[SOLVED] - Unable to ping pfSense / Internet from a VLAN behind a L3 switch.



  • Hi,
    Here is my setup:

    The router/firewall is pfSense and the Layer 3 switch is a HP v1910-24g.

Machines on VLAN 10-50 can all ping each other and their default gateway. There is a static route on the L3 switch: 0.0.0.0 0.0.0.0 172.16.99.1. I am unable to ping 172.16.99.1 or any IP on the Internet like 8.8.8.8. While reading other posts on the forum, there have been a number of posts where users have suggested to create the needed routing / firewall rules. I believe that is what is missing. However, I am not sure what specific rules to create. If anyone can offer an example, I would appreciate it. For example: Create a WAN rule OR a LAN rule like so…

    If there is anything else that I am missing or if there is any other info I can provide, please let me know. Thanks and Cheers.


  • Netgate

    You need to create a gateway in pfSense with the address of the L3 Switch and create static routes for all the networks behind the L3 switch using the L3 Switch as the gateway.

    You also need rules on your transit network that allow traffic sourced from all the networks on the L3 switch into the firewall.

    Automatic outbound NAT should pick up the static route(s) and add the necessary NAT rules - but you should check anyway.

    I am unsure why you are using networks like 10, 15, 20. Thinking in binary makes a lot more sense. If you know you will never need more than a /24 on any of these I would use something more like:

    172.30.192.0/24
    172.30.193.0/24

    172.30.207.0/24

    Then you could summarize them all with one route in pfSense and one firewall rule using 172.30.192.0/20.

    You could just summarize as 172.16.0.0/16 but the smaller (longer?) you keep your internal routes the less likely it is that you will ever conflict with another network in a VPN situation forcing one party or the other or both to renumber.



  • As far as IP addresses go, I just picked them because they were "pretty" - nice even numbers. However, I see the point you raised and it definitely makes sense.

    You need to create a gateway in pfSense with the address of the L3 Switch and create static routes for all the networks behind the L3 switch using the L3 Switch as the gateway.

    When creating the gateway, I am assuming that the Interface needs to be LAN? Once created, do I need to make any other config changes to ensure that the new gateway is being used?

    You also need rules on your transit network that allow traffic sourced from all the networks on the L3 switch into the firewall.

Won't the static route on the L3 switch move all traffic that does not belong on any of the VLANs to pfSense via the TRANSIT VLAN? I am not sure I understand. What about the traffic coming from WAN? How will that go to the VLANs?


  • Netgate

    When pfSense has a packet for 172.16.15.67 it does not have a route for it so it will send it out the default gateway. It needs to be told to send it to the switch instead. This is done with a gateway and a static route.

    If LAN is your transit network then yes, the gateway needs to be on LAN.

    When traffic arrives on 172.16.99.1 (pfSense interface) it has to be passed to be allowed into the firewall. If the rules on that interface limit source addresses to LAN net or similar then it will not match the networks behind the L3 switch and the traffic will be blocked.



  • You, my friend, are a genius. I have only been busting my brains trying to get this silly thing to work for the past 3 weeks. I really appreciate it. Thanks a lot.

    Summary:

    Steps performed on pfSense:

    • Create a Gateway - Go to System | Routing | Gateways. In my case, I set the interface to LAN and the Gateway to the IP of the L3 switch (172.16.99.2)
    • Create a Static Route - Go to System | Routing | Routes. Set the destination network to 172.30.0.0/20 and Gateway to the one created above
    • Create a Firewall Rule - Go to Firewall | Rules | LAN. Create a new rule. Set source = 172.30.0.0/20; Port = *; Destination = *; Port = *

    Steps performed on my L3 switch:

    • Create the VLANs
• Create the VLAN interfaces using the 172.30.x.x subnets (172.30.x to 172.30.14.x range)
    • Create a static route 0.0.0.0 0.0.0.0 172.16.99.1
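As an added example (not code from the thread or from pfSense), here is a small Python check of the summarization advice above and of the single static route plus LAN rule in the summary: it computes the smallest prefix that covers a set of VLAN subnets and flags any overlap with the transit network or a VPN peer's network. The VPN peer prefix and the per-VLAN /24s for the original "pretty" numbering are constructed assumptions.

```python
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network


def smallest_supernet(nets: Iterable[str]) -> IPv4Net:
    """Smallest single prefix that contains every VLAN subnet given."""
    parsed = [ipaddress.ip_network(n) for n in nets]
    summary = parsed[0]
    # Widen the first prefix one bit at a time until every subnet fits.
    while not all(n.subnet_of(summary) for n in parsed):
        summary = summary.supernet()
    return summary


def unused_addresses(nets: Iterable[str], summary: IPv4Net) -> int:
    """Addresses the summary route/rule covers that no VLAN actually uses."""
    used = sum(ipaddress.ip_network(n).num_addresses for n in nets)
    return summary.num_addresses - used


def conflicts(summary: IPv4Net, others: Iterable[str]) -> List[str]:
    """Prefixes (transit net, VPN peer nets, ...) that the summary overlaps."""
    return [o for o in others if summary.overlaps(ipaddress.ip_network(o))]


# Transit network from the thread: pfSense 172.16.99.1, switch 172.16.99.2.
TRANSIT = "172.16.99.0/24"
# Constructed: a remote site's LAN reached over a VPN (not from the thread).
VPN_PEER = "172.16.40.0/24"
# "Pretty" numbering as in the original post; one /24 per VLAN id is assumed.
PRETTY = ["172.16.10.0/24", "172.16.15.0/24", "172.16.20.0/24",
          "172.16.30.0/24", "172.16.50.0/24"]
# Binary-aligned numbering suggested in the reply: 172.30.192.0/24 .. 207.0/24
ALIGNED = [f"172.30.{i}.0/24" for i in range(192, 208)]

if __name__ == "__main__":
    for label, vlans in (("pretty", PRETTY), ("aligned", ALIGNED)):
        s = smallest_supernet(vlans)
        print(f"{label:8} summary route / rule source: {s}  "
              f"unused addresses: {unused_addresses(vlans, s)}  "
              f"overlaps: {conflicts(s, [TRANSIT, VPN_PEER])}")
    # The /16 shortcut from the reply pulls in the transit net and the VPN peer.
    print("172.16.0.0/16 overlaps:",
          conflicts(ipaddress.ip_network("172.16.0.0/16"), [TRANSIT, VPN_PEER]))
```

The aligned numbering summarizes to exactly 172.30.192.0/20 with no unused space, while the "pretty" /24s need a 172.16.0.0/18 that sweeps in the constructed VPN peer's range.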

  • Netgate

    • Create a static route 0.0.0.0 0.0.0.0 172.16.99.2

    I think that is supposed to be 172.16.99.1. You might want to edit it for posterity. :)