Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    I can ping between two hosts from different VLANs

    Scheduled Pinned Locked Moved Firewalling
    16 Posts 4 Posters 1.2k Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      dansci
      last edited by

      Hi, I have several VLANs created. I'm testing step by step the settings and I noticed that I can't connect from one host in VLAN 50 (192.168.50.4) to another host in VLAN 10 (192.168.10.6). But already, for example, there is no problem to send a ping from that host in VLAN 50 to another host in VLAN 10 (e.g. 192.168.10.3). There is also no problem to send a ping from this host 192.168.10.3 to 192.168.10.6.

      On the switch side (Mikrotik) 802.1x is configured and on pfSense I have freeRADIUS which assigns VLANs to hosts based on certificates.

      My rules for VLAN 50 look like the following. The one at the top is my act of desperation, which so far doesn't help either.

      Please help. I don't know how to troubleshoot it.

      908e7fb3-50e5-4ff3-a977-e381dd9b0e3c-obraz.png

      Bob.DigB 1 Reply Last reply Reply Quote 0
      • Bob.DigB Offline
        Bob.Dig LAYER 8 @dansci
        last edited by Bob.Dig

        @dansci Maybe kill the states before further testing or it is a host-firewall problem or the switch or you have rules on floating or created groups with other rules.

        D 1 Reply Last reply Reply Quote 0
        • D Offline
          dansci @Bob.Dig
          last edited by

          @bob-dig thanks for quick response

          • states cleaned - it didn't help

          • host firewall is not set

          • switch is not blocking anything

          • I don't have rules on floating

          • and I didn't created any group for other rules, everything for that interface is in that interface.

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ Offline
            johnpoz LAYER 8 Global Moderator @dansci
            last edited by johnpoz

            @dansci did you check the mask on this host 10.6? If the mask is say /16 it would think that 50.4 is in its same network and would not send the response back to pfsense.

            I would sniff on your vlan10 interface while you have a constant ping to 10.6 from 50.4

            If you see pfsense send the ping on, and you get no response then something on that host, firewall, wrong mask, pfsense not its gateway, etc.

            You say you can ping other things in the 10 vlan from 50.. So that really screams something on that host you can't ping

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            D 1 Reply Last reply Reply Quote 1
            • D Offline
              dansci @johnpoz
              last edited by

              @johnpoz for now I sniffed with Packet Capture in the pfSense.
              Interface: VLAN10, IPv4 only, ICMP, host address: 192.168.10.6

              This is the result:

              13:45:51.487384 IP (tos 0x0, ttl 63, id 17827, offset 0, flags [DF], proto ICMP (1), length 84)
                  192.168.50.4 > 192.168.10.6: ICMP echo request, id 15540, seq 141, length 64
              13:45:52.511093 IP (tos 0x0, ttl 63, id 17866, offset 0, flags [DF], proto ICMP (1), length 84)
                  192.168.50.4 > 192.168.10.6: ICMP echo request, id 15540, seq 142, length 64
              13:45:53.512045 IP (tos 0x0, ttl 63, id 18049, offset 0, flags [DF], proto ICMP (1), length 84)
                  192.168.50.4 > 192.168.10.6: ICMP echo request, id 15540, seq 143, length 64
              13:45:54.526467 IP (tos 0x0, ttl 63, id 18282, offset 0, flags [DF], proto ICMP (1), length 84)
                  192.168.50.4 > 192.168.10.6: ICMP echo request, id 15540, seq 144, length 64
              13:45:55.550161 IP (tos 0x0, ttl 63, id 18308, offset 0, flags [DF], proto ICMP (1), length 84)
                  192.168.50.4 > 192.168.10.6: ICMP echo request, id 15540, seq 145, length 64
              

              So it seems that the host 10.6 is not answering.

              johnpozJ 1 Reply Last reply Reply Quote 0
              • johnpozJ Offline
                johnpoz LAYER 8 Global Moderator @dansci
                last edited by

                @dansci said in I can ping between two hosts from different VLANs:

                So it seems that the host 10.6 is not answering.

                Exactly - that was pretty obvious from what you said was happening, but the sniff gives you validation that pfsense is sending on the traffic.

                I would check the mask on the 10.6 box, did you set that IP and mask by hand? This has come up a few times recently to be honest. If setting a static IP on the box to a /16 vs /24 would for sure give you the exact symptoms your seeing.

