Cant ping vlan on pf sense from any device?
-
@travelmore well something is wrong.. You should be able to ping pfsense own IP address.. Not sure how its going to work if it can not even talk to itself..
I would disable and re-enable the network interface..
What does your routing table look like? Here are my two tagged vlans in the route table, and me pinging them.
-
@johnpoz well, i disabled the interface and pinged it (just for measure) and got the results below.
THEN I enabled the interface as you suggested. Tried pinging it again and got this
then after seeing that progress, i went to my cisco switch and tried to ping, no luck.
then i tried to ping from my pihole that is physically connected to port 2 on my netgear switch (only on vlan1) and i could ping the 20.1 IP, see below.
here is the routing table, to note, there is nothing past the IPV6 Routes table.
Since we are making progress it seems by just disabling and renableing that interface, what are the next steps to get this to the end goal of vlan20 on my wireless AP?
Again, thank you so much for all your help.
-
@travelmore well I already went over why your switch might not be able to ping it. What is the route table look like on your switch.
So do clients that connect to your ssid on vlan 20, get an IP? When you created that new ssid and assigned it to your smart bulbs network, I saw that you created a smart bulbs network vlan only, I assume you set the vlan ID to 20.
But I don't see where you stated what port you connected your AP to your 2960, nor do I see any ports on the 2960 that you posted that are tagged for vlan 20 going to your AP. Nor any ports on vlan 20 that are the uplink through your dumb switch back to your netgear switch, etc.
pfsense - 1U,20T -- netgear -- 1U,20T -- dumbswitch -- 1U,20T - cisco -- 1U,20T -- AP -
@johnpoz so literally on port8 on my netgear switch is the AP that my smart bulb vlan is plugged into. yes, i did set the vlan on the unifi to vlan20. I do not have anything on this smart vlan except for the smart bulbs if i can ever get them connected. on my phone i tried connecting my phone to the smart bulb wifi and it said failed to obtain IP address. and here is a pic below.
-
@travelmore said in Cant ping vlan on pf sense from any device?:
I still have to ask, are you sure you're actually applying any settings you make??
That image still shows the "apply changes" button and it shouldn't. -
@jarhead yes i dont know why it said that but it did.
here is a pic of pf sense pinging 20.1 IP
and here is that interface settings page w/no message at the top
-
@travelmore Yes, but that's after John had you bounce the interface. There's no way that "apply" button would be there if you clicked it. This would also explain why the interface had the "N/A" instead of an IP address.
-
@travelmore said in Cant ping vlan on pf sense from any device?:
literally on port8 on my netgear switch is the AP that my smart bulb vlan is plugged into
That is not how you have it draw at all - you show all your AP plugged into your cisco.
You show untagged vlan 20 on port 8 of your cisco, but how exactly does vlan 20 get there? You have no other ports in vlan 20..
If this netgear, and pvid on ports 4 and 8 are 1 then this is correct. if pfsense re0 is plugged in to port 4 and your AP is plugged into port 8
I am with @Jarhead as well, when you make a change to any gui page you have to hit save/apply etc..
A client connecting to your ssid for your smartbulbs should get vlan 20 address. Devices connecting to your other ssid without any vlan on it should be on your lan network.
Testing that vlan 20 is working, put a port on your netgear in vlan 20, untaggged, with pvid set to to 20. Plug in your laptop and it should get an IP on your vlan 20 network. And make sure you remove vlan 1 from this port.
-
@johnpoz and @Jarhead I checked. I think after we disabled and re-enabled that interface that fixed that issue because I see this now.
my apologies, i must have typo'd when i stated "literally on port8 on my netgear switch is the AP that my smart bulb vlan is plugged into", that was an incorrect statement, i meant literally on port 8 on my Cisco switch is the AP that has the smart bulbs wifi setup and on vlan 20.
on my netgear switch port 8 is only vlan20 so i could plug a PC in for testing purposes if needed.
i have tried again to connect my cell phone to the Smartbulbs ssid and it fails.
-
@travelmore said in Cant ping vlan on pf sense from any device?:
on port 8 on my Cisco switch is the AP that has the smart bulbs wifi setup and on vlan 20.
Well how exactly is vlan 20 going to get to that switch from pfsense.. If you only have 1 port in vlan 20?
