Ping to PFSense Not Working From Cisco 3750 Switch



  • Hello,

    In my lab environment I have a pfSense firewall which has a Cisco 3750 switch sitting behind it, connected via a routed link. The IP of the LAN interface is 172.34.1.1/24 and the IP of the switchport is 172.24.1.2. There are 3 VLANs sitting behind this, and all the SVIs are in place and configured correctly.

    There appears to be an issue with the 3750 in that:

    I can ping from the pfSense (172.34.1.1) to 172.34.1.2 successfully.

    However, when I attempt to ping from 172.34.1.2 to 174.34.1.1 this doesn't work. It seems that the ping only works one way (from the firewall to the switch).

    I can ping from the pfSense to the VLAN SVIs and beyond, and I can ping from the switch to the pfSense if I specify the VLAN SVIs as the source of the pings. If I specify the routed port 174.34.1.2 as the source of the pings, this fails.

    Hope this makes sense. Does anybody have any ideas?



  • In my lab environment I have a pfSense firewall which has a Cisco 3750 switch sitting behind it, connected via a routed link. The IP of the LAN interface is 172.34.1.1/24 and the IP of the switchport is 172.24.1.2. There are 3 VLANs sitting behind this, and all the SVIs are in place and configured correctly.

    Routed?  VLAN?

    VLANs are on layer 2, not 3, which means they are never routed.  You'd need to set up a tunnel, capable of carrying Ethernet frames, for VLANs to be carried over IP, which can then, in turn, be routed.



  • That is correct, VLANs are at Layer 2. The SVIs (Switched Virtual Interfaces, i.e. logical L3 interfaces) are in place to facilitate the inter-VLAN routing. This all works correctly. The connection from the switch to the pfSense isn't configured as a transit VLAN; it is a routed link created using a routed port (no switchport) on the 3750.

    What I'm saying is:

    The SVIs, the default route on the switch and the routes on the pfSense are all set up correctly, as I can ping/browse from a host on any of the VLANs to a host on the internet, which indicates that the mechanics are in place.

    What I cannot do is ping from the switch itself to the pfSense and beyond when the source interface of the pings is the egress port on the switch (the egress port being the routed/172.34.2 interface). Everything else works.

    Hope this is a little clearer.
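A worked 3750 configuration and diagnostic sequence for the topology described in the first and third posts above, added here as an example; it is not the poster's configuration. Only the 172.34.1.0/24 link addresses come from the thread. The uplink interface name (GigabitEthernet1/0/1), the SVI numbers and the VLAN subnets are assumptions made up for illustration.

```cisco
! Added example, not the original poster's config.
! Assumed: the routed uplink is Gi1/0/1; the VLAN 10/20/30 subnets are invented.
ip routing
!
interface GigabitEthernet1/0/1
 description Routed uplink to pfSense LAN (172.34.1.1)
 no switchport
 ip address 172.34.1.2 255.255.255.0
 no shutdown
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
interface Vlan30
 ip address 10.10.30.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.34.1.1
!
! Diagnostics (privileged EXEC, not config mode).
! Compare a ping sourced from the routed port with one sourced from an SVI;
! in the thread only the SVI-sourced ping succeeds.
show ip interface brief
show ip route 172.34.1.1
show ip arp 172.34.1.1
ping 172.34.1.1 source 172.34.1.2
ping 172.34.1.1 source Vlan10
```

The useful check is on the pfSense side: run Diagnostics > Packet Capture on the LAN interface, filtered to host 172.34.1.2, while the routed-port-sourced ping runs. If echo requests from 172.34.1.2 arrive but no replies leave, the problem is on pfSense (start with the rules and state table for that interface); if no requests arrive at all, the 3750 is not sending them, and `debug ip icmp` on the switch (lab use only, it is noisy) shows what it does with the sourced ping.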