PfSense can ping all but one specific IP address in range
-
When I try packet capture from firewall with full detail setting for IP 192.168.88.15, and then ping the VM I get:
07:41:47.733598 ARP, Request who-has 192.168.88.15 tell 192.168.88.254, length 28This is pfSense trying to discover the MAC address of the system with IP address 192.168.88.15. That there is no reply suggests to me one or more of:
1. The "plumbing" linking VMs doesn't include a system with IP address 192.168.88.15
2. Such a system is configured to ignore ARPs.I suggest you do a packet capture in that VM to see if the ARP Requests are reaching it and it is responding.
-
Yes, it is highly likely that the ARP requests are not reaching the VM from the pfSense, but why?
The VM accepts ping and RDP from all other devices in the IP range, so it is not an issues with the VM setup.
It must be some sort of network issue…...
The backupserver hosting the VM is physical, so all the traffic goes through a physical NIC. But why can the server access the VM, while the pfSense cant, when their setup seems identical?
They are in the same IP range, and both are connected to Vlan 88. The backupserver is also connected to Vlan 88.
-
3. It is responding to ARPs but the pfSense box is not seeing the response.
Perhaps the other VMs have already cached the MAC/IP of the server. Is the pfSense box the most recent VM?
Can you ARP for that IP from any other machine?
Steve
-
Hi Steve,
Yes, all machines in the range can ping the VM in the sandbox.
No, the pfSense has been in production for over 1 year.
I'm not an network expert, since it's almost 10 years since i've studied ARP etc., and have forgotten all about it.
I've tryed different IP's for static mapping to the VM in the sandbox, and all the servers can find the VM right away. But pfSense won't.
-
I've tryed different IP's for static mapping to the VM in the sandbox, and all the servers can find the VM right away. But pfSense won't.
I think if you want more specific help you will need to provide much more detail on your configuration. In particular, how pfSense is supposed to communicate with the "problem" VM. I don't know vSphere but I consider it suspicious that your previously posted vSphere configuration screenshot doesn't show the problem VM on the same VLAN as the pfSense x.x.x.254 interface.
-
Ok, i've tryed to make a drawing using paint (yes good old paint :) )
Does this give you guys any possible soulutions or ideas for tools for problemsolving?
-
Hmm. I would try creating a different server in the sandbox and see if the results are any different.
You haven't shown any VLANs on the diagram, I assume everything there is in the same VLAN?
Check the MAC of the sandbox server against the real NIC and anything else in the chain. .20 .22 and .15 are presumably using the same physical NIC. There may be more than one device using the same MAC which is causing pfSense a problem. Do you have any other FreeBSD boxes to test with?
Steve
-
FORM YOU PICTURE SHOW THAT YOU CONFIGURED IPS IN SAME RANGE NO NATING IS DOING THERE . MY SUGGESTION IS TRY TO REMOVE THE TICK FROM Block private networks Block bogon networks FROM THE INTERFACE . THIS MAY SOLVE YOU PROBLEM
-
Been on a long weekend vacation…...
Rake, good suggestion, but unfortunately the boxes are unticked :(
Stephen, the MAC's of the sandbox proxy and real NIC are different.
I have checked the ARP table on the pfSense, and the IP of the sandbox proxy is in the table, although the IP of the VM in the sandbox is not.
Note: I am NOT able to ping the ip of the sandbox proxy from the pfSense firewall either. All other servers in the range can ping the sandbox proxy IP.
I am ever so close to jumping out the window (don't worry, only a 2 feet drop). This problem is just not logical.........
-
So if pfsense is not on the same segment??
The firewall is the one called 254.domain.lan.
A server is the one called 102.domain.lan.
102 can ping VM, but 254 can not.As mentioned above by wallabybob where is this 88.15 box connected to that vswitch? If that vswitch is the 192.168.88.0/24 ??
