[SOLVED] Unable To Reach Second pfSense Firewall On LAN



  • I'm in the process of overhauling my company's LAN+WAN setup to accommodate a HA/CARP setup using 2x XG-7100-1U routers. Initially we were unable to continue the setup process as when connecting the secondary firewall to the local network, an apparent switching loop would occur, taking down the entire local network. The only way to stop this loop would be to take the second firewall back down.

    Today we were able to solve the switching loop with some switch configurations to put the ports connecting directly to either of the two firewalls (XG-7100s) in "untagged" mode, and the switch ports that connect to other switch ports in "tagged" mode.

    After making these changes, we were able to power on the second firewall and not have the local network get taken down. At the moment we are unable to reach the second firewall's LAN IP address from the local network, making us unable to continue the setup process.

    Here is a diagram of the LAN switching configuration:

    kk.png

    So currently everything is running correctly and there's no switching loops, however we are unable to reach the second firewall's LAN port from the LAN, or even through a VPN.



  • @postables said in Unable To Reach Second pfSense Firewall On LAN:

    Today we were able to solve the switching loop with some switch configurations

    ???

    Do the switches not support spanning tree? If not, you have no business using them in a complex network.


  • LAYER 8 Global Moderator

    According to the spec sheet for a gs110tp it does

    IEEE 802.1w Rapid Spanning Tree Protocol (RSTP)
    IEEE 802.1s Multiple Spanning Trees Protocol (MSTP)

    Maybe they didn't have it enabled?

    But looks like they might have some downstream switches - is the drawing showing multiple connections to the upstream switches - maybe the downstream switches don't support stp? Maybe they are just dumb switches?

    The carp info is going to be multicast right - so maybe there is an issue with that? Depending on the switch configs, and the downstream switches, etc.

    I don't think those gs110 stack.. Stackable switches prob be a better solution I would think? Hard to tell without more details of the environment and needs and configurations, etc.



  • @johnpoz said in Unable To Reach Second pfSense Firewall On LAN:

    maybe the downstream switches don't support stp? Maybe they are just dumb switches?

    If so, they shouldn't be used anywhere the potential for loops exists.


  • LAYER 8 Global Moderator

    Yup completely concur.. Sure shouldn't be running multiple links from that that is for damn sure.


  • Netgate Administrator

    How are the on-board switches in the XG-7100s configured?

    I assume that is a typo and the upstream ports are using ix0 and ix1 since ix2 is an internal port.

    Yeah, are those switches stacked?

    What VLANs are you using? It sounds like you just created separate layer 2 segments and that prevented the loop. But it would also disconnect the LAN from the firewalls unless those switches are layer 3.

    Steve

    I would think you are relying entirely on STP here to prevent loops with all the switches connected together.



  • @stephenw10 said in Unable To Reach Second pfSense Firewall On LAN:

    How are the on-board switches in the XG-7100s configured?

    I assume that is a typo and the upstream ports are using ix0 and ix1 since ix2 is an internal port.

    Yeah, are those switches stacked?

    What VLANs are you using? It sounds like you just created separate layer 2 segments and that prevented the loop. But it would also disconnect the LAN from the firewalls unless those switches are layer 3.

    Steve

    I would think you are relying entirely on STP here to prevent loops with all the switches connected together.

    I haven't done any special configurations to the on-board switches for the XG-7100s. No ix0+ix1 are being dedicated to pfSync usage, and I'm using the default VLAN for pfSense LANs.

    I'll take another crack at configuring STP, and replacing the two switches with ones that can do STP.

    @johnpoz said in Unable To Reach Second pfSense Firewall On LAN:

    According to the spec sheet for a gs110tp it does

    IEEE 802.1w Rapid Spanning Tree Protocol (RSTP)
    IEEE 802.1s Multiple Spanning Trees Protocol (MSTP)

    Maybe they didn't have it enabled?

    But looks like they might have some downstream switches - is the drawing showing multiple connections to the upstream switches - maybe the downstream switches don't support stp? Maybe they are just dumb switches?

    The carp info is going to be multicast right - so maybe there is an issue with that? Depending on the switch configs, and the downstream switches, etc.

    I don't think those gs110 stack.. Stackable switches prob be a better solution I would think? Hard to tell without more details of the environment and needs and configurations, etc.

    I tried setting up RSTP on thenetgear-gs-110tp-[1-3] and that didn't seem to solve the switching loop that was happening on the LAN. The only thing that solved the issue was setting the switch ports on the gs110tp's that connected to the switch ports of the XG-7100-1U's.

    However as stephenw10 pointed out, I think what that did was just create different layer 2 segments.

    @JKnott said in Unable To Reach Second pfSense Firewall On LAN:

    @postables said in Unable To Reach Second pfSense Firewall On LAN:

    Today we were able to solve the switching loop with some switch configurations

    ???

