Layer 3 switching

We have Unifi switches where I work and a pfSense firewall. We’ve debated turning on layer 3 switching in Unifi in hopes of having less traffic traversing across the network, but we’re unsure what that would end up meaning for the pfSense firewall routing though. Anyone have any insight?

I prefer to keep everything going through pfsense so I can have one place to control all my traffic.

2 Likes

Maybe you should step back for a second. Why are you wanting to do layer 3 switching on the switch instead of the Firewall?

The thought is that it would be more performant. Summarised in this screenshot after I just did a search for “should you do layer 3 at the switch level versus at the firewall”:

Well. You have 2 options.

  1. You might get a performance boost which might not be that significant if you do your routing at the switch. And deal with routing on the switch, which will render pfsense useless.

  2. Use pfsense and not worry about it. If you need more horse power then get a bigger netgate.

Me personally I like to use a firewall rather than using the switches to manage rules. Everything is in one spot. And less likely to make mistakes.

1 Like

Routing speed will be limited to the interface on the Firewall. If you want high performance get a Firewall with a fast interface.

For fastest performance put devices in the same broadcast domain.

Any idea how it would work in a full Unifi setup? Like a UDM Pro Max instead of the pfSense. Would it play nicer since the L3 switching might be controlled and settings distributed via the Unifi controller?

I have a UniFi Layer 3 switch doing some internal routing between VLANs, and then an OPNsense (similar enough to pfSense) firewall handling edge duties. The biggest piece is that you have to make sure the devices are aware of the networks behind each other. With UniFi, they have some fairly strict (but thankfully documented) requirements for how to configure your router/firewall to be visible to the switches as the next hop (https://help.ui.com/hc/en-us/articles/360042281174-Layer-3-Routing). The less obvious part is that you have to also configure the router/firewall to know that the switch is the next hop for your networks. In my case I use a static route configuration, and while I think there are protocols that make this more automatic, I’ve never tried them. There is a separate VLAN/subnet used for the traffic between the switch and the router, and as you can see from the docs, UniFi is very opinionated on what that network should be.

I was able to simplify my configuration some by defining that my network would all fit within a single /19 (I use part of the 172.0.0.0/12 private range) and then each individual subnet is a specific /24 within that /19. This means that I only have to configure one static route on the edge router/firewall so that it can find all of the internal devices. One catch with UniFi is that you cannot assign the IP of the switch; it appears to just assign them in the order that a layer 3 network is configured on a switch, so determining that next hop can be slightly annoying. The docs imply that this is more automatic with a UniFi router. The switch IPs on that routing VLAN do appear to be very consistent for a given device, however; I initially learned mine by looking at the router’s MAC tables. For reasons, I do happen to have a different /24 on a different switch (I actually have 2 switches performing layer 3 duties) as well, but that /24 is not within the same /19, so it’s simply a separate static route on the OPNsense box.

ACL support (switches only use stateless ACLs, not a stateful firewall) in UniFi is a bit lacking compared to other switch manufacturers I’ve used in the past. While it does work well for isolating VLANs from each other, it gets harder if you need to punch specific holes for specific ports. One example would be if you’re using a DHCP relay and need access to the DHCP server itself, or to a DNS server, that lives only in a specific VLAN. Generally speaking, you’d probably be best off with either dedicated nodes in each VLAN for such responsibilities, or a VLAN that everything else can access. Or just don’t create any ACLs and let all devices talk to each other.

A big caveat, as I and another member here learned (there’s a whole thread here on this one), UniFi Layer 3 switching sometimes has issues. I have good luck with their Enterprise hardware, but when I had a ProMax switch for a bit, it was having severe issues. UniFi does appear to have found the bug in their software and fixed those issues in a beta release, but it took weeks of back and forth with them (and an RMA in the meantime) before they figured that out.

And yes, this is probably all overcomplicated for my home network, but what else am I supposed to experiment and learn on?

1 Like
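The route design in the post above (VLAN /24s collapsed into one /19 summary route on the edge firewall pointing at the switch's transit-VLAN address, with a stray /24 on a second switch routed separately), as an added Python example that is not the poster's configuration; every address here is constructed, and the overlap check is the one thing to verify before adding such routes, since a summary pointing at one switch would otherwise swallow a VLAN routed via another:

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology (not the original poster's addresses): the transit VLAN
# between the edge firewall and the L3 switches, and the firewall's IP on it.
TRANSIT_VLAN = ipaddress.ip_network("172.16.255.0/29")
FIREWALL_TRANSIT_IP = ipaddress.ip_address("172.16.255.1")
SUMMARY_PREFIX = 19  # the post's design: every VLAN /24 lives inside one /19


def static_routes(switches: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (destination, next_hop) static routes for the edge firewall.

    `switches` maps each L3 switch's transit-VLAN IP to the VLAN subnets it
    routes. Subnets sharing one /SUMMARY_PREFIX collapse into a single summary
    route; a lone subnet outside it gets its own route (the separate /24 on a
    second switch that the post describes).
    """
    routes: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]] = []
    for hop_str, subnets in switches.items():
        hop = ipaddress.ip_address(hop_str)
        if hop not in TRANSIT_VLAN or hop == FIREWALL_TRANSIT_IP:
            raise ValueError(f"next hop {hop} must be a switch address on {TRANSIT_VLAN}")
        groups: Dict[ipaddress.IPv4Network, List[ipaddress.IPv4Network]] = {}
        for s in subnets:
            net = ipaddress.ip_network(s, strict=True)
            groups.setdefault(net.supernet(new_prefix=SUMMARY_PREFIX), []).append(net)
        for summary, members in groups.items():
            # Two or more VLANs under the same /19: one summary route covers them.
            routes.append((summary if len(members) > 1 else members[0], hop))
    # A summary via one switch must not overlap a prefix routed via another switch,
    # or the firewall would forward that VLAN's traffic to the wrong next hop.
    for i, (dst_a, hop_a) in enumerate(routes):
        for dst_b, hop_b in routes[i + 1:]:
            if hop_a != hop_b and dst_a.overlaps(dst_b):
                raise ValueError(f"route {dst_a} via {hop_a} overlaps {dst_b} via {hop_b}")
    return [(str(d), str(h)) for d, h in routes]


if __name__ == "__main__":
    # Constructed example: switch .2 routes three VLANs inside 172.16.0.0/19,
    # switch .3 routes one VLAN that falls in a different /19.
    for dst, hop in static_routes({
        "172.16.255.2": ["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24"],
        "172.16.255.3": ["172.16.40.0/24"],
    }):
        print(f"route {dst} via {hop}")
```

Each returned pair is one static route on the firewall: destination prefix, gateway set to the switch's transit-VLAN address.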