VLAN can't ping pfSense address
-
Well lets see the config from your 250, I have 350s
Yeah your right simple config.. Like I said this is 30 seconds.. Did you actually create vlan 20 in your cisco switch?
pfsense -- trunk 20T -- cisco -- Acess 20U --- PC
incomplete in the arp table - just means nothing answered for the IP you arp for
here
[21.05-RELEASE][admin@sg4860.local.lan]/root: ping 192.168.9.44 PING 192.168.9.44 (192.168.9.44): 56 data bytes ^C --- 192.168.9.44 ping statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss [21.05-RELEASE][admin@sg4860.local.lan]/root: arp -a | grep 192.168.9.44 ? (192.168.9.44) at (incomplete) on igb0 expired [ethernet] [21.05-RELEASE][admin@sg4860.local.lan]/root:Because there is no 9.44 - You have a problem with just layer 2 connectivity if you can not arp the mac
I create a new VLAN (ID 20) in an OPT Interface.
So is there a native network on this opt interface? Do you have the interface enabled?
-
@johnpoz here it is, switch config:
VLANs:
1 - Not used at all
3 - traffic alredy passing across pfsense (its working)
20 and 25 - My New VLANs.Iam just only talking about VLAN 20 because I assume that if a fix one, fix both.
Switch:
ports: 1-4 trunk ports (1st. attempt)
port: 10 - VLAN 20 Untagged port for my laptop
ports: 13-16 untagged ports on VLAN 20 (where my hosts are right now)
port 23: where pfsense is connected to.
port 24: VLAN 3 traffic (working Ok)That's all.
-
Why all the I vlans (internal used)?
You don't have a PVID set? Your access 20U port should really show 20UP, Without the pvid being set for the vlan, it would default to 1..
Why are you tagging vlan 1 on port 23?
Here - so 5 is going to pfsense that has native network (vlan2) and vlans on it tagged.
Port 16 goes to a rasberry pi in my vlan 3
Notice the P - you need that set on access port or even trunk port where there is going to be untagged traffic so switch knows what vlan any ingress traffic it sees into that port what vlan its on.
-
@johnpoz Yes I is Internal.
Well, that image is from a similar switch. But as you can see in my switch there is any port with P, even those ones that haven't been configured (like 5,6, or 7).
Iam gonna trying to force it.
Thanks.
-
@daniel1972 said in VLAN can't ping pfSense address:
Iam gonna trying to force it.
On the top of your listing of where you show - does it show P for PVID.. A port has to have a vlan that it puts untagged traffic too.. It not like something only unique to a specific cisco switch ;)
Any managed/smart switch that understands them has to be able to set the pvid... Maybe your switch auto changes it to be what the Access vlan is - but I doubt that to be honest.
Out of the box switch would be vlan 1 would be native, and all ports would have PVID of 1.. If you changed yoru default native vlan.. Then the default of all ports would be that vlan.. There has to be a place to set the pvid of port you put in either trunk mode with native vlan or on your access ports.. Even cheap $40 smart switches allow this.
-
@johnpoz Yes. I agree. It's just that I alredy changed, but it's not reflected in the administrative console.
There is a Join VLAN button, where you can setup this. Iam gonna send a pic. Pheraps Iam missing an step somewhere....
Thanks-.
-
@johnpoz here is what Iam talking about:
-
Ok - not how I would do it at all ;)
There is really zero use case for "general" ports - seems like your just kind of clicking random shit hoping something works to be honest..
General allows for multiple untagged - which is really a big NO NO!!
Again going to ask why you have vlan 1 tagged on the port that is connected to pfsense? ge23.. What is this actual interface setup on pfsense? That is showing 3U and 1T just makes
What is the physical configuration of this interface on pfsense. So it has a native network whatever your vlan 3 is, and then 2 vlans setup on it 20 and 25?
-
@johnpoz said in VLAN can't ping pfSense address:
Ok - not how I would do it at all ;)
There is really zero use case for "general" ports - seems like your just kind of clicking random shit hoping something works to be honest..You are 110% right. :-)
Iam just trying things. Iam on my own on this. No fellas to ask at my side.General allows for multiple untagged - which is really a big NO NO!!
