Basic help / step by step to convert home network to L3 / vlan routing

scp

Member
Aug 5, 2015
I hope I'm phrasing the question right. I've got a configuration in place right now, and I want to reconfigure, but the terms and concepts are confusing me a bit. I only sort of understand the concept and I'm trying to learn this stuff and apply it to my setup.

At the moment, my inter-VLAN traffic is running through my router. But I should really be running this through my switch, as I understand.

This is a home network with Fios internet service. pfSense router 1GbE (C2558), HPE 2920 stack (x2) with (x2) 10GbE modules.

Currently:
  • pfSense router that started with a basic configuration.
    • I added multiple VLANs, mainly for additional IP ranges.
    • There are minimal firewall rules in place for one VLAN (IoT / cameras), but I allow traffic across VLANs regularly.
  • HPE 2920 stack using untagged VLANs. Port 1 connects to the pfSense router. Other than that, basic configuration. Running ArubaOS, but I have worked with the CLI a bit.
Questions
  • What steps should I go through to reconfigure this network with this as my starting point?
  • Does the HPE switch have to become my DHCP server, with pfSense no longer handling DHCP?
  • Does pfSense no longer have VLAN interface assignments?
  • I've heard mention of setting "static routes", but I don't understand at all what this means.
If anyone has a really basic guide or steps, that would be super helpful. This seems to get deep fast, so I'm hoping to build on concepts and get my head around this.
(Attachment: network diagram)

tinfoil3d

QSFP28
May 11, 2020
It's hard to see what you're trying to achieve. How is it that traffic goes through the router? If you have several UNtagged VLANs and they are somehow permitted to escape the switch elsewhere, they would look like the same default VLAN to all external devices, therefore no filtering/segregation is achieved with this setup. Cheap IP cams don't have a tagged VLAN feature, that's right, and in general you should never let them see anything other than your management/NVR server, just because they're full of backdoors and bugs. DHCP for those should also be the NVR. So these ports should have DHCP snooping enabled, but keeping them separated from seeing each other is a good idea too.

Maybe come up with some sort of network design outline so that it's easier to see how it looks now and how you want it to look?

scp

Member
Aug 5, 2015
I'll add a diagram to original post. This could also be my own confusion creeping in. I was told this setup is wrong because any traffic that goes from one VLAN to another VLAN ends up going through my router instead of being handled by the switch.
 

tsteine

Active Member
May 15, 2019
I was told this setup is wrong because any traffic that goes from one VLAN to another VLAN ends up going through my router instead of being handled by the switch.
It should be noted that if you set up your switch to route traffic, firewall rules set up on the pfSense box will not be respected for VLANs routed on the switch, so you will need to set up ACLs on the switch to block traffic between VLANs as appropriate.

That being said, a sane configuration here would be to segregate 1/10/30/99 into separate VLANs. With your current configuration, as far as I can tell from the diagram, traffic on 1/30/99 is visible to all devices connected to untagged ports.

Questions:
1. You would need to set up VLANs on the switch, then assign an IP to each VLAN interface on the switch so that it acts as an L3 switch, capable of routing.

2. Not necessarily; you can set up DHCP relaying on the switch to relay DHCP requests to your pfSense router. You would need to set the router for the DHCP scope to point to the IP of the respective VLAN on the switch, not pfSense.

3. If you set up your switch to act as a router, then it would not be necessary to have VLAN interfaces on the pfSense box, since your switch would only need to send traffic bound for the internet to the pfSense box, while all inter-VLAN traffic would be handled on the switch.

4. Setting a static route means that you inform a router where traffic to a given subnet should be routed.
What you could do here is give your pfSense the IP 192.168.0.1, then set up a port on the switch to act as an ethernet interface with the IP 192.168.0.2,
then set up a static route on the switch to send all traffic bound for 0.0.0.0/0 (basically this means all traffic) to 192.168.0.1.
This would mean that all traffic the switch does not explicitly know the destination of always gets sent to the pfSense box for routing, while all routes the switch knows of would be sent to the appropriate subnet.


Some config for illustration, though this is a Mellanox switch, not Aruba, so how your switch is to be configured may vary.

Port 1/32 is configured to act as an ethernet interface with an IP, and is connected to a router which connects to the internet.
That router has static routes which send traffic bound for the homelab to the IP configured on 1/32,
while the switch routes everything bound for 0.0.0.0/0 via 10.0.1.1, which is the IP of the router connected to it.
Code:
##
## L3 configuration
##
   ip routing vrf default
   interface ethernet 1/32 no switchport force
   interface vlan 1
   interface vlan 2
   interface vlan 3
   interface vlan 4
   interface vlan 5
   interface ethernet 1/32 ip address 10.0.1.254/24 primary
   interface vlan 1 ip address 10.1.1.1/24 primary
   interface vlan 2 ip address 10.1.2.1/24 primary
   interface vlan 3 ip address 10.1.3.1/24 primary
   interface vlan 4 ip address 10.1.4.1/24 primary
   interface vlan 5 ip address 10.1.5.1/24 primary
   ip route vrf default 0.0.0.0/0 10.0.1.1



##
## DHCP relay configuration
##
   ip dhcp relay instance 1 vrf default
   ip dhcp relay instance 1 address 10.1.1.254
   interface vlan 2 ip dhcp relay instance 1 downstream
   interface vlan 3 ip dhcp relay instance 1 downstream
   interface vlan 4 ip dhcp relay instance 1 downstream
   interface vlan 5 ip dhcp relay instance 1 downstream
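The same design translated to the OP's HPE 2920, as an added example in ArubaOS-Switch CLI syntax (not tsteine's config and not taken from any vendor document, so verify each command against the switch's own reference): a transit VLAN on port 1 to pfSense, switch-side gateways with DHCP relay for a LAN and an IoT VLAN, a default route to pfSense, and the switch ACL that has to take over the inter-VLAN filtering pfSense can no longer do. The 192.168.0.1/.2 addresses and VLAN IDs 10/30/99 come from the thread; the 192.168.10.0 and 192.168.30.0 subnets, the port ranges and the NVR address 192.168.10.50 are constructed.

```text
; Added example for an HPE 2920 (ArubaOS-Switch syntax, assumed).
; Subnets, port ranges and the NVR address are constructed values.

; 1. make the switch route between its own VLAN interfaces
ip routing

; 2. transit VLAN: port 1 is the link to pfSense (192.168.0.1)
vlan 99
   name "TRANSIT"
   untagged 1
   ip address 192.168.0.2 255.255.255.0
   exit

; 3. trusted LAN: the switch is the gateway, DHCP is relayed to pfSense
vlan 10
   name "LAN"
   untagged 2-12
   ip address 192.168.10.1 255.255.255.0
   ip helper-address 192.168.0.1
   exit

; 4. IoT / camera VLAN, same pattern
vlan 30
   name "IOT"
   untagged 13-24
   ip address 192.168.30.1 255.255.255.0
   ip helper-address 192.168.0.1
   exit

; 5. anything the switch has no route for is handed to pfSense
ip route 0.0.0.0/0 192.168.0.1

; 6. pfSense rules no longer see IoT -> LAN traffic, so filter it here:
;    IoT may use DHCP, DNS on pfSense and the NVR, and nothing else on
;    the LAN; everything else (internet via pfSense) still passes
ip access-list extended "IOT-IN"
   permit udp any any eq 67
   permit udp 192.168.30.0 0.0.0.255 host 192.168.0.1 eq 53
   permit ip 192.168.30.0 0.0.0.255 host 192.168.10.50
   deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
   permit ip any any
   exit
vlan 30 ip access-group "IOT-IN" in
```

pfSense then needs a gateway entry for 192.168.0.2 and static routes for 192.168.10.0/24 and 192.168.30.0/24 pointing at it, otherwise return traffic from the internet has no path back to the switch's VLANs.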

scp

Member
Aug 5, 2015
Oh, this helps a ton, thank you! That simplified it for me and I'm pretty sure I know how to configure everything you laid out, so I'll give it a shot. I think once I get the baseline routing done, I can work on the ACL rules bit by bit and get those dialed in.

Thanks again!

RobstarUSA

Active Member
Sep 15, 2016
My rule of thumb (for my home network):

Anything low-traffic/untrusted goes through my OPNsense box as default gateway, with firewall rules.
Anything that is internet-exposed to incoming connections is handled the same way.
Both of the above have "outbound by default" blocked, and no outbound by default to my local LAN.

Anything that is high-speed/trusted gets routed by the switch (e.g. LAN vs. storage VLANs).