When I initially set up pfSense, knowing very little about it, most of the main LAN and management was left on the default VLAN (1), and other VLANs were subsequently added.
Consequently, I ended up with pfSense at 192.168.0.1, and switches, APs and my main PCs & management also in the 192.168.0.xxx subnet (VLAN 1, which is the default VLAN).
Other VLANs, including 20, 30, 40, 50, 60, 70 and 80 for various bits such as IoT etc., were then created and firewall rules added.
As I transition over to L3 routing these VLANs need moving to the L3 switch, only to find the Draytek switch I’m using only allows a max of 8 interfaces! This move will also require the creation of a transit VLAN for traffic from the switch to pfSense, taking me right to the limit of 8 interfaces, not including the default VLAN.
I believe people generally do not use the default VLAN in pfSense, which would cause me to add a management VLAN, taking me over the max 8 interface limit and forcing me to combine a couple of VLANs, which I could do if necessary.
Should I leave pfSense, switches & APs on 192.168.0.xxx (default VLAN) and create a new VLAN for management, i.e. main PCs etc., or move everything from the default VLAN to a new one and not use the default VLAN at all? Not sure which is the recommended way to go here!
Are you saying leave the default VLAN (1) on pfSense? But will that not mean I will then need another VLAN (management) on the L3 switch to handle the devices currently on VLAN 1, which will mean I exceed the max limit of 8 interfaces on the switch?
OK, what I mean is that in pfSense I have the default VLAN (1) set up with pfSense, switches and my main PCs on 192.168.0.x, and although these are statically addressed there is a DHCP server there for anything else that attaches to that VLAN.
giving a total number of VLANs with DHCP servers of 8.
Transferring to a Draytek L3 switch with a max number of VLAN interfaces of 8 gives me a problem, as I will also need to add a ‘transit’ VLAN for L3 routing, i.e. unknown traffic will get routed to pfSense via the ‘transit’ VLAN via a static route. This gives a total of 9 VLANs, which I cannot have, but which can be got around by combining 2 of the VLANs - not ideal but I can live with it for now.
However, having set up the L3 switch for the VLANs detailed above, the default one doesn’t appear to have an option for a DHCP server!
Consequently, when I set up a port so a device connects to the default VLAN (PVID 1) it fails to get an address. If I set it to any of the other VLANs (apart from ‘transit’) then it gets an IP address in the correct subnet according to the DHCP server.
So, is there usually an option to have a DHCP server on the default VLAN on an L3 switch? The switch I am using is the Draytek FX2120.
Alternatively, is the only other option to set pfSense, switches & APs as static (already done) on the default VLAN (1) and move my PCs etc. to a new VLAN that has a DHCP server, although I will once again fall foul of the max 8 interfaces limit on the switch?
Currently I have the VLANs on pfSense but was hoping to go to L3 routing for when 10G arrives shortly and maintain line speed, hence the need to transfer the VLANs to the FX2120.
It is the number of interfaces, which is limited to 8 on the FX2120, that will cause the issue I think.
So, basically I should leave well alone and live with pfSense doing the routing? Although if pfSense goes down the lot goes down, i.e. the internal network stops also.
If you’re concerned about router/firewall failure, you can do HA on a single WAN connection with the second pfSense box automatically taking over if the first one fails.
Interesting watch, so it looks like I would need 3 WAN static IP addresses instead of the one I currently have. Don’t think that would be a problem with my current ISP. However, just to clarify, as I currently have 8 VLANs, would I be able to use the 3 WAN IPs for each VLAN?