pfSense Cisco 2950 802.1Q *** Not able to ping



  • Before posting this issue I did search through a few documents, and the setup for 802.1Q in pfSense seemed to be straightforward. However, I seem to be missing a piece of the puzzle. My test system consists of pfSense 2.3.2-RELEASE-p1 installed on an older four-port Astaro firewall appliance. The interfaces eth0 and eth1 are used for WAN and LAN, which work just fine. I am testing the VLAN assignment with eth2, which pfSense identifies as fxp2, and which is connected to a test Cisco 2950 with 802.1Q enabled. I created a VLAN interface on fxp2 with a specific VLAN tag (105) and assigned it a static IP address within the subnet. I also created inbound and outbound ICMP rules for the interface. However, I cannot ping the IP address from the same IP subnet. Just to be certain of the port connection to the switch, I tested the fxp2 interface and the firewall without VLAN tagging/switch trunking, and it worked just fine. I believe I am missing something very simple. Can you help?


  • Rebel Alliance Developer Netgate

    You'll have to provide us more information, such as:

    1. The VLAN and interface configuration details from the pfSense GUI
    2. The output of "ifconfig -a" from Diagnostics > Command so we can see the actual underlying interface settings
    3. The firewall rules for the interface(s) in question
    4. The switch config for the port(s) connected to pfSense, and any VLAN config on the switch (vlan database or vtp or whatever that old 2950 uses)



    Interface: Vlan105test, parent interface: fxp2 (opt1), VLAN tag: 105, priority: 0

    [2.3.3-RELEASE][admin@pfsens2.tnwebhost.com]/root: ifconfig -a
    fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
            ether 00:1a:8c:11:45:9c
            inet 192.168.1.12 netmask 0xffffff00 broadcast 192.168.1.255
            inet6 fe80::1:1%fxp0 prefixlen 64 scopeid 0x1
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
            ether 00:1a:8c:11:45:9d
            inet6 fe80::21a:8cff:fe11:459d%fxp1 prefixlen 64 scopeid 0x2
            inet 208.82.183.12 netmask 0xffffff00 broadcast 208.82.183.255
            nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
            ether 00:1a:8c:11:45:9e
            inet6 fe80::21a:8cff:fe11:459e%fxp2 prefixlen 64 scopeid 0x3
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    fxp3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
            ether 00:1a:8c:11:45:9f
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    pflog0: flags=100<PROMISC> metric 0 mtu 33184
    pfsync0: flags=0<> metric 0 mtu 1500
            syncpeer: 224.0.0.240 maxupd: 128 defer: on
            syncok: 1
    enc0: flags=0<> metric 0 mtu 1536
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    fxp2_vlan105: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=3<RXCSUM,TXCSUM>
            ether 00:1a:8c:11:45:9e
            inet6 fe80::21a:8cff:fe11:459e%fxp2_vlan105 prefixlen 64 scopeid 0x9
            inet 192.168.5.12 netmask 0xffffff00 broadcast 192.168.5.255
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
            vlan: 105 vlanpcp: 0 parent interface: fxp2
    [2.3.3-RELEASE][admin@pfsens2.tnwebhost.com]/root:

    Rules (Drag to Change Order)
    States   Protocol    Source                Port   Destination           Port   Gateway   Queue   Schedule   Description
    0/0 B    IPv4 IGMP   VLAN105TEST address   *      VLAN105TEST net       *      *         none
    0/0 B    IPv4 ICMP   VLAN105TEST net       *      VLAN105TEST address   *      *         none

    interface FastEthernet0/35
    switchport access vlan 105
    switchport trunk encapsulation dot1q
    switchport mode trunk
    !



  • A note:

    The information I provided for the switch port (item #4) is now a Cisco 3500XL. Thanks


  • Rebel Alliance Global Moderator

    interface FastEthernet0/35
    switchport access vlan 105
    switchport trunk encapsulation dot1q
    switchport mode trunk

    That config is wrong - you're saying it's both an access port and a trunk port.


  • Galactic Empire

    @johnpoz:

    interface FastEthernet0/35
    switchport access vlan 105
    switchport trunk encapsulation dot1q
    switchport mode trunk

    That config is wrong - you're saying it's both an access port and a trunk port.

    I've seen that before: when the port is set to a trunk using "switchport mode trunk", it will disregard the "switchport access vlan 105".

    IMO you should either default the interface using the following when in config mode, "default interface f0/35", and redo your config.

    Or erase the startup file to default the switch to out-of-box using the "erase startup" command, and delete the vlan.dat file using "delete flash:/vlan.dat".

    You can also default the config by keeping the mode button pressed on the bottom left and waiting for 30 secs.


  • Rebel Alliance Global Moderator

    I have seen it lots of times as well - it's borked! The port is not going to work how they want with such a config.



  • Not sure why it was there but I removed the access switch port part:

    Current configuration:
    !
    interface FastEthernet0/35
    switchport trunk encapsulation dot1q
    switchport mode trunk
    end

    Still no luck!


  • Rebel Alliance Global Moderator

    OK, so a client in this VLAN on some other access port: can it ping the pfSense IP on the VLAN interface?

    fxp2_vlan105: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=3<RXCSUM,TXCSUM>
            ether 00:1a:8c:11:45:9e
            inet6 fe80::21a:8cff:fe11:459e%fxp2_vlan105 prefixlen 64 scopeid 0x9
            inet 192.168.5.12 netmask 0xffffff00 broadcast 192.168.5.255

    Looks to be 192.168.5.12. Is your client on this VLAN getting an IP from DHCP from pfSense? Do you see the MAC address for 192.168.5.12 in your client after you try and ping?



  • There is no DHCP; the static IP is assigned. Just to make sure of the ports on the firewall and switch, I assigned VLAN 105 to the switch port as an access VLAN:

    Current configuration:
    !
    interface FastEthernet0/35
    switchport access vlan 105
    switchport trunk encapsulation dot1q
    end

    I also assigned the pfSense interface with the original IP address and rules to the port directly (no VLAN tagging), and below is a ping and arp from a client system that is also on VLAN 105:

    [root@cache-relay1 ~]# ping 192.168.5.12
    PING 192.168.5.12 (192.168.5.12) 56(84) bytes of data.
    64 bytes from 192.168.5.12: icmp_seq=1 ttl=64 time=2.38 ms
    64 bytes from 192.168.5.12: icmp_seq=2 ttl=64 time=0.530 ms
    64 bytes from 192.168.5.12: icmp_seq=3 ttl=64 time=0.575 ms
    64 bytes from 192.168.5.12: icmp_seq=4 ttl=64 time=0.515 ms
    64 bytes from 192.168.5.12: icmp_seq=5 ttl=64 time=0.593 ms

    --- 192.168.5.12 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4004ms
    rtt min/avg/max/mdev = 0.515/0.919/2.385/0.734 ms
    [root@cache-relay1 ~]# arp
    Address                  HWtype  HWaddress          Flags Mask            Iface
    192.168.5.167            ether  5A:9C:CE:01:45:9B  C                    eth0
    192.168.5.251            ether  00:10:DB:08:81:C4  C                    eth0
    192.168.5.191            ether  82:15:47:DE:AE:20  C                    eth0
    192.168.5.12            ether  00:1A:8C:11:45:9E  C                    eth0
    192.168.5.165            ether  16:BE:65:AC:CF:3F  C                    eth0
    192.168.5.202            ether  76:DA:01:52:6C:60  C                    eth0
    192.168.5.168            ether  32:5D:F3:4C:47:33  C                    eth0

    This indicates that my firewall rule is fine as well as the port.


  • Netgate

    Rules (Drag to Change Order)
    States   Protocol    Source                Port   Destination           Port   Gateway   Queue   Schedule   Description
    0/0 B    IPv4 IGMP   VLAN105TEST address   *      VLAN105TEST net       *      *         none
    0/0 B    IPv4 ICMP   VLAN105TEST net       *      VLAN105TEST address   *      *         none

    That is pretty nonsensical.

    There are no outbound rules on interface tabs. They govern connections coming into the interface they are on.

    Note that one rule is ICMP and one is IGMP.

    For testing pings from the VLAN105 subnet all you need is that ICMP rule.

    Whatever problem you are having is in your switch. Anything on an access port set to VLAN 105 and numbered correctly on that subnet will be able to ping the pfSense interface.


  • Netgate

    !
    interface FastEthernet0/35
    switchport access vlan 105
    switchport trunk encapsulation dot1q
    end

    As has been said, get rid of the trunk config on your edge device (access, untagged) ports. There is zero reason for that to be there.
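
The thread ends with the verdict that the fault is on the switch, not in pfSense: the port facing pfSense carried both an access and a trunk statement, and the edge ports should be plain access ports. The script below is an added example for this thread, not code from pfSense, Netgate or Cisco. It pulls the vlan(4) tag and parent out of the posted ifconfig output and lints a Cisco IOS interface block against it, flagging the access-plus-trunk conflict johnpoz pointed out, a port that is not a trunk at all, the tag colliding with the trunk's native VLAN (IOS sends the native VLAN untagged, so a tagged pfSense interface never sees those frames), and an unpruned trunk. The "corrected" FastEthernet0/35 block, its allowed-VLAN list and native VLAN 999 are assumptions for the example, not from the thread; the `switchport trunk encapsulation dot1q` line is ignored because it does not change which frames are tagged.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed input: the pfSense VLAN interface as printed in the thread's ifconfig output.
PFSENSE_IFCONFIG = """\
fxp2_vlan105: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 00:1a:8c:11:45:9e
        inet 192.168.5.12 netmask 0xffffff00 broadcast 192.168.5.255
        vlan: 105 vlanpcp: 0 parent interface: fxp2
"""

# The port as first posted in the thread: access and trunk statements at once.
BROKEN_PORT = """\
interface FastEthernet0/35
 switchport access vlan 105
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

# Assumed corrected trunk towards pfSense (not from the thread): only VLAN 105 is
# carried, and the native VLAN is parked on an unused ID so nothing reaches the
# firewall's parent interface untagged.
FIXED_PORT = """\
interface FastEthernet0/35
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 105
 switchport trunk native vlan 999
 switchport mode trunk
!
"""


@dataclass
class SwitchPort:
    name: str
    mode: Optional[str] = None               # "access" / "trunk", None if unset
    access_vlan: Optional[int] = None
    allowed_vlans: Optional[Set[int]] = None  # None means every VLAN is allowed
    native_vlan: int = 1                     # IOS default


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '105,200-202' into a set of IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_ios_interface(text: str) -> SwitchPort:
    """Collect the switchport statements of one 'interface ...' block."""
    port: Optional[SwitchPort] = None
    for raw in text.splitlines():
        line = raw.strip()
        m_if = re.match(r"interface (\S+)$", line)
        if m_if:
            port = SwitchPort(m_if.group(1))
            continue
        if port is None or not line or line in ("!", "end"):
            continue
        if m := re.match(r"switchport mode (access|trunk)$", line):
            port.mode = m.group(1)
        elif m := re.match(r"switchport access vlan (\d+)$", line):
            port.access_vlan = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line):
            port.allowed_vlans = parse_vlan_list(m.group(1))
        elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
            port.native_vlan = int(m.group(1))
        # 'switchport trunk encapsulation ...' and other lines are ignored.
    if port is None:
        raise ValueError("no 'interface' block found")
    return port


def parse_pfsense_vlan(ifconfig: str) -> Dict[str, object]:
    """Return the name, 802.1Q tag and parent of the first vlan(4) interface in ifconfig output."""
    iface = None
    for line in ifconfig.splitlines():
        m_if = re.match(r"(\S+): flags=", line)
        if m_if:
            iface = m_if.group(1)
        m_vlan = re.search(r"vlan: (\d+) vlanpcp: \d+ parent interface: (\S+)", line)
        if m_vlan and iface:
            return {"iface": iface, "tag": int(m_vlan.group(1)), "parent": m_vlan.group(2)}
    raise ValueError("no vlan(4) interface in ifconfig output")


def lint_port(port: SwitchPort, vlan: Dict[str, object]) -> List[str]:
    """Explain whether tagged frames from the pfSense VLAN interface can cross this port."""
    tag, iface = vlan["tag"], vlan["iface"]
    findings: List[str] = []
    if port.mode == "trunk" and port.access_vlan is not None:
        findings.append(f"ERROR {port.name}: 'switchport access vlan {port.access_vlan}' is ignored "
                        "once 'switchport mode trunk' is set; remove it")
    if port.mode != "trunk":
        findings.append(f"ERROR {port.name}: {iface} sends VLAN {tag} tagged, "
                        "but the port has no 'switchport mode trunk'")
        return findings
    if port.native_vlan == tag:
        findings.append(f"ERROR {port.name}: VLAN {tag} is the native VLAN, so the switch "
                        f"sends it untagged and {iface} never sees it")
    if port.allowed_vlans is None:
        findings.append(f"WARN {port.name}: every VLAN is allowed on the trunk; "
                        f"prune with 'switchport trunk allowed vlan {tag}'")
    elif tag not in port.allowed_vlans:
        findings.append(f"ERROR {port.name}: VLAN {tag} is not in the trunk's allowed list")
    return findings


if __name__ == "__main__":
    pf_vlan = parse_pfsense_vlan(PFSENSE_IFCONFIG)
    for label, cfg in (("as posted", BROKEN_PORT), ("corrected", FIXED_PORT)):
        print(f"--- {label}")
        for finding in lint_port(parse_ios_interface(cfg), pf_vlan) or ["OK"]:
            print(finding)
```

Feed it the pfSense `ifconfig -a` output and the `show running-config interface` block of the port that faces pfSense; the client ports stay plain `switchport mode access` / `switchport access vlan 105` and are not trunk-linted. Against the posted config it reports the ignored access statement and the unpruned trunk; against the corrected block it reports nothing.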