Layer 3 Switch w/ PFSense

gregsachs

Active Member
Aug 14, 2018
318
87
28
Upon re-reading your post here, since I have 10GB devices on my LAN (NAS, Dell Server ESXi w VMs, two PC Computers) - and have not yet set anything up :

Would best practices for me be VLAN setup and intra-VLAN access to be done on the Brocade 7250? and then the PfSense box is acting only as Router, plus some pfsense packages like pfblockerng, Darkstat, Suricata. In this scenario, where does DHCP Server run? pfsense or Brocade?
Do the 10gbe devices need to cross between vlans, or are they all on the same vlan?
If they need to cross, you want that to happen on the brocade, this would point you to the exit vlan approach. If all 10gbe traffic is on the same vlan, it doesn't matter which approach you use, as you don't need 10gbe to the router.
I'm not sure about the "right" dhcp answer; I've done it in the switch although with an Aruba, and with Opnsense. I found both of those hard to see the clients' leases.
I most recently moved the vlans extended to the router, and do dhcp for each vlan on it. I found that simpler. That did not require doing dhcp relaying.
 
  • Like
Reactions: tommybackeast

tommybackeast

Active Member
Jun 10, 2018
251
82
28
Do the 10gbe devices need to cross between vlans, or are they all on the same vlan?
If they need to cross, you want that to happen on the brocade, this would point you to the exit vlan approach. If all 10gbe traffic is on the same vlan, it doesn't matter which approach you use, as you don't need 10gbe to the router.
I'm not sure about the "right" dhcp answer; I've done it in the switch although with an Aruba, and with Opnsense. I found both of those hard to see the clients' leases.
I most recently moved the vlans extended to the router, and do dhcp for each vlan on it. I found that simpler. That did not require doing dhcp relaying.
I fully appreciate most posters on this board are your 'level of knowledge' and are not newbies like myself.

Bluntly, I understood only pieces of what you wrote (that's ok). I am not trying to become a CCNA :) I am now googling 'dhcp relaying' as I have no clue what that means, but now have a tiny sense of understanding it.

The more I learn, the more respect I have for IT Network Engineers - this shit is complicated and I hope you are all paid what you are worth in knowledge.

I know myself. I learn by 'doing' rather than just reading. I have a family situation that has me away from home for a short bit and I thank you for trying to teach me things. When I get home, I have a new pfsense box and new Brocade 7250 to setup. "Best Practices" is something I strive for along with good-security, knowing that is often a giant pain in the ass to setup.

Until I found some reading here on STH incl this thread I dumbly was thinking : pfsense does the DHCP Server, I make DHCP Reservations on pfsense based off MAC address, make up VLANS on pfsense; and then somehow the Brocade will do the intra-VLAN config. Never once did I consider or even know the Brocade can do DHCP Server, VLAN creation, etc and just let the pfsense box be the router with some packages like NUT running on it.

you wrote "I most recently moved the vlans extended to the router, and do dhcp for each vlan on it. "

Can you explain what VLANS EXTENDED TO THE ROUTER means? are you creating the VLANS on the pfsense box or on Brocade? (sorry for dumb question)
 

tommybackeast

Active Member
Jun 10, 2018
251
82
28
Do the 10gbe devices need to cross between vlans, or are they all on the same vlan?
If they need to cross, you want that to happen on the brocade, this would point you to the exit vlan approach. If all 10gbe traffic is on the same vlan, it doesn't matter which approach you use, as you don't need 10gbe to the router.
I'm not sure about the "right" dhcp answer; I've done it in the switch although with an Aruba, and with Opnsense. I found both of those hard to see the clients' leases.
I most recently moved the vlans extended to the router, and do dhcp for each vlan on it. I found that simpler. That did not require doing dhcp relaying.
Let's see - if I made one LAN-VLAN: 10GB stuff on : two PC computers, Synology NAS, Dell Server running ESXi and another Synology NAS later this year.... if I put all that into one VLAN, I see no need for 10GB access from another VLAN.

Note 01: I do want to install OpenVPN on the pfsense router so from my cellphone I can run some Synology mobile apps which 'hits' the Synology NAS (however, the Synology NAS has four 1GB ports and I can dedicate one of those 4 1gb ports for OpenVPN if this makes life easier security wise).

Note 02: another human in the house, that I do not want on my LAN-VLAN, needs wifi access to the Synology NAS from their cell phone and iPad

Note 03: the TV Plex box (that I don't want on my LAN-VLAN) needs 1GB wired access to the Synology (again, the Synology has those 4 1GB ports available for this if need be).

I am already getting a sense of this being much more complex than expected; but already know the vast satisfaction I shall have when all done; and the learning process .

PS: Bottomline : I remain confused as to whether to make the VLANs on the pfsense box or the Brocade; if I am understanding you correctly, I should use the Brocade : it's harder but better? (and just have pfsense box be the router)
 

itronin

Well-Known Member
Nov 24, 2018
420
256
63
Denver, Colorado
For DHCP in your proposed configurations:

1) you should be able to do it in the switch IIRC - the ICX7250 supports dhcp. If you are comfortable with the command line and/or following recipes / YouTube videos this may be the easiest path to get working and troubleshoot. This may be the cleanest/simplest solution (at least initially).

2) PFSense. (this has been stated previously) In order for this to work the firewall MUST have an active interface in each VLAN for which it will be serving addresses. That doesn't mean that you have to specify the PFsense box as the default gateway for the VLAN(s), however things will get messy as Internet inbound traffic will most certainly bypass the switch for these directly connected VLANs (i.e. the outbound (from your perspective) traffic will not follow the inbound traffic). If you are going to use a transit VLAN please don't use this option. Seriously. don't.

3) More advanced (don't go here yet, unless you are ready to learn a bunch): set up a server on one of your VLANS that will be your DHCP server using something like ISC DHCP and you can use the IP helper function in the switch to forward DHCP packets to that server. I mean no offense but there are some layer 2 and 3 concepts that I suspect you have not yet mastered that will need to be understood to go down this path.

My advice: go with (1) above, learn how that functions and then look at doing (3) if you want to learn more.

Internet Access / VPN

I am not sure this was mentioned by anyone previously (because it's kind of obvious to people who already know how) but in the context of using a transit/exit VLAN to your PFsense: a common mistake by people learning how to use a transit VLAN is to forget to specify in PFsense/firewall all the subnets that are being routed by the switch. In PFsense you can:

1) specify the routes statically (probably easiest), you can specify each subnet *or* if the subnets are contained within a supernet then simply specify the supernet.
2) More advanced - use a routing protocol like OSPF (please don't use RIP) to communicate between PFsense and the switch.
Conversely you can also use a routing protocol to pass the default gateway from PFsense down to the switch. This is the most flexible, you'll learn a bunch and down the road when you add 5 more VLANS (IoT, cams, kittens etc) the routes will start appearing.
 
Last edited:
  • Like
Reactions: gb00s
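Added example, not code from this thread or from any product named in it: a small Python simulation of what option (3) above does, i.e. the switch's IP helper on each VLAN interface relaying DHCP to one central server that holds a scope per VLAN. All addresses, the two scopes and the MAC addresses are constructed for the example, and the packet model keeps only the BOOTP fields that matter here (giaddr, yiaddr, chaddr); REQUEST/ACK are left out.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing: two client VLANs routed by the switch and one central DHCP
# server in a server VLAN. Each scope: subnet -> (router handed out, pool first, pool last).
SERVER_IP = ipaddress.ip_address("192.168.5.10")
SERVER_SUBNET = ipaddress.ip_network("192.168.5.0/24")
SCOPES = {
    ipaddress.ip_network("192.168.10.0/24"): ("192.168.10.1", 100, 199),
    ipaddress.ip_network("192.168.20.0/24"): ("192.168.20.1", 100, 199),
}

@dataclass
class Dhcp:
    """Only the BOOTP fields this example needs."""
    op: str                       # "DISCOVER" or "OFFER"
    chaddr: str                   # client MAC
    giaddr: str = "0.0.0.0"       # filled in by the first relay agent on the path
    yiaddr: str = "0.0.0.0"       # address the server offers
    options: dict = field(default_factory=dict)

def relay(pkt, ve_address, helper):
    """What an IP helper on a VE does: stamp giaddr with the VE's own address
    (only if no earlier relay did) and unicast the client's broadcast to the helper."""
    if pkt.giaddr == "0.0.0.0":
        pkt.giaddr = str(ve_address)
    return str(helper), pkt

class Server:
    def __init__(self):
        self.leases = {}                                       # (subnet, mac) -> address
        self.next_host = {net: first for net, (_, first, _) in SCOPES.items()}

    def select_scope(self, pkt, ingress_subnet):
        """RFC 2131 scope selection: a relayed packet is matched on giaddr, an unrelayed
        one on the subnet of the interface it arrived on."""
        if pkt.giaddr != "0.0.0.0":
            gi = ipaddress.ip_address(pkt.giaddr)
            return next((net for net in SCOPES if gi in net), None)
        return ingress_subnet if ingress_subnet in SCOPES else None

    def handle(self, pkt, ingress_subnet=SERVER_SUBNET):
        net = self.select_scope(pkt, ingress_subnet)
        if net is None:
            return None                       # no matching scope: the server stays silent
        router, _, last = SCOPES[net]
        key = (net, pkt.chaddr)
        if key not in self.leases:            # a returning client keeps its address
            host = self.next_host[net]
            if host > last:
                return None                   # pool exhausted
            self.leases[key] = str(net.network_address + host)
            self.next_host[net] = host + 1
        # The server answers to giaddr; the switch then re-broadcasts the OFFER in the VLAN.
        return Dhcp("OFFER", pkt.chaddr, giaddr=pkt.giaddr, yiaddr=self.leases[key],
                    options={"router": router, "subnet_mask": str(net.netmask)})

def client_boots(server, mac, vlan_ve_address):
    """Client broadcasts DISCOVER in its VLAN; the VE there relays it to the server."""
    helper, forwarded = relay(Dhcp("DISCOVER", mac), vlan_ve_address, SERVER_IP)
    assert helper == str(SERVER_IP)
    return server.handle(forwarded)

def discover_arriving_unrelayed(server, mac):
    """A DISCOVER the server hears with giaddr still zero is matched on the receiving
    interface's subnet; no scope exists for the server VLAN, so it gets no answer. A client
    in a VLAN without a helper is worse off: its broadcast never reaches the server at all."""
    return server.handle(Dhcp("DISCOVER", mac))

if __name__ == "__main__":
    s = Server()
    print(client_boots(s, "aa:bb:cc:00:00:01", "192.168.20.1"))
    print(discover_arriving_unrelayed(s, "aa:bb:cc:00:00:02"))
```

The point to take from the walk-through is that giaddr is the only thing telling the server which VLAN a request came from, so the VE address configured as the relay source must sit inside the scope you want handed out; a helper on a VE whose address matches no scope makes the server silently ignore the VLAN, which looks exactly like the "won't give leases" symptom described elsewhere in this thread.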

itronin

Well-Known Member
Nov 24, 2018
420
256
63
Denver, Colorado
PS: Bottomline : I remain confused as to make the VLANs on the pfsense box or the Brocade; if I am understanding you correctly, I should use the Brocade : it's harder but better ??????????? (and just have pfsense box be the router)
When using VLANS they will ALWAYS have to be created/managed on the switch at a minimum. This is true whether the VLAN is tagged or untagged.

If you use a transit/egress VLAN you DO NOT have to create tagged VLANS on pfsense. NB: You can if you want but it does not have to be configured that way. If you do not use tagged VLANS then note that the Interface to PFsense will need to be connected to an untagged switch port in the transit VLAN. (this is probably the simplest configuration when using a transit VLAN).

If you are using PFsense to do DHCP (and I recommend you don't) you will have to fit into one of the following scenarios.

1) No VLANS on PFsense means you have a physical interface on the PFSense system for EACH VLAN getting DHCP from PFsense plus 1 physical interface for your Internet connection. If you can't meet this requirement then you will have to implement Again each physical interface will have to be connected to an untagged switch port in the appropriate VLAN.

2) Use tagged VLANS on a PFsense physical interface. (trunking). With this scenario VLANS will have to be configured BOTH in the switch and on the PFsense system.
 
Last edited:

bubsterboo

Member
Dec 15, 2019
36
11
8
Hey Guys,

I'm in the exact same situation. PFSense, Brocade 6450, Exploring VLANs and how to set everything up. I have some 10gb devices and would like 10gb routing to occur on the switch as well.

I went down the path of making an interface for every vlan on pfsense and realised this wasn't going to do my inter-vlan routing fast enough... (Yes, theme of the thread).

To continue the discussion. Let's say I do DHCP on the l3 switch. My switch can do all my inter-vlan routing, the pfsense box has no interface in the vlan. How do you manage local DNS records?
PFSense will do static DHCP leases for you and make DNS records for the host names in those static leases automatically.
Is there any solution here that can link my DNS system to DHCP??? Or at this point am I having to host DHCP/DNS on a separate machine that's not PFSense or the L3 Switch to keep these features?
 
  • Like
Reactions: tommybackeast

fohdeesha

Kaini Industries
Nov 20, 2016
1,960
1,784
113
29
fohdeesha.com
I *highly* advise against using the dhcp server in fastiron, I had a few devices it just would not give leases to, a few others in the brocade thread had the same issue (the dhcp server is not set as authoritative, for one). Almost nobody in the target market uses dhcp servers built into switches (they use a proper separate server and dhcp relay), so I have a feeling the integrated dhcp server in fastiron was not exactly thoroughly tested. If you're dead set on setting up a bunch of vlans and need 10gbps+ between them, set up something like isc-dhcp in a vm or elsewhere
 

bubsterboo

Member
Dec 15, 2019
36
11
8
Thanks for the advice fohdeesha. I won't bother doing dhcp in fastiron.
Maybe dnsmasq would work for me as both the dhcp and dns server and appears to offer the dhcp updating dns features I want.
 

StammesOpfer

Active Member
Mar 15, 2016
382
126
43
Ok there is enough interest and I would like to put it out there that I would not recommend doing it this way... but it will work. It came up earlier in the thread but I'll lay it out a little more here.

pfSense as gateway to the internet.
pfSense with a trunk setup to the switch.
setup a vlan interface for each of your vlans on the trunked interface.

setup all your vlans on the switch
configure L3 routing on the switch with the switches default gateway being pfSense

make sure that the switch and pfsense interface in each vlan are not the same ip (common sense but I could see it happening)
setup DHCP like normal in pfSense except you are going to specify the default gateway as the switch IP (not pfSense)

pfSense can still handle DNS this way and will track all the leases as normal.

Why this works.
pfSense has an interface in every vlan so it knows about the IP space and can listen directly for DHCP requests.
all client devices when sending traffic will use the default gateway to route (the switch not pfSense) so internal traffic will route at 10Gbps

Why you shouldn't do it.
when traffic is going to the internet it will hit the switch then pfsense then the internet like we expect. However return traffic will hit pfSense and because pfSense has an interface directly connected to the subnet the traffic is destined for it will not route via the switch (the switch will be operating only at L2 not L3). This makes writing rules very weird and you have to keep track of how traffic is actually flowing.

DHCP helpers/relays/forwarders are designed to work in this environment and are the correct solution. You are already learning some tools so take the opportunity to learn how to use isc-dhcp or run DNS and DHCP on a Windows Server instance.
 
  • Like
Reactions: tommybackeast
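Added example (not from the post above): a Python trace of the two forwarding paths StammesOpfer describes, done with a plain longest-prefix-match lookup per hop. The constructed topology has the switch as every client's gateway; in design A pfSense also has an interface in each VLAN (the layout above), in design B it only has the transit link plus a supernet static route back to the switch. All addresses (192.168.x.x inside, 198.51.100.0/24 for the WAN side, 203.0.113.10 as the internet host) are made up for the example.

```python
import ipaddress

CLIENT = "192.168.20.50"     # constructed client in VLAN 20
INTERNET = "203.0.113.10"    # constructed internet host (TEST-NET-3)

def lpm(table, dst):
    """Longest-prefix match. table: list of (prefix, next_hop); next_hop None means
    the destination network is directly connected to this node."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def trace(nodes, start, dst, max_hops=8):
    """Walk a packet from node 'start' toward dst. nodes: name -> (own addresses, table).
    The path ends with 'direct:<dst>' when a node hands the packet to a connected segment."""
    path, here = [start], start
    for _ in range(max_hops):
        match = lpm(nodes[here][1], dst)
        if match is None:
            return path + ["dropped"]
        next_hop = match[1]
        if next_hop is None:
            return path + [f"direct:{dst}"]
        here = next(n for n, (addrs, _) in nodes.items() if next_hop in addrs)
        path.append(here)
    return path + ["loop"]

def topology(pfsense_in_every_vlan):
    """Constructed lab. True = pfSense trunked into every VLAN and the switch defaulting
    to pfSense's VLAN 20 address. False = transit VLAN with a static route on pfSense."""
    client = ({CLIENT}, [("192.168.20.0/24", None), ("0.0.0.0/0", "192.168.20.1")])
    upstream = ({"198.51.100.1"}, [("198.51.100.0/24", None), ("203.0.113.0/24", None)])
    lan = [("192.168.10.0/24", None), ("192.168.20.0/24", None)]
    if pfsense_in_every_vlan:
        switch = ({"192.168.10.1", "192.168.20.1"}, lan + [("0.0.0.0/0", "192.168.20.254")])
        pfsense = ({"192.168.10.254", "192.168.20.254", "198.51.100.2"},
                   lan + [("198.51.100.0/24", None), ("0.0.0.0/0", "198.51.100.1")])
    else:
        switch = ({"192.168.2.2", "192.168.10.1", "192.168.20.1"},
                  lan + [("192.168.2.0/30", None), ("0.0.0.0/0", "192.168.2.1")])
        pfsense = ({"192.168.2.1", "198.51.100.2"},
                   [("192.168.2.0/30", None), ("198.51.100.0/24", None),
                    ("192.168.0.0/16", "192.168.2.2"),   # static route back via the switch
                    ("0.0.0.0/0", "198.51.100.1")])
    return {"client": client, "switch": switch, "pfsense": pfsense, "upstream": upstream}

def paths(pfsense_in_every_vlan):
    """Outbound path client -> internet, and the return path once pfSense has un-NATed
    the reply and must deliver it to the client."""
    nodes = topology(pfsense_in_every_vlan)
    return trace(nodes, "client", INTERNET), trace(nodes, "pfsense", CLIENT)

def is_symmetric(pfsense_in_every_vlan):
    """True when the reply crosses the same routers in reverse order."""
    out, back = paths(pfsense_in_every_vlan)
    routers = lambda p: [h for h in p if h in ("switch", "pfsense")]
    return routers(back) == list(reversed(routers(out)))

if __name__ == "__main__":
    for flag in (True, False):
        out, back = paths(flag)
        label = "pfSense in every VLAN" if flag else "transit VLAN"
        print(label, out, back, "symmetric" if is_symmetric(flag) else "asymmetric")
```

In design A the reply leaves pfSense straight onto the VLAN 20 segment because the connected /24 beats the switch's route, so the switch only sees the return traffic at layer 2; any rule or ACL you later put on the switch's VE will see half of each flow, which is the "weird rules" problem described above. In design B both directions cross the same two routers, which is what keeps stateful firewalling predictable.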

klui

Active Member
Feb 3, 2019
176
73
28
I *highly* advise against using the dhcp server in fastiron, I had a few devices it just would not give leases to, a few others in the brocade thread had the same issue (the dhcp server is not set as authoritative, for one). Almost nobody in the target market uses dhcp servers built into switches (they use a proper separate server and dhcp relay), so I have a feeling the integrated dhcp server in fastiron was not exactly thoroughly tested. If you're dead set on setting up a bunch of vlans and need 10gbps+ between them, set up something like isc-dhcp in a vm or elsewhere
For those following here's the result of @fohdeesha's investigation: https://forums.servethehome.com/index.php?posts/206144/.

And the symptom: https://forums.servethehome.com/index.php?posts/198017/.

I don't recall reading about another issue with the DHCP server on the switches. I have personally experienced issues with a Juniper SRX getting leases as well. Worked fine under Windows notebook but had trouble for an interface that I defined in the SRX for a lab situation. For the production network I used the SRX instead of the 6610.
 

fohdeesha

Kaini Industries
Nov 20, 2016
1,960
1,784
113
29
fohdeesha.com
Won't help anyone for a while, but looks like netgate is planning to integrate Kea-DHCP into pfsense 2.5. They already use it in TNSR. Admittedly, I am not certain whether this would even fix the issue at the heart of this thread.

Feature #6960: Consider replacing ISC DHCP server with KEA DHCP - pfSense - pfSense bugtracker
Who knows, as the issue is unrelated to the dhcp stack - isc-dhcp that pfsense uses has been able to serve multiple subnets over a single link for something like 15 years - in fact I would wager this is how 90% of isc-dhcp servers are configured. The pfsense devs just refuse to expose the functionality. No clue if they'll take the same stand with kea, but knowing Jim I won't be surprised if they do
 
Last edited:

PGlover

Active Member
Nov 8, 2014
470
55
28
54
With a layer 3 switch, the general recommendation is to either let the switch do DHCP duties (it can), or have a dedicated DHCP server that can handle VLANs (pfSense cannot, at this time...).

With a layer 3 switch, I prefer to let pfSense be a pure firewall appliance. Have a dedicated "transit" VLAN in your layer 3 switch connected to pfSense. As an e.g.

- You've created a VLAN on your layer 3 switch called TRANSIT, added a single port to it, enabled the virtual interface on it, and the IP is set to 192.168.2.2/xx
- The physical port from above is connected to a port on your pfSense box on let's say the OPT1 interface.
- In pfSense this interface (OPT1) is set to a static IP = 192.168.2.1/xx

At this point, from your console on the switch, you should be able to ping 192.168.2.1 and get a response back. The switch is talking to your pfSense box, but your pfSense box only understands traffic on the 192.168.2.x network.

Now, in pfSense you create a Gateway (System-->Routing-->Gateways). In the settings for the gateway:
- Interface should be OPT1
- Address Family - whatever, v4/v6
- Name - Something meaningful like ICX6610-1 etc
- The Gateway IP address should be what the layer 3 switch TRANSIT IP is. In my example, that would be 192.168.2.2

Now, we have a gateway defined, but pfSense still doesn't know what type of traffic to expect/handle. So, go into System-->Routing-->Static Routes and define one or more static routes. As an e.g.

- Click Add
- The Destination Network should be one or more of the VLAN IP ranges on the layer 3 switch. For e.g. 192.168.20.0/24 (The zero is important...)
- The Gateway should be set to the gateway we just defined, as an e.g. ICX6610-1.
- Give it some meaningful description.
- Save.

At this point, the pfSense box knows where the 192.168.20.x/xx traffic is coming from and how to talk back to it. But wait...things are probably not working just yet.

That's because your layer 3 switch is not configured with a "default" route that is pointing to the pfSense box. So, add a default route of 0.0.0.0/xx and point it to 192.168.2.1 which is the pfSense box.

At this point, all your VLANS on the layer 3 switch should be able to talk to the switch, the pfSense box, the internet (if it's set up in pfSense) and vice versa. What's not working is DHCP and DNS...To solve that, there's many different strategies, and I'm not going to go into the details of them. In my case, I use a dedicated Windows server for both DHCP/DNS and in the layer 3 switch, for EACH virtual interface, an "ip-helper" is set up to point to this Windows box (There's more configuration to be done for DNS to work efficiently/correctly, but that's a different topic).

What this does, is that all routing is local to the layer 3 switch, and only external networks are routed to the pfSense box. All DHCP is handled at the switch level/dedicated server and not by pfSense. If you've set up DNS correctly, all DNS queries by any clients on any of the VLANS, go to the local DNS server and if the entry is not in the DNS cache, only then does it go outside the network.

My .02
Great writeup...

I have the Brocade ICX6610 Layer 3 switch. In your comment "You've created a VLAN on your layer 3 switch called TRANSIT, added a single port to it, enabled the virtual interface on it, and the IP is set to 192.168.2.2/xx" . Please verify the virtual interface command is "router-interface ve xx".

In addition, you would create other VLANs on the Layer 3 switch and virtual interfaces for each VLAN on the Layer 3 switch so that inter-vlan routing can occur on the Layer 3 switch.

So my question is what routing is done on the pfSense box? Is inter-vlan routing being done on the pfSense box as well?
 
  • Like
Reactions: tommybackeast

tommybackeast

Active Member
Jun 10, 2018
251
82
28
I *highly* advise against using the dhcp server in fastiron, I had a few devices it just would not give leases to, a few others in the brocade thread had the same issue (the dhcp server is not set as authoritative, for one). Almost nobody in the target market uses dhcp servers built into switches (they use a proper separate server and dhcp relay), so I have a feeling the integrated dhcp server in fastiron was not exactly thoroughly tested. If you're dead set on setting up a bunch of vlans and need 10gbps+ between them, set up something like isc-dhcp in a vm or elsewhere
questions pertaining to : (pfsense box + Brocade 7250 ) with nothing done yet, still planning.

For simple home network : if MAIN-VLAN contains all the 10GB devices - do you still suggest not doing DHCP Server on the Brocade?

Can you comment on doing DHCP Server on pfsense box, and Brocade for VLAN Config + Inter-VLAN setup ?

I never heard of isc-dhcp before your mention, but just glanced at it quickly. I have a Dell Server running ESXi so could make an isc-dhcp VM there (even though ESXi vSwitch confuses the hell out of me, lol).

you wrote you personally have had issues with DHCP Server running on Brocade : were you doing advanced "non-common" things that most of us would not; or; did Brocade DHCP Server fail for you trying to do a simple DHCP Reservation based off device MAC address?

PS: I must be wrong; but I could have sworn I read you say (maybe last year) to run DHCP Server not on pfSense box but on Brocade . /thanks
 

tommybackeast

Active Member
Jun 10, 2018
251
82
28
For those following here's the result of @fohdeesha's investigation: https://forums.servethehome.com/index.php?posts/206144/.

And the symptom: https://forums.servethehome.com/index.php?posts/198017/.

I don't recall reading about another issue with the DHCP server on the switches. I have personally experienced issues with a Juniper SRX getting leases as well. Worked fine under Windows notebook but had trouble for an interface that I defined in the SRX for a lab situation. For the production network I used the SRX instead of the 6610.
Thanks for the URLs to read, as I ponder starting my Network Map and where/how to set things up.
 

tommybackeast

Active Member
Jun 10, 2018
251
82
28
DHCP helpers/relays/forwarders are designed to work in this environment and are the correct solution. You are already learning some tools so take the opportunity to learn how to use isc-dhcp or run DNS and DHCP on a Windows Server instance.
I'm just starting and have done nothing yet. Have a good CPU in a dedicated pfsense box; and Brocade 7250.

I was given a very old 1U SuperMicro with an ancient CPU (32bit), I have a legit copy of 32bit windows server 2012 or 2016 - if I ran Windows Server on this 32bit device, it could run DNS and DHCP right from within Windows Server OS? (I last used Windows Server 2003 when it was brand new, lol)

so if I had a dedicated Windows Server box running; what else can be done on it besides DNS and DHCP? (that is not too complicated as I am a network noob) /thanks
 

StammesOpfer

Active Member
Mar 15, 2016
382
126
43
I'm just starting and have done nothing yet. Have a good CPU in a dedicated pfsense box; and Brocade 7250.

I was given a very old 1U SuperMicro with an ancient CPU (32bit), I have a legit copy of 32bit windows server 2012 or 2016 - if I ran Windows Server on this 32bit device, it could run DNS and DHCP right from within Windows Server OS? (I last used Windows Server 2003 when it was brand new, lol)

so if I had a dedicated Windows Server box running; what else can be done on it besides DNS and DHCP? (that is not too complicated as I am a network noob) /thanks
The best answer is to install it and play with the "roles and features" that can be installed. Hardware that old is going to be a power hog just to be running a couple simple services and I can't imagine performance would be very good to do much of anything (assuming the CPU really is so old that it is 32bit only)
 
  • Like
Reactions: tommybackeast

kapone

Well-Known Member
May 23, 2015
796
388
63
Great writeup...

I have the Brocade ICX6610 Layer 3 switch. In your comment "You've created a VLAN on your layer 3 switch called TRANSIT, added a single port to it, enabled the virtual interface on it, and the IP is set to 192.168.2.2/xx" . Please verify the virtual interface command is "router-interface ve xx".

In addition, you would create other VLANs on the Layer 3 switch and virtual interfaces for each VLAN on the Layer 3 switch so that inter-vlan routing can occur on the Layer 3 switch.

So my question is what routing is done on the pfSense box? Is inter-vlan routing being done on the pfSense box as well?
Yes, the command for the virtual interfaces is what you said. I typically match my VE/VLAN naming convention to the IP space it's handling...

As an e.g.

vlan 2 name TRANSIT
<Add your tagged/untagged interfaces to it>
router-interface ve 2
<the command prompt will move to the ve level>
ip address 192.168.2.2/30

Explanation - In this case, I'm using the 192.168 address family and for this VLAN/VE I'm using the 192.168.2.x/30 address space, so I named my vlan/ve to 2 (no hard and fast rules about this). And as part of the IP address command 192.168.2.2/30 I'm setting the ve interface's gateway IP address to 192.168.2.2.

Note: the /30 mask means there are 4 available IP addresses in this space. In general, for point-to-point networks (which this case is, switch-to-pfsense, no other devices on the TRANSIT network), you want tiny address spaces.

Edit: To answer your question about routing, NO local routing is done on the PFSense box. Local traffic does not leave the layer 3 switch at all. The PFSense box is basically the next hop for a network (in this case the internet) that the layer 3 switch cannot handle.
 
  • Like
Reactions: tommybackeast

PGlover

Active Member
Nov 8, 2014
470
55
28
54
With a layer 3 switch, the general recommendation is to either let the switch do DHCP duties (it can), or have a dedicated DHCP server that can handle VLANs (pfSense cannot, at this time...).

With a layer 3 switch, I prefer to let pfSense be a pure firewall appliance. Have a dedicated "transit" VLAN in your layer 3 switch connected to pfSense. As an e.g.

- You've created a VLAN on your layer 3 switch called TRANSIT, added a single port to it, enabled the virtual interface on it, and the IP is set to 192.168.2.2/xx
- The physical port from above is connected to a port on your pfSense box on let's say the OPT1 interface.
- In pfSense this interface (OPT1) is set to a static IP = 192.168.2.1/xx

At this point, from your console on the switch, you should be able to ping 192.168.2.1 and get a response back. The switch is talking to your pfSense box, but your pfSense box only understands traffic on the 192.168.2.x network.

Now, in pfSense you create a Gateway (System-->Routing-->Gateways). In the settings for the gateway:
- Interface should be OPT1
- Address Family - whatever, v4/v6
- Name - Something meaningful like ICX6610-1 etc
- The Gateway IP address should be what the layer 3 switch TRANSIT IP is. In my example, that would be 192.168.2.2

Now, we have a gateway defined, but pfSense still doesn't know what type of traffic to expect/handle. So, go into System-->Routing-->Static Routes and define one or more static routes. As an e.g.

- Click Add
- The Destination Network should be one or more of the VLAN IP ranges on the layer 3 switch. For e.g. 192.168.20.0/24 (The zero is important...)
- The Gateway should be set to the gateway we just defined, as an e.g. ICX6610-1.
- Give it some meaningful description.
- Save.

At this point, the pfSense box knows where the 192.168.20.x/xx traffic is coming from and how to talk back to it. But wait...things are probably not working just yet.

That's because your layer 3 switch is not configured with a "default" route that is pointing to the pfSense box. So, add a default route of 0.0.0.0/xx and point it to 192.168.2.1 which is the pfSense box.

At this point, all your VLANS on the layer 3 switch should be able to talk to the switch, the pfSense box, the internet (if it's set up in pfSense) and vice versa. What's not working is DHCP and DNS...To solve that, there's many different strategies, and I'm not going to go into the details of them. In my case, I use a dedicated Windows server for both DHCP/DNS and in the layer 3 switch, for EACH virtual interface, an "ip-helper" is set up to point to this Windows box (There's more configuration to be done for DNS to work efficiently/correctly, but that's a different topic).

What this does, is that all routing is local to the layer 3 switch, and only external networks are routed to the pfSense box. All DHCP is handled at the switch level/dedicated server and not by pfSense. If you've set up DNS correctly, all DNS queries by any clients on any of the VLANS, go to the local DNS server and if the entry is not in the DNS cache, only then does it go outside the network.

My .02
Just want to verify the pfSense steps. Can you please validate the pfSense steps below.

- Create a Gateway on the Transit Vlan interface
System -> Routing -> Gateways

- Create Static Routes for each of the Subnets/Vlans created on the Layer 3 Switch. The static routes will be based on the Gateway created in Step 1.
System -> Routing -> Static Routes

- Create Firewall rules for each of the Subnets/Vlans created on the Layer 3 Switch. The firewall rules will be created on the Transit Vlan interface and based on the Gateway created in Step 1.
Firewall -> Rules

- Make sure the Firewall Outbound NAT includes all Subnets/Vlans created on the Layer 3 Switch.
Firewall -> NAT -> Outbound
 

kapone

Well-Known Member
May 23, 2015
796
388
63
Just want to verify the pfSense steps. Can you please validate the pfSense steps below.

- Create a Gateway on the Transit Vlan interface
System -> Routing -> Gateways

- Create Static Routes for each of the Subnets/Vlans created on the Layer 3 Switch. The static routes will be based on the Gateway created in Step 1.
System -> Routing -> Static Routes

- Create Firewall rules for each of the Subnets/Vlans created on the Layer 3 Switch. The firewall rules will be created on the Transit Vlan interface and based on the Gateway created in Step 1.
Firewall -> Rules

- Make sure the Firewall Outbound NAT includes all Subnets/Vlans created on the Layer 3 Switch.
Firewall -> NAT -> Outbound
This has a lot more permutations/combinations than you realize... :) Just the first step...

- Create a Gateway on the Transit Vlan interface
System -> Routing -> Gateways
What vlan interface?? The TRANSIT interface doesn't have to be a VLAN on the PFSense side. How's pfSense connected to the TRANSIT interface? physical NIC, virtual NIC? How's the WAN terminated? To pfSense or to the layer 3 switch?