No routing between different subnets xxx.xxx.12.xxx <-> xxx.xxx.122.xxx
-
Hi Colleagues,
I am experiencing a bit of an issue and cannot find the reason for this behavior, hence I am asking for suggestions on where to look and what to check.

The situation:
The local network has multiple subnets, separated by VLANs (physically it is one network).
Local devices (connected via cable) reside in one network, the LAN; no VLAN is assigned to it.
Example: IP addresses for the LAN are xxx.xxx.12.xxx / 255.255.255.0
All other devices are mobile and connected via multiple access points (combined into one access group).
The access points channel the traffic to the router using VLANs (multiple VLANs, one per user group).
Each group has a dedicated VLAN number.
Example: IP addresses for the LAN are xxx.xxx.122.xxx / 255.255.255.0 / VLAN 122

There is a problem.
One mobile device needs to be connected to the local server that is connected via cable (the server is in the xxx.xxx.12.xxx network with no VLAN), while the mobile device is in the LAN xxx.xxx.122.xxx / VLAN 122.
Whatever I set up on the router, the device cannot ping that server.
At the same time, there is no message on the router that packets towards that server are dropped.
At the same time, the mobile device can ping the router IP addresses for the LAN, xxx.xxx.12.1, and for its own VLAN, xxx.xxx.122.1 (technically it is the same physical interface).
The flags "Block private networks and loopback addresses" / "Block bogon networks" are not set on the interfaces.
Another detail: access to the internet is also channeled (via another router, which does nothing else than just channel the traffic in NAT mode), but still that "external router" is in the LAN xxx.xxx.20.xxx / 255.255.255.0.
What could be the reason? Could it be a VLAN-related issue?
Or could it be that the router does not route traffic between the different subnets xxx.xxx.12.xxx <-> xxx.xxx.122.xxx? If this might be the case, what could be a solution? -
@androgen
Can x.x.12.1 ping 12.143? Does that server have its own firewall blocking ping, maybe?
Is x.x.12.1 pfSense? Do you have a firewall rule that permits ICMP from VLAN 122 to LAN? -
.122.1 and .12.1 are on the same physical port, and yes, it is pfSense. Sorry for not being specific here.
.122.1 belongs to VLAN 122, whereas .12.1 does not belong to any VLAN.
There is a rule on pfSense: 122LAN traffic for all protocols is allowed to reach the .12.x network.
No, .122.1 cannot ping .12.143 (ping dialog from pfSense).
At the same time, ping from .122.1 to .12.1 works (ping dialog from pfSense).
From .12.1 (ping dialog from pfSense), ping to .12.143 works. -
@androgen
Is 12.143 a Windows server? Does it have its own firewall blocking ping from different networks?
Is the gateway 12.1 for this 12.143 server?
The networks are both directly attached to pfSense, so it can only be a firewall rule, an ACL on the switch or a wrong gateway.
Maybe post a screenshot of all the firewall rules; maybe also check floating rules if you have any.
Try a packet capture to see where the ping/answer are going. -
@kiokoman said in No routing between different subnets xxx.xxx.12.xxx <-> xxx.xxx.122.xxx:
the networks are both directly attached to pfsense so it can only be a firewall rule or an acl on the switch or a wrong gateway
Or trunking not set up correctly on the switch.
Do a packet capture on pfSense using the vlan interface you're trying to do the ping from as the source interface, filter on ICMP and add the destination IP address in the Host Address field.
Do you see packets hitting the interface?
-
An updated diagram to add more required details.
The server is a TrueNAS. It can be pinged from the xxx.xxx.12.xxx network.
I've just tested: there is no possibility to ping .122.1 from the TrueNAS, while a ping from .12.1 to .122.1 (via the pfSense Web UI) is possible.
To check that it is not the switch, I have replaced the managed switch on the server side by a simple unmanaged switch; all stays the same: no ping, no connection.
I have managed to make it "working", but this is not what I think is the right solution, as I simply bypassed the pfSense router in this case; I believe this is a workaround, not a solution.
The workaround is: the VLAN had to be activated on the TrueNAS, in the same subnet, xxx.xxx.122.155 - then the connection is established.
It looks like pfSense does not route the traffic between VLAN and LAN, even though there is no rule (or setting I am aware of) which prevents this connection.
Any idea where I should look?
My understanding: even if the LAN and VLAN subnets are in the 10.xxx.xxx.xxx range(s), pfSense still should route the traffic properly, even when LAN and VLAN are on the same physical interface.
Am I missing something? -
@androgen said in No routing between different subnets xxx.xxx.12.xxx <-> xxx.xxx.122.xxx:
It looks like the pfsense does not rout the traffic between VLAN and LAN
That actually is not even possible. If pfSense has an interface in a network, then it has a route to talk to that network. If pfSense has interfaces in multiple networks, then out of the box it knows how to route between these networks.
The only way you would not see that happening is if you, on an interface, forced traffic out a gateway (say VPN or WAN); then even though it knows how to talk to these networks, you are forcing traffic out a gateway that can not get to the destination network.
Post up the rules you have on these interfaces.
If a device in VLAN X can ping the pfSense VLAN X IP, and it can ping the VLAN Y IP, but not some device in VLAN Y, then it pretty much screams that the device in VLAN Y has a firewall blocking traffic from VLAN X. Or it's not pointing back to the pfSense VLAN X IP as its gateway.
Routing traffic between VLANs works out of the box, with nothing extra required. If it's not working, you either have your firewall rules wrong, or have dicked up the config in some other way, like forcing traffic out a gateway. Doesn't matter if the interfaces are native or VLANs.
-
@johnpoz
Yep, this is what I was also thinking about.
I have captured some (ping) packets on the .122.x and .12.x "sides", as suggested by @NogBadTheBad.
Yep, the ping goes through pfSense. This has been proven by the captured packets.
The source and destination MAC addresses in the captured packets indicate that it goes through pfSense and should go towards the TrueNAS server.
The packets on the LAN side (.12.1) have the TrueNAS MAC as destination.
However, what was not obvious is what information related to the VLAN was in those packets.
It looks like pfSense stripped the VLAN-related information out.
Is there any way to capture on pfSense with VLAN information?
Why does the TrueNAS not react to a ping from other VLANs? The only thing coming to mind is the VLAN tags in the packet.
The switch should not be the reason, as I have tested with an unmanaged one and there was no ping either.
Any idea where to look next?
"Or have dicked up the config in some other way like forcing traffic out a gateway. Doesn't matter if the interfaces are native or vlans.."
Could you suggest what to check? I did not really do anything with gateways.
When it comes to the routing rules, I have disabled almost all of them to be sure nothing is interfering with the test. And as mentioned above, the ping seems to be going through... it just does not go the "right way" (guessing). -
pfSense would not strip tags.
You can view tags in the capture by doing a sniff on the parent interface with tcpdump and using the -e flag.
You will then see this for something that has a tag on it:
ethertype 802.1Q (0x8100), length 58: vlan 4, p 0, ethertype IPv4
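To make concrete what that `-e` line is reporting, here is an added example (not code from the thread, pfSense or TrueNAS) in Python that parses a raw Ethernet frame, reports the 802.1Q VLAN id and priority when a tag is present, and decodes the IPv4 addresses and protocol underneath. The MAC and IP addresses it builds are constructed samples: the tagged frame stands for the client's ping as it arrives on VLAN 122, the untagged one for the same ping after the router has forwarded it onto the LAN.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # an 802.1Q tag (TCI + inner ethertype) follows the MACs
ETHERTYPE_IPV4 = 0x0800


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN id/priority (None when untagged), the payload
    ethertype and, for IPv4, source/destination address and protocol."""
    info = {"dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
            "vlan": None, "prio": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        # TCI = 3 bits PCP (priority), 1 bit DEI, 12 bits VID; inner ethertype follows
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["prio"], info["vlan"] = tci >> 13, tci & 0x0FFF
        offset = 18
    info["ethertype"] = ethertype
    if ethertype == ETHERTYPE_IPV4:
        ihl = (frame[offset] & 0x0F) * 4  # IPv4 header length in bytes
        ip = frame[offset:offset + ihl]
        info["proto"] = ip[9]  # 1 = ICMP
        info["src_ip"] = ".".join(map(str, ip[12:16]))
        info["dst_ip"] = ".".join(map(str, ip[16:20]))
    return info


def build_icmp_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str,
                     vlan=None) -> bytes:
    """Constructed ICMP echo request; vlan=None builds an untagged frame."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # echo request, checksum left at 0
    tag = b"" if vlan is None else struct.pack("!HH", ETHERTYPE_8021Q, vlan)  # PCP 0
    return dst_mac + src_mac + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp


if __name__ == "__main__":
    # Constructed MACs/IPs: client on VLAN 122 pinging the LAN server at .12.143
    client, router, server = (bytes.fromhex(m) for m in ("001122334401", "001122334402", "001122334403"))
    tagged = build_icmp_frame(router, client, "10.0.122.20", "10.0.12.143", vlan=122)
    untagged = build_icmp_frame(server, router, "10.0.122.20", "10.0.12.143")
    for f in (tagged, untagged):
        print(parse_frame(f))  # the second result shows vlan=None: no tag on the LAN leg
```

Raw frames read from a pcap (for example with dpkt or scapy) can be passed to `parse_frame` the same way, so a capture taken on the parent interface can be checked for which leg still carries the tag.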