    Do the switches not support spanning tree? If not, you have no business using them in a complex network.

    The netgear-gs-110tp-[1-3], so does the delta-cisco-2960s-1. I think netgear-0[1,2] do not support it.



  • @postables said in Unable To Reach Second pfSense Firewall On LAN:

    netgear-0[1,2] do not support it.

    Are there any loops with those switches?


  • Netgate Administrator

    Mmm, those probably are not a problem if they each only have a single connection to one of the GS110s.

    From your diagram it looks like you should have switch loops between both firewalls and the GS110s. Two loops on each side.

    Steve


  • LAYER 8 Global Moderator

    Yeah looks from his drawing to me that he has 2 lines coming up from those downstream.. You only need 1 loop and the whole thing can come down.. Especially with multiple carps - be a fair amount of multicast being sent out. And lots not forget the amount of broadcast and multicast even a single windows machine can put on the network..

    Loops are Very Bad! We had a customer were they would have these idiot users that use to plug the phone in twice.. You know how you can bridge say a pc off a phone.. Well they would have a phone in a conference room and some user would get the smart idea that may it needs both connections plugged in ;)

    Dumb switches really shouldn't be used in a work setup, other than maybe a few extra ports on some users desk because they are doing some special project or something.


  • LAYER 8 Netgate

    @johnpoz said in Unable To Reach Second pfSense Firewall On LAN:

    Dumb switches really shouldn't be used in a work setup, other than maybe a few extra ports on some users desk because they are doing some special project or something.

    They still manage to create loops there.

    Or they kick out the plug and the help desk phone rings.

    LAYER 8



  • @johnpoz said in Unable To Reach Second pfSense Firewall On LAN:

    Dumb switches really shouldn't be used in a work setup

    I have a Cisco unmanaged switch that supports spanning tree.


  • LAYER 8 Netgate

    Then I guess it's not a "dumb switch."



  • @Derelict said in Unable To Reach Second pfSense Firewall On LAN:

    Then I guess it's not a "dumb switch."

    It's certainly not managed. There's nothing to configure on it. Spanning tree is always on.


  • LAYER 8 Global Moderator

    And what is the make and model of this switch? spanning tree without the ability to "configure" it not all that useful.

    I just looked at specs for old sd2005 model and their 110 line - I don't see any spanning tree in the spec sheets.



  • @johnpoz said in Unable To Reach Second pfSense Firewall On LAN:

    And what is the make and model of this switch? spanning tree without the ability to "configure" it not all that useful.

    Geez. You made me go digging through my junk closet. Almost needed an archaeologist. 😉

    It appears I was thinking of another switch. This one is a Cisco SD216.


  • LAYER 8 Global Moderator

    @JKnott said in Unable To Reach Second pfSense Firewall On LAN:

    SD216.

    That doesn't show any stp support per the spec sheets I can find.



  • @johnpoz said in Unable To Reach Second pfSense Firewall On LAN:

    That doesn't show any stp support per the spec sheets I can find.

    As I said in my previous post, I must have been thinking of another switch.


  • LAYER 8 Global Moderator

    oh will that makes more sense - some smart/managed switch ;)



  • @johnpoz said in Unable To Reach Second pfSense Firewall On LAN:

    spanning tree without the ability to "configure" it not all that useful.

    Actually it is, for it's intended purpose of preventing loops. Spanning tree goes all the way back to 1985, which predates switches. Back then, bridges were used to extend coax based networks. There's not much that needs to be configured for basic spanning tree operation. Of course, with the managed switches used these days, things like priority and VLANs have to be configured, but those aren't necessary for a basic LAN.


  • LAYER 8 Global Moderator

    We are talking modern networks ;)

    So normally in a network where you would be using spanning tree - you would for sure want to be able to configure who the root bridge is, and yup priority, etc. etc..

    So back to the OP network - if your going to be doing stuff where you need to leverage spanning tree to prevent loops... Then you need to make sure only smart/managed switches that support your level of spanning tree be it old school plain jane stp, or rstp or mstp or some proprietary stuff like pvst or vstp, etc. etc.. Or maybe you use SPB...

    The thing is as a lan grows, quite often these sorts of design considerations are normally quite often overlooked until a problem presents itself. And hopefully the company brings in someone to help, or the staff actually knows how to do it or are fast learners ;) And just forgot about it because the lan grew organically and was never an issue, etc.

    Pretty much every company have ever worked with the stp was either nonexistent or just whatever the switches default too.. And they have no idea why some switch in some odd ball closet somewhere in there ever growing lan is the root bridge ;)



  • @johnpoz

    I have also seen LANs where VLANs weren't properly configured. As for the root switch, that's the only one that has to be configured for priority, unless you like reading MAC addresses, to find the lowest one.


