[SOLVED] Problem Vlan Trunk with cisco switch
-
HI, i have a problem and cannot ping to pfsense correctly : Here is the network :
pfsense
|
|
| g0/0
Switch
g0/1/ \ g0/2
/
/
PC end routerthe PC has as ip addr: 10.4.10.2, sub network 10.4.10.0/24, def gateway : 10.4.10.1
the end router has as ip add: 10.4.20.2 sub network 10.4.20.0/24, def gateway 10.4.20.1 (with ip route 0.0.0.0 0.0.0.0)the switch configuration : vlan 10,20,100
g0/0 mode trunk with encapsulation dot1Q and native vlan 100 allowing all vlans
g0/1 mode access with vlan 10
g0/2 mode access with vlan 20in pfsense :
the interface is setup as enabled with no ip
the vlans are created from this parent interface (10,20, and 100)
the sub interfaces are names opt3, opt4 and opt5 (for vlan 10,20, and 100) with the addresses : 10.4.10.1 (/24), 10.4.20.1 (/24), and no address, and all three interfaces are enabledThe rules of all four interfaces (the parent and the 3 sub interfaces) : one rule set to allow from any to any using any protocol ipv4+ipv6
When changing pfsense with a router, and setting the interface as : no shut, and the 2 subinterfaces fa0/0.X0 (with X=1 or 2), encapsulation dot1Q X0(X=1 or 2), and the ip addr 10.4.X0.1/24 (X=1 or 2), the ping works from anywhere to anywhere
i use vmware workstation 14 to emulate pfsense 2.4.2-RELEASE with 1 custom normal vmnet adapter, and use gns3 for the cisco switches and routers
when i dont use vlans, and one normal interface, and use a switch with the 3 ports (vlan 1) in access mode the ping goes throught
please help me, and thanks in advance
 -
I'm a bit confused about something
g0/0 mode trunk with encapsulation dot1Q and native vlan 100 allowing all vlans
the interface is setup as enabled with no ip
the vlans are created from this parent interface (10,20, and 100)While a VLAN can be configured as native on an interface, that VLAN will not be tagged, since it's carried as native. This means that when it gets to pfSense, it will appear as native, rather than VLAN 100.
Since this is a managed switch, configure a mirror port so that you can use Wireshark to see exactly what's on the wire going to pfSense. I expect you'll find traffic you think is on VLAN 100 is in fact on native LAN, where pfSense doesn't have an address.
-
Here i switched i let the vlan 1 be the native vlan (i just want it to work, but still not working)
the interface which is setup as enabled with no ip is the parent interface in pfsense (i fould out that i should do that, but i dont know, in a router the parent interface not shut is enough)
the vlans created from the parent interface (in pfsense) are vlan 10, vlan 20, and vlan 1 (vlan 1 should i create it not ? either way not working),
the subinterfaces created from vlan 10, 20 are given the static ip addresses 10.4.10.1 mask /24 and 10.4.20.1 mask /24
if i create vlan 1 in pfsense, should i create a subinterface from vlan 1 or not ?
in the mac address table of the switch i have only :
-mac address of pfsense interface with VLAN 1
-mac address of PC1 interface with VLAN 10
-mac address of end router interface with VLAN 20with the router i get two more :
-mac address of router interface with VLAN 10
-mac address of router interface with VLAN 20
and of course in place of mac address of pfsense interface with VLAN 1, i get the mac address of the router interface with VLAN 1 -
If you're using native LAN between the switch & pfSense, you will need an address on the native LAN in pfSense. Or don't make VLAN 100 native on the connection. Your choice.
As I said, use Wireshark, so that you can see exactly what's happening. PfSense does have Packet Capture, but I find Wireshark is much more useful.
-
i have set up an interface for the vlan 1 which is the native vlan with the ip add 10.4.30.1/24 in pfsense
when i use wireshark start capture in the link between pfsense and the switch and then try a ping to the pfsense subinterface 10.4.10.1 with the pc (10.4.10.2) i get nothing and also when i use the same thing with the router even the ping get through i see no wireshark packet it might not be working
The différence in the mac address tables that i said in the previous post might help… i dont know
-
If you're seeing nothing on the link to pfSense, then your problem is within the switch. If it was configured properly, you should see the ping encapsulated in a VLAN tagged frame.
-
i think my wireshark doesnt work properly because even when i change pfsense with the configured router the ping works but still nothing when trying to get packet capture with wireshark
in pfsense with packet log when i ping i can only see an arp request and an arp response that's all
-
i think my wireshark doesnt work properly because even when i change pfsense with the configured router the ping works but still nothing when trying to get packet capture with wireshark
in pfsense with packet log when i ping i can only see an arp request and an arp response that's all
Have you set up a mirror port on the switch? A mirror port is one that copies traffic from another. This is the only way a switch can be used to monitor traffic. A while ago, I bought a small, cheap managed switch, to be used just for this purpose. You connect a computer running Wireshark to the mirror port. You can use Packet Capture, in pfSense, but it's limited in what it can do and it's often necessary to download the capture and read it with Wireshark.
As for arp, all that does is map an IP address to the MAC address. What IP address does it show? Is it one you expect?
-
PfSense does have Packet Capture, but I find Wireshark is much more useful.
Just want to mention that it is possible to use tcpdump from the shell with '-e' to see VLAN tags.
