Weird VLAN issue
-
Hello Everyone!
I have an issue plaguing one of my VLANs.
I have blown it out and rebuilt it several times.
Soo on to the problem...I have an XG-7100 with a LAN and 2 VLANS, LAN, VOICE, and GUEST.
LAN is 10.33.1.1
VOICE is 10.50.1.1
GUEST is 10.60.1.1Firewall rules are set to allow all.
LAN can ping GUEST but not VOICE
GUEST can ping LAN and VOICEIf i change the VOICE interface from a /24 to a /32 save and apply changes then change it back, LAN can ping VOICE for about 5 seconds before dropping back out.
It's not a switch issue, I have verified all connectivity thru there.
I have spun up a test VLAN and ws able to ping it just fine.It is literally just the VOICE VLAN I cannot ping.
Anyone have any ideas??
Thanks in advanced!
-
You can not ping the voice interface IP, or you can ping devices on the voice vlan?
Can a device on lan ping the voice interface IP 10.50.1.1? And your rules on lan are any any? If not then you have a mask issue most likely.
-
That is correct. I can’t ping either the interface ip or any devices on that interface.
All the interfaces are setup as a /24.I can ping the voice interface and associated subnet from all interfaces except The LAN.
-
lets see your full Lan rules, and do you have any rules on your floating tab.. You don't have a gateway set on your lan? Are you policy routing traffic out a gateway, ie do you have vpn setup on pfsense?
-
No floating rules.
No Gateway on the LAN.
The only thing special I have setup is a Multi-WAN redundant setup.Here is a really big kicker,
I have a site-to-site vpn that can ping the VOICE interface and associated devices. -
Your wan would have nothing to do with pinging the voice..
your not doing any odd outbound nat? Its just auto? What is the mask on your lan and your voice.. Lets see the output of your routing table
Also validate the mask on your client.. I Don't really see how that could be an issue then.. lets say you had a /19 then that would end at 63 and you shouldn't be able to ping guest either. And if you had 20 it would be at 47..
But yeah very odd. But lets validate the setup of the voice and lets see your routing table.. Do you have some odd route sending it elsewhere?
what are you using on your tunnel network for your site to site - and what are the networks on the other side of the vpn?
-
NAT is set at Auto.
Endpoint for site-to-site is 10.34.1.0/24 connecting to 10.33.1.0/24 and 10.50.1.0/24
Client is pulling from pFsense DHCP -
Yeah that all looks fine.. That makes no sense that you can not ping 10.50.1.1 from client on 10.33.1/24
When you ping the that IP from a client, you sniff on lan on pfsense - and you see the traffic?
You got no port forwards setup?
-
Packet capture shows data flowing to pFsense, but nothing coming back.
No port forwards. -
That is very odd.. So you see packet to 10.50.1.1 in the packet capture. And nothing in the log that it was blocked?
But you can ping 10.60.1.1 from lan just fine?
-
Yup, Yup, and Yup!
Other then changing the VOICE subnet, i don't know what to do.
-
Yeah at loss, lets see if @Derelict or @stephenw10 are around and might have some ideas
-
I have a site-to-site vpn that can ping the VOICE interface and associated devices.
What are the Phase 2 traffic selectors defined there?
Anything silly like captive portals?
-
OMG!
I took a look at the settings for the VOICE Phase 2 and for some reason had the remote subnet setup as my LAN subnet.
I can now ping and access from the LAN.
Well, I'm a special one!
Thanks everyone for your help! Sorry to waste your time!