PFsense Cisco 2950 802.1q *** Not able to ping
-
Before posting this issue I did search through a few documentations and set up for 802.1q in Pfsense seemed to be straight forward. However I seem to be missing a piece of the puzzle. My test system consist of Pfsense 2.3.2-RELEASE-p1 installed on a four port older Astaro firewall appliance. The interfaces eth0 and eth1 are used for WAN and LAN which work just fine. I am testing the Vlan assignment with eth2 which in Pfsense it is identified as fxp2 which is connected to a test Cisco 2950 with 802.1q enabled. I did create an vlan interface assigned to fxp2 with a specific vlan tag (105) and assigned a static IP address within the subnet. I also created inbound and outbound ICMP rule for the interface. However I cannot ping the IP address from the same IP subnet. JUst to be certain the port connection to the switch I did test the fxp2 interface and the firewall without VLAN tagging/ switch trunking and it worked just fine. I believe I am missing something very simple. Can you help?
-
You'll have to provide us more information, such as:
1. The VLAN and interface configuration details from the pfSense GUI
2. The output of "ifconfig -a" from Diagnostics > Command so we can see the actual underlying interface settings
3. The firewall rules for the interface(s) in question
4. The switch config for the port(s) connected to pfSense, and any VLAN config on the switch (vlan database or vtp or whatever that old 2950 uses) -
Interface: Vlan105test ethport: fxp2 (opt1) Vlan tag:105 priority:0
2.3.3-RELEASE][admin@pfsens2.tnwebhost.com]/root: ifconfig -a
fxp0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magi ="" c,vlan_hwtso="">ether 00:1a:8c:11:45:9c
inet 192.168.1.12 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::1:1%fxp0 prefixlen 64 scopeid 0x1
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
fxp1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magi ="" c,vlan_hwtso="">ether 00:1a:8c:11:45:9d
inet6 fe80::21a:8cff:fe11:459d%fxp1 prefixlen 64 scopeid 0x2
inet 208.82.183.12 netmask 0xffffff00 broadcast 208.82.183.255
nd6 options=23 <performnud,accept_rtadv,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
fxp2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magi ="" c,vlan_hwtso="">ether 00:1a:8c:11:45:9e
inet6 fe80::21a:8cff:fe11:459e%fxp2 prefixlen 64 scopeid 0x3
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
fxp3: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 1500
options=4219b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol ="" _magic,vlan_hwtso="">ether 00:1a:8c:11:45:9f
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
pflog0: flags=100 <promisc>metric 0 mtu 33184
pfsync0: flags=0<> metric 0 mtu 1500
syncpeer: 224.0.0.240 maxupd: 128 defer: on
syncok: 1
enc0: flags=0<> metric 0 mtu 1536
nd6 options=21 <performnud,auto_linklocal>lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
options=600003 <rxcsum,txcsum,rxcsum_ipv6,txcsum_ipv6>inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
nd6 options=21 <performnud,auto_linklocal>fxp2_vlan105: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 15 00
options=3 <rxcsum,txcsum>ether 00:1a:8c:11:45:9e
inet6 fe80::21a:8cff:fe11:459e%fxp2_vlan105 prefixlen 64 scopeid 0x9
inet 192.168.5.12 netmask 0xffffff00 broadcast 192.168.5.255
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan: 105 vlanpcp: 0 parent interface: fxp2
[2.3.3-RELEASE][admin@pfsens2.tnwebhost.com]/root: ifconfig -a
fxp0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso>ether 00:1a:8c:11:45:9c
inet 192.168.1.12 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::1:1%fxp0 prefixlen 64 scopeid 0x1
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
fxp1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso>ether 00:1a:8c:11:45:9d
inet6 fe80::21a:8cff:fe11:459d%fxp1 prefixlen 64 scopeid 0x2
inet 208.82.183.12 netmask 0xffffff00 broadcast 208.82.183.255
nd6 options=23 <performnud,accept_rtadv,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
fxp2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso>ether 00:1a:8c:11:45:9e
inet6 fe80::21a:8cff:fe11:459e%fxp2 prefixlen 64 scopeid 0x3
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
fxp3: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 1500
options=4219b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic,vlan_hwtso>ether 00:1a:8c:11:45:9f
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
pflog0: flags=100 <promisc>metric 0 mtu 33184
pfsync0: flags=0<> metric 0 mtu 1500
syncpeer: 224.0.0.240 maxupd: 128 defer: on
syncok: 1
enc0: flags=0<> metric 0 mtu 1536
nd6 options=21 <performnud,auto_linklocal>lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
options=600003 <rxcsum,txcsum,rxcsum_ipv6,txcsum_ipv6>inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
nd6 options=21 <performnud,auto_linklocal>fxp2_vlan105: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:1a:8c:11:45:9e
inet6 fe80::21a:8cff:fe11:459e%fxp2_vlan105 prefixlen 64 scopeid 0x9
inet 192.168.5.12 netmask 0xffffff00 broadcast 192.168.5.255
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan: 105 vlanpcp: 0 parent interface: fxp2
[2.3.3-RELEASE][admin@pfsens2.tnwebhost.com]/root:Rules (Drag to Change Order)
States Protocol Source Port Destination Port Gateway Queue Schedule Description Actions
0 /0 B
IPv4 IGMP VLAN105TEST address * VLAN105TEST net * * none
0 /0 B
IPv4 ICMP VLAN105TEST net * VLAN105TEST address * * noneinterface FastEthernet0/35
switchport access vlan 105
switchport trunk encapsulation dot1q
switchport mode trunk
!</full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast></performnud,auto_linklocal></rxcsum,txcsum,rxcsum_ipv6,txcsum_ipv6></up,loopback,running,multicast></performnud,auto_linklocal></promisc></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic,vlan_hwtso></broadcast,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,simplex,multicast></performnud,auto_linklocal></rxcsum,txcsum,rxcsum_ipv6,txcsum_ipv6></up,loopback,running,multicast></performnud,auto_linklocal></promisc></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol ></broadcast,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magi ></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magi ></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magi ></up,broadcast,running,simplex,multicast> -
A note:
The information I provided for the switch port (item #4) is now a Cisco 3500XL. Thanks
-
interface FastEthernet0/35
switchport access vlan 105
switchport trunk encapsulation dot1q
switchport mode trunkThat config is wrong - your saying its both an access port and a trunk port..