Agree that mirror port gives some benefits, but for quick check on pfSense trunk port tcpdump will do the job perfectly. Just my 2¢. -
One nice feature of Wireshark is you can use both capture and display filters.
-
I FINALLY MANAGED to make wireshark work (update, change npcap with winpcap, update gns3…)
here is the capture attached between the switch and pfsense, i really dont get why i didnt get any problem when using a normal router
i m really stuck...
whenever something is related to a vlan interface in pfsense that doesnt work for me : the parent interface is correctly enabled with no ip, the vlan interface is set with correct ip and mask, the link is correctly set, the firewall rules in the parent and vlan interfaces are set to allow anything
is the VTP domain the problem ? i have also set VTP mode to transparent
[Between pfsense and switch.pcapng](/public/imported_attachments/1/Between pfsense and switch.pcapng)
[between switch and end router.pcapng](/public/imported_attachments/1/between switch and end router.pcapng) -
I've just looked at the switch - pfsense capture. All I see is arp requests, on VLAN 20, from 10.4.20.2 to 10.4.20.1, but no replies along with some CDP (irrelevant) and LOOP. What is the LOOP doing there? If you run Packet Capture on opt4 (VLAN 20), do you see the arp requests from 10.4.20.2? Do you see them on any interface? Also, according to your diagram, the PC traffic should be on VLAN 10 between the switch and pfSense. Why are those arp requests on VLAN 20?
On switch - router, I see those arp requests from 10.4.20.2 on native LAN. What are they doing there? I thought traffic to the router should be on VLAN 20 at that point.
It looks like you haven't got the switch configured properly.
-
i just want to make work one of them so i put the start capture between pfsense and switch, then switch and end router which is the end device showed at the bottom right.
i dont know why the loop is there
the interface of the router is on vlan 20, the one with the pc is on vlan 10.
as for the int giga 0/1 connected to the router is correctly configured : switchport mode access, and switchport access vlan 20
for the giga 0/0 connected to pfsense : switchport mode trunk, switchport trunk encapsulation dot1q
-
the interface of the router is on vlan 20, the one with the pc is on vlan 10.
Yet the capture shows the arp request on VLAN 20. That tells me the port you think is on VLAN 10 is actually on 20.
as for the int giga 0/1 connected to the router is correctly configured : switchport mode access, and switchport access vlan 20
Then why does the arp request for 10.4.20.1 appear on the native LAN going to the router? Isn't that a different subnet from the PC? Arp is a broadcast and routers don't normally pass broadcasts.
If I'm not mistaken, the PC is on 10.4.10.0 /24 & VLAN 10 between the switch and pfsense. The router is on 10.4.20.0 /24 and on VLAN 20 between the switch & pfsense.
Since those are separate subnets, packets from the PC should not appear at the router, unless forwarded by pfSense. Yet, the PC pfSense link shows arp from the PC on VLAN20 to pfSense and then appearing on the router native LAN, with the same MAC address. This proves that you've got both switch ports on the same VLAN. Even with routed packets, the MAC address should contain the MAC from the pfSense interface. Arp packets shouldn't make it between the 2 VLANs at all.
-
I assure you that :
int giga 0/1 (connected to pc) is switchport mode access vlan 10
int giga 0/2 (connected to end router) is switchport mode access vlan 20i see that its normally done when i do a sho int status
and int giga 0/0 (connected to pfsense) is trunk with encapsulation dot1Q
i changed the switch with a new switch with another config type and everything, configured it, and made it work with router (in the place of pfsense), then tried with pfsense, still not working
router
|
switch
/
PC end routerthis is working, but with pfsense its not :
pfsense
|
switch
/
PC end routerhere i attached the new wireshark files, this time i see the icmp going in vlan 20 to the pfsense, then the problem is in pfsense i think… (no response)
i see there no arp
-
Just so you know the pc is not started, i work with the router, because if it works for the end router in vlan 20, it will work for the pc.
[Between pfsense and new switch.pcapng](/public/imported_attachments/1/Between pfsense and new switch.pcapng)
[between end router (bottom right) and new switch.pcapng](/public/imported_attachments/1/between end router (bottom right) and new switch.pcapng) -
Just so you know the pc is not started, i work with the router, because if it works for the end router in vlan 20, it will work for the pc.
Then where is that arp request coming from? If you want help, you need to accurately describe the network. We can't just assume what you think is correct.
-
the arps are coming from the end router look at the ip adresses it's 10.4.20.1(int VLAN20) and 10.4.20.2(end router) it's you who is confused where do you see an arp coming from the pc
in the mac addr table in this new switch with pfsense, i dont have mac addr from the pfsense int with any vlan, just the one with the router
-
Do i need a static route from pfsense to switch ??? the switch is only a layer 2 switch, it cannot manage to make it work ???
-
when trying to ping from pfsense, there are no arp replies : the router doesnt reply to pfsense ! and this reply is shown on the other side !
My guess is that the switch doesnt let throught this arp, even his mac address is not showing pfsense mac address interface
OK WHEN activating ip cef command in the switch those arp begin to pass ! now, i get only vlan 1 behind the mac address of pfsense, still no vlan 10 or 20 even thought the ping starts from the end router and the port connected to it is in vlan 20
OK i added statically the mac address in the switch, and the arp entry in the end router, the ping request goes throught, the ping response stops at the switch, AND ALSO THE PING REQUEST IS TAGGED VLAN 20 but the ping response is not tagged !!