Netgate Discussion Forum

    can't ping a switch connected to TNSR

    TNSR Feedback
    • N
      network-admin
      last edited by network-admin

      Hi guys,

      I can't break a basic thing like a two-way ping between a server with TNSR and an L3 switch.

      Switch:

      1. set VLAN 777, set IP 172.16.7.254/24 on VLAN interface 777

      2. I set the port leading to the TNSR server to the trunk and enable VLAN 777

      TNSR:

      1. I will set the sub interface S2_WAN1 777 according to the documentation:
        https://docs.netgate.com/tnsr/en/latest/interfaces/types-vlan.html

      2. I will add the IP address 172.16.7.102/24 to the S2_WAN1.777 interface

      Now, based on experience with other network devices, I should be able to ping the other party from the switch and vice versa, but it doesn't work.

      In the switch, I see the MAC address of the other party in VLAN 777, i.e. TNSR.

      If I ping from the switch to TNSR then there is no answer.
      If I run tcpdump on TNSR according to the documentation: https://docs.netgate.com/tnsr/en/latest/troubleshooting/capture.html then I only see incoming ARP requests who has IP 172.16.7.102? TNSR no longer responds to the ARP protocol.

      Did I forget something in TNSR? According to the documentation, no ACLs are enabled by default and traffic should flow.

      I tried the same procedure on an ordinary port of the ACCESS mode switch in a configuration without tagged VLAN, on TNSR I removed the sub interface (with problems that I describe in another thread https://forum.netgate.com/topic/169908/problem-with-remove-vlan-interface) but with the same result.

      Please help.

      Thank you

      N.A.

      • DerelictD
        Derelict LAYER 8 Netgate @network-admin
        last edited by

        @network-admin Really hard to tell with the information provided.

        What is the output of:

        show config run cli

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • N
          network-admin @Derelict
          last edited by network-admin

          @derelict

          Hi, yes I apologize, I gave the statement in the referenced post, but it should also be here, I attach below:

          TNSR(172.16.7.102):

          localhost tnsr# show config run cli
          nacm enable
          nacm read-default deny
          nacm write-default deny
          nacm exec-default deny
          nacm group admin
              member root
              member tnsr
          exit
          nacm rule-list admin-rules
              group admin
              rule permit-all
                  module *
                  access-operations "*"
                  action permit
              exit
          exit
          
          dataplane ethernet default-mtu 1500
          dataplane dpdk dev 0000:02:00.1 network
          dataplane dpdk dev 0000:02:00.2 network
          dataplane dpdk dev 0000:02:00.3 network
          dataplane dpdk dev 0000:05:00.0 network name S2_WAN_1
          dataplane dpdk dev 0000:05:00.1 network name S2_LAN_1
          dataplane dpdk dev 0000:08:00.0 network name S2_WAN_2
          dataplane dpdk dev 0000:08:00.1 network name S2_LAN_2
          dataplane dpdk uio-driver igb_uio
          dataplane buffers buffers-per-numa 32768
          dataplane statseg heap-size 96M
          
          
          nat global-options nat44 enabled false
          
          interface subif S2_WAN_1 777
              exact-match
              outer-dot1q 777
          exit
          
          interface S2_LAN_1
              enable
          exit
          interface S2_LAN_2
              enable
          exit
          interface S2_WAN_1
              enable
          exit
          interface S2_WAN_1.777
              enable
              ip address 172.16.7.102/24
          exit
          interface S2_WAN_2
              enable
          exit
          
          nat ipfix logging domain 1
          nat ipfix logging src-port 4739
          nat nat64 map parameters
              security-check enable
          exit
          
          interface S2_LAN_1
          exit
          interface S2_LAN_2
          exit
          interface S2_WAN_1
          exit
          interface S2_WAN_1.777
          exit
          interface S2_WAN_2
          exit
          
          route dynamic manager
          exit
          
          route dynamic ospf6
          exit
          
          route dynamic bgp
              disable
          exit
          
          route dynamic ospf
          exit
          
          route dynamic rip
          exit
          
          dhcp4 server
              lease persist true
              lease lfc-interval 3600
              interface socket raw
          exit
          
          unbound server
              enable ip4
              enable tcp
              enable udp
              enable harden glue
              enable hide identity
              port outgoing range 4096
          exit
          
          snmp host disable
          

          3COM switch cfg (172.16.7.254):

          #
          vlan 777
           description VLAN_WANS
          #
          interface Vlan-interface777
           ip address 172.16.7.254 255.255.255.0
          #
          interface Bridge-Aggregation2
           port link-type trunk
           undo port trunk permit vlan 1
           port trunk permit vlan 777
          #
          interface Ten-GigabitEthernet2/1/1
           port link-mode bridge
           description SERVER2_WAN
           port link-type trunk
           undo port trunk permit vlan 1
           port trunk permit vlan 777
           port link-aggregation group 2
          #
          

          and the output of the command "display mac-address vlan 777", where 40a6-b73c-f1d8 is the MAC address of the TNSR NIC:

          MAC ADDR       VLAN ID  STATE          PORT INDEX               AGING TIME(s)
          40a6-b73c-f1d8 777      Learned        Bridge-Aggregation2      AGING
          
            ---  1 mac address(es) found  ---
          

          and the output of the command "display arp", where 40a6-b73c-f1d8 is the MAC address of the TNSR NIC and IP 172.16.7.102 also belongs to TNSR, so ARP partially works, but ping does not:

                Type: S-Static    D-Dynamic    O-Openflow
          IP Address       MAC Address     VLAN ID  Interface              Aging Type
          172.16.7.102     40a6-b73c-f1d8  777      BAGG2                  20    D
          
          • N
            network-admin
            last edited by

            So solved :-) I thought it would be related to the fact that the port is in line aggregation on the L3 switch. I removed the port from the line aggregation and now the ping works and everything behaves as expected.

            Sorry for the confusion, the error is probably in the line aggregation configuration.

            Thank you!

            • DerelictD
              Derelict LAYER 8 Netgate @network-admin
              last edited by

              @network-admin link aggregation always needs to be configured on both sides of a link. Glad you got it sorted out.

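The thread's resolution, that the switch port was in an aggregation group while TNSR had no matching configuration, can be checked mechanically before cabling a link. The following is an added example, not code from any poster or from Netgate: the function names are hypothetical, the config excerpts are constructed from the ones posted above, the `bond <id>` line used to recognise a TNSR bond member is an assumed syntax, and the port-to-interface cabling map must be supplied by the operator.

```python
import re
# Constructed excerpts modelled on the configurations posted in this thread.
SWITCH_CFG = """\
interface Bridge-Aggregation2
 port trunk permit vlan 777
interface Ten-GigabitEthernet2/1/1
 description SERVER2_WAN
 port trunk permit vlan 777
 port link-aggregation group 2
"""
TNSR_CFG = """\
interface S2_WAN_1
    enable
exit
interface S2_WAN_1.777
    ip address 172.16.7.102/24
exit
"""

def switch_lag_members(cfg):
    """Map switch port -> aggregation group id, from the switch config text."""
    members, port = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            port = m.group(1)
        elif port and (m := re.match(r"\s+port link-aggregation group (\d+)", line)):
            members[port] = int(m.group(1))
    return members

def tnsr_bond_members(cfg):
    """TNSR interfaces whose block holds a 'bond <id>' line (assumed syntax)."""
    bonded, iface = set(), None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)$", line):
            iface = m.group(1)
        elif line.strip() == "exit":
            iface = None
        elif iface and re.match(r"\s+bond \d+", line):
            bonded.add(iface)
    return bonded

def one_sided_lags(switch_cfg, tnsr_cfg, cabling):
    """List (switch port, group, TNSR interface) where only the switch aggregates."""
    bonded = tnsr_bond_members(tnsr_cfg)
    return [(port, group, cabling[port])
            for port, group in switch_lag_members(switch_cfg).items()
            if port in cabling and cabling[port] not in bonded]

# Operator-supplied cabling map; this pairing is assumed from the port description.
CABLING = {"Ten-GigabitEthernet2/1/1": "S2_WAN_1"}
```

Calling `one_sided_lags(SWITCH_CFG, TNSR_CFG, CABLING)` reports the Ten-GigabitEthernet2/1/1 port as aggregated on the switch side only, which is the state the thread ended up diagnosing.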
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.