VLAN can't ping pfSense address
-
what are you rules on this new vlan interface?
-
all traffic is allowed. or am I wrong?
-
@daniel1972 said in VLAN can't ping pfSense address:
all traffic is allowed. or am I wrong?
You are wrong, IPv6 is not allowed.
Here it is working without a problem. -
@bob-dig , yes, you are wright. We dont use IPv6. That's all.
I have found a clue.
My traffic is send to Internet. I need to know why.
192.168.5.14 is a pc in my LAN. 192.168.20.11 is my Server 1.
-
@daniel1972 said in VLAN can't ping pfSense address:
My traffic is send to Internet. I need to know why.
192.168.5.14 is a pc in my LAN. 192.168.20.11 is my Server 1.This typically hapens when the destination IP doesn't lie within one of the networks which are assigned to pfSense and there is no other appropriate route defined.
I assume, 192.168.20.11 is in the concerned VLAN with ID20.
Possibly you've set a wrong mask for that interface? -
So your trying to ping pfsense 20.11 address from a different network this 192.168.5 - what are the rules on this interface. I would guess your forcing traffic out your internet gateway which is why its sending traffic there.
Look to bypass policy routing.
https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing
I thought you couldn't ping the pfsense 20.x address from something on the 20 vlan..
-
-
@johnpoz said in VLAN can't ping pfSense address:
I thought you couldn't ping the pfsense 20.x address from something on the 20 vlan..
That's true too.
-
-
@johnpoz thanks. I solve routing issue using your the link you share.
Unfortunatelly I can't solve the traffic issue inside VLAN 20.
But Iam gonna give some try to switch config.I guess the problem is there right now.
Thanks.
-
Also configured the servers (ESXi) with vlan ID 20.
How is pfsense connected to the network - via a switch? If vlan 20 is tagged in pfsense, then it needs to be tagged on your switch port its connected to.
When it comes to the connection into esxi. What vswitch and port group is connected to? If you want esxi to pass the tags then your vswitch/port group needs to have vlan ID 4095 set to pass the tags.
Or you can just let esxi handle the tags and set them on your vswitch/port group and the VM interface connected to this would not have any tags set.
-
@johnpoz said in VLAN can't ping pfSense address:
How is pfsense connected to the network - via a switch? If vlan 20 is tagged in pfsense, then it needs to be tagged on your switch port its connected to.
Yes. pfsense connects via switch. Vlan is tagged in pfsense:
And it's tagged on switch to ( as trunk port)
When it comes to the connection into esxi. What vswitch and port group is connected to? If you want esxi to pass the tags then your vswitch/port group needs to have vlan ID 4095 set to pass the tags.
The switch ports where ESXi is connected are trunked to. and VLAN 20 is configured at ESXi management NIC.
Iam reading this:
https://docs.netgate.com/pfsense/en/latest/recipes/switch-vlan-configuration.html
To try to understand a little bit more about the correct config.
I have change the switch without success. Iam gonna set servers ports to access and remove all vlans config from switch and ESXi to try to setting this up from bottom to top.If setting ESXi without vlan config and switch ports as access, then I guess if the problem still persist I will have to take a look at pfsense, but if the problem dissapear then I have to take a look at switch config.
Unfortunatelly I am not a pfSense neither networking expert. So I can't tell yet where the error is.
Thanks for your time.
Or you can just let esxi handle the tags and set them on your vswitch/port group and the VM interface connected to this would not have any tags set.
-
@daniel1972 said in VLAN can't ping pfSense address:
VLAN 20 is configured at ESXi management NIC.
So your trying to get to esxi managment? Or a vm?
I would suggest just connect a normal PC to the port - would just be access port in vlan 20.. does that work?
esxi and vlan with tagging can be bit much for someone new to it.. Are you doing VST or VGT, or do you have multiple interfaces in your esxi host and going to do EST?
This might help
https://kb.vmware.com/s/article/1003806But I would get your switch and pfsense working with just a PC ending up in the vlan you want first before playing with esxi and vlans.
-
@johnpoz Thanks for your help. Iam gonna try with a PC as you said in a access port.
Well I really don't know wich virtual tagging method are gonna be finally used. That's an integrator VMWare consultant matter.
Iam trying to figure it out why is this enviroment not working (it's someway similar to another ones we alredy had)
But following your tip Iam gonna start from simplest config as I can.
Thanks again.
-
I had setup a Notebook in an access port with an IP in VLAN 20 range (192.168.20.64) and can't ping it at all.
I just get Destination Host Unreachable from this notebook and from one ESXi server (removed vlan config and set switch port to access).
Iam planning to restart pfSense. Not more changes for today.
Thanks.
-
@daniel1972 said in VLAN can't ping pfSense address:
Iam planning to restart pfSense.
That not going to fix anything.. The only time you would ever have to reboot pfsense is on an upgrade..
What switch are you setting vlans on? Is this a netgate appliance - and you are using the switchports on it?
Setting up vlans is literally 30 seconds.. If you working with netgate appliance and you wanting to put port in a vlan - your going to have to show your switch config from your appliance.
If this is some other switch?
-
@johnpoz thanks for your kind help.
well, at least I learnt something (when to restart pfsense).
I have found this in my arp table:
Still can't figure it out what is happening here (pfsense or switch config).
Iam gonna try a couple of things and then upload switch config. It's a CISCO SG-250. Very simple switch.
Iam using it to test this environment and then move to production one. -
Well lets see the config from your 250, I have 350s
Yeah your right simple config.. Like I said this is 30 seconds.. Did you actually create vlan 20 in your cisco switch?
pfsense -- trunk 20T -- cisco -- Acess 20U --- PC
incomplete in the arp table - just means nothing answered for the IP you arp for
here
[21.05-RELEASE][admin@sg4860.local.lan]/root: ping 192.168.9.44 PING 192.168.9.44 (192.168.9.44): 56 data bytes ^C --- 192.168.9.44 ping statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss [21.05-RELEASE][admin@sg4860.local.lan]/root: arp -a | grep 192.168.9.44 ? (192.168.9.44) at (incomplete) on igb0 expired [ethernet] [21.05-RELEASE][admin@sg4860.local.lan]/root:Because there is no 9.44 - You have a problem with just layer 2 connectivity if you can not arp the mac
I create a new VLAN (ID 20) in an OPT Interface.
So is there a native network on this opt interface? Do you have the interface enabled?
-
@johnpoz here it is, switch config:
VLANs:
1 - Not used at all
3 - traffic alredy passing across pfsense (its working)
20 and 25 - My New VLANs.Iam just only talking about VLAN 20 because I assume that if a fix one, fix both.
Switch:
ports: 1-4 trunk ports (1st. attempt)
port: 10 - VLAN 20 Untagged port for my laptop
ports: 13-16 untagged ports on VLAN 20 (where my hosts are right now)
port 23: where pfsense is connected to.
port 24: VLAN 3 traffic (working Ok)That's all.
-
Why all the I vlans (internal used)?
You don't have a PVID set? Your access 20U port should really show 20UP, Without the pvid being set for the vlan, it would default to 1..
Why are you tagging vlan 1 on port 23?
Here - so 5 is going to pfsense that has native network (vlan2) and vlans on it tagged.
Port 16 goes to a rasberry pi in my vlan 3
Notice the P - you need that set on access port or even trunk port where there is going to be untagged traffic so switch knows what vlan any ingress traffic it sees into that port what vlan its on.
