Netgate Discussion Forum

    Yet another "No internet access from VLAN" problem

      helgew

      My pfSense appliance has 4 network ports and I am using one of them exclusively for VLAN traffic via a Netgear ProSAFE Level 2 switch. The pfSense port is connected to a port on the switch that is tagged for that VLAN and the ports connected to an ESXi host are also tagged. In ESXi, I have configured a network with the same VLAN id and added a virtual NIC to one of my VM guests. pfSense's firewall is configured to pass all traffic on the VLAN and the WAN interface has a NAT rule for the VLAN network. The guest can access any IPs on the VLAN and other internal subnets and I can access the VLAN IP from all other internal subnets. Alas, the guest cannot access the internet from the VLAN IP. I see repeated unanswered 'who-has' ARP requests on the pfSense side with tcpdump when trying to ping google.com:

      
      [2.4.2-RELEASE][root@pfsense.example.com]/root: tcpdump -i em3.50
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on em3.50, link-type EN10MB (Ethernet), capture size 262144 bytes
      23:26:52.436730 IP guest.example.com.49303 > 10.0.5.1.domain: 31227+ A? dynamic&dynamic.example.com. (46)
      23:26:54.312509 IP6 fe80::1:1 > ff02::1: ICMP6, router advertisement, length 56
      23:26:54.344929 IP6 fe80::1:1 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
      23:26:54.639004 ARP, Request who-has lax17s38-in-f14.1e100.net tell guest.example.com, length 46
      23:26:55.340092 IP 10.0.5.1.domain > guest.example.com.49303: 31227 ServFail 0/0/0 (46)
      23:26:55.340669 IP guest.example.com.60876 > 10.0.5.1.domain: 31227+ A? dynamic&dynamic.example.com. (46)
      23:26:55.340801 IP 10.0.5.1.domain > guest.example.com.60876: 31227 ServFail 0/0/0 (46)
      23:26:55.341173 IP guest.example.com.54948 > 10.0.5.1.domain: 55693+ A? dynamic&dynamic. (33)
      23:26:55.341291 IP 10.0.5.1.domain > guest.example.com.54948: 55693 NXDomain 0/1/0 (108)
      23:26:55.598151 IP6 fe80::1:1 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
      23:26:55.641565 ARP, Request who-has lax17s38-in-f14.1e100.net tell guest.example.com, length 46
      23:26:56.643700 ARP, Request who-has lax17s38-in-f14.1e100.net tell guest.example.com, length 46
      23:26:57.453663 ARP, Request who-has 10.0.5.1 tell guest.example.com, length 46
      23:26:57.453677 ARP, Reply 10.0.5.1 is-at 00:ec:ac:cd:e8:49 (oui Unknown), length 28
      23:26:58.638640 ARP, Request who-has lax17s38-in-f14.1e100.net tell guest.example.com, length 46
      23:26:59.641593 ARP, Request who-has lax17s38-in-f14.1e100.net tell guest.example.com, length 46
      23:27:00.643478 ARP, Request who-has lax17s38-in-f14.1e100.net tell guest.example.com, length 46
      23:27:01.887953 IP6 fe80::1:1 > ff02::1: ICMP6, router advertisement, length 56
      23:27:02.640505 ARP, Request who-has lax17s38-in-f14.1e100.net tell guest.example.com, length 46
      
      

      Any help would be greatly appreciated.

        johnpoz LAYER 8 Global Moderator

        You wouldn't ARP for something unless you thought it was on your own network.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.11.1 | Lab VMs 2.8.1, 25.11.1
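
The check the reply points to, as an added example that is not part of either post: it scans `tcpdump -n` output for ARP requests whose target lies outside the VLAN subnet, and shows how a host's own prefix decides whether it ARPs for the destination or for its gateway. The guest address 10.0.5.20, the /24 prefix, the destination 203.0.113.10 and the too-wide /0 prefix are assumptions for illustration, not values or a diagnosis from the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in `tcpdump -n` format (numeric addresses, no name lookup).
# Only 10.0.5.1 and its MAC come from the post; everything else is assumed.
CAPTURE = """\
23:26:54.639004 ARP, Request who-has 203.0.113.10 tell 10.0.5.20, length 46
23:26:55.641565 ARP, Request who-has 203.0.113.10 tell 10.0.5.20, length 46
23:26:57.453663 ARP, Request who-has 10.0.5.1 tell 10.0.5.20, length 46
23:26:57.453677 ARP, Reply 10.0.5.1 is-at 00:ec:ac:cd:e8:49, length 28
23:26:58.638640 ARP, Request who-has 203.0.113.10 tell 10.0.5.20, length 46
"""

ARP_REQUEST = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")


def off_link_arp(capture, vlan_net):
    """Count ARP requests per (sender, target) whose target is outside vlan_net."""
    net = ipaddress.ip_network(vlan_net)
    hits = Counter()
    for line in capture.splitlines():
        match = ARP_REQUEST.search(line)
        if not match:
            continue
        target, sender = match.groups()
        try:
            if ipaddress.ip_address(target) not in net:
                hits[(sender, target)] += 1
        except ValueError:
            # Target was printed as a hostname; capture again with -n.
            continue
    return dict(hits)


def arp_target(dst, host_iface, gateway):
    """Address a host ARPs for when sending to dst, given its own IP/prefix."""
    on_link = ipaddress.ip_address(dst) in ipaddress.ip_interface(host_iface).network
    return dst if on_link else gateway


if __name__ == "__main__":
    for (sender, target), count in off_link_arp(CAPTURE, "10.0.5.0/24").items():
        print(f"{sender} sent {count} ARP request(s) for off-link address {target}")
    # Correct prefix: the host ARPs for its gateway.
    print(arp_target("203.0.113.10", "10.0.5.20/24", "10.0.5.1"))
    # Assumed misconfiguration (prefix too wide): it ARPs for the remote address.
    print(arp_target("203.0.113.10", "10.0.5.20/0", "10.0.5.1"))
```
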

        Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.