Blocked packets on VLAN… and no ARP lookup on VLAN???
-
Hi there
I have two interfaces, one Broadcom BCM5701 in a Linux box, and the NS DP83815/16 MacPhyter embedded in the PC Engines WRAP box. Because of VM/network separation, the lack of a second interface, and no possibility to lay another patch cable, I'd like to do 802.1q VLAN tagging.
I set up a VLAN interface in Linux and assigned it an IP:
# vconfig add eth0 144
Added VLAN with VID == 144 to IF -:eth0:-
# ifconfig eth0.144 192.168.144.3 up
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0D:9D:FF:C8:C1
          inet addr:10.80.47.10  Bcast:10.80.47.127  Mask:255.255.255.128
          inet6 addr: fe80::20d:9dff:feff:c8c1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:297192 errors:0 dropped:0 overruns:0 frame:4
          TX packets:295035 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:62975556 (60.0 MiB)  TX bytes:71067760 (67.7 MiB)
          Interrupt:217

eth0.144  Link encap:Ethernet  HWaddr 00:0D:9D:FF:C8:C1
          inet addr:192.168.144.3  Bcast:192.168.144.255  Mask:255.255.255.0
          inet6 addr: fe80::20d:9dff:feff:c8c1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:328 (328.0 b)

# cat /proc/net/vlan/eth0.144
eth0.144  VID: 144   REORDER_HDR: 1  dev->priv_flags: 1
           total frames received            0
           total bytes received             0
       Broadcast/Multicast Rcvd             0
           total frames transmitted         6
           total bytes transmitted        468
           total headroom inc               0
           total encap on xmit              0
Device: eth0
INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0  6:0  7:0
EGRESSS priority Mappings:
#
On the WRAP box I just added, via the web GUI, a VLAN interface on sis0 (LAN):
# ifconfig
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::280:48ff:fe7e:4f9e%ath0 prefixlen 64 scopeid 0x1
        inet X.X.X.X netmask 0xffffff80 broadcast X.X.X.X
        ether 00:80:48:7e:4f:9e
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
        status: associated
        ssid blanet channel 7 bssid 00:80:48:7e:4f:9e
        authmode SHARED privacy ON deftxkey 1 wepkey 1:104-bit txpowmax 46
        protmode RTSCTS wme burst ssid HIDE -apbridge dtimperiod 1 bintval 100
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 fe80::20d:b9ff:fe05:c21c%sis0 prefixlen 64 scopeid 0x2
        inet X.X.X.X netmask 0xffffff80 broadcast X.X.X.X
        ether 00:0d:b9:05:c2:1c
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 fe80::20d:b9ff:fe05:c21d%sis1 prefixlen 64 scopeid 0x3
        inet PublicIP netmask 0xfffff000 broadcast 255.255.255.255
        ether 00:0d:b9:05:c2:1d
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
sis2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        ether 00:0d:b9:05:c2:1e
        media: Ethernet autoselect (none)
        status: no carrier
pflog0: flags=100<PROMISC> mtu 33208
pfsync0: flags=41<UP,RUNNING> mtu 2020
        pfsync: syncdev: lo0 maxupd: 128
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.144.1 netmask 0xffffffff broadcast 192.168.144.1
        inet6 fe80::280:48ff:fe7e:4f9e%vlan0 prefixlen 64 scopeid 0x8
        ether 00:0d:b9:05:c2:1c
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 144 parent interface: sis0
#
Now when I ping 192.168.144.1 from the Linux box (pinging from the VLAN interface on Linux to the VLAN interface on pfSense), I get ARP who-has and answers, and I get a filter log entry:
rule 89/0(match): block in on vlan0: 192.168.144.3 > 192.168.144.1: ICMP echo request, id 26688, seq 17, length 64
OK, the packet gets rejected… I added a firewall rule:
Action: Pass
Interface: LAN144
Protocol: ANY
Destination: ANY
This rule should cover all ingress traffic on the VLAN interface, including the ICMP echo and reply, no?
Even after adding a special rule for ICMP from the appropriate subnet to the VLAN144 interface, it didn't work; I still got no answer.
In fact I got no answer from anywhere. Not ICMP, not any TCP session, nothing. Everything transmitted to the VLAN interface on pfSense is blocked by the packet filter and shows up in the filter logs. And, never seen before, the log sometimes shows this:
Jun 10 02:45:05 last message repeated 3 times
Jun 10 02:43:09 kernel: arplookup 192.168.144.3 failed: host is not on local network
Jun 10 02:42:30 kernel: arplookup 192.168.144.3 failed: host is not on local network
And in fact, 192.168.144.3 (the Linux VLAN interface) doesn't show up in the WRAP box's ARP table…
Anyhow, although it shouldn't have an impact on these packets, I decreased the MTU on Linux to 1492. First I had an unmanaged desktop switch between them, but I removed that one as well and replaced it with a crossover cable... without any change in behavior...
Now, did I do something wrong? Is the National Semiconductor interface not capable of VLAN tagging? Although I see everything I'd like to have in this VLAN, why is it blocked?
I'm running pfSense 1.0.1 embedded on a PC Engines wrap1e203. (http://pcengines.ch/wrap1e203.htm)
cheers, thx and good night
maldex -
Reboot after you set up any VLANs on 1.0.1; there's a bug somewhere where they aren't brought up until you reboot.
-
Nah, solved nothing.
Still no answers, still rule 90/0(match): block in on vlan0: 192.168.144.3 > 192.168.144.1: ICMP echo request, and kernel: arplookup 192.168.144.3 failed: host is not on local network
-
Just upgraded to 1.2-Beta1… and still the same behavior...
Jun 10 15:32:21 kernel: arplookup 192.168.144.3 failed: host is not on local network
Jun 10 15:31:59 kernel: arplookup 192.168.144.3 failed: host is not on local network
But what changed… I don't have the block logs anymore.
Is there an issue with learning the ARP address on .1q interfaces?
-
Your subnet mask on the VLAN is /32. That means only it is on its own IP subnet. You need to change that to whatever you're using on the Linux box (or if you're using /32 there as well, you need to change that to the same on both ends, where both IPs are within the same subnet).
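As an added illustration of that diagnosis (not code from the thread or from pfSense), the check below parses the netmask out of each side's ifconfig line, in both the BSD hex form and the Linux dotted form, and reports whether the peer would be treated as on-link; the sample lines are constructed from the output quoted above.

```python
import ipaddress
import re

# Constructed sample lines, copied from the interface output quoted in the
# thread: the pfSense vlan0 as first configured (netmask 0xffffffff, a /32)
# and the Linux eth0.144 side (Mask:255.255.255.0, a /24).
PFSENSE_VLAN0 = "inet 192.168.144.1 netmask 0xffffffff broadcast 192.168.144.1"
LINUX_ETH0_144 = "inet addr:192.168.144.3  Bcast:192.168.144.255  Mask:255.255.255.0"

BSD_RE = re.compile(r"inet (\d+\.\d+\.\d+\.\d+) netmask 0x([0-9a-fA-F]{8})")
LINUX_RE = re.compile(r"inet addr:(\d+\.\d+\.\d+\.\d+).*?Mask:(\d+\.\d+\.\d+\.\d+)")


def parse_iface(line):
    """Build an IPv4Interface from one BSD-style or Linux-style ifconfig line.
    BSD prints the netmask as hex (0xffffffff); Linux prints it dotted."""
    m = BSD_RE.search(line)
    if m:
        mask = ipaddress.IPv4Address(int(m.group(2), 16))
        return ipaddress.IPv4Interface(f"{m.group(1)}/{mask}")
    m = LINUX_RE.search(line)
    if m:
        return ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    raise ValueError(f"no IPv4 address/netmask in: {line!r}")


def on_link(local, peer):
    """True if the kernel would ARP for peer directly on local's interface.
    A peer outside local.network is exactly what produces
    'arplookup ... failed: host is not on local network'."""
    return ipaddress.IPv4Address(peer) in local.network


def diagnose(local_line, peer):
    """Return (on_link, explanation) for a peer address seen on this interface."""
    local = parse_iface(local_line)
    if on_link(local, peer):
        return True, f"{peer} is inside {local.network}; ARP resolves normally"
    hint = ""
    if local.network.prefixlen == 32:
        hint = " (a /32 mask leaves only the interface itself in the subnet)"
    return False, f"{peer} is outside {local.network}{hint}"


if __name__ == "__main__":
    fixed = PFSENSE_VLAN0.replace("0xffffffff", "0xffffff00")  # the /24 fix
    print("pfSense vlan0 as posted:", diagnose(PFSENSE_VLAN0, "192.168.144.3"))
    print("pfSense vlan0 with /24: ", diagnose(fixed, "192.168.144.3"))
    print("Linux eth0.144:         ", diagnose(LINUX_ETH0_144, "192.168.144.1"))
```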
-
Damn, am I an idiot.
Thx a lot, that was it!
cheers