pfSense in a L3 Network

We are in the process of upgrading a lot of our switching infrastructure. This includes adding in some layer 3 switching (we have audio and video over IP requirements). With the previous setup, we were the typical ubnt for switching and wireless access and then a netgate 5100 for the firewall. I’m completely new to the layer 3 switching stuff and quickly learning there are a lot of intricacies. Specifically, because we were running DNS and DHCP on our netgate box. Since reading through threads and such, with a layer 3 switch and pfsense, there isn’t much that pfsense can do when used with a layer 3 switch, am I correct? In which case, what are some options when it comes to DNS/DHCP servers that can serve some of the same functions that pfsense does? We are a mixed environment when it comes to computers used (Windows, Mac, and Linux) and we don’t have a need or a want to run a windows server for DNS/DHCP, lol!

So I guess, I’m really just looking for some suggestions and assistance with some of the services that will have to be implemented when we move to the layer 3 set up. We may also have to figure out our VPN solution as it was on the pfsense box as well.

Can any one familiar with layer 3 setups, confirm or correct some of this?

Zentyal Development edition can run your domain; this is the free version, so you just need a server or a VM. I’ve never used the DHCP server function of pfsense so no real comment, but I would guess you can set it up to have a DHCP server on each vlan. It definitely supports multiple vlans on a single connection.

If this is for a business, it might be a nice idea to see what you need to buy this, but I think it is about the same price as a Windows Server license.

1 Like

Why are you looking for new DHCP/DNS options? You can set up a DHCP Relay/IP Helper on the switches and still have your pfsense box handle your DHCP duties. Work is pretty much 100% a cisco shop, but we still do DHCP/DNS on Windows servers. We set up an IP helper on the layer 3 switch for the network and that lets us use the DHCP server in another network.

I do the same at home actually even though I’m not running a layer 3 switch. I just set up pfsense to be a DHCP relay and it listens on each network and sends the DHCP requests off to my windows server.
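The relay/IP-helper mechanism this reply describes, as an added example that is not from the thread, from pfSense or from any switch vendor's code: a DHCP server picks the pool for a relayed request from the giaddr field the relay fills in (RFC 2131), which is why the server needs no interface in the client's VLAN. The scopes, relay addresses and client MAC below are constructed for the example.

```python
import ipaddress
import struct

# Constructed scopes, one per routed VLAN, as the firewall's DHCP server would
# hold them. Subnets are made up for this example.
SCOPES = {
    ipaddress.ip_network("10.10.0.0/24"): ("10.10.0.100", "10.10.0.199"),
    ipaddress.ip_network("10.20.0.0/24"): ("10.20.0.100", "10.20.0.199"),
}

def build_discover(giaddr: str, chaddr: bytes, hops: int = 0) -> bytes:
    """Minimal BOOTP/DHCP DISCOVER as it reaches the server (RFC 2131 sec. 2).
    giaddr is the relay's address on the client VLAN; 0.0.0.0 means no relay."""
    header = struct.pack("!BBBBIHH4s4s4s4s",
                         1, 1, 6, hops,          # BOOTREQUEST, Ethernet, hlen, hops
                         0x3903F326, 0, 0x8000,  # xid (constructed), secs, broadcast flag
                         b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr
                         ipaddress.ip_address(giaddr).packed)
    body = chaddr.ljust(16, b"\0") + b"\0" * 192          # chaddr, sname, file
    options = b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"   # magic cookie, DHCPDISCOVER, end
    return header + body + options

def select_scope(packet: bytes, server_iface_ip: str):
    """Scope selection as RFC 2131 sec. 4.3.1 describes it: the client's subnet is
    taken from giaddr when a relay filled it in, otherwise from the interface the
    server received the broadcast on. Returns the matching network or None."""
    if packet[0] != 1:                       # not a BOOTREQUEST
        return None
    giaddr = ipaddress.ip_address(packet[24:28])
    anchor = giaddr if int(giaddr) else ipaddress.ip_address(server_iface_ip)
    for net in SCOPES:
        if anchor in net:
            return net
    return None                              # VLAN without a pool: server stays silent

def reply_destination(packet: bytes) -> tuple:
    """Where the OFFER goes: unicast to the relay (port 67) when giaddr is set,
    otherwise broadcast on the local segment (port 68)."""
    giaddr = ipaddress.ip_address(packet[24:28])
    return (str(giaddr), 67) if int(giaddr) else ("255.255.255.255", 68)

if __name__ == "__main__":
    mac = bytes.fromhex("0011223344aa")                   # constructed client MAC
    relayed = build_discover("10.20.0.1", mac, hops=1)    # via the switch's VLAN 20 SVI
    local = build_discover("0.0.0.0", mac)                # client on the server's own segment
    print(select_scope(relayed, "192.0.2.2"), reply_destination(relayed))
    print(select_scope(local, "10.10.0.1"), reply_destination(local))
    print(select_scope(build_discover("10.30.0.1", mac, 1), "192.0.2.2"))  # no pool: None
```

The last call shows the failure mode behind the original question: a VLAN whose relay address matches no configured pool simply gets no offer, so each routed VLAN still needs a pool (and a route back to the relay address) on the DHCP server.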

Based on my somewhat limited understanding of how some of this could be set up, it would be limited in pfsense because you had to have networks/interfaces created in pfsense to utilize the dhcp server on pfsense on those networks. If we are routing vlans on the switch, but then also create those same interfaces on pfsense, doesn’t that cause issues and defeat the purpose of routing on the switch? Genuinely asking because this is new territory for us, lol.

My thought process was something like what is mentioned in this article. Creating a transit network between the switch and pfsense for traffic to get out to the internet. I assumed, by setting it up in that way, there would be no interface for 5-6 networks that would be routed on the switch and wouldn’t be able to set up DHCP pools because of that.

L3 switching is in fact routing on your L3-capable switch if you enable it, to route traffic that you consider safe and because you need high bandwidth between some particular vlans for example. The rest of the routing should continue to be done by your gateway, as well as your different services like DHCP and DNS.

In the past, common network layouts (in large companies at least) were like this:
ISP <–> external L3-switch (for BGP routing) <–> firewall <–> internal L3 switch (core) <–> internal L3 switch (distribution) <–> internal L2 switch (access). Also known as the 3-tier architecture (what Cisco taught every CCNA).

Nowadays, NGFW are so powerful that they can assume the role of external L3, firewall and internal L3 core switch at the same time (known as the 2-tier network) and offer really high bandwidth to route between vlans with firewall policy rules on top of that (whereas in the past you needed ACLs on the internal L3 switch to do that), thus adding security to east-west traffic (inter-vlan traffic) on top of north-south traffic (traffic to/from the Internet).

1 Like

Thanks for your insights.