict its BAD practice!!

    You should always avoid this sort of setup, along with avoiding any sort of hair pins where ever possible..  Sometimes you have to live with a hairpin when you allow traffic between vlans that are on the same physical nic.  But all vlans and or subinterface always remove overall performance of that nic..



  • Well I have tried /30 mask.  pfsense does not seem to talk to the switch.  I can not ping either way.

    pfsense ------------------------------ VLAN10 ---------------- layer 3 switch
    192.168.10.1/30                                             192.168.10.2/30

    The other networks and VLANs are on the switch untouched.  The only thing I did was change the LAN interface IP 192.168.10.1/30 and the switch VLAN 10 to 192.168.10.2/30.  Have you tried this with your SG300 switch?

    If I use the /24 mask all works. It even works with no other devices in VLAN10 other than pfsense and the layer 3 switch.

    I reinstalled pfsense and have the same problem.

    Now I have a problem on the new install with the resolver.  I think it was working on the first install.  The new install seems to have issues with my routed networks and DNS.  I turned off resolver and turned on the forwarder and all works.  I am going to keep looking.


  • LAYER 8 Global Moderator

    you could use a /8 for your transit network if you wanted.  As long as no end use devices are on the network then its a "transit" network.  /30 is just common since its only got 2 IPs.. A network that connects 2 or more routers is a transit network..  When you put devices on such a network and have different paths for how traffic goes to and from that device is when you have asynchronous routing. Which is BAD thing, especially when it comes to stateful firewalls like pfsense.  Clients don't always like the going to mac A, and coming back from mac B either..  Like I said its BAD and Broken setup..

    /29 is also common since you have 6 IPs and allow for hsrp on both sides of the transit with HA pairs with your routers with your physical IPs and VIPs on both sides..  You can use any sized network you want/need as your transit.

    As to have I done this with my sg300.. I do not have my sg300 currently in L3 mode - I have no reason for downstream networks in my home setup, while I have thought of it for performance since my pfsense is VM on some aging hardware. But yes I have done it when I was playing with the switch when I first got it and had it in L3 mode.  But this is something that is done every single day in any network anywhere on the planet.  As stated this is basic IP routing.

    You clearly show a workstation on your 192.168.10 network, pointing to your switch on that network, while the gateway off to the internet is pfsense on that same 192.168.10 network - that is NOT a transit network..  And if you just tried changing the mask to /30 you would only have 2 address in that network… So you could NOT have any workstations on it..
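    The asynchronous-routing problem described in this post and in the earlier reply ("get your nodes off your transit network"), modelled as an added example that is not part of the thread and not anyone's real configuration. Every node name and address below is constructed (the 192.168.10.x transit and 172.28.x.x downstream VLAN numbers mirror the ones used in this discussion; 203.0.113.x and 198.51.100.x are documentation ranges standing in for the WAN and an internet host). The model walks each device's routing table hop by hop for both directions of a flow and reports whether the two paths match and whether pfSense, as the stateful firewall, sees both directions.

```python
"""Added example (not from the forum thread): a toy routing-table model that
shows why a workstation sitting on the transit network between pfSense and the
L3 switch ends up with asymmetric routing, and why a stateful firewall then
sees only one direction of the flow. All names and addresses are constructed."""
from ipaddress import ip_address, ip_network


def addrs(*ips):
    return {ip_address(ip) for ip in ips}


def route(net, via=None):
    """(destination prefix, next hop); via=None means directly connected."""
    return ip_network(net), None if via is None else ip_address(via)


def build_lab(workstation_host_route=False):
    """Constructed topology: pfSense <-> L3 switch across 192.168.10.0/24, a
    workstation wrongly placed on that same network (default gateway = pfSense),
    a host on downstream VLAN 2000 behind the switch, and an 'internet' cloud
    beyond pfSense's WAN. NAT is ignored; the hop sequence is the same either way."""
    ws_routes = [route("192.168.10.0/24"), route("0.0.0.0/0", "192.168.10.1")]
    if workstation_host_route:
        # the workaround mentioned in the thread: a host route toward the switch
        ws_routes.append(route("172.28.0.0/16", "192.168.10.2"))
    return {
        "pfsense": {"ips": addrs("192.168.10.1", "203.0.113.2"),
                    "routes": [route("192.168.10.0/24"), route("203.0.113.0/24"),
                               route("172.28.0.0/16", "192.168.10.2"),
                               route("0.0.0.0/0", "203.0.113.1")]},
        "switch": {"ips": addrs("192.168.10.2", "172.28.1.1"),
                   "routes": [route("192.168.10.0/24"), route("172.28.1.0/24"),
                              route("0.0.0.0/0", "192.168.10.1")]},
        "workstation": {"ips": addrs("192.168.10.50"), "routes": ws_routes},
        "vlanhost": {"ips": addrs("172.28.1.10"),
                     "routes": [route("172.28.1.0/24"), route("0.0.0.0/0", "172.28.1.1")]},
        "internet": {"ips": addrs("203.0.113.1", "198.51.100.10"),
                     "routes": [route("203.0.113.0/24"), route("198.51.100.0/24"),
                                # return routes stand in for pfSense un-NATing the reply
                                route("172.28.0.0/16", "203.0.113.2"),
                                route("192.168.10.0/24", "203.0.113.2")]},
    }


def owner(lab, ip):
    """Name of the node that holds this address."""
    ip = ip_address(ip)
    for name, node in lab.items():
        if ip in node["ips"]:
            return name
    raise LookupError(f"no node owns {ip}")


def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    best = None
    for net, nh in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def trace(lab, start, dst, max_hops=8):
    """Follow routing-table decisions from `start` to `dst`; returns the node path."""
    dst = ip_address(dst)
    path, node = [start], start
    for _ in range(max_hops):
        match = lookup(lab[node]["routes"], dst)
        if match is None:
            return path + ["UNREACHABLE"]
        _, nh = match
        nxt = owner(lab, dst if nh is None else nh)  # connected -> deliver, else hop
        path.append(nxt)
        if nh is None or nxt == owner(lab, dst):
            return path
        node = nxt
    return path + ["LOOP"]


def analyse(lab, a, b, firewall="pfsense"):
    """Compare the a->b and b->a paths and report what the stateful firewall sees."""
    fwd = trace(lab, owner(lab, a), b)
    rev = trace(lab, owner(lab, b), a)
    return {"forward": fwd, "reverse": rev, "symmetric": fwd == rev[::-1],
            "firewall_sees_forward": firewall in fwd,
            "firewall_sees_reverse": firewall in rev}


if __name__ == "__main__":
    for label, lab, a, b in [
        ("workstation on transit net -> VLAN 2000 host", build_lab(), "192.168.10.50", "172.28.1.10"),
        ("same, with host route on workstation", build_lab(True), "192.168.10.50", "172.28.1.10"),
        ("VLAN 2000 host -> internet (clean transit)", build_lab(), "172.28.1.10", "198.51.100.10"),
    ]:
        print(label, analyse(lab, a, b))
```

The first case is the broken one: the workstation's packets reach VLAN 2000 via pfSense and the switch, but the replies come back through the switch alone, so pfSense sees the outbound half of the connection and never the return half. The host-route workaround makes the paths symmetric, at the cost of pfSense no longer seeing that flow at all. With no end devices on the transit network (third case) every hop is traversed in both directions and the firewall has full state.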



  • For home use I find separating  devices from my server and workstations works better.  I also have a music, LAN and guest network. I have 3 wireless APs with 2 common SSIDs one for LAN and one for guest to allow roaming and they support my network by putting the user in the guest VLAN or the LAN VLAN based on logon.

    How all this started is a friend brought over a broken laptop for me to fix and it infected my music server which I had spent weeks putting CDs on.  I now have a music VLAN separate from all others.  This prompted me to build a guest VLAN.  I still needed to share printers and certain video stuff which friends bring over.  So I needed ACLs to share these devices to my guest network and my multi VLAN network was born using IP networks.


  • LAYER 8 Global Moderator

    I have multiple vlans and physical networks - agreed this is a good setup even for a home.  But I just let pfsense be my firewall/router between all my segments.  I have no need for a L3 switch in my home network.. Pfsense is more than capable or routing the traffic..  If I really needed the full gig between segments I would update my hardware vs running L3 downstream and losing my firewall between the segments.

    My pfsense vm running on a old HP N40L can do 400-500mbps between the segments..  Which is good enough for my wifi that is for sure.. My workstation on the same segment as the stuff I work do..  The stuff on the other segments would never need to make sure they have full 1gig routed/firewalled… Internet is only 80mbps for gosh sake...

    My guest wifi is completely isolated, if you want to get on my normal wifi, that is still isolated from my other networks you need eap-tls setup..  I completely get the use and commend proper network segmentation and firewalls in a home setup..

    But if I was going to use a downstream router, I sure and the hell would not set up asynchronous routing - nor would I hairpin connections ;)


  • LAYER 8 Netgate

    I wouldn't use a layer 3 switch for that. Or at least for the segments you really want to lock down like the guest network.

    This is basic IP routing, bro. Only you can decide how you want your network topology laid out. You can have some networks on the layer 3 switch, relying on whatever its packet filtering capabilities are and some networks on pfSense using its full stateful firewall capabilities. You can have some VLANs with SVIs on the switch and some without SVIs for which pfSense provides all the Layer 3 services. It's really up to you.

    But you really can't put hosts on the same network that connects the two routers unless you want to maintain routing tables on those hosts.

    Well I have tried /30 mask.  pfsense does not seem to talk to the switch.  I can not ping either way.

    Then you did it wrong, plain and simple. Post details of what you have actually done, not what you think you've done because it's not what you think you've done or it would be working.


  • LAYER 8 Global Moderator

    you really can't put hosts on the same network that connects the two routers unless you want to maintain routing tables on those hosts.

    Exactly!!!! Very cleanly stated…


  • LAYER 8 Netgate

    I've been meaning to do this one for a while:




  • I use pfsense for a fast router firewall NAT device.  I like the idea of snort.

    I want to keep all my VLAN networks on the switch.  When I create VLANs I always assign an IP network to each VLAN.  ACLs provide enough control for me and my network.  I have 3 Cisco WAP321 which dumps users into a guest network or a LAN network.  This works great for me. I am able to feed multiple VLANs to one router VLAN on the layer3 switch to feed the router. The SG300-28 has a 17 GIG backplane so it can run faster than any internet connection I would have.  I only have a 300megabit connection.  I just want the fastest firewall I can run on the front door to the internet.  pfSense is on the table now.

    I am not saying pfsense has a problem with a /30 mask. It could be the SG300-28 switch.  It is why I asked johnpoz whether he had tried it as he owns a Cisco SG300 switch also.  I have posted a question on the Cisco small business web site to ask if there is an issue.

    I took a working pfsense router 192.168.10.1/24 mask plugged into a router VLAN on the SG200-28 switch defined with a /24 mask. It was working and is my current config I am using.  I changed the VLAN IP to 192.168.10.2/30 on the switch and I changed the default route to 192.168.10.2/30 also. I then ran 2 on the console for pfsense to change the LAN IP to 192.168.10.1/30.  I could not ping from the switch using ping on the switch to pfsense.  I could not ping from pfsense to the switch.  The switch port used is an access port defined to the router VLAN. It is the same port used for the /24 mask which works.  This sounds basic so I was looking for confirmation from john since he recommended using a /30 mask on this thread.


  • LAYER 8 Netgate

    Neither the Cisco SG nor pfSense has any problems with a /30 netmask. Guaran-effing-teed. You did something wrong.

    And it doesn't matter one bit what netmask you use. All that matters is that there are no hosts on the transit network that you expect to route properly unless you maintain a proper routing table on that host.



  • The net mask does make a difference.  It works with a /24 mask and does not work with /30 mask.  I do not run any clients in my router VLAN.  The idea of the router VLAN is to isolate from the broadcast domain, default VLAN, Windows chatter, etc. I do not want the router waiting for any local traffic not destined for the internet.


  • LAYER 8 Netgate

    Dude. You did something wrong. No way the Cisco or pfSense has a problem with /30. If it was /31 maybe. /30 no way. Look at your config again.



  • When I have another free evening.  I spent about 5 hours going over everything.  I even reinstalled pfsense.


  • LAYER 8 Netgate

    Chasing ghosts. And that was after changing the netmask on both ends from /29 to /30 - no reboots just change and apply.

    ![Screen Shot 2016-01-31 at 4.25.48 PM.png](/public/imported_attachments/1/Screen Shot 2016-01-31 at 4.25.48 PM.png)
    ![Screen Shot 2016-01-31 at 4.25.38 PM.png](/public/imported_attachments/1/Screen Shot 2016-01-31 at 4.25.38 PM.png)
    ![Screen Shot 2016-01-31 at 4.27.39 PM.png](/public/imported_attachments/1/Screen Shot 2016-01-31 at 4.27.39 PM.png)



  • You need to be changing the LAN side em1 not em0.  This means all your local networks are routed on the LAN side. And you need static routes for all local traffic. I guess it could be an alias.


  • LAYER 8 Netgate

    em0 is my LAN side. Neither device has a problem with /30, regardless.



  • Sounds good.  I don't know why they will not link up with /30 mask for me.  It works with a /24 mask so there is not a rush.


  • LAYER 8 Global Moderator

    You can use whatever mask you want for the transit - the point is there can be no clients on the transit or you will end up with problems unless you create host routes on them for the networks in 2 different directions.

    The fact that you think a /30 is a problem for these devices is beyond nonsense.. As derelict said you did something wrong..



  • @johnpoz:

    You can use whatever mask you want for the transit - the point is there can be no clients on the transit or you will end up with problems unless you create host routes on them for the networks in 2 different directions.

    The fact that you think a /30 is a problem for these devices is beyond nonsense.. As derelict said you did something wrong..

    The /24 mask is more convenient so if you need to change the gateway to the static routes you can plug in a machine and make the change.  With a /30 mask there basically is no access to pfsense if something happens to your routing other than console from what I see.

    The question about the /30 mask can be answered by you since you have one of these SG300 switches.  Just set it up.  Please post the config on the SG300 and I will compare it to mine.


  • LAYER 8 Netgate

    Pertinent parts.

    vlan database
    vlan 1000,2000

    ip dhcp server
    ip dhcp pool network TEST_LAYER3
    address low 172.28.1.65 high 172.28.1.254 255.255.255.0
    default-router 172.28.1.1
    dns-server 192.168.223.1
    exit

    interface vlan 1000
    name TRANSIT
    ip address 192.168.230.2 255.255.255.252
    !

    interface vlan 2000
    name TEST_LAYER3
    ip address 172.28.1.1 255.255.255.0
    !

    interface gigabitethernet46
    description ROUTER_LAN
    switchport mode general
    switchport general allowed vlan add 1000 tagged
    switchport general acceptable-frame-type tagged-only
    !

    Not a lot to it. On pfSense I just created interface TRANSIT on vlan1000 as 192.168.230.1/30, a gateway for 192.168.230.2, and a static route for 172.28.0.0/16 to the gateway.

    Then I passed ICMP any source any dest TRANSIT address on the TRANSIT interface. Could ping across in both directions and from a host on vlan 2000.


  • LAYER 8 Netgate

    @coxhaus:

    The /24 mask is more convenient so if you need to change the gateway to the static routes you can plug in a machine and make the change.  With a /30 mask there basically is no access to pfsense if something happens to your routing other than console from what I see.

    That's what management VLANs are for.



  • @Derelict:

    Pertinent parts.

    vlan database
    vlan 1000,2000

    ip dhcp server
    ip dhcp pool network TEST_LAYER3
    address low 172.28.1.65 high 172.28.1.254 255.255.255.0
    default-router 172.28.1.1
    dns-server 192.168.223.1
    exit

    interface vlan 1000
    name TRANSIT
    ip address 192.168.230.2 255.255.255.252
    !

    interface vlan 2000
    name TEST_LAYER3
    ip address 172.28.1.1 255.255.255.0
    !

    interface gigabitethernet46
    description ROUTER_LAN
    switchport mode general
    switchport general allowed vlan add 1000 tagged
    switchport general acceptable-frame-type tagged-only
    !

    Not a lot to it. On pfSense I just created interface TRANSIT on vlan1000 as 192.168.230.1/30, a gateway for 192.168.230.2, and a static route for 172.28.0.0/16 to the gateway.

    Then I passed ICMP any source any dest TRANSIT address on the TRANSIT interface. Could ping across in both directions and from a host on vlan 2000.

    I think I have found at least one difference my switch port is defined as an access port. The idea was to keep all the routing on the L3 switch.  The port adds the tags as data comes in and strips tags as data flows out.


  • LAYER 8 Netgate

    If you're only doing one VLAN between pfSense and the switch an access port is fine but you can't define the VLANs on pfSense - it has to just be emX, not vlan X on emX.

    When talking to a managed switch I always tag it even if it's only one so you can add a vlan without screwing up what's already working.
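    A consistency check for the two-sided setup described above, as an added example that is neither Cisco's nor Netgate's tooling and not code from anyone in this thread. The only configuration it takes from the page is the switch snippet Derelict posted (SVIs for VLAN 1000 and 2000, the tagged general-mode port); the access-port variant, the pfSense-side description (parent interface, VLAN tag or none, address, static routes, expressed as a plain dictionary) and the `check` logic are constructed for the example. It flags the three things the thread turned on: the two transit addresses not being in one subnet, the switch port being untagged (access) while pfSense is configured with a VLAN interface or the reverse, and a downstream VLAN subnet that no pfSense static route covers.

```python
"""Added example (not from the forum thread, not a Cisco or pfSense tool):
check that the switch-side and pfSense-side of a transit link agree on subnet,
VLAN tagging and static routes. The SVI/port snippet is the one posted in the
thread; everything else is constructed for this example."""
import re
from ipaddress import ip_address, ip_interface, ip_network

SVI_CONFIG = """
interface vlan 1000
name TRANSIT
ip address 192.168.230.2 255.255.255.252
!
interface vlan 2000
name TEST_LAYER3
ip address 172.28.1.1 255.255.255.0
!
"""
TAGGED_PORT = """
interface gigabitethernet46
description ROUTER_LAN
switchport mode general
switchport general allowed vlan add 1000 tagged
switchport general acceptable-frame-type tagged-only
!
"""
# Constructed alternative: the same port as an untagged access port in VLAN 1000.
ACCESS_PORT = """
interface gigabitethernet46
description ROUTER_LAN
switchport mode access
switchport access vlan 1000
!
"""
# pfSense side, written out as a dictionary for the example (parent NIC name assumed).
PF_TAGGED = {"parent": "em0", "vlan": 1000, "address": "192.168.230.1/30",
             "static_routes": {"172.28.0.0/16": "192.168.230.2"}}
PF_UNTAGGED = dict(PF_TAGGED, vlan=None)  # plain emX, no VLAN interface


def parse_switch(text):
    """Minimal reader for the SG300-style lines used above: SVIs and switchports."""
    svis, ports, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            cur = None
            continue
        if m := re.match(r"interface vlan (\d+)$", line):
            cur = ("svi", int(m.group(1)))
        elif m := re.match(r"interface (\S+)$", line):
            cur = ("port", m.group(1))
            ports[m.group(1)] = {"mode": None, "tagged": set(), "untagged": set()}
        elif cur and cur[0] == "svi" and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            svis[cur[1]] = ip_interface(f"{m.group(1)}/{m.group(2)}")  # dotted mask accepted
        elif cur and cur[0] == "port":
            p = ports[cur[1]]
            if m := re.match(r"switchport mode (\S+)$", line):
                p["mode"] = m.group(1)
            elif m := re.match(r"switchport general allowed vlan add (\d+) tagged$", line):
                p["tagged"].add(int(m.group(1)))
            elif m := re.match(r"switchport access vlan (\d+)$", line):
                p["untagged"].add(int(m.group(1)))
    return svis, ports


def check(switch_text, pf, port_name):
    """Return a list of findings; an empty list means both sides agree."""
    svis, ports = parse_switch(switch_text)
    port, pf_if, findings = ports[port_name], ip_interface(pf["address"]), []
    # 1. Which VLAN pfSense's frames land in: tagged VLAN interface vs plain emX.
    if pf["vlan"] is None:
        vlan = next(iter(port["untagged"])) if port["mode"] == "access" and port["untagged"] else None
        if vlan is None:
            findings.append(f"pfSense sends untagged frames on {pf['parent']} but "
                            f"{port_name} only accepts tagged frames")
    else:
        vlan = pf["vlan"]
        if vlan not in port["tagged"]:
            findings.append(f"pfSense tags VLAN {vlan} on {pf['parent']} but {port_name} "
                            f"(mode {port['mode']}) does not carry it tagged")
    # 2. Both transit addresses in one subnet, with room for two routers.
    svi = svis.get(vlan) if vlan is not None else None
    if svi is None and vlan is not None:
        findings.append(f"no SVI for VLAN {vlan} on the switch")
    elif svi is not None and svi.network != pf_if.network:
        findings.append(f"transit mismatch: pfSense {pf_if} vs switch {svi}")
    elif pf_if.network.num_addresses < 4:
        findings.append(f"/{pf_if.network.prefixlen} leaves no room for two routers")
    # 3. Static routes point at the switch, and every downstream SVI subnet is covered.
    for dest, gw in pf["static_routes"].items():
        if svi is not None and ip_address(gw) != svi.ip:
            findings.append(f"route {dest} points at {gw}, not the switch address {svi.ip}")
    for v, s in svis.items():
        if v == vlan or s.network == pf_if.network:
            continue  # the transit SVI itself needs no static route
        if not any(s.network.subnet_of(ip_network(d)) for d in pf["static_routes"]):
            findings.append(f"pfSense has no static route covering VLAN {v} ({s.network})")
    return findings


if __name__ == "__main__":
    print("tagged port + VLAN interface:", check(SVI_CONFIG + TAGGED_PORT, PF_TAGGED, "gigabitethernet46"))
    print("access port + VLAN interface:", check(SVI_CONFIG + ACCESS_PORT, PF_TAGGED, "gigabitethernet46"))
    print("access port + plain emX:     ", check(SVI_CONFIG + ACCESS_PORT, PF_UNTAGGED, "gigabitethernet46"))
```

The second call is the combination this thread ran into (access port on the switch, VLAN 1000 defined on pfSense) and produces a tagging finding; the third is the corrected access-port pairing, plain `emX` on pfSense, and comes back clean, as does the posted tagged configuration. Changing the pfSense address to a /24 against the switch's /30 yields the subnet-mismatch finding, and dropping the 172.28.0.0/16 static route yields the missing-route finding.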



  • @Derelict:

    Pertinent parts.

    vlan database
    vlan 1000,2000

    ip dhcp server
    ip dhcp pool network TEST_LAYER3
    address low 172.28.1.65 high 172.28.1.254 255.255.255.0
    default-router 172.28.1.1
    dns-server 192.168.223.1
    exit

    interface vlan 1000
    name TRANSIT
    ip address 192.168.230.2 255.255.255.252
    !

    interface vlan 2000
    name TEST_LAYER3
    ip address 172.28.1.1 255.255.255.0
    !

    interface gigabitethernet46
    description ROUTER_LAN
    switchport mode general
    switchport general allowed vlan add 1000 tagged
    switchport general acceptable-frame-type tagged-only
    !

    Not a lot to it. On pfSense I just created interface TRANSIT on vlan1000 as 192.168.230.1/30, a gateway for 192.168.230.2, and a static route for 172.28.0.0/16 to the gateway.

    Then I passed ICMP any source any dest TRANSIT address on the TRANSIT interface. Could ping across in both directions and from a host on vlan 2000.

    I've followed this discussion with great interest since I have a similar SG300 layer 3 setup as Coxhaus and have just started to look into replacing my Linksys LRT224 router with a pfSense firewall.

    When using a transit network for the routing between the switch and the firewall as in your nice example, I guess there must be a separate management interface/IP address used for logging into the pfSense Web GUI?



  • @Derelict:

    @coxhaus:

    The /24 mask is more convenient so if you need to change the gateway to the static routes you can plug in a machine and make the change.  With a /30 mask there basically is no access to pfsense if something happens to your routing other than console from what I see.

    That's what management VLANs are for.

    I'm totally new to pfSense and am collecting information on how to set it up and administer it. Is the default management VLAN in pfSense VLAN 1 and is the IP address configured for the LAN interface the address of the management VLAN?


  • LAYER 8 Netgate

    All interfaces in pfSense are untagged by default, with WAN configured to obtain an address via DHCP and LAN as 192.168.1.1 with an active DHCP server starting at .100. You should really start another thread with a specific question. Doesn't sound like this has much to do with this one.



  • @Derelict:

    Pertinent parts.

    vlan database
    vlan 1000,2000

    ip dhcp server
    ip dhcp pool network TEST_LAYER3
    address low 172.28.1.65 high 172.28.1.254 255.255.255.0
    default-router 172.28.1.1
    dns-server 192.168.223.1
    exit

    interface vlan 1000
    name TRANSIT
    ip address 192.168.230.2 255.255.255.252
    !

    interface vlan 2000
    name TEST_LAYER3
    ip address 172.28.1.1 255.255.255.0
    !

    interface gigabitethernet46
    description ROUTER_LAN
    switchport mode general
    switchport general allowed vlan add 1000 tagged
    switchport general acceptable-frame-type tagged-only
    !

    Not a lot to it. On pfSense I just created interface TRANSIT on vlan1000 as 192.168.230.1/30, a gateway for 192.168.230.2, and a static route for 172.28.0.0/16 to the gateway.

    Then I passed ICMP any source any dest TRANSIT address on the TRANSIT interface. Could ping across in both directions and from a host on vlan 2000.

    Did you define a default route on the L3 switch pointing to 192.168.230.1, or isn't this necessary?


  • LAYER 8 Netgate

    Yes if you want all traffic without a better route to go to 192.168.230.1.



  • @Derelict:

    All interfaces in pfSense are untagged by default, with WAN configured to obtain an address via DHCP and LAN as 192.168.1.1 with an active DHCP server starting at .100. You should really start another thread with a specific question. Doesn't sound like this has much to do with this one.

    Well, Coxhaus asked the same question, how to access/manage the pfSense other than the console when setup with a /30 address and you said "That's what management VLANs are for.".

    I take your point and will start a new thread with specific questions when I start setting up pfSense with my SG300 L3 switch.


  • LAYER 8 Netgate

    Out-of-band management of your firewall gets tricky. Cisco ASAs have the same problem. It would be really nice to have an interface that, by default, wasn't in the firewall's main routing table and wasn't accessible via the other normal interfaces, yet listened on ssh and webgui.

    I would settle for forcing management interfaces (ssh, webgui, snmp, etc) to only listen on a specific interface's IP address.

    As it is you have to create a VLAN interface. It will also be listening on management services.
    Block access to all management ports/addresses on unfriendly interfaces.


  • LAYER 8 Global Moderator

    What does the transit network size have to do with management??

    You do understand you can get to the webgui or ssh on any IP in pfsense as long as your rules allow it.  Even from the wan side if you allow it via rules.



  • @johnpoz:

    What does the transit network size have to do with management??

    Obviously nothing.

    You do understand you can get to the webgui or ssh on any IP in pfsense as long as your rules allow it.  Even from the wan side if you allow it via rules.

    I did not know and that is why I asked. I understand now that you've explained it. I'm totally new to pfSense and have just started to read the documentation and information found on the forum.

    I'm well aware that silly questions from n00bs like me might irritate expert users like yourself. You understand, we all have to start somewhere.  ;)


  • LAYER 8 Global Moderator

    Silly questions do not irritate me that is for sure, what can get frustrating is the same questions over and over and over and over again..  Without searching for the information yourself before asking ;)

    But even when the questions are "silly" I still answer them or point to where they are answered… So ask away your questions..  That is what we are here for.


  • LAYER 8 Netgate

    People think this stuff is easy. And it is with a grasp of everything in the ISO model.



  • @johnpoz:

    Silly questions do not irritate me that is for sure, what can get frustrating is the same questions over and over and over and over again..  Without searching for the information yourself before asking ;)

    But even when the questions are "silly" I still answer them or point to where they are answered… So ask away your questions..  That is what we are here for.

    Thank you very much, sir. I really appreciate the great effort and help expert users like yourself and Derelict provide in the community forum.

    Coxhaus and myself are both old farts. I'm 70 and retarded .. sorry retired  ;D and unlike Coxhaus who I believe worked professionally with Cisco stuff in the old days, I just started with setting up a home network based on separate components (SG300-10, SG200-08, Cisco WAP371, Linksys LRT214) a few months ago. It's the LRT214 I'm planning to replace with a pfSense firewall.

    I'm moving in to a new 90 m2 apartment in a couple of months where I'll put my home network in production. For sure I would do just fine with a small consumer router (Asus, Netgear etc.) or even the ISP provided one. I'm doing all this for fun, it's an excellent pensionist exercise.  :)


  • LAYER 8 Global Moderator

    Consumer router?  What's the fun in that ;) hehehe and they all pretty much suck anyway..

    With the use of pfsense, some smart switches and a real AP you're on your way to very stable and robust network with lots of room for learning and play..

    More than happy to help anyone learn no matter the age, I myself am no spring chicken anymore at 51..  Been in IT for 30+ years..  Before there was even tcp/ip hehehe.. We used to use ipx/spx, remember changing from old thinnet/thicknet cable to UTP… Rocking cat 3 ;) what a project that was..  Having to add the tcp stack to the windows 3.1 boxes running on 486 with math co processor installed...  We were on the bleeding edge of tech heheeh ;)



  • oletuv after you get your pfsense setup with your Cisco layer 3 switch you will want to supply NTP from pfsense to your switch for time.  It seems to work real well.



  • @coxhaus:

    oletuv after you get your pfsense setup with your Cisco layer 3 switch you will want to supply NTP from pfsense to your switch for time.  It seems to work real well.

    Hi Cox,

    Nice to see you on the forums again!

    Thanks for the tip. I think I'll setup a pfSense box in a couple of months, after moving in to my new apartment. :)

    Ole



  • Before there was even tcp/ip hehehe.. We used to use ipx/spx, remember changing from old thinnet/thicknet cable to UTP… Rocking cat 3 ;) what a project that was..  Having to add the tcp stack to the windows 3.1 boxes running on 486 with math co processor installed...

    Oh gawd, the days of "expensive" ISA NIC cards with undocumented IRQ dependencies - plug in a local LPT printer and the network goes down (shudder)….

