DHCP clients cannot ping firewall or beyond but static in same subnet can
-
We have a pfsense (2.4.5-p1) connected via a trunk to a cisco switch with vlan 621 being tagged to the firewall.
Have a server running ESXi connected to same switch and port is an access port in vlan 621. The server has an IP in the 192.168.3.x/24 range and it can ping firewall and internet fine.
The client created a DHCP range of 192.168.3.129 - 192.168.3.191 on the firewall and a VM running CentOS 7 on the ESXi server gets an IP and can ping any other physical server in the 192.168.3.x subnet but not the firewall (192.168.3.1) or the internet.
If I change the VM to use a static IP outside of the DHCP range, e.g. 192.168.3.200, then it all works, i.e. it pings the firewall and gets internet connectivity.
Does anyone have ideas as to what is going on? It has me stumped at the moment.
-
Update on testing.
The pfsense gets the right mac address of the VM even though it cannot ping it and the VM gets the right mac address of the LAN interface of the pfsense.
I have run tcpdump on the VM and when I ping from the pfSense there are no packets being received on the VM.
I added a rule to the firewall specifically for the VM IP and when I pinged the firewall the rule does get hits so it looks like it is the firewall that just does not send packets to the VM.
Running the same tests with a static IP on the VM, I can see packets arriving at the VM (and the ping works).
It is as though the firewall does not know where to send the packets even though the IPs are within the LAN subnet, or it is sending them somewhere else (there are OpenVPN servers configured but the remote subnets are not 192.168.3.0/24).
-
So it was a routing issue after all.
I checked the actual routing table on the pfSense (should have done this before) and there was a route for that range 192.168.3.128/26 via one of the OpenVPN servers.
Sorry if I wasted anyone's time.
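The root cause above is longest-prefix matching: a 192.168.3.128/26 route via OpenVPN is more specific than the connected 192.168.3.0/24 LAN route, so every address in the 192.168.3.129-191 DHCP pool is forwarded out the tunnel, while 192.168.3.200 falls outside the /26 and uses the LAN. The script below is an added illustration, not code from the thread or from pfSense; it models a routing table constructed from the thread's description (the interface labels "LAN (vlan 621)", "ovpns1" and "WAN" are assumed), performs the same longest-prefix lookup a router does, and flags which pool addresses would never be reached via the LAN. It generalises beyond the thread's case in that it checks any pool against any table.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    via: str  # interface or gateway label, as it would appear in the route table


# Constructed routing table modelled on the thread: the connected LAN /24,
# a default route, and the more-specific /26 learned from an OpenVPN server.
# Interface names are assumptions for the example.
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "WAN"),
    Route(ipaddress.ip_network("192.168.3.0/24"), "LAN (vlan 621)"),
    Route(ipaddress.ip_network("192.168.3.128/26"), "ovpns1 (OpenVPN)"),
]


def lookup(routes, ip) -> Optional[Route]:
    """Longest-prefix match: of all routes containing ip, pick the most specific."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


def pool_misrouted(routes, first, last, expected_via):
    """Return {address: route} for every pool address whose best route is not
    the interface the pool is supposed to live on (None if no route at all)."""
    start = int(ipaddress.ip_address(first))
    end = int(ipaddress.ip_address(last))
    bad = {}
    for n in range(start, end + 1):
        addr = ipaddress.ip_address(n)
        route = lookup(routes, addr)
        if route is None or route.via != expected_via:
            bad[str(addr)] = route
    return bad


def offending_routes(routes, first, last, expected_via):
    """The distinct routes that capture pool traffic; the things to fix."""
    return {r for r in pool_misrouted(routes, first, last, expected_via).values() if r}


if __name__ == "__main__":
    # The two hosts from the thread: a DHCP lease and the static address.
    for ip in ("192.168.3.150", "192.168.3.200"):
        print(ip, "->", lookup(ROUTES, ip).via)
    bad = pool_misrouted(ROUTES, "192.168.3.129", "192.168.3.191", "LAN (vlan 621)")
    print(f"{len(bad)} pool addresses misrouted via",
          {r.via for r in offending_routes(ROUTES, "192.168.3.129", "192.168.3.191", "LAN (vlan 621)")})
```

Running it prints that 192.168.3.150 goes via the OpenVPN interface and 192.168.3.200 via the LAN, and that all 63 pool addresses are captured by the /26 route. On pfSense itself the equivalent check is the live table under Diagnostics > Routes (or `netstat -rn` from the shell) rather than the interface configuration, which is what the thread's final post found.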