@Georg Pauwen here you go.

I will edit my original post, one thing I forgot to mention was which port on the cisco is connected to pfsense. After looking at the config, I think the problem is related to that. Port 48 is on VLAN 1 connecting to pfsense.

I removed parts of the config that I didn't think were needed, for example, username, crypto related text (to save space) and interfaces that I'm not using.

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname switch1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip routing
ip dhcp excluded-address 10.1.100.1
ip dhcp excluded-address 10.1.100.1 10.1.100.99
ip dhcp excluded-address 10.1.100.126 10.1.100.254
!
ip dhcp pool vlan-100
import all
network 10.1.100.0 255.255.255.0
domain-name vlan100.local
default-router 10.1.100.1
dns-server 10.1.100.1
!
!
ip domain-name lan.local
ip name-server 8.8.8.8
!
vlan internal allocation policy ascending
!
interface FastEthernet0
no ip address
no ip route-cache
shutdown
!
interface GigabitEthernet1/0/36
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/37
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/48
!
interface Vlan1
ip address 10.25.25.254 255.255.255.0
!
interface Vlan100
ip address 10.1.100.1 255.255.255.0
!
interface Vlan200
ip address 10.2.200.1 255.255.255.0
!
ip default-gateway 10.25.25.1
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.25.25.1
!
!
!
line con 0
login local
line vty 0 4
exec-timeout 60 0
login local
transport input ssh
line vty 5 15
login
transport input ssh
!
end

switch1#

Thanks.

Hello

Your switch config looks okay, a few minor adjustments but it shouldn't be negating the connectivity i would say at this time it sounds possibly the pfensce rtr is the root cause for your connectivity issue,

Switch

ip dhcp pool vlan-100
import all <- not required
ip name-server 8.8.8.8 <- not required
ip default-gateway 10.25.25.1 <- not required

no ip route 0.0.0.0 0.0.0.0 10.25.25.1

ip route 0.0.0.0 0.0.0.0 vlan 1 10.25.25.1

vlan 100,200
exit

interface GigabitEthernet1/0/48
switchport mode access
spanning-tree portfast

Can you confirm you have static routes on the prfense rtr for the vlans 100,200 similar to these below also have you accommodated  your nat ruling for these subnets?
ip route 10.1.100.0 255.255.255.0 10.1.25.25.254
ip route 10.2.200.0 255.255.255.0 10.1.25.25.254

Thank @paul driver 

Can you expand on why the DHCP values are not required? I don't typically run DHCP on switches/routers, I usually have a windows server handling that (on a corporate network). This setup is in my home for practice purposes. I also made sure to keep in on its own interface on pfsense to not cause connectivity issues on the regular network. With that being said, I had to configure DHCP on the cisco switch and I always provide a DNS server and gateway to network devices. ---EDIT--- I didn't look closley at the config, those values (DNS and gateway) were not part of the DHCP scope, that was my mistake when I initially read the comment. I understand why they are not required, now. ---EDIT---

I do understand your ip route change. Since VLAN 1 is what I have interfacing to the pfsense router, I believe your change makes more sense than what I have.

I don't use cisco equipment at work (or pfsense) which is why this is a bit new to me. Let me make those changes and I'll post back.

Also, see the link below for the static route on the pfsense router. I don't have one for VLAN 200, yet, since I'm only working with VLAN 100, for now.

https://i.imgur.com/Pb4Wpvl.png

One thing that I thought about after I posted my config....VLAN 1 should be dedicated to the link going to pfsense, meaning, I shouldn't use VLAN 1 for anything else on the cisco switch. With that being said, I realize VLAN 1 should not be used, if possible, but since this is a 'lab' in my home, I jumped right in and started working with VLAN 1.

Thanks.

Hello

The that static route on the pfsence rtr looks fine, also I would stick with vlan 1 as your primary connection between the switch and the pfsence for now until you obtain the connectivity you desire.

As for the dhcp you dont require import all in the dhcp scope as your not using dhcp from the pfsence to the switch so the scope on the switch has nothing to import.

Also you dont need to run a dns service on the switch either, the clients will use their defined server in the dhcp scope, so you can if you wish amend that to point to a public dns such as google.

Do you have a nat rule for vlan 100 on the pfsence?

I have DNS defined on the switch to confirm connectivity to the internet, from the switch CLI, but I could just ping 8.8.8.8 instead of google.com, however, I see what you are getting at.

I do not have a NAT rule for VLAN 100 on pfsense, I didn't think that was needed. If it is, I'll add that on the pfsense side.

Hello

Yes it will be needed, NAT will be required for any lan subnet you wish to connect to the internet and as the switch doesn't support nat then that pfsence rtr needs to perform it

Ok, I will add the NAT. I assumed once the switch traffic had a route to get to the pfsense, the route accepting the traffic from the switch would be the only network needed for NAT, in this case, the 10.25.25.0 /24 network, which a NAT does exist for. Still learning, thank you.

