L3 switch with VLANs to pfsense question



  • I am trying to configure my network with a L3 switch with multiple VLANs on it. The current pfsense gateway is 10.7.10.1. The subnets are 10.0.10.x, 10.0.20.x, 10.0.50.x etc. I tested having 2 VMs connected to the switch and on VLAN 10, and they can ping each other just fine. My question now is, how can I configure it so that each VLAN is able to talk to its own gateway for each subnet, 10.0.10.1 for instance, then get out to the internet (or not)? And also, how do I configure things so I can control which VLAN is able to talk to the others?

    PS: I plan to redo my IPs to just 10.0.x.x, but I need to validate the setup before I overhaul everything.



  • I run a L3 switch behind my pfSense. I am not sure what info you are looking for. For all the VLAN networks being routed by the L3 switch and not directly connected to the pfSense box you need a routing statement on pfsense for each network. You also need to open the firewall to permit outbound traffic from these networks. You are working with 2 routers, so since the L3 switch is routing 3 VLANs those VLANs need to be controlled on the L3 switch for intervlan routing. Use ACLs to control access on the L3 switch.


  • Rebel Alliance Global Moderator

    "I plan to redo my IPs to just 10.0.x.x"

    Meaning what exactly, that your transit network between your L3 switch and pfsense will be 10.0.x.x/??

    As coxhaus mentions, if you're using a L3 switch and you want to control connectivity between your vlans on that switch, that is done at the switch level. If you need to control connectivity between your vlans, then you need to connect all your vlans to pfsense directly and not have a downstream router.



  • @johnpoz:

    "I plan to redo my IPs to just 10.0.x.x"

    Meaning what exactly, that your transit network between your L3 switch and pfsense will be 10.0.x.x/??

    As coxhaus mentions, if you're using a L3 switch and you want to control connectivity between your vlans on that switch, that is done at the switch level. If you need to control connectivity between your vlans, then you need to connect all your vlans to pfsense directly and not have a downstream router.

    I believe what they are trying to say is if you want to route traffic between the VLANS and specify what VLAN can talk to what, it would be best to do that on one device and one device only. In this instance you are probably better off with using pfSense to route all your traffic between your VLANs so you can set firewall rules between them to limit traffic. Just create your IPs on the pfSense at like .1 and set the SVIs on the switch to .2 for each VLAN.

    If you want to use your L3 switch for routing, you will have to use switch ACLs to limit traffic, which are not as robust as what you would get using your pfSense box. In this configuration all the pfSense would be doing is acting as a gateway to the Internet, and all traffic for all VLANs would be going through 1 VLAN to get to the pfSense just to get outside.

    Some examples of switch commands would be used on a Cisco switch… Just FYI..

    Here are 2 examples:

    Example #1 - Using pfSense as router/firewall - Best option IMHO

    Int VLAN 10 on pfSense - 10.0.10.1 /24
    Int VLAN 20 on pfSense - 10.0.20.1 /24
    Int VLAN 30 on pfSense - 10.0.30.1 /24

    Default gateway for VLAN 10  - 10.0.10.1
    Default gateway for VLAN 20  - 10.0.20.1
    Default gateway for VLAN 30  - 10.0.30.1

    Switch SVIs for each VLAN
    Int VLAN 10 on L3 SW - 10.0.10.2 /24
    Int VLAN 20 on L3 SW - 10.0.20.2 /24
    Int VLAN 30 on L3 SW - 10.0.30.2 /24

    Each VLAN on the switch has a layer 3 interface. That way you can manage the switch from any VLAN regardless of any firewall rules. The switch doesn't even need the IPs for each VLAN, since it is not doing any routing. Feel free to only add IPs to the VLANs you wish to manage the switch on e.g. if you have a vlan that is more secure, only use that VLAN to manage the switch. You can manage the whole switch and all VLANS on the switch from the one VLAN.

    It will look like this.... Let's say you only need SSH access to the switch on VLAN 10....

    Switch SVIs for each VLAN
    Int VLAN 10 on L3 SW - 10.0.10.2 /24
    Int VLAN 20 on L3 SW - none
    Int VLAN 30 on L3 SW - none

    You would then need to deny SSH to 10.0.10.2 from VLAN 20 and 30.

    With this setup clients will be able to talk between VLANs (firewall rules configured allowing/restricting what you want) and get on the internet.

    Example #2 - Using L3 SW as a router and pfSense as router/firewall for internet traffic

    Switch SVIs for each VLAN
    Int VLAN 10 on L3 SW - 10.0.10.1 /24
    Int VLAN 20 on L3 SW - 10.0.20.1 /24
    Int VLAN 30 on L3 SW - 10.0.30.1 /24

    Default gateway for VLAN 10  - 10.0.10.1
    Default gateway for VLAN 20  - 10.0.20.1
    Default gateway for VLAN 30  - 10.0.30.1

    Int VLAN 10 on pfSense - 10.0.10.2 /24
    Int VLAN 20 on pfSense - 10.0.20.2 /24 - See below
    Int VLAN 30 on pfSense - 10.0.30.2 /24 - Probably not needed - but could maybe be configured this way.... cause the pfSense needs to know about them in order to have rules for them... Drawing a blank here.... Someone will answer/explain.. I'm super tired right now... :) :(  coxhaus briefly touches this topic with

    @coxhaus:

    For all the VLAN networks being routed by the L3 switch and not directly connected to the pfSense box you need a routing statement on pfsense for each network. You also need to open the firewall to permit outbound traffic from these networks. You are working with 2 routers, so since the L3 switch is routing 3 VLANs those VLANs need to be controlled on the L3 switch for intervlan routing. Use ACLs to control access on the L3 switch.

    I just realized that what coxhaus is talking about is exactly what is needed to make the above work with some tweaking to what I mentioned, but I just don't know how to do it on pfSense.

    Each VLAN on the switch has a layer 3 interface. Since IP routing is turned on the switch, and each VLAN is directly connected to the switch, the switch will know how to route between VLANs. There will not be any filtering or rules that take place, unless configured on the switch via ACLs. You will need to create a default route to the Internet for the switch to use. Let's say you want to use VLAN 10 for all other VLANs to access the internet.

    You will need to put on your switch "ip route 0.0.0.0 0.0.0.0 10.0.10.2" - Gateway of last resort. :)

    So now if a PC @ 10.0.30.5 wants to talk to Google (8.8.8.8) it's going to go to 10.0.30.1 ----> 10.0.10.1 ----> 10.0.10.2 ----> ISP ----> Google

    I might have made a few mistakes in my explanation, but it should be a step in the right direction. Hopefully it's easy to follow, makes sense what I'm trying to say, and I didn't confuse you. I'm running a Cisco L3 switch at home with multiple VLANs. I am configured like example 1 (switch is being used just like a layer 2 switch... no routing going on here... just on pfSense and it's working great.)

    Good luck!!!



  • Using an L3 switch and pfsense is easy. You set up the switch and VLANs for all local traffic and routing of local traffic. You then add an extra VLAN I call a router VLAN which will connect to pfsense. I use a /24 mask but the only 2 devices in this network are pfsense and the switch IP for the router VLAN. Create a default route on the switch which points to pfsense. Pfsense is just used for internet traffic. You need to create routes on pfsense to point to all VLANs on the L3 switch, which of course will point to the switch's router VLAN IP address. You then need to create firewall rules to allow for all the network VLANs on the L3 switch. I think that covers it. pfsense will also provide NTP to your L3 switch.
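The two designs in the thread (Example #1 and Example #2 in the long reply above, and coxhaus's "router VLAN" variant) differ in where a packet is forwarded and therefore where it can be filtered. The following is an added example, not code from the thread or from pfSense or Cisco; it models both designs as routing tables with longest-prefix lookup and traces a few packets through them. The addressing is an assumption: the three VLANs from the thread plus a constructed transit VLAN 100 (switch 10.0.100.2, pfSense 10.0.100.1) and a placeholder upstream next hop 203.0.113.1 that stands in for the ISP.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption, not from the thread): the three user VLANs
# from the thread plus a dedicated transit ("router") VLAN 100 between the L3
# switch (10.0.100.2) and pfSense (10.0.100.1). The upstream next hop is a
# placeholder with no device behind it, so reaching it means "sent to the ISP".
VLANS = ["10.0.10.0/24", "10.0.20.0/24", "10.0.30.0/24"]
ISP = ip_address("203.0.113.1")


class Device:
    """A router or firewall: its own addresses, a routing table, a deny list."""

    def __init__(self, name, addresses, routes, deny=()):
        self.name = name
        self.addresses = {ip_address(a) for a in addresses}
        # (network, next hop); a next hop of None means directly connected
        self.routes = [(ip_network(n), ip_address(h) if h else None) for n, h in routes]
        # (source net, destination net) pairs this device refuses to forward
        self.deny = [(ip_network(s), ip_network(d)) for s, d in deny]

    def lookup(self, dst):
        """Longest-prefix match, the way a real forwarding table is consulted."""
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def permits(self, src, dst):
        return not any(src in s and dst in d for s, d in self.deny)


def trace(devices, src, dst, first_hop):
    """Follow one packet hop by hop, starting at the device that owns first_hop.

    Returns the device names traversed plus a verdict: DELIVERED (destination
    network directly connected), INTERNET (handed to the upstream), DENIED
    (blocked by a rule/ACL) or NO_ROUTE.
    """
    src, dst = ip_address(src), ip_address(dst)
    owner = {a: d for d in devices for a in d.addresses}
    hop, path = ip_address(first_hop), []
    for _ in range(8):  # guard against routing loops in the model
        dev = owner.get(hop)
        if dev is None:
            return path + ["INTERNET" if hop == ISP else "NO_ROUTE"]
        path.append(dev.name)
        if not dev.permits(src, dst):
            return path + ["DENIED"]
        route = dev.lookup(dst)
        if route is None:
            return path + ["NO_ROUTE"]
        if route[1] is None:
            return path + ["DELIVERED"]
        hop = route[1]
    return path + ["LOOP"]


def design_a():
    """Example #1: pfSense holds every VLAN gateway; the switch is layer 2 only."""
    pf = Device(
        "pfsense",
        ["10.0.10.1", "10.0.20.1", "10.0.30.1"],
        [(v, None) for v in VLANS] + [("0.0.0.0/0", str(ISP))],
        deny=[("10.0.30.0/24", "10.0.20.0/24")],  # an ordinary pfSense firewall rule
    )
    return [pf]


def design_b(static_routes=True, switch_acl=True):
    """Example #2 / router VLAN: the switch routes between VLANs and defaults to pfSense."""
    switch = Device(
        "l3switch",
        ["10.0.10.1", "10.0.20.1", "10.0.30.1", "10.0.100.2"],
        [(v, None) for v in VLANS] + [("10.0.100.0/24", None), ("0.0.0.0/0", "10.0.100.1")],
        deny=[("10.0.30.0/24", "10.0.20.0/24")] if switch_acl else [],  # switch ACL
    )
    pf_routes = [("10.0.100.0/24", None), ("0.0.0.0/0", str(ISP))]
    if static_routes:  # coxhaus's "routing statement on pfsense for each network"
        pf_routes += [(v, "10.0.100.2") for v in VLANS]
    return [switch, Device("pfsense", ["10.0.100.1"], pf_routes)]


if __name__ == "__main__":
    cases = [
        ("A: VLAN30 host -> internet", design_a(), "10.0.30.5", "8.8.8.8", "10.0.30.1"),
        ("A: VLAN30 -> VLAN20", design_a(), "10.0.30.5", "10.0.20.7", "10.0.30.1"),
        ("B: VLAN30 host -> internet", design_b(), "10.0.30.5", "8.8.8.8", "10.0.30.1"),
        ("B: VLAN30 -> VLAN20, switch ACL", design_b(), "10.0.30.5", "10.0.20.7", "10.0.30.1"),
        ("B: VLAN30 -> VLAN20, no ACL", design_b(switch_acl=False), "10.0.30.5", "10.0.20.7", "10.0.30.1"),
        ("B: reply from internet, routes", design_b(), "8.8.8.8", "10.0.30.5", "10.0.100.1"),
        ("B: reply, no static routes", design_b(static_routes=False), "8.8.8.8", "10.0.30.5", "10.0.100.1"),
    ]
    for label, devs, src, dst, gw in cases:
        print(f"{label:36} {' -> '.join(trace(devs, src, dst, gw))}")
```

Two of the traces make the thread's points concrete. In design B, VLAN 30 to VLAN 20 traffic is delivered by the switch without ever reaching pfSense, so pfSense rules cannot see it and only a switch ACL can block it. And a reply from the internet to 10.0.30.5 is sent back out the default route unless pfSense has a static route for 10.0.30.0/24 pointing at the switch's transit address; the model does not cover pfSense's per-interface firewall rules, which in design B must also permit the VLAN source networks on the transit interface, not only the transit subnet itself.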