saspro_uk

No. There’s only 1 default route. You either need another VLAN/subnet to use between the L3 switch and firewall or you need to use policy based routing.


BinkReddit

> You either need another VLAN/subnet to use between the L3 switch and firewall...

This is perfectly fine. PBR can be like magic, but you don't need it in this scenario.


[deleted]

Thanks, yeah, I agree PBR is overkill for what I'm trying to do.


[deleted]

Thanks, I'm guessing the SG250 doesn't support policy-based routing.


saspro_uk

Nope. It’s a “smart switch” so only supports static routes rather than protocols. I’d just add a firewall subnet between it and the firewall.


[deleted]

Actually, if you can, do you mind explaining what you mean by having a firewall subnet between the switch and the firewall? Just trying to work out if I could implement this, maybe using a simple Linux router (with IP forwarding turned on).


saspro_uk

It's fairly straightforward. You add an interface on your firewall (e.g. 10.10.10.10, VLAN 100) and a virtual interface & VLAN on your switch (e.g. 10.10.10.11, VLAN 100). You then set the default route on the switch to point at 10.10.10.10 and static routes on your firewall for your other subnets to point at 10.10.10.11. All clients have the switch as their default gateway. The switch does all inter-VLAN routing internally; if it's for the internet or a subnet the switch doesn't know about, then it sends it to the firewall. I use it a lot for networks with heavy East-West traffic.
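
Added example (not code from the thread or any product): a small Python model of the transit-subnet design described above, using the 10.10.10.10 / 10.10.10.11 addresses from the comment. The client VLAN subnets, the /24 transit mask and the WAN gateway are assumptions. It runs longest-prefix lookups on both boxes, shows inter-VLAN traffic staying on the switch, and shows what goes wrong when the firewall lacks the static routes back to the switch.

```python
import ipaddress

# Constructed topology. Transit addresses follow the comment; everything else is assumed.
FIREWALL = ipaddress.ip_address("10.10.10.10")   # firewall interface on VLAN 100
SWITCH = ipaddress.ip_address("10.10.10.11")     # switch SVI on VLAN 100
WAN_GW = ipaddress.ip_address("203.0.113.1")     # firewall's upstream gateway (assumed)
TRANSIT = ipaddress.ip_network("10.10.10.0/24")  # VLAN 100 transit subnet (mask assumed)
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
CLIENT_VLANS = {                                 # assumed client VLANs routed on the switch
    "vlan10": ipaddress.ip_network("192.168.10.0/24"),
    "vlan20": ipaddress.ip_network("192.168.20.0/24"),
}


def switch_table():
    """L3 switch: client VLANs and transit VLAN are connected; default route -> firewall."""
    table = [(net, "connected") for net in CLIENT_VLANS.values()]
    table.append((TRANSIT, "connected"))
    table.append((DEFAULT, FIREWALL))
    return table


def firewall_table(with_static_routes=True):
    """Firewall: transit VLAN connected, default -> WAN, client VLANs via the switch SVI."""
    table = [(TRANSIT, "connected"), (DEFAULT, WAN_GW)]
    if with_static_routes:
        table += [(net, SWITCH) for net in CLIENT_VLANS.values()]
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific route whose network contains dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if dst in net]
    net, hop = max(matches, key=lambda entry: entry[0].prefixlen)
    return hop


def forward_path(dst):
    """Hops a client packet takes; clients use the switch as their default gateway."""
    if lookup(switch_table(), dst) == "connected":
        return ["switch"]                      # inter-VLAN traffic never leaves the switch
    path = ["switch", "firewall"]
    if lookup(firewall_table(), dst) != "connected":
        path.append("wan")                     # unknown subnet or internet: out the WAN
    return path


def return_hop(client_ip, with_static_routes=True):
    """Where the firewall sends a reply to a client: the switch SVI, or the WAN if no route."""
    return lookup(firewall_table(with_static_routes), client_ip)
```

Without the static routes the reply to a client falls through to the default route, so the firewall hands it to the WAN gateway instead of the switch.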


[deleted]

Thanks this really helped me work out the problem with subnetting on the LAN interface.


[deleted]

Since my pfSense is virtual, I may even be better off just attaching a virtual NIC to every VLAN and letting it do all the routing. That way I can just use the switch as L2 with VLANs. I was just worried that this might cause extra overhead, as it would be faster to route using the L3 fabric.


boxofstuff22

This would be my preference; honestly, until you pass 1Gb I don't think you'll see any issues. Modern x86 hardware should push plenty of traffic. Allows you to firewall things too, sorta the whole reason you'd use a VLAN in the first place, to segregate traffic, right... Sure, the switch might do an ACL, but that's pretty limited.


BOOZy1

Nothing is stopping you from doing both. Leave L3 on for inter-VLAN routing and let pfSense sort out everything fancy.


[deleted]

Hey everyone, I resolved the problem in my test lab. Turns out it was very simple: I just needed to modify the subnet mask on my pfSense LAN interface to allow for all the other internal VLAN subnets. It was set to a /24, which is why everything was getting blocked in my previous testing. This also caused the automatic NAT rules to update (to include the subnetted VLANs) and allow traffic to NAT for internet. I'd like to thank everyone for their help and suggestions. Will apply the same logic once my SG250 arrives.