Since I was only trying to get Local LANs working, I was trying to solve that problem, first. Internet connectivity troubleshooting, to follow. Thanks, I will update when I'm able to make these changes.

edited-ignore, I made a mistake. will delete the post, if I can.

---

@Georg Pauwen wrote:

Hello,

 

for the sake of testing, try and disable the Pfsense firewall completely, in order to rule out that your firewall rules are causing this issue...

---

I don't want to completely disable the firewall, but I'll try a packet capture (from within pfsense) to see if the packets from the cisco switch are hitting the pfsense firewall and being blocked.

@paul driver I was able to remove 'ip route 0.0.0.0 0.0.0.0 10.25.25.1' and added 'ip route 0.0.0.0 0.0.0.0 vlan 1 10.25.25.1' but I'm still not able to ping from a laptop on vlan 100 (behind cisco switch) to 10.25.25.1 (pfsense interface). I am still able to ping 10.1.100.1 (vlan 100 gw) and 10.25.25.254 (cisco switch).

Thanks.

Edit- Some good news. The laptop 10.1.100.100 is pinging 192.168.33.1 and 10.25.25.1 and not getting replies, but the packets are making it to the pfsense router/firewall. The rules on pfsense are allow any/any for LAN to LAN2 and allow any/any for LAN2 to LAN, but something else must be blocking the ping reply to the laptop. Here is what the pfsense router/firewall sees...

16:12:38.489106 IP 10.1.100.100 > 192.168.33.1: ICMP echo request, id 16078, seq 0, length 64
16:12:39.494312 IP 10.1.100.100 > 192.168.33.1: ICMP echo request, id 16078, seq 1, length 64
16:12:40.499107 IP 10.1.100.100 > 192.168.33.1: ICMP echo request, id 16078, seq 2, length 64
16:12:41.502809 IP 10.1.100.100 > 192.168.33.1: ICMP echo request, id 16078, seq 3, length 64
16:12:58.329137 IP 10.1.100.100 > 10.25.25.1: ICMP echo request, id 32718, seq 0, length 64
16:12:59.334369 IP 10.1.100.100 > 10.25.25.1: ICMP echo request, id 32718, seq 1, length 64
16:13:00.338579 IP 10.1.100.100 > 10.25.25.1: ICMP echo request, id 32718, seq 2, length 64
16:13:01.343736 IP 10.1.100.100 > 10.25.25.1: ICMP echo request, id 32718, seq 3, length 64

I think that's a good sign.

Edit 2- I am now able to ping 10.25.25.1 from the laptop connected to VLAN 100 on the cisco switch. The pfsense firewalls needed to be tweaked just a bit. While I did have allow LAN to any, and any to LAN, the routed VLAN 100 on the cisco switch doesn't seem to fall under the category of any. I made a specific firewall rule for the subnet 10.1.100.0 /24 and allowed that. Once I did that, pings started to reply from the laptop connected to the cisco switch.

Now I am working on replicating the same firewall rule for the 192.168.33.0 LAN. Assuming I get that working, I'm going to work on the NAT rule on the pfsense side for the 10.1.100.0 /24 network (VLAN 100 on the cisco switch).

Note- ip route 0.0.0.0 0.0.0.0 10.25.25.1 and ip route 0.0.0.0 0.0.0.0 vlan 1 10.25.25.1 both work. I tried them individually and so far have seen the same results.

Hello

That more specific default route on the switch just cuts down on any possible recursive routeing and unnecessary arp queries

icmp would no doubt be disabled on the Fw so not really worried about a successful ping to/from FW so that tweaked you made no doubt worked to fix the ping

So as your are now able to ping from the host to its DG residing in the switch and vlan 1 DG then the switch configuration is fine

Have you tried accessing the internet from the host in vlan 100, Also from the router do you have internet connectivity- 

---

@paul driver wrote:

Hello

That more specific default route on the switch just cuts down on any possible recursive router and unnecessary arp queries

 

icmp would no doubt be disabled on the Fw so not really worried about a successful ping to/from FW so that tweaked more doubt worked to fix the ping

However as your are able to ping from the host to its DG residing in the switch and vlan 1 DG then the switch configuration is fine

Have you tried accessing the internet from the host in vlan 100

 

Also from the router do you have internet connectivity- 

---

Yes, I am able to ping everything now. I can ping from the laptop on VLAN 100 to the DG and to 8.8.8.8. It appears other than a few minor changes in the switch config, which you stated shouldn't have prevented me from having connectivity issues, the problem was simply that pfsense firewall was blocking traffic from VLAN 100 since it didn't have a specific rule for the traffic.

Thanks for your help.

Also, thanks to @Georg Pauwen