pfSense and firewall rules for 10G VLANs

Hi all,

I am in the process of replacing my current router with a pfSense build and plan to wire the pfSense box as follows:

(WAN from ISP router) ----> pfSense ----- LAN + VLANS ---> Unifi 16 XG Switch (1)
                                                                  |
                                                                  /
                                   Unifi 16 XG Switch (2)  <------
                                                                  |
                                                                  /
                                   Unifi 16 XG Switch (3)  <------

I will be having VLANs passed down to 16XG Switches (2) & (3) from Switch (1). There will be firewall rules in pfSense regarding traffic across these VLANs.

For these connections to sustain 10G connectivity, doesn’t this mean the pfSense —> 16XG Switch (1) link needs to be a 10G link as well?

i.e. any packets crossing Switch (2) to Switch (3), say from VLAN 10 to VLAN 20, would need to make a round trip through the pfSense LAN interface, right?

Thanks!

Yes, this is the advantage of having a switch that supports layer 3 routing. The L3 for a switch means that it has routing capabilities. This means that for intra-VLAN communication, it uses the MAC address table like a L2 switch and for extra-VLAN communication, it uses the IP routing table and will not need to make the round trip back to the pfSense.


Fantastic! It also seems like the UniFi 16XG supports layer 3 routing. This is exactly what I’m after!

Layer 3 switching means no firewall. It will route between vlans but it cannot filter since that requires layers 4 and 5.

Does that mean cross-VLAN (or intra-VLAN) traffic that has firewall rules needs to make a round trip through the pfSense router itself (for layers 4/5)?

If so, this would mean that I would need a 10G NIC in the pfSense box. I guess I’ll have to just try this and see, hmm.

If you want to firewall traffic through pfSense, traffic will have to go through pfSense.

Otherwise, the gateway (default route) for these hosts becomes the IP on the switch, and the switch does routing instead of traffic going to pfSense for firewalling.

It’d be really nice if the switch was just a connection tracking accelerator… but it’s not.
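To make the trade-off in this thread concrete, here is a small Python model of the three forwarding cases the replies describe: same-VLAN traffic is L2-switched, traffic whose default gateway is the switch SVI is routed in the switch without any filtering, and traffic whose default gateway is pfSense hairpins over the pfSense-to-Switch (1) trunk and is evaluated against the rules on the inbound VLAN interface. This is an added example, not code from the thread, pfSense or UniFi. The addressing, hosts, the `gateway` field, and the ruleset are constructed assumptions; pfSense's top-down, first-match, implicit-default-deny rule evaluation is modelled in simplified form.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    ip: IPv4Address
    vlan: int
    gateway: str  # "switch" (L3 switch SVI) or "pfsense" (pfSense VLAN interface); constructed


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port


# Constructed sample addressing for the two VLANs in the question.
VLAN_NETS: Dict[int, IPv4Network] = {
    10: ip_network("10.0.10.0/24"),
    20: ip_network("10.0.20.0/24"),
}

# Constructed sample ruleset, keyed by the VLAN interface the traffic enters pfSense on.
# pfSense evaluates rules top-down, first match wins, and anything unmatched is
# dropped by the implicit default-deny rule.
RULES: Dict[int, List[Rule]] = {
    10: [
        Rule("pass", VLAN_NETS[10], VLAN_NETS[20], 443),  # VLAN 10 may reach VLAN 20 on HTTPS
        Rule("block", VLAN_NETS[10], VLAN_NETS[20]),      # everything else to VLAN 20 is blocked
    ],
    20: [],  # VLAN 20 has no pass rules: it cannot initiate anything across VLANs
}


def firewall_verdict(rules: List[Rule], src: IPv4Address, dst: IPv4Address, dport: int) -> str:
    """First-match evaluation with an implicit block at the end."""
    for rule in rules:
        if src in rule.src and dst in rule.dst and rule.dport in (None, dport):
            return rule.action
    return "block"


def forward(src: Host, dst: Host, dport: int) -> Dict[str, object]:
    """Decide where a packet from src to dst is forwarded and whether pfSense sees it."""
    if src.vlan == dst.vlan:
        # Same VLAN: plain L2 switching on the MAC table; pfSense never sees it.
        return {"path": "l2-switch", "filtered": False, "verdict": "pass"}
    if src.gateway == "switch":
        # Default gateway is the switch SVI: routed in the switch, no filtering at all.
        return {"path": "l3-switch", "filtered": False, "verdict": "pass"}
    # Default gateway is pfSense: the packet rides the trunk up to pfSense, is
    # filtered on the inbound VLAN interface, and (if passed) rides back down.
    verdict = firewall_verdict(RULES.get(src.vlan, []), src.ip, dst.ip, dport)
    return {"path": "pfsense-hairpin", "filtered": True, "verdict": verdict}


Flow = Tuple[Host, Host, int, float]  # (src, dst, dport, offered Gbps)


def trunk_load(flows: List[Flow]) -> Dict[str, float]:
    """Per-direction load on the pfSense <-> Switch (1) trunk caused by hairpinned flows.

    Traffic toward pfSense counts whether or not it is passed (blocked flows are
    only dropped after they arrive); traffic back from pfSense counts only the
    flows the ruleset passes.
    """
    to_pf = from_pf = 0.0
    for src, dst, dport, gbps in flows:
        decision = forward(src, dst, dport)
        if decision["path"] != "pfsense-hairpin":
            continue
        to_pf += gbps
        if decision["verdict"] == "pass":
            from_pf += gbps
    return {"to_pfsense_gbps": to_pf, "from_pfsense_gbps": from_pf}


# Constructed sample hosts: a, a2 and b use pfSense as gateway, c uses the switch SVI.
HOST_A = Host("a", ip_address("10.0.10.5"), 10, "pfsense")
HOST_A2 = Host("a2", ip_address("10.0.10.6"), 10, "pfsense")
HOST_B = Host("b", ip_address("10.0.20.5"), 20, "pfsense")
HOST_C = Host("c", ip_address("10.0.10.7"), 10, "switch")

SAMPLE_FLOWS: List[Flow] = [
    (HOST_A, HOST_B, 443, 6.0),   # filtered and passed: hairpins through pfSense
    (HOST_A, HOST_B, 22, 3.0),    # filtered and blocked: still reaches pfSense
    (HOST_C, HOST_B, 22, 5.0),    # routed on the switch: bypasses the firewall entirely
    (HOST_A, HOST_A2, 445, 8.0),  # same VLAN: L2 switched, never leaves the switch
]

if __name__ == "__main__":
    for src, dst, dport, gbps in SAMPLE_FLOWS:
        print(f"{src.name} -> {dst.name}:{dport} {forward(src, dst, dport)}")
    print(trunk_load(SAMPLE_FLOWS))
```

The host that points its default route at the switch SVI (`HOST_C`) gets a "pass" verdict with `filtered` set to False, which is the point of the last two replies: once the switch is the gateway, pfSense's rules simply never apply to that traffic. The `trunk_load` figure shows why the OP's 10G NIC question matters: every hairpinned flow, blocked or not, consumes the trunk in the direction toward pfSense, so a 1G pfSense uplink caps all firewalled inter-VLAN traffic at 1G regardless of the 10G switch fabric.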