                If not then that - then firewall or security software on this 10.6 box is the most likely problem - if this box has working internet access through pfsense.

                But from the sniff you can see the ping is being sent to the 10.6 box - it just isn't answering.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                D 1 Reply Last reply Reply Quote 1
                • D Offline
                  dansci @johnpoz
                  last edited by

                  @johnpoz 10.6 downloads the configuration via DHCP. The mask is correct, 24.
                  I tried to run Wireshark on this 10.6, but for some reason after running packet capture it crashes and I can't manage it.

                  However, it turned out that this host has a non-stop VPN connection running to an external network. While in the previous configuration of my network, where both hosts were in one subnet (without VLAN) (50.4 and 10.6 were in 192.168.0.0/24) then there was no problem with connecting between them. Now that maybe this OpenVPN on 10.6 is causing 50.4 to not be able to get along with it. I need to verify that, but if that turns out to be the case then I'll have to work around the problem somehow.

                  bmeeksB 1 Reply Last reply Reply Quote 0
                  • bmeeksB Offline
                    bmeeks @dansci
                    last edited by

                    @dansci said in I can ping between two hosts from different VLANs:

                    @johnpoz 10.6 downloads the configuration via DHCP. The mask is correct, 24.
                    I tried to run Wireshark on this 10.6, but for some reason after running packet capture it crashes and I can't manage it.

                    However, it turned out that this host has a non-stop VPN connection running to an external network. While in the previous configuration of my network, where both hosts were in one subnet (without VLAN) (50.4 and 10.6 were in 192.168.0.0/24) then there was no problem with connecting between them. Now that maybe this OpenVPN on 10.6 is causing 50.4 to not be able to get along with it. I need to verify that, but if that turns out to be the case then I'll have to work around the problem somehow.

                    Depending on exactly which type of VPN client is configured and running on this 10.6 host, it very well could be the default route for this host has been changed by the VPN package to be a gateway at the far-end of the VPN tunnel. If true, then the host is replying via that gateway, and that gateway likely has no idea how to route a reply to your source IP (especially if your source IP is in RFC1918 space).

                    1 Reply Last reply Reply Quote 0
                    • D Offline
                      dansci
                      last edited by

                      @bmeeks Here my knowledge is limited. How can I check which gateway has priority in such a situation, the one from the local connection or the one from the VPN tunnel?

                      If it turns out that the one from the VPN then can I somehow indicate in the VPN client to look for this host elsewhere?

                      The client is OpenVPN.

                      D bmeeksB 2 Replies Last reply Reply Quote 0
                      • D Offline
                        dansci @dansci
                        last edited by

                        I got permission to disable this VPN temporarily, but this did not help. The ping is not coming back.

                        PS. sorry for the mistake in the title. Of course it should be that I can't :)

                        bmeeksB 1 Reply Last reply Reply Quote 0
                        • bmeeksB Offline
                          bmeeks @dansci
                          last edited by

                          @dansci said in I can ping between two hosts from different VLANs:

                          @bmeeks Here my knowledge is limited. How can I check which gateway has priority in such a situation, the one from the local connection or the one from the VPN tunnel?

                          If it turns out that the one from the VPN then can I somehow indicate in the VPN client to look for this host elsewhere?

                          The client is OpenVPN.

                          Typically, on a client, there is only a single gateway configured and that one is considered the "default" one where all traffic not bound for the local subnet is sent. So for a host on a 10.x.x.6 network (assuming subnet is properly set), it hand off any traffic destined for a network outside of that subnet to the gateway.

                          Many users have posted here on the Netgate forums with traffic routing problems caused by installing VPN clients according to instructions from the VPN provider. Invariably those instructions call for turning on a setting that pulls the default route from the VPN provider instead of using the route provided by say DHCP on the host (or firewall).

                          I don't currently have an active VPN client on a host I can check, so I am unable to describe for you where to check the gateway configuration.

                          The online docs for OpenVPN are available, but require quite a bit of networking skill to navigate and understand. Here is one example: https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/.

                          1 Reply Last reply Reply Quote 0
                          • bmeeksB Offline
                            bmeeks @dansci
                            last edited by bmeeks

                            @dansci said in I can ping between two hosts from different VLANs:

                            I got permission to disable this VPN temporarily, but this did not help. The ping is not coming back.

                            PS. sorry for the mistake in the title. Of course it should be that I can't :)

                            Disabling the VPN does not necessarily mean the route was changed.

