Do I need pfSense?

farscapesg1 (2[H]4U; joined Aug 4, 2004; 2,648 messages)
For the last couple years I've been running Untangle in a VM for all my routing needs. However, while doing some upgrades (new hosts and a real switch... Cisco 3750G) I realized I'm still running Untangle 9.4.2 :eek:

I'm working on getting ready to upgrade to a new Untangle VM, but at the same time, if there are some better features with pfSense that make sense to use, I've got the space and compute power in my virtual environment. Everything in Untangle that I use is from their "free" options since it is just for home use. Web Filter, OpenVPN, etc.

I am looking to start teaching myself some basic Cisco networking, so I do need something that can handle the routing between VLANs. If I remember correctly, the older versions of Untangle stripped VLAN tags off, but I'm not sure if that changed with the newer versions.

So, I guess the question is what will pfSense+Untangle give me that Untangle alone won't, for a home environment?
 
I'm confused on your need for the PFSense if you are looking for "basic Cisco networking". All of your VLAN and routing can happen with your 3750G switch. That's a layer 3 switch, so try to use it as such.

PFSense supports 802.1q for tagged interfaces. If you wanted to trunk your VLANs up to the PFSense, this is entirely possible. But, since you have a layer 3 switch, it's really not needed. You can just create layer 3 interfaces on the 3750G switch and create a new broadcast domain between your switch and PFSense and use the internal interface of the PFSense as the switch default gateway/route.
 
Hmm... so the 3750G could handle all the routing by itself? I'm a complete Cisco noob, which is part of the reason I got the switch: to start expanding my knowledge, and for better options than my old Dell 2848 switch.

What I'm looking at is creating separate VLANs for Servers, workstations, iSCSI, and WAN at the minimum. Workstations and servers should be able to talk to each other, but iSCSI and WAN are each isolated (the Untangle VM connects the WAN link to the VLAN, which also has the cable modem connected). Since I'm running ESXi, I need a portchannel with all the VLANs trunked so I'm not running everything on separate physical NICs like I am now (1 for WAN, 1 for iSCSI, 2 for non-vlan devices which are all my current servers/workstations). Each VLAN would have a separate IP space, with a small DHCP scope.

If the switch can handle all of that, then I'll just need to read up more on it I guess. For my home, I'm not really in need of any QoS features (basic Internet traffic and video streaming is all we really use).
 
(1)Hmm... so the 3750G could handle all the routing by itself?

(2)What I'm looking at is creating separate VLANs for Servers, workstations, iSCSI, and WAN at the minimum. Workstations and servers should be able to talk to each other, but iSCSI and WAN are each isolated (the Untangle VM connects the WAN link to the VLAN, which also has the cable modem connected).

(3)Since I'm running ESXi, I need a portchannel with all the VLANs trunked so I'm not running everything on separate physical NICs like I am now (1 for WAN, 1 for iSCSI, 2 for non-vlan devices which are all my current servers/workstations).

(4)Each VLAN would have a separate IP space, with a small DHCP scope.

If the switch can handle all of that, then I'll just need to read up more on it I guess. For my home, I'm not really in need of any QoS features (basic Internet traffic and video streaming is all we really use).

1. The 3750G switch is a layer 3 switch. Which means it operates at layer 3, and functionally operates as a router. You can configure an IP address on specific physical interfaces and use that as a layer 3 interface. This would be used as the default gateway for each of those VLANs. Conversely, you could configure multiple switch ports as VLAN access ports and create a VLAN interface and use that as the gateway. Regardless, the IP information on your workstation would not change, just the switch configuration. Remember, VLAN is a layer 2 concept which just breaks up layer 2 broadcast domains (almost literally like breaking a switch into chunks). Each VLAN cannot implicitly communicate with another VLAN, as they are logically separated. VLAN interfaces are rudimentary layer 3 functions which are generally used for management on layer 2 switches. This would mean that if the interface I'm connected to is configured as "switchport mode access VLAN 10" and VLAN 10 had an interface IP (these are logical interfaces), I could manage the switch on that IP as long as I'm connected to ports with access to VLAN 10.

2. This will work just fine. The cable modem and PF sense would be connected on the same broadcast domain. You can do all of this on the switch as well.

3. EtherChannel is not required for dot1q (trunking or tagged) traffic. EtherChannel is configured for bonded interfaces for bandwidth and/or fault tolerance. If you trunked all VLANs up to the PFSense, you would need to create tagged interfaces on the PFSense so it can understand the 802.1q tag on the packets. These will be logical interfaces attached to a physical interface.

4. DHCP is supported on the 3750 as well. If you wanted to configure DHCP helpers (DHCP relay) you could do that as well, as long as the PFSense supports DHCP servers on VLAN interfaces.
 
Thanks for the info. I must still be doing something wrong, and my network engineer coworker keeps telling me that routing between VLANs isn't possible on it because it only has the LAN Base IOS license, which I'm not sure is accurate.

I've got the VLANs created with DHCP scopes configured and tested that devices connected pull the DHCP address for that VLAN. I've got a couple of ports configured for trunking and tested that the EtherChannel is working for VMware by creating a couple of port groups (VLAN 3 and VLAN 15), assigning a test system to each VLAN port group in VMware, and they pull DHCP addresses from the switch. Unfortunately, whether a VM or a physical device, if they are in the same VLAN they can communicate, but they still can't communicate with devices in other VLANs, and more importantly they can't communicate with the router/gateway.

Of course, most of the examples (both text and video) on the net are multiple switches and I'm just trying to do this on a single switch...
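As an added example (not configuration posted by anyone in this thread), here is what the switch side of the layout discussed above can look like on a Catalyst 3750G: servers and workstations routed on the switch, iSCSI and WAN kept as layer 2 only, a transit VLAN to the firewall VM, and a trunked EtherChannel to the ESXi host. VLAN numbers, subnets, port numbers and the firewall's inside address are assumed for illustration. One line worth checking first is `ip routing`: it is disabled by default on the 3750, and until it is enabled the switch will not forward between SVIs no matter how many of them are configured. The iSCSI and WAN VLANs deliberately get no SVI, which is what keeps them isolated from the routed VLANs without any ACL.

```cisco
! Added example for a Catalyst 3750G; VLAN IDs, subnets and ports are assumed.
! VLAN definitions. iSCSI (30) and WAN (40) exist only at layer 2.
vlan 10
 name SERVERS
vlan 20
 name WORKSTATIONS
vlan 30
 name ISCSI
vlan 40
 name WAN
vlan 50
 name TRANSIT
!
! Inter-VLAN routing is OFF by default on the 3750. Without this line the
! SVIs below come up but nothing is forwarded between them.
ip routing
!
! SVIs only for the VLANs that should be routed. No "interface Vlan30" and
! no "interface Vlan40": the switch has no path into iSCSI or WAN.
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
! Transit broadcast domain between the switch and the firewall VM's inside
! vNIC (10.0.50.2 is assumed). The firewall is the switch's default route.
interface Vlan50
 ip address 10.0.50.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.50.2
!
! DHCP served by the switch for the routed VLANs (DNS assumed on the firewall).
ip dhcp excluded-address 10.0.10.1 10.0.10.99
ip dhcp excluded-address 10.0.20.1 10.0.20.99
ip dhcp pool SERVERS
 network 10.0.10.0 255.255.255.0
 default-router 10.0.10.1
 dns-server 10.0.50.2
ip dhcp pool WORKSTATIONS
 network 10.0.20.0 255.255.255.0
 default-router 10.0.20.1
 dns-server 10.0.50.2
!
! Cable modem on an access port in the WAN VLAN; the firewall VM's WAN vNIC
! sits in an ESXi port group tagged VLAN 40 on the trunk below.
interface GigabitEthernet1/0/1
 description Cable modem
 switchport mode access
 switchport access vlan 40
 spanning-tree portfast
!
! Static EtherChannel trunk to the ESXi host carrying all VLANs. A standard
! vSwitch has no LACP, so use "mode on" with "Route based on IP hash" on the
! vSwitch side. 3750 needs the dot1q encapsulation set before "mode trunk".
interface range GigabitEthernet1/0/23 - 24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50
 channel-group 1 mode on
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50
!
! Every routed VLAN can reach the switch's own SVIs, so restrict who may
! open a management session to the switch.
ip access-list standard MGMT
 permit 10.0.10.0 0.0.0.255
line vty 0 15
 access-class MGMT in
!
! Verification (run from enable mode):
!   show ip route            -> "C 10.0.10.0/24 ... Vlan10" etc. once routing is on;
!                               with routing off it only shows a default gateway
!   show ip interface brief  -> an SVI stays down until a port in that VLAN is up
!   show etherchannel summary -> Po1 flagged (SU) with both members (P)
```

Two points follow from the layout rather than from any single command. First, because VLAN 30 and VLAN 40 have no SVI, a workstation cannot reach iSCSI storage or the modem-side segment through the switch even though all four VLANs share the same hardware; the only device with a foot in WAN is the firewall VM. Second, once `ip routing` is on, servers and workstations route to each other freely, so any restriction between them has to be an explicit ACL on the SVIs; the MGMT access-class above only protects the switch itself.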
 