Second thing learnt.
Again going to ask why you have vlan 1 tagged on the port that is connected to pfsense? ge23.. What is this actual interface setup on pfsense? That is showing 3U and 1T just makes
Vlan 1 is here just because is default config switch. I just use a spare switch to test things in order to not touch production one. Just want to make this work here and then move to production one. Do you believe is messing things up?
I did this to trying to understand where problem is. I belived that if a change switch and the problem still persist then I needed to focus on pfsense. But honestly I do not where else to look at inside pfsense.
Pheraps I need some professional help here.
What is the physical configuration of this interface on pfsense. So it has a native network whatever your vlan 3 is, and then 2 vlans setup on it 20 and 25?
Pfsense have physical Interface (em4) where VLANs 20 and 25 was created. I set native network traffic to vlan 3, thats right (it's the em4 nic traffic alredy exists before I create this VLANs). And vlan 20 and 25 are the new VLANs.
I could try some other things like add a new NIC. But that's not the way I wan't to go.
-
Lets see your interface config for this em4.. This is not a VM is it? This is a physical box..
example here is my interfaces on my pfsense
So vlan 4 and 6 are tagged, the native network on this interface is vlan 2 on my switch. That is port ge5 from above. BTW - helping you helped me trim some no longer used vlans from my switch configs ;) So now its config loos like
sg300-28#sho run int ge5 interface gigabitethernet5 description "sg4860 WLan and vlans" switchport trunk allowed vlan add 4,6 switchport trunk native vlan 2 ! sg300-28#Here is device I have on vlan 4, which port ge27..
sg300-28#sho run int ge27 interface gigabitethernet27 description casetahub switchport mode access switchport access vlan 4 ! sg300-28#This is pretty basic stuff.. So we are missing piece of the puzzle here.. If your port on your switch to pfsense for your vlan is tagged, and pfsense has the same tag and setup and enabled. And then you create an access port and put it in that vlan.. Any device you plug into that port would now be on that vlan and pfsense should see its dhcp for example. And that device and pfsense should be able to arp for the each others IP.. Be it firewall or firewall rules blocking all traffic.
My thing on ge27 is just dumb iot device so I can not arp from it. But you can see pfsense sees its mac..
[21.05-RELEASE][admin@sg4860.local.lan]/root: ping 192.168.4.81 PING 192.168.4.81 (192.168.4.81): 56 data bytes 64 bytes from 192.168.4.81: icmp_seq=0 ttl=64 time=0.516 ms 64 bytes from 192.168.4.81: icmp_seq=1 ttl=64 time=0.300 ms 64 bytes from 192.168.4.81: icmp_seq=2 ttl=64 time=0.312 ms ^C --- 192.168.4.81 ping statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.300/0.376/0.516/0.099 ms [21.05-RELEASE][admin@sg4860.local.lan]/root: arp -a | grep 192.168.4.81 casetahub.local.lan (192.168.4.81) at a8:1b:6a:24:ec:26 on igb2.4 expires in 1151 seconds [vlan] [21.05-RELEASE][admin@sg4860.local.lan]/root: -
@johnpoz
Iam just replying quickly to share the info. Then I have to read, undestand & process your mail.And. Yes IT'S a VM. (but it allredy have some working VLANs on it.)
-
@daniel1972 said in VLAN can't ping pfSense address:
(but it allredy have some working VLANs on it.)
So you adjusted your vm software for allowing these new vlans? Calling out vmotion - so esxi? What do you have setup for your vswitches, if you want to pass tags to pfsense interface vnic like yoru doing with vlans setup than the vswitch vlan id would need to be set as 4095, etc.
Where do you have other vlans working on this em4? Your saying vlan 25 works, but vlan 20 doesn't
-
Iam gonna check that. For sure that vmnic is not configured to vlans traffic.
Iam gonna let you know if I can make things to work.
Thanks.
-
@johnpoz That WAS all the problem.
Thank you so much.
I need to reconfigure all the environment and remove all those "general" VLANs I have created.
Thank for your time and kindly explanations.
This is my complete fault, not to check if THAT nic allow VLANs traffic.
Thanks again.
