This guide will show you how to configure a network with pfSense and a Layer 3 (L3) switch for inter-VLAN routing. Most other guides will you how to setup VLAN interfaces on pfSense for it to perform VLAN routing, but this guide will show you how to setup pfSense with static routing to your L3 switch for inter-VLAN routing.

Background

VLANs divide broadcast domains in a LAN environment, and whenever hosts in one VLAN need to communicate with hosts in another VLAN, the traffic must be routed between them. This is known as inter-VLAN routing.

VLAN routing with pfSense is performed in CPU, but L3 routing with a switch is line-rate because of the asic capability. Inter-VLAN routing performance is therefore much better with an L3 switch compared to pfSense.

Most other guides will show you how to configure VLAN interfaces on the pfSense device so it can perform the VLAN routing. For such networks, the client devices are configured to use the IP address of the pfSense VLAN interfaces as the gateway address, and trunk ports are configured to connect the pfSense device and the switch.

Here in this guide for inter-VLAN routing on the L3 switch, we will configure VLAN interfaces only the L3 switch and not on the pfSense device. We will also configure static routes in pfSense using the IP address of the L3 switch as the gateway for the routes, and access ports (not trunk ports) will be used to connect pfSense and the L3 switch.

All local traffic, including inter-VLAN traffic, will route only through the L3 switch. The L3 switch will send all other traffic, such as outbound internet traffic, to pfSense for routing. This means the L3 switch will internally route local traffic at wire speeds without needing to send the traffic to pfSense for it to route the traffic back to the switch.

Requirements

You will need an L3 switch with support for inter-VLAN routing, such as the TP-link Jetstream T26000 used in this guide.

You will also need pfSense already configured and running without any VLANs. If you have already configured VLANs for pfSense, you will need to remove the VLANs and the corresponding interfaces and gateways.

At this time, pfSense’s DHCP service does not allow you to create IP pools and DHCP ranges for any subnet that does not correspond to an interface on the pfSense device. DHCP services will therefore need to be provided by either the L3 switch or a separate DHCP server that is VLAN capable.

Next: Switch configuration

1 2 3