Strange VLAN icmp thing on hyper-v (only pfsense not replying)

nblazincic · Mar 3, 2020, 7:52 PM

Short disc: Pfsense not replying to icmp over vlan interface in hyper-v setup, only from VM's from other host

Environment:
2 Hyper-V host, directly connected (no switch)
One host (Host1) running pfsense with multiple VLANs, I have trunking configured on one virutal (hyper-v) interface. I have no issues on this host.

VM's from other host (Host2) can ping other VM's on same VLAN (no matter on which host they are), but are unable to ping pfsense itself (that is on Host1)

Funny thing is, I can see arp entries on both vm's and pfsense. I can also get IP address from pfsense. But no ICMP ping, no routing to/from other vlans or internet.
I triple checked my firewall setup, I tried to change VLANs, I tried pinging from other host. So any ping from other host to pfsense is a no go, but ping to other servers on same vlan/subnet works.
Aditionally, same thing is when I use native vlan (ie. I ping phyisical interface of psense (not tagged) from Host2. No ping, arp-s are populated, but can ping Host1 (also not on vlan)

Cant figure this out.

Thank you very much guys/girls.

Mar 4, 2020, 3:01 AM

Do you have spanning tree protocol enabled on (edit) the passthrough interfaces? Edit, sorry is late over here for me and a headache. The hyper v virtual switch as well before I edited it the first time

JKnott · Mar 4, 2020, 11:50 AM

@sparkyMcpenguin

Spanning tree has nothing to do with ICMP or ARP. In fact, it has nothing to do with IP. It's a layer 2 protocol for avoiding loops.

kiokoman · Mar 4, 2020, 12:10 PM

i can't help with hyper-v but maybe if you show us your firewall rules we can "quadruple" check if they are good

Mar 4, 2020, 2:42 PM

@JKnott I mentioned STP only because in my network environment with vlan traffic, I needed to leave it enabled on my physical switch otherwise I would eventually encounter.. loops.. it broke network connectivity until reenabling STP (I attribute this more to unifi controller software for the time being, considering renaming the alias of each port also completely borked the install. I just went through this 3 days ago

nblazincic · Mar 4, 2020, 12:28 PM

@kiokoman said in Strange VLAN icmp thing on hyper-v (only pfsense not replying):

i can't help with hyper-v but maybe if you show us your firewall rules we can "quadruple" check if they are good

login-to-view

kiokoman · Mar 4, 2020, 12:31 PM

well the first rule permit everything

nblazincic · Mar 4, 2020, 12:31 PM

@nblazincic First one should do it right ?
Don't know how dhcp is working but ping not.

kiokoman · Mar 4, 2020, 12:34 PM

maybe there is a solution here ? https://serverfault.com/questions/805167/hyper-v-cannot-ping-vm-from-host

Mar 4, 2020, 12:41 PM

@nblazincic said in Strange VLAN icmp thing on hyper-v (only pfsense not replying):

@nblazincic First one should do it right ?
Don't know how dhcp is working but ping not.

Is the virtual switch an"external switch"? Is the host OS passing vlan traffic? Is the host OS routing through the (if external) switch as well?

By host OS I also mean the hypervisor

Mar 4, 2020, 12:58 PM

@sparkyMcpenguin said in Strange VLAN icmp thing on hyper-v (only pfsense not replying):

@nblazincic said in Strange VLAN icmp thing on hyper-v (only pfsense not replying):

@nblazincic First one should do it right ?

By host OS I also mean the hypervisor

Sorry, referring to your (host2)

Mar 4, 2020, 1:04 PM

@nblazincic said in Strange VLAN icmp thing on hyper-v (only pfsense not replying):

@nblazincic First one should do it right ?
Don't know how dhcp is working but ping not.

Also by default, windows firewall blocks icmp. Check windows firewall settings (hyperv)

Mar 4, 2020, 1:47 PM

@nblazincic
on your host2 if ICMP is blocked by the host firewall (windows firewall hyperv - this specific case i do not experience personally because the windows clients on my network don't use windows firewall, but a third party av solution. with that solution, it completely disables windows firewall, allowing ICMP traffic, but blocking excessive ICMP or other things (bitdefender av with ips enabled)

from my experience and training with hyperv, more so with server2016, if that's the firewall on the hypervisor, you need to check ICMP settings on its firewall. your pfsense seems fine IMO

edit additional: hyperv is a type1 hypervisor, so once enabled even the host os is now a vm (just a tid bit probably not exactly helpful)

JKnott · Mar 4, 2020, 2:42 PM

@sparkyMcpenguin

You only need STP to prevent loops, as you experienced. Otherwise, it has absolutely no effect. It also has nothing to do with VLANs. Does the OP have any loops? Bottom line, it should be enabled, but I doubt it has anything to do with the problem. If loops were the issue, there would be a lot of traffic going around the loop and hogging the bandwidth.

nblazincic · Mar 4, 2020, 2:52 PM

@sparkyMcpenguin said in Strange VLAN icmp thing on hyper-v (only pfsense not replying):

@nblazincic
on your host2 if ICMP is blocked by the host firewall (windows firewall hyperv - this specific case i do not experience personally because the windows clients on my network don't use windows firewall, but a third party av solution. with that solution, it completely disables windows firewall, allowing ICMP traffic, but blocking excessive ICMP or other things (bitdefender av with ips enabled)

from my experience and training with hyperv, more so with server2016, if that's the firewall on the hypervisor, you need to check ICMP settings on its firewall. your pfsense seems fine IMO

edit additional: hyperv is a type1 hypervisor, so once enabled even the host os is now a vm (just a tid bit probably not exactly helpful)

Firewall is disabled, but host machine is treated the same way as VM. So no firewall rules on host2 can prevent vm from comunicatting. Host is pluged in VM switch as any other VM (simple setup, one vm-switch, host and vm's are using same switch).

Additionally, if I migrate VM from host1 to host2, that same VM also can not ping its gateway. Same thing happens on native VLAN.

What is intersting, if do a packet capture on pfsense interface, I dont even get packet to it, but DHCP services functions normally.

I already tried to recreate vswitch, remove host from networking. Will try to update host2 to see if that helps.

Mar 4, 2020, 2:57 PM

@nblazincic you also said "directly connected", I assume this to mean machine to machine, no switch.

You also said static, is it possibly a gateway IP configuration issue in the adapter settings for each machine? (I assume this is set up properly or not needed to be set up as well) just trying to rule out things not mentioned

Mar 4, 2020, 8:19 PM

i just saw this, maybe related?:

@kiokoman said in Allowing ICMP/Ping From WAN to Machine On LAN for Ptunnel:

i tested it and it work for me, what machine is it? windows?
if it's windows maybe you need to do this
https://forum.netgate.com/post/895254