[SOLVED] Problem Vlan Trunk with cisco switch
-
PfSense does have Packet Capture, but I find Wireshark is much more useful.
Just want to mention that it is possible to use tcpdump from the shell with '-e' to see VLAN tags.
Agree that mirror port gives some benefits, but for quick check on pfSense trunk port tcpdump will do the job perfectly. Just my 2¢. -
One nice feature of Wireshark is you can use both capture and display filters.
-
I FINALLY MANAGED to make wireshark work (update, change npcap with winpcap, update gns3…)
here is the capture attached between the switch and pfsense, i really dont get why i didnt get any problem when using a normal router
i m really stuck...
whenever something is related to a vlan interface in pfsense that doesnt work for me : the parent interface is correctly enabled with no ip, the vlan interface is set with correct ip and mask, the link is correctly set, the firewall rules in the parent and vlan interfaces are set to allow anything
is the VTP domain the problem ? i have also set VTP mode to transparent
[Between pfsense and switch.pcapng](/public/imported_attachments/1/Between pfsense and switch.pcapng)
[between switch and end router.pcapng](/public/imported_attachments/1/between switch and end router.pcapng) -
I've just looked at the switch - pfsense capture. All I see is arp requests, on VLAN 20, from 10.4.20.2 to 10.4.20.1, but no replies along with some CDP (irrelevant) and LOOP. What is the LOOP doing there? If you run Packet Capture on opt4 (VLAN 20), do you see the arp requests from 10.4.20.2? Do you see them on any interface? Also, according to your diagram, the PC traffic should be on VLAN 10 between the switch and pfSense. Why are those arp requests on VLAN 20?
On switch - router, I see those arp requests from 10.4.20.2 on native LAN. What are they doing there? I thought traffic to the router should be on VLAN 20 at that point.
It looks like you haven't got the switch configured properly.
-
i just want to make work one of them so i put the start capture between pfsense and switch, then switch and end router which is the end device showed at the bottom right.
i dont know why the loop is there
the interface of the router is on vlan 20, the one with the pc is on vlan 10.
as for the int giga 0/1 connected to the router is correctly configured : switchport mode access, and switchport access vlan 20
for the giga 0/0 connected to pfsense : switchport mode trunk, switchport trunk encapsulation dot1q
-
the interface of the router is on vlan 20, the one with the pc is on vlan 10.
Yet the capture shows the arp request on VLAN 20. That tells me the port you think is on VLAN 10 is actually on 20.
as for the int giga 0/1 connected to the router is correctly configured : switchport mode access, and switchport access vlan 20
Then why does the arp request for 10.4.20.1 appear on the native LAN going to the router? Isn't that a different subnet from the PC? Arp is a broadcast and routers don't normally pass broadcasts.
If I'm not mistaken, the PC is on 10.4.10.0 /24 & VLAN 10 between the switch and pfsense. The router is on 10.4.20.0 /24 and on VLAN 20 between the switch & pfsense.
Since those are separate subnets, packets from the PC should not appear at the router, unless forwarded by pfSense. Yet, the PC pfSense link shows arp from the PC on VLAN20 to pfSense and then appearing on the router native LAN, with the same MAC address. This proves that you've got both switch ports on the same VLAN. Even with routed packets, the MAC address should contain the MAC from the pfSense interface. Arp packets shouldn't make it between the 2 VLANs at all.
-
I assure you that :
int giga 0/1 (connected to pc) is switchport mode access vlan 10
int giga 0/2 (connected to end router) is switchport mode access vlan 20i see that its normally done when i do a sho int status
and int giga 0/0 (connected to pfsense) is trunk with encapsulation dot1Q
i changed the switch with a new switch with another config type and everything, configured it, and made it work with router (in the place of pfsense), then tried with pfsense, still not working
router
|
switch
/
PC end routerthis is working, but with pfsense its not :
pfsense
|
switch
/
PC end routerhere i attached the new wireshark files, this time i see the icmp going in vlan 20 to the pfsense, then the problem is in pfsense i think… (no response)
i see there no arp
-
Just so you know the pc is not started, i work with the router, because if it works for the end router in vlan 20, it will work for the pc.