See my little ascii drawing from before.
pfsense - 1U,20T -- netgear -- 1U,20T -- dumbswitch -- 1U,20T - cisco -- 1U,20T -- AP -
@johnpoz I did not understand that drawing. but after looking at it again, i believe i have to set port 1 which connects my cisco switch to my dumb switch to be on vlan20 as tagged. then it should all work, right?
If that is correct. this is what i have done below
tried again to connect my phone to the smart bulbs ssid and no luck.
when i did make the change for the cisco switch i had to do that via concole cable because while i was trying it i lost connection and couldnt get back in, so i console-cabled in and grabbed that screenshot of the settings. after making those changes i am not able to remotely connect to my cisco switch via putty and i get network error: connection timed out but i am able to console cable in.
that being said, while consoled into my cisco switch, i cannot ping out at all.
i am not sure how to fix being able to remote into the cisco switch/ping from it now.
what i type in was:
conf t
then, interface f0/1
then switchport mode access
then switchport access vlan 20
then no shut
then exit
then ctrl z
then writethen i could'nt connect to cisco remotely (so i consoled in to get the screen shot above) and now i still cant connect remotely to my cisco switch.
Gosh, I am not sure what in the world happened from the settings i changed on my cisco switch as shown above.
i feel like im somewhat so close to getting this all figured out.now my cell phone is trying to connect to my normal network and says 'ready to connect when network quaility improves'.
what is next? what do i need to do?
thank you again for all your help. -
@travelmore As I showed vlan 1 untagged, this your lan.. And vlan 20 Taggged (1U, 20T).. In cisco lan this a trunk port. Not a access port..
If you do not understand what tag or untagged vlan is - your going to have a really hard time working with vlans..
sg300-10#sho vlan Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN, V-Voice VLAN Vlan Name Tagged Ports UnTagged Ports Created by ---- ----------------- ------------------ ------------------ ---------------- 1 1 V 2 Wlan gi9 gi8 S 3 DMZ gi2,gi9 gi7 S 4 W_PSK gi8-9 S 6 W_Guest gi8-9 S 7 W_Roku gi8-9 gi2,gi6 S 9 9 gi1,gi3-5,gi9-10, D Po1-8 10 disabled S sg300-10#sho run int gi9 interface gigabitethernet9 description "Uplink sg300-28" switchport trunk allowed vlan add 2-4,6-7 ! sg300-10#sho run int gi8 interface gigabitethernet8 flowcontrol on description "UAP-AC-Lite (Kitchen)" switchport trunk allowed vlan add 4,6-7 switchport trunk native vlan 2 ! sg300-10#On port 8 I have native vlan 2 set because this is the vlan my AP are on for management which is untagged. I talk to the switches on vlan 9. You see that is untagged on port 9 which is port that connects to my upstream switch sg300-28, that is connected to my pfsense.
If you put the port that connects through the dumb switch to your netgear only on vlan 20, how would you talk to the switch via default vlan 1 which is your lan network..
-
@johnpoz After what you mentioned about trunk port instead of access. I made the following changes below. please see the cmds typed in the screenshot. hopefully, that is correct.
on my cisco switch, port 8 is the AP that is plugged in. on port 1 is the cable that connects from my cisco switch to my dumb switch.
here are some more settings of my cisco switch currently
yes I agree i have more reading / learning to do w/tagged & untagged.what do i need to fix or is that correct?
my normal ssid wireless is acting weird after making those changes, not allowing things to connect etc. so i am not sure if adding the vlan to the cisco switch made it worse or not.
I went to check my APs and it seems like something is off. see the screenshots below. I am not sure what needs to be fixed.
-
@travelmore where is 192.168.0 ??
I thought your lan was 192.168.1/24
Why would your AP be on a 192.168.0 network?
From your cisco - you have 20 trunk only on port 8, how does vlan get to this switch from your pfsense??? What are you not understanding about this?
pfsense - 1U,20T -- netgear -- 1U,20T -- dumbswitch -- 1U,20T - cisco -- 1U,20T -- APYour lan is native and untagged.. 192.168.1.x this would be the default vlan on your switch.. You then tag vlan 20 on same lan interface re0.. So your switch that connects to pfsense lan interface would need to be vlan 1 untagged. Vlan 20 tagged.