                            Is the VPN connection a dedicated site-to-site one, or is it being used as some sort of "privacy protection" thing for routine browsing and is terminating with some commercial VPN provider?

                            What kind of host is this 10.6 device? Is it a Windows box, a Linux box, or what? Can you check its gateway setting?

                            This topic thread from the OpenVPN forum may also help: https://forums.openvpn.net/viewtopic.php?t=27689.

                            As someone mentioned earlier in this thread, have you verified whether the 10.6 host has its own internal firewall running or not? Windows clients these days do in fact run a host firewall by default. Ditto for most Linux type hosts as well. The Windows firewall can be particularly tricky because it will by default sometimes allow traffic from the local network but will block traffic from external networks (meaning not on the same subnet).

                            bmeeksB D 2 Replies Last reply Reply Quote 1
                            • bmeeksB Offline
                              bmeeks @bmeeks
                              last edited by

                              This post is deleted!
                              1 Reply Last reply Reply Quote 0
                              • D Offline
                                dansci @bmeeks
                                last edited by

                                @bmeeks 10.6 is Windows. And it was actually a Windows firewall, .... sorry, earlier I thought it acutely let such things go.

                                And just answering anyway, the VPN is supposed to allow connection to this computer from outside to its shared folder.

                                And the routing table on this Windows looks like the lowest metric is the gateway from pfSense - 10. Where the VPN is is 20.

                                Tabela tras IPv4
                                ===========================================================================
                                Aktywne trasy:
                                Miejsce docelowe w sieci   Maska sieci      Brama          Interfejs Metryka
                                          0.0.0.0          0.0.0.0     192.168.10.1     192.168.10.6     10
                                        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
                                        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
                                  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
                                      192.168.0.0    255.255.252.0     192.168.24.1   192.168.24.122     20
                                     192.168.10.0    255.255.255.0         On-link      192.168.10.6    266
                                     192.168.10.6  255.255.255.255         On-link      192.168.10.6    266
                                   192.168.10.255  255.255.255.255         On-link      192.168.10.6    266
                                     192.168.24.0    255.255.255.0         On-link    192.168.24.122    276
                                   192.168.24.122  255.255.255.255         On-link    192.168.24.122    276
                                   192.168.24.255  255.255.255.255         On-link    192.168.24.122    276
                                    192.168.100.0    255.255.255.0     192.168.24.1   192.168.24.122     20
                                    192.168.252.0    255.255.255.0     192.168.24.1   192.168.24.122     20
                                        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
                                        224.0.0.0        240.0.0.0         On-link      192.168.10.6    266
                                        224.0.0.0        240.0.0.0         On-link    192.168.24.122    276
                                  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
                                  255.255.255.255  255.255.255.255         On-link      192.168.10.6    266
                                  255.255.255.255  255.255.255.255         On-link    192.168.24.122    276
                                ===========================================================================
                                

                                Anyway, I tried to quickly add a rule to the Windows firewall, but it didn't work. I need to read up on how to do it to unblock 50.4.

                                johnpozJ 1 Reply Last reply Reply Quote 0
                                • johnpozJ Offline
                                  johnpoz LAYER 8 Global Moderator @dansci
                                  last edited by

                                  @dansci said in I can ping between two hosts from different VLANs:

                                  I need to read up on how to do it to unblock 50.4.

                                  I personally don't run local windows firewall.. I have no hosts locally on my network that I would consider hostile.. And I don't run any services that I would block specific hosts on the same network from accessing, etc. My box is on its own segment, shit I don't actually trust is on different vlans, and pfsense prevents them from talking to my PC etc. So the local firewall wouldn't be worth managing.. And just causes problems ;)

                                  Not saying you should do that - just saying it is an option if your having issues configuring it. At least for your own validation that is the problem..

                                  Host firewalls do have valid use cases, but they also can just be pita if they wouldn't do any good anyway.. You have to evaluate for yourself if makes sense to run a host firewall or not for your environment.

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                                  D 1 Reply Last reply Reply Quote 1
                                  • D Offline
                                    dansci @johnpoz
                                    last edited by

                                    @johnpoz @bmeeks @Bob-Dig
                                    Thank you for your support. Correctly setting a rule in windows firewall on 10.6 that allows traffic from 50.4 helped.

                                    1 Reply Last reply Reply Quote 0
                                    • First post
                                      Last post
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.