Using pfSense with a L3 core switch


I was looking and it seems like my Cisco 150ax APs support the Cisco Dashboard as well. I may be able to tie all the hardware into one view. I ran Cisco's Findit software way back when, before I turned off my rack and I had no servers to run it on. If I start using my Windows 11 workstation as my NAS maybe I can tie in Cisco Dashboard. I don't know enough to do it right now, but maybe.
 
I have been running Resolver for several weeks, maybe a month, but recently it has developed a pause when running Resolver with Microsoft's default web page. I do use DNSSEC with QUAD9. It was working faster when I first tested it.
I switched back to DNS forwarding and it is not as fast, but it is smooth and consistent without a pause.
Has anybody seen this using Windows 11?
 

Not running Windows 11, but I've seen similar behavior on Win10 and earlier - the DNS cache can get stale, so sometimes it helps to clear it on the PC that is seeing the problem...

It's easy enough - just pop open a command shell and type

ipconfig /flushdns

That usually does the trick - especially these days, where all the major providers are running their own CDNs...
 
Anybody running an L3 switch with pfsense? What do you think?

Surprised nobody responded here - I would say that anyone that is doing more than just basic routing is going to have some sort of managed switch in play...

When I was running pfSense, I used a Netgear GS-108T, which is layer 3 - not as fully featured as the Cisco L3 switches, but more than enough for my purposes...
 
I have "Serve cache records even with TTL of 0" set which should refresh them in background using resolver.
 
180ms is due to DNS encryption, but it is not that big to cause problems.
Also, since you use 9.9.9.9 as DNS on the laptop and still have the problem, it is not pfSense related.
So, I have been thinking about the 180ms encryption. Do you think it had anything to do with using a Broadcom NIC? I am now using an Intel NIC and I am not seeing the high delay. I am also using a 6th gen motherboard, which is newer than the older motherboard. The clock rates are about the same on the CPU, 3.2 vs 3.4.
 
So, a few weeks ago we had a power outage. My whole house went quiet. I was on my laptop doing what I do online, and it was still working. I just kept working online with no interruptions. So did my wife using her Apple Air. It is nice to have an APC backup solution. After 10 minutes or so the power came back on, and the house fired up with everything running. I have a large house with 3 wireless APs. My wife was in the back part of my house.

Our power company has been having issues keeping up with power demand since we have been over 106 degrees every day. They have asked us to conserve, so we have our thermostat set at 80 degrees. It is high, yes, but it is a 26 degree difference from outside, so it still feels cool. I also use ceiling fans when you are in the room.

I did notice my router is running 1 to 2 degrees higher in temperature with the thermostat set at 80.
 
I have also done some experimenting with DNS some time ago. I used THIS tool and could not find anything better than using Unbound with the below settings. All my clients have 192.168.1.1 as DNS server, and I cannot recall that I had to use another setting for that in pfSense to enable the clients to pick this up when set to DHCP. The guideline is to leave the DNS settings in the DHCP service blank to ensure the below is applied.


I use Unbound for local DNS queries. In the Unbound settings I switched on forwarding and TLS mode.

Then you configure some DNS servers that support TLS.
Make sure you also add the domain names of those DNS servers, like so.

After that all your DNS traffic is TLS encrypted.
 
You most likely will. What hardware does your pfSense firewall run on? On a home network, for routing between VLANs I would rather increase the bandwidth between the firewall and the switch. Anything i5 2nd Gen and above can route multi-gigabit, if you have proper NICs to transport the bits in and out.

I agree.

If you use an L3 switch you need access control lists (ACLs), with limited options to filter traffic.
For a small SOHO network a router on a stick works well.

If you want to use several (V)LANs, creating a multi-port LAG between the router and the switch for inter-VLAN routing works great.

I use 2x 2.5 Mbps NICs (i225) in a LACP LAG to my switch.
 
That is the fun of running your own network. I am back to forwarding instead of resolver as I keep hitting slowdowns after a month or so. This has happened to me on 2 different Dell PCs and different NICs. I am not into using any port for DNS other than port 53 so TLS is out for me. And I won't use Cloudflare for anything.

I have no problem using ACLs on my layer 3 Cisco switch. At least if I make a mistake I don't open up my firewall. Plus, the L3 switch is faster than using a separate router regardless of bandwidth. Just think out the traffic path for both.

PS
I will try resolver again after the new pfsense upgrade. Plus, I plan to add an IDS.
 
That is the fun of running your own network. I am back to forwarding instead of resolver as I keep hitting slowdowns after a month or so

That's still kind of weird... I acknowledge that you're observing this, and I'm not sure why you'd be seeing the slowdowns.

DNS Resolver = unbound
DNS Forwarder = dnsmasq

Both are pretty robust and stable - and you're not running TLS, so that's even more odd... To fix it, I suppose just reload the daemon (whichever is in use), and that should flush the caches..

Have you set up logging on the queries to see where the delays may be?
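Pulled together as an added example (not from the thread, and not the file pfSense generates): the raw unbound.conf equivalent of the Unbound setup described earlier in the thread (TLS forwarding with the upstream server names so certificates are actually checked), plus serve-expired, which is what pfSense's "Serve cache records even with TTL of 0" toggles, and the query/reply logging asked about here for finding where the pauses are. The Quad9 addresses and TLS name are Quad9's published values; the CA bundle path is an assumption that varies by OS.

```conf
server:
    # Listen on the LAN address the thread's clients use; example values.
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    # DNSSEC validation (the "validator" module); anchor file path is an assumption.
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/unbound/root.key"
    # CA bundle used to verify the upstream TLS certificates.
    # Without this line forward-tls-upstream still encrypts but cannot authenticate.
    tls-cert-bundle: "/etc/ssl/cert.pem"
    # "Serve cache records even with TTL of 0": hand out an expired record
    # immediately and refetch it in the background instead of making the
    # client wait for the upstream round trip.
    serve-expired: yes
    serve-expired-ttl: 86400
    # Per-query and per-reply logging while troubleshooting; the reply lines
    # carry the time taken, which is what shows whether a pause is upstream
    # or local. Verbose, so turn it back off once done.
    log-queries: yes
    log-replies: yes
    log-time-ascii: yes
    verbosity: 1

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Address@port#authname: the name after '#' is what the certificate is
    # checked against. Leaving it off is the common mistake that makes
    # "DNS over TLS" encrypted but unauthenticated.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

In pfSense these server: lines go in the Resolver's custom options box and the forward-zone is what the "DNS Query Forwarding" and "Use SSL/TLS" checkboxes generate.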

 

I have no issue with DNS Forwarding. It just works. It is DNS Resolver that I see the slowdowns after a while. I only use QUAD9 for DNS. I am not interested in trying a different DNS. It sounds like work. I will turn on logging with the next release.
To fix the slowdowns with resolver I just switch to forwarding. A little slower but no pauses when it is acting up, so it is faster when I am seeing the issues.
 
It looks like pfSense Plus is no longer free. I just read it on Reddit. You have to use CE, otherwise pay $129. Can anybody confirm it?

I guess I have to be careful playing with my pfSense Plus. I would have set up an SSD mirror if I had known.
 
The pfSense website doesn't mention anything about this. It still states free for Non-commercial use. Commercial use is at 129 USD.
 
I'm afraid it is $400 per year, not $129.
In comparison, Mikrotik asks for $45 if you want the ISO image to install on your own hardware.
 
Yea, the only thing that changed is TAC support? I can live with that, as I only use it at home and I get enough support on this site and the pfSense forums that I am good.

If I were a business, I would pay for support, as I would not want downtime, plus I would buy pfSense hardware just to make sure I had good working hardware.
 
I looked again and there is no home and lab. If you click on the $0.0 pfSense Plus you end up on a $399 screen.
 