Now as you pass this traffic to your cisco.. Again vlan 1 untagged and tagged vlan 20.. Your dumb switch is stupid he doesn't know anything about tags, but you still have to tag the traffic as it gets sent to your dumb switch.. Then as it enters the cisco, the cisco needs to know that untagged traffic is vlan 1, and that tagged traffic on 20 goes where, etc..
So on the port your AP connected to vlan 1 would be untagged, and vlan 20 would be tagged.
Just at a loss to where/why your AP are on this 192.168.0 network?? Yeah that isn't going to work..
-
@johnpoz Okay good catch. that is weird i scrolled up and looked at the pics and they do show
the 192.168.1 address. i didn't change anything in those settings the only thing i did was change those commands on the cisco switch.
how does something like that even change? -
@travelmore did you manually set IPs on our AP.. If not then they get their IP via dhcp.. So what dhcp server on vlan 1 do you have handing out a 192.168.0.x address??
-
@johnpoz thats the thing, i didnt' mess w/the APs at all. the only thing i did after we figured out that disabling and re-enabling that vlan20 on the pf sense fixed it our issue and i could then poing the 20.1 vlan, then i changed the settings on the cisco and ever since then i cant remote into the cisco switch and stuff w/the APs started acting wonky.
so to answer your question what DHCP server on vlan 1 do i have handing out 192.168.0.x address. I don't, everything comes from PF sense and from what I can tell there isn't anything in a 168.1 address.
i looked in my routes on pf sense and i don't even see a 168.1.
So i used IP scanner and I found this:
i didn't plug any new device in today. and i checked my netgear switch is still good. i have no clue where that device is or how it even got plugged in because no one plugged anything like that in. but that device in the pic even shows its like not on. I pulled the power on my cisco switch. maybe that will help once it reboots.
in unifi, on networks, there was a setting that said global switch settings, and DHCP snooping was enabled. I unchecked that box. maybe that was it.
-
@travelmore Again, the problem with vlan20 was that you never applied the changes you made. You can't just click save and think you're done, you have to then click "apply changes" to actually apply them. Bouncing the port is what actually applied the changes.
You have a netgear router running dd-wrt somewhere on your network. Probably using it as an AP only but the dhcp server on it is enabled.
Find that mac address. Do a sh mac add on the cisco and see what port it shows up on.
If that doesn't work, disconnect things until the dhcp server stops giving out addresses and locate from there. -
@jarhead hey I will but I just tried plugging into my Netgear switch and I can't even connect to it. I am on my phone on mobile typing this out. I unplugged said device but still nothing.
I am at loss. When I did the Cisco commands on the switch as shown above I did write to save the changes so I don't know what happened.The only thing plugged in and on is my pihole, modem, pfsense PC, switches and APs that went rogue.
I can get into my pihole via directly and see it's still live and not handing out dhcp.
I can ping my pf sense box from there.
I rebooted pf sense and it's fine I can still ping it from my pihole. My pihole can ping my pfsense ip and the pf sense vlan20 up, just fine.
Now I am not sure what to type in the switch that needs to be looked at or done.
There is no rogue device on my network but I did see a frontier said pop up last night that I'm wondering if it is interfering (doubtful but one can hope).
I rebooted the switch lastnight.
What commands should I even type in the Cisco switch at this point?I can't connect to wireless devices or plug into my Netgear switch and connect to anything, just shows connected then says no internet.
I can connect to my Netgear via ip when plugged into the switch but it doesn't show that I have a hardwired connection.
Edit: I just called the isp and there is an outage in my area and they said it started late last night and don't know when it will be fixed or what caused it.
-
@travelmore said in Cant ping vlan on pf sense from any device?:
shown above I did write to save the changes so I don't know what happened.
A command on a switch is instant, now if you rebooted the switch before you wrote those to mem, then it would load its previous saved config.
To your netgear config.. You show you had its port 8 tagged on 20.. Any device connected to that port would have to be set to understand the tag.
What did you have the pvid set on port 8 of your netgear? if 20 then untagged traffic entering the port would be vlan 20. But traffic leaving the port towards you device would be tagged 20, and you device would need to understand that tag..
