Inter VLAN routing

johnpoz

Does the printer even have a gateway set... Have seen this too many times to count there the printer does not have gateway set so you can only talk to it from the same network.

mke

Yes it does have properly gateway, it was manually changed with IP and subnet.
In my case it is carp IP gw 10.103.0.3 .1 is master .2 is slave

johnpoz

Then I suggest you sniff... This is not any difficult here.. You connect a vlan, you allow it from the other vlan it works.. Sniff sure the ping is being sent/seen on pfsense ingress interface, and validate it going out the egress interface towards the printer. Maybe someone F'd up the mask on the printer or typo's the gateway.

Derelict

Diagnostics > Ping Set the source interface to the other VLAN. Ping the printer. PCAP on the printer VLAN.

Pretty much guarantee that you will see the requests going out and no reply so you will need to look at the printer configuration.

mke

Ping test

Result

14:35:44.331343 IP 10.203.0.1 > 10.103.0.11: ICMP echo request, id 17098, seq 0, length 64
14:35:44.331427 IP 10.103.0.11 > 10.203.0.1: ICMP echo reply, id 17098, seq 0, length 64
14:35:45.334231 IP 10.203.0.1 > 10.103.0.11: ICMP echo request, id 17098, seq 1, length 64
14:35:45.334294 IP 10.103.0.11 > 10.203.0.1: ICMP echo reply, id 17098, seq 1, length 64
14:35:46.334539 IP 10.203.0.1 > 10.103.0.11: ICMP echo request, id 17098, seq 2, length 64
14:35:46.334604 IP 10.103.0.11 > 10.203.0.1: ICMP echo reply, id 17098, seq 2, length 64
14:35:47.338676 IP 10.203.0.1 > 10.103.0.11: ICMP echo request, id 17098, seq 3, length 64
14:35:47.338740 IP 10.103.0.11 > 10.203.0.1: ICMP echo reply, id 17098, seq 3, length 64
14:35:48.338985 IP 10.203.0.1 > 10.103.0.11: ICMP echo request, id 17098, seq 4, length 64
14:35:48.339051 IP 10.103.0.11 > 10.203.0.1: ICMP echo reply, id 17098, seq 4, length 64
14:35:49.343685 IP 10.203.0.1 > 10.103.0.11: ICMP echo request, id 17098, seq 5, length 64
14:35:49.343749 IP 10.103.0.11 > 10.203.0.1: ICMP echo reply, id 17098, seq 5, length 64
14:35:50.344756 IP 10.203.0.1 > 10.103.0.11: ICMP echo request, id 17098, seq 6, length 64
14:35:50.344820 IP 10.103.0.11 > 10.203.0.1: ICMP echo reply, id 17098, seq 6, length 64
14:35:51.350321 IP 10.203.0.1 > 10.103.0.11: ICMP echo request, id 17098, seq 7, length 64
14:35:51.350390 IP 10.103.0.11 > 10.203.0.1: ICMP echo reply, id 17098, seq 7, length 64
14:35:52.352486 IP 10.203.0.1 > 10.103.0.11: ICMP echo request, id 17098, seq 8, length 64
14:35:52.352550 IP 10.103.0.11 > 10.203.0.1: ICMP echo reply, id 17098, seq 8, length 64
14:35:53.355214 IP 10.203.0.1 > 10.103.0.11: ICMP echo request, id 17098, seq 9, length 64
14:35:53.355276 IP 10.103.0.11 > 10.203.0.1: ICMP echo reply, id 17098, seq 9, length 64

johnpoz

So great - are you sure your client you were pinging from pings actually got to pfsense?

mke

yes

mke

That is what is happening when the real client pings printer while I capture vlan 103 and printer IP 10.103.0.11

14:55:21.548856 IP 10.103.0.11.5353 > 224.0.0.251.5353: UDP, length 184

johnpoz

that is NOT a ping.. that is a mdns query to the multicast address.

Pfsense not going to do shit with that.. Unless you had avahi installed and configured.

mke

Ok my bad it works, if you look up last screenshoot you will know what I screwed up