Show us this box your trying to ping on your vsphere setup. And its ipconfig /all – I am guessing its a windows box?
-
Hi John,
thank you for joining.
If you check the drawing I made on top of page 2 in this tread, you might get the overview you need.
The sandbox proxy is created by the backupserver, and is a linux as far as I know. I have no linux experience.
Let me know if there is any other info you might need.
-
You didn't say whether you have any other FreeBSD machines on your network?
One possibility is that FreeBSD, and hence pfSense, adhere strictly to the rules regarding IPs, routing, subnets etc. Other OSs not so much. Hence it's possible to have a setup that works from Windows and not FreeBSD.Steve
-
No, there are no other FreeBSD machines in that IP range. So maybe this could be relevant. You have any suggestions as to how I might check this? A complete novice with FreeBSD.
I will just point out once more that pfSense can ping the backup server at .20 and all other machines in the range. Only the proxy/VM are 'unpingable'
-
What do you mean by proxy for sandbox? is that just another esxi host? Or other vm, then show us its vwswitch setup, like you did with the esxi host containing the pfsense and 102 VMs
-
You have any suggestions as to how I might check this?
No not really. You could setup a FreeBSD (or some derivative of it) machine and see how that behaves but that's not a quick and easy test. To be honest I doubt that this is the cause but I thought I'd mention it since we seem to be running out of options. The only time I've heard of it was a Windows box that was using a gateway outside of its subnet something that pfSense refused to do in the same situation.
Steve
-
can we see the ipconfig /all from the 102 box that you say can ping this 88.15 box
-
To Johnpoz (the ipconfig /all of the 102, which can ping VM):
Ethernet adapter DOMAIN.LAN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS
VBD Client) #36
Physical Address. . . . . . . . . : 78-2B-CB-49-76-5F
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::31dd:2adc:9c3a:9b1e%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.88.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.88.254
DHCPv6 IAID . . . . . . . . . . . : 309865419
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-C8-11-52-78-2B-CB-49-76-60The default gateway is the pfSense, and all this works perfectly. The pfSense can also ping 102.
The proxy for the sandbox is created by the backupserver, and is not part of the VMWare enviroment. Please view drawing on top of tread page 2.
-
I expected the above to show 192.168.88.102 not .10 is that just a typo?
Steve
-
Hi Steve,
you are absoluty right. Wrong server ipconfig. This is the config for 102:
Ethernet adapter Domain.lan:Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #
2
Physical Address. . . . . . . . . : 00-50-56-96-42-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::c52d:5bbd:1909:a310%14(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.88.102(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.88.254
DHCPv6 IAID . . . . . . . . . . . : 318787670
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-36-15-5A-00-50-56-96-42-06 -
I saw your paint drawing.. And it makes no sense to what you mean by Proxy??
What proxy software? Do you mean its doing NAT? How does it proxy?
If you saying 88.102 can talk to 88.15 how does it do it via the proxy?
From your drawing there is no difference between the interface connected to the vswitch for your 88.102 box and pfsense at 88.102
Ok just took a look real quick!!
http://www.veeam.com/vmware-esx-backup.html
And its doing NAT into your sandbox, clearly states the stuff in the sandbox are isolated and you connect to them via a masqueraded IP
http://forums.veeam.com/viewtopic.php?f=24&t=9329&start=15#p40131
Q: How is it possible to access temporary VMs in the isolated network from production network, if VMs in both networks have the same IP addresses?
A: Each temporary VM is assigned so called "masquerade address" from selected masquerade network (part of virtual lab settings). Routing table on Veeam Backup server is automatically updated, and proxy appliance IP address in the production network is assigned as gateway for masquerade network. Acting as gateway, the proxy appliance performs address translation and substitutes masquerade IP address with real IP address in the isolated network. Although this sounds pretty complex, all happens transparently for you as a user.So what was the NAT setup you created when you installed this veem backup - it says you create that scheme when you setup.
