VLAN pingable from pfSense but not Cisco Switch - 3750G???
-
Hi all,
Here is the current situation. I hope I don't confuse anyone...
I have my pfSense box doing routing, VLANs, DHCP, etc. I have a 3750G that I am using just to trunk traffic across and eventually for some PoE WAPs to be powered off of.
Now, I am set up like this: pfSense internal NIC to Cisco port 1, port 2 from the Cisco to an unmanaged switch on the data LAN.
I can ping any data LAN IP from the Cisco 3750G, from pfSense, or from any client on the unmanaged switch, no problem. I have created a VLAN on the pfSense box, called VLAN 192, with an IP of 192.168.89.1/24. From pfSense I can ping the interface, and I can ping the VLAN IP on pfSense from a PC on the data network just fine. But things get tricky when I try to ping the pfSense VLAN IP from the Cisco switch. I can't.
I have trunk ports defined on both gig 1 and gig 2, which are passing traffic through the unmanaged switch and the pfSense local NIC. I have allowed VLAN 192 on the trunks (as well as the data network VLAN). I have tried native VLAN tags... I have tried them as access ports... I have also tried doing ip route 0.0.0.0 0.0.0.0 to my primary pfSense router IP.
If anyone could chime in with some tips, I would greatly appreciate it! Sorry for being all over the place in my topic. I've had a long day playing with this. :)
Cheers...
The entire point of me even wanting to VLAN is to segregate an isolated guest wireless VLAN to my WAPs.
Thanks!
-
How exactly would you ping this from your Cisco? Do you have an SVI (switch virtual interface) in that VLAN 192? Do your firewall rules and routing allow your Cisco management SVI IP to get to the IP of the pfSense interface on that VLAN?
-
How exactly would you ping this from your Cisco? Do you have an SVI (switch virtual interface) in that VLAN 192? Do your firewall rules and routing allow your Cisco management SVI IP to get to the IP of the pfSense interface on that VLAN?
I wasn't aware I needed to assign an SVI to establish a pingable connection from the switch. I thought as long as my VLAN numbers matched on the Cisco device and the pfSense device, I should be able to ping across, as long as the trunk ports are allowing those VLANs to communicate through... Maybe I misunderstood?
This seems like a natural thing one would want to do... Have pfSense drive everything, but have a switch where devices would be able to communicate through. Is the SVI technology you speak of the best way for me to pass VLAN information to and from the Cisco device from pfSense?
I appreciate your time!
-
Ping across, sure... it sounded like you wanted to ping from or to the switch.
If you're wanting to ping from one VLAN to another VLAN, the pfSense rules that do the routing from one VLAN to another would have to allow ICMP. And the device you're pinging would have to answer the ping. If it's running a software firewall, for example, it might not answer a ping from a different network, i.e. VLAN.
If you want to ping from or to the switch, then you would need an IP on that VLAN, i.e. an SVI that has an IP in that VLAN.
-
Ping across, sure... it sounded like you wanted to ping from or to the switch.
If you're wanting to ping from one VLAN to another VLAN, the pfSense rules that do the routing from one VLAN to another would have to allow ICMP. And the device you're pinging would have to answer the ping. If it's running a software firewall, for example, it might not answer a ping from a different network, i.e. VLAN.
If you want to ping from or to the switch, then you would need an IP on that VLAN, i.e. an SVI that has an IP in that VLAN.
Hi John,
Yes, I misunderstood. I am trying to ping to or from the switch, i.e. ping the VLAN 192 interface of the switch from my local PC (192.168.89.10 in this case)... I can ping the gateway (on pfSense, from my PC) but not the VLAN interface on the switch. See config below:
Vap3-3750G-01-PoE#sh run int vlan 192
Building configuration...
Current configuration : 65 bytes
!
interface Vlan192
 ip address 192.168.89.10 255.255.255.0
end
Vap3-3750G-01-PoE#
Vap3-3750G-01-PoE#
Vap3-3750G-01-PoE#sh run int gig 1/0/1
Building configuration...
Current configuration : 203 bytes
!
interface GigabitEthernet1/0/1
 description Connection to VMWare Onboard Data NIC
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,192
 switchport mode trunk
 speed 1000
end
Vap3-3750G-01-PoE#sh run int gig 1/0/2
Building configuration...
Current configuration : 230 bytes
!
interface GigabitEthernet1/0/2
 description Connection to Netgear (8port) Switch
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100,192
 switchport mode trunk
 speed 1000
end
Vap3-3750G-01-PoE#
Also, here is my configuration within pfSense:
https://flic.kr/p/SShJGs
https://flic.kr/p/SShJHj
-
Apologies. Here are the LAN rules...
https://flic.kr/p/SG8gB9
-
And where is your switch's gateway, or routes that allow it to get off that VLAN? For you to ping that IP from a different network, the switch needs to know to send the reply to a gateway.
-
And where is your switch's gateway, or routes that allow it to get off that VLAN? For you to ping that IP from a different network, the switch needs to know to send the reply to a gateway.
I have tried it with and without routes, without success.
I have submitted the following:
ip route 0.0.0.0 0.0.0.0 10.254.1.1 (SHOULDN'T THIS TELL THE SWITCH: ANY IP, ANY SUBNET, REDIRECT TO 10.254.1.1?)
That route didn't help anything. I can ping the interface IP of management VLAN 1, but not 192, which is the 192.168.89 network...
Very interesting.
-
And how would that work when its IP is not in that network?
Your gateway has to be in the same network as your IP. So its IP is 192.168.89/24; what is the pfSense IP in that network? That would be your switch's default gateway.
Why would your switch need multiple SVIs for management? If you say you can get to the IP you have on its VLAN 1 to manage it... Its IP in the 192.168.89 network serves no purpose if it's not going to do routing for that VLAN.
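As an added example (not from the thread or either poster), a small Python model of the reply-path rule John states: an echo reply to a host off the switch's own subnets only gets out if the default gateway sits on a subnet one of the switch's SVIs is actually in. The Vlan192 address and the 10.254.1.1 next hop come from the thread; the Vlan1 and PC addresses are assumptions.

```python
import ipaddress

# Constructed topology for the check below. Vlan192 is the SVI shown in the
# thread; the Vlan1 address and the PC address are assumptions.
SVIS = {
    "Vlan1": ipaddress.ip_interface("10.254.1.20/24"),      # assumed
    "Vlan192": ipaddress.ip_interface("192.168.89.10/24"),  # from the thread
}
DEFAULT_GW = "10.254.1.1"  # next hop of the ip route 0.0.0.0 0.0.0.0 in the thread
PC = "10.254.1.50"         # assumed data-LAN host pinging the Vlan192 SVI


def connected_interface(svis, addr):
    """Return the name of the SVI whose subnet contains addr, else None."""
    addr = ipaddress.ip_address(addr)
    for name, iface in svis.items():
        if addr in iface.network:
            return name
    return None


def with_svi(svis, name, cidr):
    """Copy svis with one SVI re-addressed, to try alternative addressing."""
    return {**svis, name: ipaddress.ip_interface(cidr)}


def reply_path(svis, default_gw, src):
    """How the switch would forward an echo reply back to src.

    A directly connected subnet wins; otherwise the default gateway is used,
    but only if that gateway is itself on a connected SVI subnet. Returns
    (outcome, detail) with outcome in {'direct', 'via-gateway', 'unreachable'}.
    """
    via = connected_interface(svis, src)
    if via is not None:
        return "direct", via
    if default_gw is None:
        return "unreachable", "no default gateway configured"
    gw_if = connected_interface(svis, default_gw)
    if gw_if is None:
        return "unreachable", f"gateway {default_gw} is not on any SVI subnet"
    return "via-gateway", f"{default_gw} out {gw_if}"


if __name__ == "__main__":
    for src in (PC, "172.16.5.9"):
        print(src, reply_path(SVIS, DEFAULT_GW, src))
    # Same static route, but Vlan1 moved off the gateway's subnet: the route
    # can never be used, so off-subnet pingers get no reply at all.
    print("moved", reply_path(with_svi(SVIS, "Vlan1", "10.0.0.20/24"),
                              DEFAULT_GW, "172.16.5.9"))
```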