> pfsense does not need a VLAN for DHCP to work.

Yes it does.
> Yes it does.

I defined no VLANs on my pfsense. It may default to VLAN1 but I did not define it. And when I connect my VLAN 10 on my L3 switch it talks to pfsense fine. So I think there really is no VLAN defined. When I changed from a 24 bit mask to a 30 bit mask I pulled DHCP off pfsense and used static IPs. I started with a full class C network and pfsense recommended I move over to a 30 bit mask.
> I defined no VLANs on my pfsense. It may default to VLAN1 but I did not define it. And when I connect my VLAN 10 on my L3 switch it talks to pfsense fine. So I think there really is no VLAN defined.

"Talking" is...not what we're talking about here, are we? We're talking about pfSense being the DHCP server for a LAN/VLAN, for which it has NO defined interface. That's not going to happen (at present).
> "Talking" is...not what we're talking about here, are we? We're talking about pfSense being the DHCP server for a LAN/VLAN, for which it has NO defined interface. That's not going to happen (at present).

There is a defined interface. It is the NIC on pfsense on the LAN side where you assign an IP address. Besides, don't use DHCP on pfsense, as I stated above.
> pfsense does not need a VLAN for DHCP to work. In the past you could define DHCP for 1 network without a VLAN. I think the less information in your firewall device the better. I use static IPs in my router LAN network to my L3 switch.

Maybe I interpreted it wrong, but that's not quite what I understood from your statement.
> pfsense does not need a VLAN for DHCP to work. In the past you could define DHCP for 1 network without a VLAN. I think the less information in your firewall device the better. I use static IPs in my router LAN network to my L3 switch.

Well, I would be happy to be proven wrong if pfSense can indeed provide DHCP for multiple networks, such as all the VLANs only defined on your L3 switch, while pfSense only has a single transit interface defined in its settings?
> Does the cisco sg350x that @phil9878 denotes in his network diagram have a dhcp server up to the task of his network plan?

You are totally right: the pfSense DHCP server won't handle the task unless I add the VLAN interfaces in pfSense or connect physical interfaces. I went with option 2.
> You also need to add ACLs for the gateways to allow internet access as pfsense blocks all traffic other than pfsense traffic.
> ...pfsense gateways will point to the IP address on the L3 switch which connects to pfsense.

Thank you again....
To define pfsense and an L3 switch together, use for example 192.168.10.1/30 for pfsense and 192.168.10.2/30 for the L3 switch. The mask would be 255.255.255.252. On the L3 switch side create a VLAN 10 and assign it the IP 192.168.10.2 255.255.255.252. Then on the L3 switch assign the default route (some may call it default gateway) as 192.168.10.1, which is pfsense's LAN interface. Assign a port to VLAN 10 and connect a CAT5e cable from the assigned port to the LAN port on pfsense.
There is a thread on L3 switches on the pfsense forums where I wrote up all that I did to make pfsense work with a Cisco L3 switch.
> In my diagram, as I understand it:
> - Switch SG350X doing all the interVLAN routing (10.0.10.254) would need for each VLAN a static route pointing to the SG350 (10.0.20.254)
> - Switch SG350 (10.0.20.254) would need for each VLAN a static route pointing to pfSense (10.0.20.1)
> - pfSense will need gateways pointing to the SG350 (10.0.20.254) for each interface + ACL/NAT rules to allow internet traffic for each of the subnets I guess

You do need a static route from pfsense to the L3 switch. There is no static route pointing to pfsense, as the default route or default gateway points to pfsense, which takes care of the forwarding for unknown traffic. And by default, pfsense blocks all traffic except for pfsense traffic, which would be directly connected networks, so you need ACLs for L3 networks that are not directly connected to pfsense.
> Sounds like pfsense only supports directly connected networks for DHCP. You need an L3 switch for DHCP or maybe Microsoft DHCP.

sigh There is no "Sounds like". It is a fact (covered previously in this thread, #24, and many times elsewhere). If you want to use pfSense for DHCP in a specific VLAN then pfSense MUST have an interface in that VLAN. If you decide to use your L3 switch, make darn sure that it really and correctly implements DHCP, including all the options you may need (check bug reports, user experiences etc.), OR you may find yourself chasing down rabbit holes needlessly.
> Well, I would be happy to be proven wrong if pfSense can indeed provide DHCP for multiple networks, such as all the VLANs only defined on your L3 switch, while pfSense only has a single transit interface defined in its settings?

Yes, the SG350X L3 switch does have a DHCP server. It is not as robust as Microsoft's DHCP server, but it does have what I need for home. I like Microsoft's better, but I have turned off my server rack.
I think we may be talking about slightly different scenarios. If your L3 switch has a well implemented DHCP server then this is obviously a viable route to take, with only a single TRANSIT connection defined in pfSense/opnsense and no VLAN. That is not an option for many of us here, including the OP of this thread, that use Brocade L3 ICX switches, as the Ruckus/Brocade DHCP server implementation is not authoritative and won't suffice: many connected devices fail to obtain a DHCP address from them.
Does the cisco sg350x that @phil9878 denotes in his network diagram have a dhcp server up to the task of his network plan?
> My main question is now: does my setup have any real asymmetric routing, since no devices can take different routes for return traffic? So, as long as I am aware of it, I could use it until I can afford a dedicated DHCP server.
> Is it really unsafe to run this way in my case because of asymmetric routing I am not aware of?

I have said this many many times in many threads like this.
> My main question is now: does my setup have any real asymmetric routing, since no devices can take different routes for return traffic? So, as long as I am aware of it, I could use it until I can afford a dedicated DHCP server.
> Is it really unsafe to run this way in my case because of asymmetric routing I am not aware of?

That asymmetric routing seems to be one of John's favorite terms. I would not worry about it. I ran with what he called asymmetric routing and I saw no issues. I don't think your diagram is right for L3 switching. So, I think you kind of need to decide if you are going to do L3 switching or L2 switching. I hang L2 switches off my L3 switch but I don't let my router do local routing. I save my router for internet traffic only.
> I have said this many many times in many threads like this.
> Start SIMPLE.
> - Question your need for two separate switches. Why do you need two? The answer may be yes, but make sure you understand WHY you're using two switches.
> - Start with one switch, forget DHCP/DNS/pfSense. Configure any and all VLANs on it and test using IP addresses only. Is the switch doing inter-VLAN routing correctly?
> - Start with the second switch, COMPLETELY disconnected from the first switch. Repeat the test above.
> - Now decide, how are these two switches going to connect together? Again, forget DHCP/DNS/pfSense. Can a device on one VLAN on switch 1 talk correctly to a device on a VLAN on switch 2?
> If the answers/tests to all of these are correct, now we address the rest of the issues.
> - Forget pfSense, let's address DHCP and DNS.
> - How and what will be your DHCP/DNS server for both of these interconnected switches?
> - If the answer is well...that's what I was hoping pfSense will do...then...you have absolutely NO choice. You MUST have individual interfaces in pfSense that represent each VLAN on BOTH switches AND you need to configure pfSense correctly so that it has static gateways and static routes to send traffic back to each switch. This is not easy or straightforward.
> My advice? Think real hard as to why you're using two switches.

I agree with all of this.
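An added example, not code from this thread, that models the design discussed in the diagram bullets above and in the "you MUST have individual interfaces" post: given pfSense's directly connected LAN, its static routes and its firewall allow-list, it reports for each switch VLAN whether pfSense could serve DHCP there, how replies get back to the switch, and whether a rule lets the subnet out. The addresses 10.0.20.1 and 10.0.20.254 are from the thread's diagram; the VLAN subnets and the rule list are assumed.

```python
import ipaddress

# Addresses from the thread's diagram: pfSense LAN 10.0.20.1, SG350 transit
# address 10.0.20.254. The VLAN subnets and the allow-list are constructed.
PFSENSE_INTERFACES = {"LAN": ipaddress.ip_network("10.0.20.0/24")}
SWITCH_VLANS = {
    "VLAN20": ipaddress.ip_network("10.0.20.0/24"),  # transit VLAN shared with pfSense
    "VLAN10": ipaddress.ip_network("10.0.10.0/24"),  # routed only by the L3 switch
    "VLAN30": ipaddress.ip_network("10.0.30.0/24"),  # routed only by the L3 switch
}
STATIC_ROUTES = {  # pfSense static routes: destination -> next hop (switch transit address)
    ipaddress.ip_network("10.0.10.0/24"): ipaddress.ip_address("10.0.20.254"),
}
FIREWALL_ALLOW_SOURCES = [ipaddress.ip_network("10.0.20.0/24")]  # sources pfSense rules allow out

def lookup_route(dst, interfaces, static_routes):
    """Longest-prefix match: ('connected', ifname), ('static', gw) or ('default', None)."""
    best = None  # (kind, via, prefixlen)
    for name, net in interfaces.items():
        if dst.subnet_of(net) and (best is None or net.prefixlen > best[2]):
            best = ("connected", name, net.prefixlen)
    for net, gw in static_routes.items():
        if dst.subnet_of(net) and (best is None or net.prefixlen > best[2]):
            best = ("static", gw, net.prefixlen)
    return best[:2] if best else ("default", None)

def audit(interfaces, vlans, static_routes, allow_sources):
    """Per VLAN: can pfSense serve DHCP, how do replies return, is it allowed out."""
    findings = {}
    for vlan, net in vlans.items():
        kind, _via = lookup_route(net, interfaces, static_routes)
        findings[vlan] = {
            # DHCP from pfSense needs an interface in that network (directly connected)
            "pfsense_dhcp_possible": kind == "connected",
            # 'default' means replies to this subnet leave via WAN instead of the switch
            "return_route": kind,
            # pfSense drops forwarded traffic unless a rule allows that source network
            "firewall_allows": any(net.subnet_of(a) for a in allow_sources),
        }
    return findings

def missing_pieces(findings):
    """Actions still needed for a working L3-switch-behind-pfSense design."""
    todo = []
    for vlan, f in findings.items():
        if f["return_route"] == "default":
            todo.append(f"{vlan}: add a static route via the switch transit address")
        if not f["firewall_allows"]:
            todo.append(f"{vlan}: add a firewall rule allowing this source network")
        if not f["pfsense_dhcp_possible"]:
            todo.append(f"{vlan}: DHCP must come from the switch or another server")
    return todo
```

Running `missing_pieces(audit(PFSENSE_INTERFACES, SWITCH_VLANS, STATIC_ROUTES, FIREWALL_ALLOW_SOURCES))` lists what the sample design still lacks: VLAN10 has a return route but no rule and no pfSense DHCP, and VLAN30 lacks all three.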
> My advice? Think real hard as to why you're using two switches.

Yes, I have no choice. The locations in my diagram are hardwired and all cabling reaches the SG350 switch. I only have two hardwires reaching the SG350X server and the setup there needs to be 10 Gb. The desktop in reality is in the same location as the SG350 and uses a hard wired direct to the SG350X.