-
interface FastEthernet0/35
switchport access vlan 105
switchport trunk encapsulation dot1q
switchport mode trunkThat config is wrong - your saying its both an access port and a trunk port..
I've seen that before, when the port is set to a trunk using "switchport mode trunk" it will disregard the "switchport access vlan 105"
IMO you should either default the interface using the following when in config mode default interface f0/35 and redo your config.
Or erase the startup file to default the switch to out of box using the erase startup command and delete the van.dat file using delete flash:/vlan.dat
You can also default the config by keeping the mode button pressed on the bottom left and waiting for 30 secs.
-
I have seen it lots of times as well - its borked! Port is not going to work how they want with such a config.
-
Not sure why it was there but I removed the access switch port part:
Current configuration:
!
interface FastEthernet0/35
switchport trunk encapsulation dot1q
switchport mode trunk
endStill no luck!
-
Ok so a client in this vlan on some other Access port.. Can it ping pfsense IP on the vlan interface?
fxp2_vlan105: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:1a:8c:11:45:9e
inet6 fe80::21a:8cff:fe11:459e%fxp2_vlan105 prefixlen 64 scopeid 0x9
inet 192.168.5.12 netmask 0xffffff00 broadcast 192.168.5.255Looks to be 192.168.5.12, is your cllient on this vlan getting IP from dhcp from pfsense. Do you see the mac address for 192.168.5.12 in your client after you try and ping?</rxcsum,txcsum></up,broadcast,running,simplex,multicast>
-
There is no DHCP and the static IP is assigned. Just to make sure the ports on the firewall and switch I assigned vlan 105 to the switch port access:
Current configuration:
!
interface FastEthernet0/35
switchport access vlan 105
switchport trunk encapsulation dot1q
endAlso assigned the PFsense Interface with the original IP address and rules to the port directly (no vlan tagging) and below is a ping and arp from a client system that is also on vlan 105:
[root@cache-relay1 ~]# ping 192.168.5.12
PING 192.168.5.12 (192.168.5.12) 56(84) bytes of data.
64 bytes from 192.168.5.12: icmp_seq=1 ttl=64 time=2.38 ms
64 bytes from 192.168.5.12: icmp_seq=2 ttl=64 time=0.530 ms
64 bytes from 192.168.5.12: icmp_seq=3 ttl=64 time=0.575 ms
64 bytes from 192.168.5.12: icmp_seq=4 ttl=64 time=0.515 ms
64 bytes from 192.168.5.12: icmp_seq=5 ttl=64 time=0.593 ms–- 192.168.5.12 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 0.515/0.919/2.385/0.734 ms
[root@cache-relay1 ~]# arp
Address HWtype HWaddress Flags Mask Iface
192.168.5.167 ether 5A:9C:CE:01:45:9B C eth0
192.168.5.251 ether 00:10:DB:08:81:C4 C eth0
192.168.5.191 ether 82:15:47:DE:AE:20 C eth0
192.168.5.12 ether 00:1A:8C:11:45:9E C eth0
192.168.5.165 ether 16:BE:65:AC:CF:3F C eth0
192.168.5.202 ether 76:DA:01:52:6C:60 C eth0
192.168.5.168 ether 32:5D:F3:4C:47:33 C eth0This indicates that my firewall rule is fine as well as the port.
-
Rules (Drag to Change Order) States Protocol Source Port Destination Port Gateway Queue Schedule Description Actions 0 /0 B IPv4 IGMP VLAN105TEST address * VLAN105TEST net * * none 0 /0 B IPv4 ICMP VLAN105TEST net * VLAN105TEST address * * noneThat is pretty nonsensical.
There are no outbound rules on interface tabs. They govern connections coming into the interface they are on.
Note that one rule is ICMP and one is IGMP.
For testing pings from the VLAN105 subnet all you need is that ICMP rule.
Whatever problem you are having is in your switch. Anything on an access port set to VLAN 105 and numbered correctly on that subnet will be able to ping the pfSense interface.
-
!
interface FastEthernet0/35
switchport access vlan 105
switchport trunk encapsulation dot1q
endAs has been said, get rid of the trunk config on your edge device (access, untagged) ports. There is zero reason for that to be there.