Cisco C3650X inter-vlans with pfSense and internet access
Posted: Sun Oct 05, 2025 3:08 pm
Topology:
Physical server 1: pfsense (192.168.1.1 (internet)) - vlan1 (c3650x port 47 trunk)
Physical server 2: debian lxc1 (192.168.1.120) - vlan1 (proxmox bridge 0, c3650x any port)
Physical server 2: debian lxc2 (192.168.10.10) - vlan10 (proxmox bridge 1, c3650x port 2)
Physical server 2: debian lxc3 (192.168.20.20) - vlan20 (proxmox bridge 2, c3650x port 13)
All of these containers can ping each other, the internet and upgrade packages.
c3650 configuration

configure pfsense trunk:
Code:
enable
conf t
interface GigabitEthernet1/0/47
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20
end

create vlans:
Code:
enable
conf t
vlan 10
 name vlan10
vlan 20
 name vlan20
end

create svi:
Code:
conf t
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
 no shutdown
exit
interface vlan 20
 ip address 192.168.20.1 255.255.255.0
 no shutdown
exit

configure access ports:
Code:
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
exit
interface GigabitEthernet1/0/13
 switchport mode access
 switchport access vlan 20
exit

enable ip routing:
Code:
ip routing

internet route:
Code:
! default route to pfSense
ip route 0.0.0.0 0.0.0.0 192.168.1.1

Code:
3650x_server>show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.1.1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Vlan1
L 192.168.1.8/32 is directly connected, Vlan1
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, Vlan10
L 192.168.10.1/32 is directly connected, Vlan10
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, Vlan20
L 192.168.20.1/32 is directly connected, Vlan20

pfsense configuration

create vlans:
Code:
interface > vlans > create vlan 10
 parent interface LAN
 vlan tag 10
interface > vlans > create vlan 20
 parent interface LAN
 vlan tag 20

configure vlans
note the subnet is 24 NOT 32
Code:
interfaces > vlan10 > enable
 Description: VLAN10
 IPv4 Configuration Type: Static IPv4
 IPv4 Address: 192.168.10.2/24
interfaces > vlan20 > enable
 Description: VLAN20
 IPv4 Configuration Type: Static IPv4
 IPv4 Address: 192.168.20.2/24

configure firewall
Code:
firewall > rules vlan10
add rule
 Action: Pass
 Interface: VLAN10
 Address Family: IPv4
 Protocol: UDP
 Source: VLAN10 Subnets
 Destination: This Firewall (Self)
 Port Range: 53 (DNS)
add rule
 Action: Pass
 Interface: VLAN10
 Address Family: IPv4
 Protocol: TCP
 Source: VLAN10 Subnets
 Destination: Any
 Port Range: 80 (HTTP)
add rule
 Action: Pass
 Interface: VLAN10
 Address Family: IPv4
 Protocol: ICMP (any)
 Source: VLAN10 Subnets
 Destination: Any

Code:
firewall > rules vlan20
add rule
 Action: Pass
 Interface: VLAN20
 Address Family: IPv4
 Protocol: UDP
 Source: VLAN20 Subnets
 Destination: This Firewall (Self)
 Port Range: 53 (DNS)
add rule
 Action: Pass
 Interface: VLAN20
 Address Family: IPv4
 Protocol: TCP
 Source: VLAN20 Subnets
 Destination: Any
 Port Range: 80 (HTTP)
add rule
 Action: Pass
 Interface: VLAN20
 Address Family: IPv4
 Protocol: ICMP (any)
 Source: VLAN20 Subnets
 Destination: Any

configure lxc vlan10
Code:
root@vlan10:/# cat /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
    address 192.168.10.10/24
    gateway 192.168.10.2
    nameserver 192.168.10.2

configure lxc vlan20
Code:
root@vlan20:/# cat /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
    address 192.168.20.20/24
    gateway 192.168.20.2
    nameserver 192.168.20.2
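
Added example (not part of the original post, and not pfSense's own code): a small Python model of the three VLAN10 pass rules above, evaluated first-match with an implicit default deny, to show which flows from lxc2 the rule set lets through. The sample flows and the address 203.0.113.10 are constructed; the model assumes the traffic reaches pfSense because the containers use 192.168.10.2 as their gateway.

```python
# Added example: models the VLAN10 rules from the post; not pfSense code.
from ipaddress import ip_address, ip_network

VLAN10 = ip_network("192.168.10.0/24")
# "This Firewall (Self)": pfSense's own addresses as given in the post.
FIREWALL_SELF = {ip_address(a) for a in
                 ("192.168.1.1", "192.168.10.2", "192.168.20.2")}

# (protocol, source network, destination spec, destination port or None)
VLAN10_RULES = [
    ("udp", VLAN10, "self", 53),     # DNS to the firewall
    ("tcp", VLAN10, "any", 80),      # HTTP to any destination
    ("icmp", VLAN10, "any", None),   # ICMP to any destination
]

def dst_matches(spec, dst):
    """'any' matches everything; 'self' only the firewall's own addresses."""
    return spec == "any" or (spec == "self" and dst in FIREWALL_SELF)

def evaluate(rules, proto, src, dst, dport=None):
    """First matching pass rule wins; no match means the default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for r_proto, r_src, r_dst, r_port in rules:
        if (r_proto == proto and src in r_src and dst_matches(r_dst, dst)
                and (r_port is None or r_port == dport)):
            return "pass"
    return "block"

LXC2 = "192.168.10.10"
# Constructed sample flows; 203.0.113.10 is a documentation address.
FLOWS = [
    ("DNS/UDP to pfSense", "udp", "192.168.10.2", 53),
    ("DNS/TCP to pfSense", "tcp", "192.168.10.2", 53),
    ("HTTP to internet", "tcp", "203.0.113.10", 80),
    ("HTTPS to internet", "tcp", "203.0.113.10", 443),
    ("HTTP to lxc3 (VLAN20)", "tcp", "192.168.20.20", 80),
    ("SSH to lxc3 (VLAN20)", "tcp", "192.168.20.20", 22),
    ("ping lxc3 (VLAN20)", "icmp", "192.168.20.20", None),
    ("HTTP to pfSense itself", "tcp", "192.168.10.2", 80),
]

def audit(rules=VLAN10_RULES, src=LXC2):
    """Map each sample flow to the verdict the rule list gives it."""
    return {name: evaluate(rules, proto, src, dst, port)
            for name, proto, dst, port in FLOWS}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{verdict:5}  {name}")
```

With these rules, HTTP and ICMP from VLAN10 to VLAN20 are passed because the destination is Any, while HTTPS and DNS over TCP fall through to the default deny.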