I think the very first thing you need to define is your desired design.
The link in the original question describes a migration from a design where the pfSense firewall has the responsibility of both routing between internal and external networks, as well as access control between them, to a design where the firewall no longer has the responsibility of routing traffic between the internal networks and only passes traffic between its LAN and WAN networks, and therefore only controls access between LAN and WAN networks and vice versa. Traffic between the VLANs on the LAN or internal networks will be uncontrolled or, at best, controlled by the layer 3 switch, which will be the new gateway for the various internal networks (VLANs in this case).
If that's the desired design (the firewall loses control and routing responsibilities for traffic between the internal networks) then by all means, plow ahead.
If you want to keep control of traffic between networks, such as when you have a few guest or low-security networks and some more private or sensitive networks you want to keep separate from the others, then you want to keep the routing responsibilities and access control on the firewall and you will need to spec the firewall so it can handle those responsibilities. Basically it will be set up with this basic configuration:
https://www.wundertech.web/how-to-setup-vlans-in-pfsense/
And the switch will either have a trunk link (802.1Q encapsulated link carrying frames tagged for multiple VLANs) to the firewall, or you could have multiple individual links from the switch to the firewall, one for each VLAN you want to connect through the firewall.
If you want the layer 3 switch to act as the gateway instead of the firewall, and you want to remove the access control between the internal networks, then the general best design for that is to have a small transit network between the firewall and the layer 3 switch (a /29 network of IPv4 addresses, for example) and static route configuration on the firewall so the firewall knows how the IP address blocks in use on the internal networks are reachable.
Say you have 10.10.0.0/20 broken up into /24 networks for your internal networks (each a VLAN). You could use 172.20.30.0/29 for the transit network between the firewall and the layer 3 switch.
Simply configure the firewall so it has an interface in its LAN zone (or whatever you call it) with IP address 172.20.30.1/29, and configure a port on the layer 3 switch (or an SVI if you prefer, with an accompanying VLAN and a port set to access mode for that VLAN) and connect a cable from that port to the chosen port on the firewall. Configure the appropriate port/interface on the switch to use IP address 172.20.30.2/29 and you now have a network between them. Configure the switch for 'ip routing' and give the switch a default route 'ip route 0.0.0.0 0.0.0.0 172.20.30.1', and your switch now knows to send traffic for any network that isn't directly connected to its interfaces to the firewall.
Make sure the firewall has NAT rules and outbound access rules so that 10.10.0.0/20 has NAT applied and is allowed outbound access to the internet.
Make sure the firewall has a static route entry for 10.10.0.0/20 to be routed to 172.20.30.2.
Configure the remaining VLAN configuration you want on the layer 3 switch so you have an SVI for each VLAN ('interface vlan 10', 'ip address 10.10.0.1 255.255.255.0', 'no shut', etc.) and assign the desired VLAN to the desired switch ports in access mode, or whatever is needed to get the connectivity you want.
Assign your user devices IP addresses from the appropriate networks to match the VLAN they're connected to (10.10.0.10/24 with gateway 10.10.0.1, etc.) and they should have connectivity to the internet. If not, start troubleshooting by making sure they can ping their gateway (the layer 3 switch), then the gateway of that gateway (the firewall at 172.20.30.1, or 172.20.30.2 on the switch side, etc.) and so on.
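As an added example (not part of the answer above), the following Python model builds the three routing tables the answer describes, the host, the layer 3 switch with its VLAN SVIs and default route, and the firewall with its transit interface and the 10.10.0.0/20 static route, and then traces a packet out to the internet and the reply back in. Running it with the firewall's static route removed shows the failure mode the answer warns about: the reply to an internal host follows the firewall's default route upstream and is black-holed. The VLAN IDs, the transit VLAN number, the host address and the firewall's WAN addressing are assumptions for the example; the plan checks and the longest-prefix lookup are generic and not specific to pfSense.

```python
import ipaddress

# Addressing plan from the answer above. VLAN IDs, transit VLAN 99, the host
# address and the firewall's WAN addresses (TEST-NET-3) are assumed.
SUMMARY = ipaddress.ip_network("10.10.0.0/20")
TRANSIT = ipaddress.ip_network("172.20.30.0/29")
VLANS = {10: "10.10.0.0/24", 20: "10.10.1.0/24", 30: "10.10.2.0/24"}


class RoutingTable:
    """Longest-prefix-match forwarding table for one device (host, switch or firewall)."""

    def __init__(self, name):
        self.name = name
        self.addresses = []   # interface addresses this device answers for
        self.routes = []      # (network, next_hop or None when connected, interface)

    def connected(self, iface, addr_with_prefix):
        itf = ipaddress.ip_interface(addr_with_prefix)
        self.addresses.append(itf.ip)
        self.routes.append((itf.network, None, iface))

    def static(self, prefix, next_hop):
        """'ip route PREFIX NEXT_HOP': the next hop must sit on a connected network."""
        nh = ipaddress.ip_address(next_hop)
        for net, hop, iface in self.routes:
            if hop is None and nh in net:
                self.routes.append((ipaddress.ip_network(prefix), nh, iface))
                return
        raise ValueError(f"{self.name}: next hop {nh} is not on a connected network")

    def lookup(self, dst):
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def build_topology(firewall_has_static=True):
    switch = RoutingTable("l3-switch")
    switch.connected("Vlan99", "172.20.30.2/29")        # transit SVI towards the firewall
    for vid, net in VLANS.items():                       # 'interface vlan N' / 'ip address ...'
        n = ipaddress.ip_network(net)
        switch.connected(f"Vlan{vid}", f"{n[1]}/{n.prefixlen}")
    switch.static("0.0.0.0/0", "172.20.30.1")           # ip route 0.0.0.0 0.0.0.0 172.20.30.1

    fw = RoutingTable("pfsense")
    fw.connected("LAN", "172.20.30.1/29")
    fw.connected("WAN", "203.0.113.2/30")               # assumed WAN address
    fw.static("0.0.0.0/0", "203.0.113.1")               # assumed upstream gateway
    if firewall_has_static:
        fw.static("10.10.0.0/20", "172.20.30.2")         # the route the answer says to add

    host = RoutingTable("pc-vlan20")
    host.connected("eth0", "10.10.1.10/24")
    host.static("0.0.0.0/0", "10.10.1.1")               # gateway is the switch SVI

    owners = {a: d for d in (host, switch, fw) for a in d.addresses}
    return host, switch, fw, owners


def trace(start, dst, owners, max_hops=8):
    """Hop-by-hop lookup from `start` towards `dst`; returns (hops, reachable)."""
    dst = ipaddress.ip_address(dst)
    dev, hops = start, []
    for _ in range(max_hops):
        route = dev.lookup(dst)
        if route is None:
            hops.append(f"{dev.name}: no route to {dst}")
            return hops, False
        net, nh, iface = route
        if nh is None:
            hops.append(f"{dev.name}: {dst} directly connected on {iface}")
            return hops, True
        hops.append(f"{dev.name}: {dst} -> {nh} via {iface} (matched {net})")
        if nh not in owners:
            # Left the lab towards the upstream: fine for Internet destinations,
            # a black hole if the destination was one of our own internal prefixes.
            hops.append(f"{nh}: upstream/Internet")
            return hops, dst not in SUMMARY
        dev = owners[nh]
    hops.append("hop limit exceeded (routing loop?)")
    return hops, False


def check_plan():
    """Sanity checks on the addressing plan; returns a list of problems (empty is good)."""
    problems = []
    nets = [ipaddress.ip_network(n) for n in VLANS.values()]
    for n in nets:
        if not n.subnet_of(SUMMARY):
            problems.append(f"{n} is outside {SUMMARY}; the firewall's static route will not cover it")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    if TRANSIT.overlaps(SUMMARY):
        problems.append(f"transit {TRANSIT} overlaps {SUMMARY}")
    return problems


if __name__ == "__main__":
    print("plan problems:", check_plan() or "none")
    for has_route in (True, False):
        host, switch, fw, owners = build_topology(has_route)
        print(f"--- firewall static route for {SUMMARY}: {'present' if has_route else 'MISSING'}")
        for line in trace(host, "8.8.8.8", owners)[0]:
            print("  out: ", line)
        hops, ok = trace(fw, "10.10.1.10", owners)     # reply arriving from the WAN
        for line in hops:
            print("  back:", line)
        print("  return path reachable:", ok)
```

The model deliberately ignores NAT and the firewall's access rules, which the answer says must also be in place; it only answers the routing question a practitioner checks first when "ping the gateway, then the gateway's gateway" works but internet traffic still fails. Note that `static()` refuses a next hop that is not on a connected network, which is the same reason the transit /29 has to exist before the 10.10.0.0/20 route can be installed.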