  • Netgate Administrator

    Let's agree correctly configured STP is a good thing and try and help the OP get things working shall we? 😉

    Steve


  • LAYER 8 Global Moderator

    The horror stories are endless to be honest ;) Its some time amazing as you walk into a nice looking raised floor setup with nice hardware for everything... But come to find out when you look into things that stuff is just plugged in and nice cable management.. Nobody did anything when came to consideration of network actually be used to its full potential..

    All concerned about failures - but then they have no redundancy, yeah that fancy $4k switch you got there but you forgo the 2nd power supply to save $200 bucks.. And sure you stack the switch nice, but hey your servers that you so worried about loss of connection that they have multiples, but are plugged into the same switch in the stack, and even the same port group on the same switch, etc..

    edit: Just waiting on the OP.. There are no actual details to work with ;)



  • Will report back tonight with how the STP setup goes. Literally just finished replacing the unamanaged switches with managed ones and redid our cable wraps before I posted this. It definitely seems like it's an STP issue.

    In the mean time I'm not sure if this is an additional symptom of the misconfigured switching network, or if this is due to an incorrect routing entry between both firewalls, which is making me unable to access both firewall webgui's at the same time remotely, but I can do it locally:

    I have both pfsense firewalls installed, replicating xmlrpc and states between the two. Currently the ETH2 (LAN) port of the second firewall is connecting to the ETH6 (LAN) port of the first firewall. When I'm directly connected to the LAN via a switch, I can access the webgui for both the first, and second firewall.

    However when I'm connected via VPN, I can only access the webgui for the firewall that I'm connected to via VPN. So if I open a VPN connection to the first firewall, I can access the webgui for the first firewall, but not the second. When I open a VPN connection to the second firewall, I can access the webgui for the second firewall, but not the first.


  • LAYER 8 Netgate

    As far as I know, putting STP through the XG7100 (or any other non-STP switch) should work as long as there are enough STP-capable switches so enough ports are blocked to prevent loops. As long as you don't have a loop with non-STP switches it should be fine.

    I have never set that up, however.



  • Another update: STP switching configs in place in all but the cisco switch since I'm a dumbass and forgot the credentials. Will be connecting the second firewall back to the switching network Monday and actually enabling the CARP setup, so hopefully the switching loop is resolved when I connect the second firewall back to the network. Thanks for the help so far all.

    @Derelict said in Unable To Reach Second pfSense Firewall On LAN:

    As far as I know, putting STP through the XG7100 (or any other non-STP switch) should work as long as there are enough STP-capable switches so enough ports are blocked to prevent loops. As long as you don't have a loop with non-STP switches it should be fine.

    I have never set that up, however.

    From my old networking days that sounds correct, but I as well haven't entirely tested that. Although I guess technically right now I am "testing it" given that 5/6 switches have STP configs, and 1 doesn't. Granted I haven't connected the second firewall back to the switching network, so there's no loops right now to test with.


  • Netgate Administrator

    Can you confirm if those double lines in your diagram indicate more than one link between the GS110s and the downstream switches connected to them?

    Are those other switches connected to each other at all?

    I would expect to need STP only on the GS110s unless there are other connections not shown there.

    It should not make any difference connecting the secondary if the loop is downstream anyway.

    Steve


  • LAYER 8 Netgate

    @postables said in Unable To Reach Second pfSense Firewall On LAN:

    I haven't connected the second firewall back to the switching network, so there's no loops right now to test with.

    HA pairs will not create loops unless you make bridges, which puts you on the hook for making that spanning tree work right too and is generally unsupported.



  • Okay update, I've connected the second firewall back to the switching network. For whatever reason when I'm connected remotely to the network through an OpenVPN connection to the first firewall, I'm unable to access the webgui for the second firewall, however when I'm connected to the network locally via an ethernet connection, I can talk to the webgui 🤔

    @stephenw10 No they're just one line each. Each of the GS110's connect to a downstream switch.


  • LAYER 8 Netgate

    That is completely normal since the secondary has no route back to the connecting client since the VPN is running on the primary.

    Workaround:

    https://docs.netgate.com/pfsense/en/latest/highavailability/troubleshooting-vpn-connectivity-to-a-high-availability-secondary-node.html



  • @Derelict said in Unable To Reach Second pfSense Firewall On LAN:

    That is completely normal since the secondary has no route back to the connecting client since the VPN is running on the primary.

    Workaround:

    https://docs.netgate.com/pfsense/en/latest/highavailability/troubleshooting-vpn-connectivity-to-a-high-availability-secondary-node.html

    Ah okay that's good to know, I was afraid I had misconfigured something. I can successfully connect to services on our network from exposed ports on the WAN IP of the second firewall. I guess the only thing left to do now is properly configure HA. Thanks all!


Log in to reply