Why might it be that a system on the same vlan not be accessible by other systems?
-
Hi Everyone,
I'm trying to make a somewhat isolated environment for testing, and I'm running into an issue where systems whose network interfaces are tagged to be a certain vlan are not accessible by other systems on the same vlan.
The setup is as follows:
RHEL9.2 Host System: 10.32.40.9 - KVM host with vlan tagged [3240] network interface included into a bridge interface, this is so that the guest VM would be assigned the bridged network interface with the vlan for testing.
Ubuntu 22.04 Guest System: 10.32.40.10 - Guest VM with the bridged network interface assigned.
pfSense CE 2.6: 10.32.40.1 - The vlan [3240] is defined for one of the interfaces as well as a few other interfaces that host other vlans. The guest Ubuntu system [10.32.40.10] can "see" the pfSense system [10.32.40.1], but I was thinking that the RHEL9.2 Host System [10.32.40.9] would be accessible by both the guest system and the pfSense system, but any attempt to ping/connect to 10.32.40.9 from 10.32.40.1 and 10.32.40.10 fails.
I've reconfigured the firewall rules for the interface that the vlan [3240] is on to allow any/any, so I don't think anything should be blocked.
My question is, why might it be that the host IP address 10.32.40.9 is not accessible from 10.32.40.1 or 10.32.40.10, even though I think they are all on the same vlan?
I know this is kind of vague, so if there's any other information I can provide to help flesh things out, please let me know.
-
@uquevedo said in Why might it be that a system on the same vlan not be accessible by other systems?:
I've reconfigured the firewall rules for the interface that the vlan [3240] is on to allow any/any, so I don't think anything should be blocked.
Did you also open that in RHEL9.2 and Ubuntu? I mean, do they have internal firewalls such as AppArmor, and should something be opened there too?? -
@dobby_ said in Why might it be that a system on the same vlan not be accessible by other systems?:
Did you also open that in RHEL9.2 and Ubuntu?
Yes, the firewalls for both are disabled. I purposefully disable firewalld in RHEL installs, and ufw in Ubuntu seems to install inactive. Just for reference, here's how the RHEL bridge interface is configured:
Details of the enp113s0.3240 interface:
The gateway is missing from the bridge because of the routes I have configured to be able to get to the other vlan networks I have configured:
A system on the 3230 vlan network [10.32.30.100] can ping 10.32.40.1 and 10.32.40.10, but not 10.32.40.9.
I should be able to ping the host IP 10.32.40.9 from any system that is on the same vlan/network, or from any other system that knows how to get to that network with the appropriate routing configured, right?
Or rather, since the bridged interface on the RHEL system's connection is tagged with vlan 3240, shouldn't other systems configured similarly or able to access this network be able to communicate with this system?
-
Realized that the gateways were kind of misconfigured and that the 10.32.40.0 network shouldn't be in the routing destination, but the 10.32.30.0 network should be:
-
If it'll help, here are some further details about my setup: everything is connected by Unifi switches that are vlan capable, but not all of the ports are specifically configured to be on a vlan.
I've been doing fping tests just to see what can be seen from a few different systems, and below are my findings.
From a system that is connected to a port designated with vlan 3220 [10.32.2.0 network]:
uquevedo@ubence-air-wired ~ % fping -ga 10.32.40.1 10.32.40.254 10.32.40.1 10.32.40.10
From the VM itself that is configured with the bridge interface to vlan 3240:
uquevedo@kea-testing:~$ fping -qga 10.32.40.1 10.32.40.254 10.32.40.1 10.32.40.10
From a system that is connected to a port designated with vlan 3230 [10.32.3.0 network]:
[uquevedo@fedora-system ~]$ fping -ga 10.32.40.1 10.32.40.254 10.32.40.1 10.32.40.10
From the actual RHEL9.2 host system, which of course can ping the IP address:
[uquevedo@rh-vm01 ~]$ fping -ga 10.32.40.1 10.32.40.254 10.32.40.1 10.32.40.9 10.32.40.10
There are many bridged interfaces on the host system connecting to various vlan tagged interfaces:
The bridge0 interface is a non-vlan tagged interface [vlan1?] and is accessible to all systems on the network.
I was under the assumption that if a network interface was tagged with vlan information, it would be accessible to other systems that are part of that same vlan?
Another thing about my setup is that these vlans are configured on a pfSense box for lab purposes, they are not configured on my main pfSense box [which I don't think matters]. So even though the opt ports of this system are technically on their own network, they are connecting to my main network.
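An added example (not from this thread) that models the route correction described a few posts up, where a stray 10.32.40.0/24 route on the RHEL host is replaced by the intended 10.32.30.0/24 route: it reproduces the kernel's longest-prefix lookup and asks whether a strict reverse-path filter (net.ipv4.conf.all.rp_filter=1) would silently drop packets from pfSense, the guest or the 3230 network when they arrive on the VLAN bridge, which is one reason a host can be pingable from itself but not from its neighbours. The bridge name bridge3240, the untagged 10.32.2.0/24 network, its .1 gateway and the route metrics are assumptions; loose mode (rp_filter=2) only drops sources that have no route at all.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    dst: ipaddress.IPv4Network
    dev: str
    via: Optional[str]
    metric: int

def parse_routes(text: str) -> list:
    """Parse 'ip route' style lines: DST [via GW] dev IF [...] [metric N]."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        via = tok[tok.index("via") + 1] if "via" in tok else None
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append(Route(ipaddress.ip_network(dst, strict=False),
                            tok[tok.index("dev") + 1], via, metric))
    return routes

def lookup(routes, addr) -> Optional[Route]:
    """Longest-prefix match; lowest metric wins a tie, as the kernel FIB does."""
    a = ipaddress.ip_address(addr)
    hits = [r for r in routes if a in r.dst]
    return min(hits, key=lambda r: (-r.dst.prefixlen, r.metric)) if hits else None

def strict_rp_filter_drops(routes, src, ingress) -> bool:
    """rp_filter=1 drops a packet unless the best route back to src exits via ingress."""
    best = lookup(routes, src)
    return best is None or best.dev != ingress

# Constructed tables: 10.32.40.0/24, 10.32.30.0/24, .40.1 and .40.9 come from the thread;
# bridge3240, the 10.32.2.0/24 untagged network, its .1 gateway and the metrics are assumed.
BROKEN = """\
default via 10.32.2.1 dev bridge0 metric 425
10.32.2.0/24 dev bridge0 proto kernel scope link src 10.32.2.9 metric 425
10.32.40.0/24 via 10.32.2.1 dev bridge0 metric 100
10.32.40.0/24 dev bridge3240 proto kernel scope link src 10.32.40.9 metric 425
"""
FIXED = BROKEN.replace("10.32.40.0/24 via 10.32.2.1 dev bridge0 metric 100",
                       "10.32.30.0/24 via 10.32.40.1 dev bridge3240 metric 425")

def check(table: str) -> dict:
    """Which sources arriving on bridge3240 would strict rp_filter drop?"""
    routes = parse_routes(table)
    return {src: strict_rp_filter_drops(routes, src, "bridge3240")
            for src in ("10.32.40.1", "10.32.40.10", "10.32.30.100")}
```

On the real host, `ip route` gives the table to paste in place of the constructed ones, `ip route get 10.32.40.1` shows which interface the kernel would actually answer pfSense on, and `sysctl net.ipv4.conf.all.rp_filter` tells you whether the strict check applies.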