VLAN routing

zzing123

New Around Here
Hi,

I've been stumped for a while trying to set up inter-VLAN routing for my network to segment the different types of network, in order to boost its efficiency as per your article on Jumbo frames and flow control.

VLAN Setup
- DMZ: VLAN 10, already set up, switching my 2 WAN modems with the 2 firewalls.
- Internet: VLAN 20, 2x ALIX 2D3 with pfSense 1.2.3 (100mbit)
- Gbit: VLAN 30, contains 4x LACP trunks to devices (QNAP TS-439, a Win 2008 Server and 2 client PCs, all using Intel Dual Port PT adapters), and a Mac mini with 1x Gbit port
- 100mbit: VLAN 40, 1x printer, powerline to 1 other PC, Xbox 360
- Wifi: VLAN 50, various devices such as iPhones and 2 laptops, mixed 802.11g & n connectivity

Networking gear
Switch: Linksys SGE2000 24 port Gbit switch
Server: has 3x NICs (Intel Dual Port PT, Intel Single port MT, Broadcom Gbit onboard; only the Dual Port is being used currently, but ofc the other 2 can be master ports for the Wifi and 100mbit subnets)
Firewalls: 2x pfSense ALIX 2D3 with 1x spare 100mbit NIC on each (also provide VPN capabilities)

Other info
Ideally, I'd like all traffic routed between the VLANs rather than just bridged, so Gbit traffic is always Jumbo framed and flow controlled, while noise from the higher bandwidth stuff doesn't interfere with the wifi etc, and reduce congestion in the various segments.

I'm using the 10.0.0.0/24 subnet on my network currently. While it's easier to just give each VLAN a 10.0.[VLANID].0/24 subnet, I only actually need to use 16 devices in any segment right now, so I can use smaller (/27, 30 hosts or /28, 16 hosts) subnets for each segment.

My server is a development server, so it gets rebooted often; I would therefore prefer to use the Firewalls for DHCP and the switch for routing, but I'm happy to use the Server if I have to and use the other 2 NICs in it to route between the subnets.

Now the question
I can setup the VLANs and generally all the Layer 2 stuff for each segment, but need help with the Layer 3 stuff:
- Is this a good plan or should I leave it as is?
- What IP addresses should I give each segment?
- What IP addresses should I give key equipment (Firewall, NAS, Server & Switch)?
- How do I set up the switch to route traffic, or if using the server, how should I set that up (RRAS or static routes)?
- How do I ensure services on VLAN 20 (Internet) are accessible from all VLANs bar VLAN 10 (DMZ)?
- How do I ensure services on VLAN 30 (Gbit) are available to VLAN 20 (the firewalls are VPN servers as well), 40 & 50?
- Where should I put the DHCP server (VLAN 20, with the firewalls, or with the Server having a NIC on each segment)?
 
Here's an outline for what you want. You may have to do some poking around on pfsense's website for configuration details, but pfsense will do everything I describe below.

I'd simplify your network and use just one ALIX 2D3 pfsense router/firewall and 3 VLANs. It appears the ALIX 2D3 has 3 interfaces which is more than enough.

Connect the two modems directly to interfaces on the ALIX 2D3 and define those interfaces as WAN interfaces. Pfsense supports load balancing so you can balance the traffic between those two interfaces as you wish.

Create three VLANs on your switch, VLANs 30, 40, and 50 and assign ports to those VLANs. Also, create a trunk port on the switch that is a member of VLANs 30, 40, and 50. Connect the trunk port on the switch to the remaining interface on the ALIX 2D3.

Next, create VLANs 30, 40, and 50 in pfsense and assign them to the remaining interface on the ALIX 2D3. This will create 3 virtual interfaces. Give the 3 virtual interfaces static IP addresses. The virtual interface for VLAN 30 = 10.0.30.1/24, the virtual interface for VLAN 40 = 10.0.40.1/24 and the virtual interface for VLAN 50 = 10.0.50.1/24.

Next, enable a DHCP server on pfsense for each of the 3 virtual interfaces. Set up the DHCP server for the virtual interface with IP = 10.0.30.1 to issue IP addresses of 10.0.30.2-10.0.30.100. Set up the DHCP server for the virtual interface with IP = 10.0.40.1 to issue IP addresses of 10.0.40.2-10.0.40.100. Set up the DHCP server for the virtual interface with IP = 10.0.50.1 to issue IP addresses of 10.0.50.2-10.0.50.100.

Next, connect your devices to the switch ports as you listed: connect your Gbit devices to the switch ports assigned to VLAN 30, your printer and other devices to the switch ports assigned to VLAN 40, and your Wifi and various devices to the switch ports assigned to VLAN 50.

Your devices will get an IP address via DHCP or you can statically assign IP addresses to your devices as you wish. For devices in VLAN 30, you can assign IP addresses of 10.0.30.101 - 10.0.30.254. For devices in VLAN 40, you can assign IP addresses of 10.0.40.101 - 10.0.40.254. For devices in VLAN 50, you can assign IP addresses of 10.0.50.101 - 10.0.50.254. The gateway for devices in VLAN 30 is 10.0.30.1, for devices in VLAN 40 is 10.0.40.1 and for devices in VLAN 50 is 10.0.50.1.

At this point, your network is separated into 3 VLANs and load balancing Internet traffic over your two modems, with the pfsense DHCP servers assigning addresses in the correct subnets to your devices in each VLAN.

If everything is set up correctly, traffic will now route between all VLANs and to the Internet. Test before setting up firewall rules. Make sure traffic is routing out both Internet connections. Disconnect one WAN interface, see if you can surf. Then try the other. Make sure traffic is routing between all VLANs by pinging between devices.

To restrict traffic between the VLANs and to/from the Internet, you can create firewall rules in the pfsense firewall to filter traffic between subnets, hosts, or both. You can get even more specific with firewall rules and restrict traffic based on protocol and port as well.

Good luck!
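The reply above lays out an addressing plan (one /24 per VLAN, gateway at .1, DHCP pool .2-.100, statics from .101) and then says to restrict inter-VLAN traffic with pfSense firewall rules. The following script is an added example, not code from the thread or from pfSense: it models that plan and a small first-match rule set so the two can be checked offline before anything is typed into the firewall. It assumes pfSense's evaluation semantics (rules apply on the interface where traffic enters, first match wins, unmatched traffic is dropped). The policy, the server address 10.0.30.10, and the test flows are constructed for illustration and are not from the thread.

```python
"""Check a per-VLAN addressing plan and evaluate an inter-VLAN policy.

Added example (not from the thread). Assumes pfSense semantics: rules are
evaluated on the ingress VLAN interface, first match wins, default deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addressing plan as given in the reply: one /24 per VLAN, gateway .1, DHCP .2-.100.
VLANS = {
    30: {"subnet": "10.0.30.0/24", "gateway": "10.0.30.1", "dhcp": ("10.0.30.2", "10.0.30.100")},
    40: {"subnet": "10.0.40.0/24", "gateway": "10.0.40.1", "dhcp": ("10.0.40.2", "10.0.40.100")},
    50: {"subnet": "10.0.50.0/24", "gateway": "10.0.50.1", "dhcp": ("10.0.50.2", "10.0.50.100")},
}


def check_plan(vlans):
    """Return a list of problems: overlapping subnets, gateway or DHCP pool outside the subnet."""
    problems = []
    nets = {vid: ipaddress.ip_network(v["subnet"]) for vid, v in vlans.items()}
    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"VLAN {a} and VLAN {b} subnets overlap")
    for vid, v in vlans.items():
        net = nets[vid]
        gw = ipaddress.ip_address(v["gateway"])
        lo, hi = (ipaddress.ip_address(x) for x in v["dhcp"])
        if gw not in net:
            problems.append(f"VLAN {vid}: gateway {gw} not in {net}")
        if lo not in net or hi not in net or lo > hi:
            problems.append(f"VLAN {vid}: DHCP pool {lo}-{hi} not inside {net}")
        elif lo <= gw <= hi:
            problems.append(f"VLAN {vid}: gateway {gw} lies inside the DHCP pool")
    return problems


def static_range(vid, vlans):
    """Addresses left for static assignment: just above the DHCP pool up to the last host."""
    net = ipaddress.ip_network(vlans[vid]["subnet"])
    hi = ipaddress.ip_address(vlans[vid]["dhcp"][1])
    return (hi + 1, net.broadcast_address - 1)


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # source network, CIDR
    dst: str                    # destination network, CIDR
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"
    port: Optional[int] = None  # destination port, None = any


ANY = "0.0.0.0/0"

# Constructed policy (not from the thread), keyed by the VLAN traffic enters on.
# VLAN 40 and 50 may reach a hypothetical file server 10.0.30.10 over SMB and reach
# the Internet; everything else aimed at VLAN 30 is blocked. VLAN 30 is unrestricted.
POLICY = {
    30: [Rule("pass", "10.0.30.0/24", ANY)],
    40: [Rule("pass", "10.0.40.0/24", "10.0.30.10/32", "tcp", 445),
         Rule("block", "10.0.40.0/24", "10.0.30.0/24"),
         Rule("pass", "10.0.40.0/24", ANY)],
    50: [Rule("pass", "10.0.50.0/24", "10.0.30.10/32", "tcp", 445),
         Rule("block", "10.0.50.0/24", "10.0.30.0/24"),
         Rule("pass", "10.0.50.0/24", ANY)],
}


def vlan_of(ip, vlans):
    """Which VLAN's subnet contains this address, or None if it is not one of ours."""
    addr = ipaddress.ip_address(ip)
    for vid, v in vlans.items():
        if addr in ipaddress.ip_network(v["subnet"]):
            return vid
    return None


def evaluate(policy, vlans, src_ip, dst_ip, proto="tcp", port=None):
    """First matching rule on the ingress VLAN decides; no match means default deny."""
    vid = vlan_of(src_ip, vlans)
    if vid is None:
        return "block"
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in policy.get(vid, []):
        if s not in ipaddress.ip_network(r.src) or d not in ipaddress.ip_network(r.dst):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action
    return "block"


if __name__ == "__main__":
    print("plan problems:", check_plan(VLANS) or "none")
    for vid in VLANS:
        print(f"VLAN {vid} statics: {static_range(vid, VLANS)}")
    print("wifi -> server SMB:", evaluate(POLICY, VLANS, "10.0.50.20", "10.0.30.10", "tcp", 445))
    print("wifi -> server SSH:", evaluate(POLICY, VLANS, "10.0.50.20", "10.0.30.10", "tcp", 22))
```

The block-before-pass ordering inside VLAN 40 and 50 is the point to notice: the final "pass to anywhere" rule is what gives those VLANs Internet access, and without the preceding block rule it would also let them reach every host on VLAN 30, since 10.0.30.0/24 is inside 0.0.0.0/0. Running the checks against each edit of the plan catches that kind of ordering mistake before it reaches the router.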