Move routing off pfSense to L3 switch?

Discussion in 'Networking' started by IamSpartacus, Apr 26, 2016.

  1. IamSpartacus

    IamSpartacus Well-Known Member

    Joined:
    Mar 14, 2016
    Messages:
    1,925
    Likes Received:
    414
    Now that I've upgraded to a L3 switch (X1052) with 10Gb capabilities I've been contemplating whether or not I should continue to have my pfSense firewall do all my inter-VLAN routing or should I move those duties over to my L3 switch. I'm mainly concerned about maximizing the performance of my VMware cluster VLANs (VM Networks, vSAN, vMotion, etc.).

    Having pfSense manage all my VLANs is my preferred way because I can manage all the firewall rules easily that way, but I also don't want to have an extra unnecessary hop for all the traffic on my cluster. Having to have all traffic hit my firewall over a 1Gb port doesn't seem like the most efficient setup.

    Thoughts?
     
    #1
  2. PigLover

    PigLover Moderator

    Joined:
    Jan 26, 2011
    Messages:
    2,771
    Likes Received:
    1,114
    It all depends on the type and volume of traffic that crosses between VLANs.

    If your VLANs are reasonably isolated and independent with limited traffic between them then leave it on the pfSense box. You have better control and reporting there than you do on the L3 switch.

    If, however, there is a lot of traffic crossing between VLANS - high bandwidth, lots of PPS or latency sensitive traffic - then you'd be better off routing it on the L3 switch. For example, if you have a file server on one VLAN and the clients of that FS on another then the pfSense box becomes a bottleneck and you should do it locally.

    Adding some esthetic comments and perhaps value judgements, if you find the pfSense box to be a bottleneck then you've likely done the VLAN design wrong. VLANs should be used to isolate things that are, in fact, isolated.

    Sent from my SM-G925V using Tapatalk
     
    #2
  3. IamSpartacus

    IamSpartacus Well-Known Member

    Joined:
    Mar 14, 2016
    Messages:
    1,925
    Likes Received:
    414
    Well, things like vSAN, vMotion, FT/HA are indeed completely isolated so I don't need to worry about routing those VLANs. However, you brought up file servers. Are you saying it's not good practice to have your clients on a different VLAN than your servers (in this case media server)?
     
    #3
  4. PigLover

    PigLover Moderator

    Joined:
    Jan 26, 2011
    Messages:
    2,771
    Likes Received:
    1,114
    I think, in general, your clients' performance is highly dependent on the performance of the network they use to access the servers. As always, the correct approach depends on application requirements. But in general the clients should be on the same VLAN as the servers they depend upon. Even the L3 routing in your switch will add latency and could limit throughput. And the common file sharing protocols (NFS & SMB) are highly latency sensitive.

    That does not prevent the servers from also being connected privately on a second interface/VLAN for performance and/or security isolation.

    Sent from my SM-G925V using Tapatalk
     
    #4
  5. whitey

    whitey Moderator

    Joined:
    Jun 30, 2014
    Messages:
    2,762
    Likes Received:
    857
    Most often data plane services in a virtualization env such as IP based stg, vMotion, sVMotion, FT, vSAN, etc. would be done over L2 switching/VLANs...no need for L3. Now your mgmt traffic may very well go over a routed L3 FW conn if you set it up that way, but all the other traffic is typically contained on a L2 switch/stack on separate VLANs providing blazing fast 10G conn's, ideally, for these types of virt data plane traffic that chew up throughput.
     
    #5
  6. IamSpartacus

    IamSpartacus Well-Known Member

    Joined:
    Mar 14, 2016
    Messages:
    1,925
    Likes Received:
    414
    I decided against moving things off pfSense. Instead I added a LAGG group between pfSense and my switch for fault tolerance and defined my VLANs on both pfSense (x.x.x.1) and my switch (x.x.x.2).
     
    #6
  7. sth

    sth Active Member

    Joined:
    Oct 29, 2015
    Messages:
    249
    Likes Received:
    37
    I added a 10Gb card to pfSense to increase the trunk capacity rather than create a LAGG group. Intel X520/X540 are available on eBay cheaply and work with netmap and Suricata if that's your thing. http://info.iet.unipi.it/~luigi/netmap/
     
    #7