[Between pfsense and new switch.pcapng](/public/imported_attachments/1/Between pfsense and new switch.pcapng)
[between end router (bottom right) and new switch.pcapng](/public/imported_attachments/1/between end router (bottom right) and new switch.pcapng) -
Just so you know the pc is not started, i work with the router, because if it works for the end router in vlan 20, it will work for the pc.
Then where is that arp request coming from? If you want help, you need to accurately describe the network. We can't just assume what you think is correct.
-
the arps are coming from the end router look at the ip adresses it's 10.4.20.1(int VLAN20) and 10.4.20.2(end router) it's you who is confused where do you see an arp coming from the pc
in the mac addr table in this new switch with pfsense, i dont have mac addr from the pfsense int with any vlan, just the one with the router
-
Do i need a static route from pfsense to switch ??? the switch is only a layer 2 switch, it cannot manage to make it work ???
-
when trying to ping from pfsense, there are no arp replies : the router doesnt reply to pfsense ! and this reply is shown on the other side !
My guess is that the switch doesnt let throught this arp, even his mac address is not showing pfsense mac address interface
OK WHEN activating ip cef command in the switch those arp begin to pass ! now, i get only vlan 1 behind the mac address of pfsense, still no vlan 10 or 20 even thought the ping starts from the end router and the port connected to it is in vlan 20
OK i added statically the mac address in the switch, and the arp entry in the end router, the ping request goes throught, the ping response stops at the switch, AND ALSO THE PING REQUEST IS TAGGED VLAN 20 but the ping response is not tagged !!
-
Post a screen shot of the pfSense Interfaces > Assignments screen
-
the arps are coming from the end router look at the ip adresses it's 10.4.20.1(int VLAN20) and 10.4.20.2(end router) it's you who is confused where do you see an arp coming from the pc
In your first post, you say:
the PC has as ip addr: 10.4.10.2
Maybe I'm confused because I read what you wrote.
Do i need a static route from pfsense to switch ??? the switch is only a layer 2 switch, it cannot manage to make it work ???
You don't route to switches. You route to IP networks. Switches are transparent, forwarding only on MAC addresses.
My guess is that the switch doesnt let throught this arp, even his mac address is not showing pfsense mac address interface
Nonsense. Switches pass Ethernet frames, no matter what they're carrying.
AND ALSO THE PING REQUEST IS TAGGED VLAN 20 but the ping response is not tagged !!
I mentioned that in an earlier reply. You've got a configuration error somewhere. I'd suspect the switch.
-
here is the assignements screen attached
to answer you JKnott 10.4.10.2 is not in the 10.4.20.0/24 subnet and there are NO ARP with the PC address in the wiresharks i provided that's why i dont know what you're talking about
the switch conf also attached if you want, but i doubt that since its working with the router
 -
When you remove pfSense vm from the testbed, you also remove VMware Workstation and the physical nic from the testbed. I suggest that you make sure the physical nic on the host OS is able to handle a vlan trunk first. Then check that VMware Workstation vSwitch is configured to handle a vlan trunk as well. If all checks out then share the test results here if pfSense is still not handling the vlan trunk.
I am guessing that the drivers for your nic does not handle vlan trunk.
-
Please can you show me how to do that? when i went to the vmnet 7 configured i fould out that priority and vlan tag enabled and no value for vlan id i dont even know if this is there.
here attached the conf for the VMNET 7 used in the int of pfsense, and also vmnet0 and vmnet 8, as for vmnet 1 to 6 and 9 to end, same config as vmnet 7 but different subnet ip (as shown also in the attached files)
 -
First which OS (windows 10, linux) is hosting VMware Workstation? Which hardware nic is installed (intel i350)? Which driver (intel v23.1)?
-
windows 10,
as for the nic its in the attachement
 -
Are you sure your nic driver is capable of handling vlan trunk?
