L3 switch + pfsense, can't get to the internet?



  • I recently purchased an inexpensive L3 switch on which I've managed to configure all the VLANs, and connected it to pfsense. The internal IP of pfsense is 10.0.100.1. I created a LAN gateway in pfsense of 10.0.100.2 and set a static route to route anything 10.0.20.0/24 (VLAN20 on the switch) to 10.0.100.2 (switch's IP). However, if I connect myself to VLAN20, I am unable to get to the internet.

    I am able to ping pfsense from within the VLAN, and pfsense is able to ping the switch IP, VLAN20's gateway 10.0.20.1, and even the PC connected to the VLAN 10.0.20.10.

    My guess is I did not configure something to route internet traffic from WAN back to the switch then to 10.0.20.10, but I thought that's what I configured the static route for? What exactly am I missing?

    Diagram: http://www.gliffy.com/go/publish/image/10061835/L.png

    pfsense Settings: http://imgur.com/a/vMAQY


  • Netgate

    That gliffy seems to indicate the pfSense interface is 10.0.100.0/16. If that is the case it is wrong; it should be /24.

    However, if I connect myself to VLAN20, I am unable to get to the internet.

    Probably need more information about what "unable to get to the internet" means.  Could be DNS, NAT, Routes.


  • Rebel Alliance Global Moderator

    /16 yeah that seems wrong..  Also when using downstream router(s) you really need to connect this to pfsense via a transit network… Not a network you will have devices on..  Or you're going to run into asynchronous routing issues.

    See example attached.  But yes your firewall rules for that transit interface would have to allow for your downstream networks.  Your outbound NAT would have to account for them.  And you would have to create a route in pfsense to get to your downstream networks via the transit network IP of that router.

    Is there really no doc on this yet?  Seems to come up quite a bit..  Could prob throw something together..  It's such basic information, which is why it prob has not been documented - yet more and more this seems to come up..



  • There are several things happening here:

    • Assuming you did not make a typo on the LAN subnet in your diagram, you will need to re-do your subnets slightly and make some changes:

      • Your transit network (listed as 10.0.100.0/16) is entirely too large.  Also, as currently configured, your transit network is actually 10.0.0.0/16 right now.  Narrow it down to at least a /24 (you can go as narrow as /30).

      • How dug in are you on VLAN100?  The path of least resistance with the least amount of changes would be simply changing the subnet of VLAN100.  Or you can keep VLAN100 and modify your transit network.  Another option, if you want to keep your IP scheme consistent, is to remove VLAN100 and create a different VLAN (e.g. VLAN90 - 10.0.90.0/24).

    • Even though you stated that you created a LAN gateway of 10.0.100.2, your screen shot shows that you actually created a LAN gateway of 10.0.100.1, which is incorrect, but moot anyway because it wasn't going to work regardless because of your transit network being too wide.  Your LAN gateway IP should be the routed port on your switch.

    • Once you have your subnets figured out, verify that there is a default route on your switch pointing back to pfSense.

    • Finally, add static routes for the rest of your subnets.

    At this point, assuming you have your DHCP server handing out the VLAN IP as the default gateway for each VLAN, all should be working.  This is exactly how I have my network configured.
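
    As an added example (not posted by anyone in this thread), a small Python check that puts the points above in code: an interface of 10.0.100.1/16 actually lives in 10.0.0.0/16 and swallows VLAN20's 10.0.20.0/24, the static route's gateway has to be the switch's address (not pfSense's own), and the transit network should be narrowed to /24 or smaller. The addresses are the ones quoted in the thread; the function and check names are my own.

```python
"""Sanity checks for a pfSense -> downstream L3 switch transit setup (added example)."""
from ipaddress import ip_address, ip_interface, ip_network


def effective_network(iface_cidr):
    """Subnet an interface really sits in, e.g. '10.0.100.1/16' -> 10.0.0.0/16."""
    return ip_interface(iface_cidr).network


def check_transit(transit_iface, gateway, downstream_nets):
    """Return a list of configuration problems (empty list means the setup looks sane).

    transit_iface   pfSense's address on the transit link, e.g. '10.0.100.1/24'
    gateway         the downstream switch's transit address used as static-route gateway
    downstream_nets subnets reached through that gateway, e.g. ['10.0.20.0/24']
    """
    problems = []
    iface = ip_interface(transit_iface)
    net = iface.network
    gw = ip_address(gateway)

    # The thread's advice: a transit link needs no more than a /24 (a /30 is enough).
    if net.prefixlen < 24:
        problems.append(f"transit network {net} is wider than /24")
    # The static route is only usable if the gateway is directly reachable on the link.
    if gw not in net:
        problems.append(f"gateway {gw} is not inside transit network {net}")
    # The screenshot mistake: pointing the gateway at pfSense's own interface address.
    if gw == iface.ip:
        problems.append(f"gateway {gw} is pfSense's own interface address")
    # An oversized transit subnet overlaps the VLANs it is supposed to route to.
    for cidr in downstream_nets:
        dn = ip_network(cidr)
        if dn.overlaps(net):
            problems.append(f"downstream {dn} overlaps transit network {net}")
    return problems


if __name__ == "__main__":
    # Constructed input: the configuration as described in the thread.
    for p in check_transit("10.0.100.1/16", "10.0.100.1", ["10.0.20.0/24"]):
        print("PROBLEM:", p)
    # Constructed input: the corrected layout suggested by the replies.
    print("fixed:", check_transit("10.0.100.1/24", "10.0.100.2", ["10.0.20.0/24"]))
```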