Strange MicroSemi PDS-208 behavior
-
You don't want to add another vlan to pfSense, you just want to stop using vlan 1 on the switch, is this correct?
I have no preference. If I have to use a vlan, it's fine, I've just never used vlans. I wanted to avoid vlan1 since that's used on most switches, but since it's a switch itself, that's fine if it makes sense to use vlan1.
However, changing the microsemi vlan1 IP to an IP on the 192.168.1.1 network doesn't work. I can ping it a few times then no more.
Just looked at the picture you posted, looks like dhcp might not be an option so set a static IP like John's post above.
Correct. The microsemi devices do not have a dhcp client though the manual says it does. I've not been able to find any firmware updates and even the distributor didn't know about any.
If so, the router doesn't care what vlan you use on the switch. You're using a physical port on the router, so whatever pvid is on the port of the switch that you plug into the router will be used.
Do this. Log into the switch. Add a vlan id that you want to use as the default vlan. Set that vlan id as pvid on any 2 ports for now. Set that vlan as management vlan.
Set the management vlan to dhcp.
Plug one of the ports you used into the lan port on pfSense.
Check your dhcp status and find the IP given to the switch.
Plug the pc into the other switchport with the new vlan.
Log into the IP you found in the dhcp status.
Set all the other switchports to the pvid of the vlan you want to use.
I think I've tried this so let me explain what I've done again and see if it's what you are explaining.
I connected a terminal directly to port 10.
The microsemi comes default with vlan1 and 192.168.0.50.
My network is 192.168.1.1.
I changed vlan1 to 192.168.1.22, a free IP on the 192.168.1.1 network.
I changed the IP of the terminal to match so kept having access.
On the 192.168.1.1 network, I used a server to ping the 192.168.1.22 IP continuously and noticed that it can ping it 3-4 times only when the microsemi is restarted or the cable is pulled from the port and plugged back in.
I preferred not to use vlan1 so wanted to add a new vlan for this since I have a bunch of these microsemi switches and want them on their own network.
I also don't have a free interface on pfsense so a vlan would be perfect.
I added a new vlan on the microsemi, vlan3, so I would use a new network of 192.168.3.0/24. Something I'd remember, vlan matching the network.
I connected the microsemi port 9 directly to the main LAN switch, port 16. That's the same switch that pfsense is connected to.
I added vlan3 to the main switch for port 16, untagged. Not sure where I mentioned I used tagged but never have so if I did, it was a typo.
Then I figured ok, now I have to add a vlan to pfsense.
I added vlan3 (192.168.3.1/24) to the LAN interface.
I then added a rule that should have allowed all traffic to the vlan.
Even if I made an error above so far, the problem remains at the microsemi first I think.
When I created the vlan3 and selected all ports, I got locked out of the device. Changing the network on the terminal did nothing so I reset the switch.
Then I re-added a new vlan3 and this time, selected only ports 9 and 10.
Got locked out again.
Then I re-added a new vlan3 and this time, selected only port 9 for it so I would not get booted and that worked. I hoped that maybe that would at least get some communications going between pfsense and the microsemi so I could move forward from there.
So, that combination ended up being: microsemi connected to main lan switch port 16, untagged. Port 9 of the microsemi using vlan3.
Got nowhere, decided to post here.
Based on the fact that you are all telling me how easy this should be, it means to me that the microsemi is doing something unusual or I'm missing a very small step. Of course, at this point, it's a long thread which also adds additional confusion but still appreciating the help otherwise, I think these damn things would be in the garbage bin at this point! Or I should be on a badly needed vacation.
-
@lewis You do realize that every switch is its own broadcast domain, right?
You can have 10 switches, all using vlan 1 and each switch will be a separate network if you connect them to different interfaces on the router.
If what you're thinking is because they all use vlan 1 they are all gonna be connected, that's not how it works. Think about it, every switch I've ever seen comes with vlan 1 as default. So if you were right, every network in the world would be connected.
If you don't connect the switches together, they are separate regardless if they all use vlan 1 or not.
Why don't you draw a diagram of what you want to do so it would be clearer because what you're saying isn't coming over very well.
-
I don't know why what I'm asking about is sounding so complicated.
I'm not wanting to do anything interesting. I simply want to reach these switches from the main lan.
Later, I thought this might be a good opportunity to learn about vlans, by keeping these switches in their own isolated network but reachable from the main lan.
A diagram would be as simple as;
A separate network would be nice to have so I could isolate that traffic from the main LAN and the other networks on the pfsense.
For now, I just want some of the devices on 192.168.1.1/24 to be able to reach the microsemi devices connected to ports 1-8 when that's done.
-
@lewis said in Forced to use vlan1:
A diagram would be as simple as;
And how many times do I have to tell you how to set this up? This works out of the box on both pfsense and this switch.. Forget vlans for 1 minute..
I stated above how to change the IP of the switch to 192.168.1.2.
Do that! And your diagram works.. It is that simple, there is nothing to do - no small steps... You're changing the IP of the switch.. nothing to do with vlans, nothing to do on pfsense.. the only thing you have to worry about is that the IP you set the switch to is not already being used on your 192.168.1/24 network..
Once you have the switch working with some 192.168.1.x IP on its default vlan 1, we can start talking about adding vlans.. Keep in mind with your drawing, that main switch if it's dumb is not how you would do it.. Because while a dumb switch might not strip vlan tags (it could but shouldn't) it doesn't understand vlans, and any broadcast traffic sent across that switch no matter what vlan tag you have on it is going to go out all the ports, and there is no isolation of any vlan traffic.. That sort of setup is not a valid setup..
If you have some dumb switch it should be behind your vlan capable switch..
If you plan on doing vlans sometime in the future.. You should put this vlan capable switch between pfsense and your dumb switch..
But for now.. I would get the vlan switch working on something.. Either change its management IP to be on your lan network.. Or just connect it to one of your other pfsense interfaces and either use 192.168.0/24 network on that, or change that network to be some network you want to use..
But for now forget about changing any vlans on the switch, forget about setting up any vlans on pfsense. And just get the switch talking on its IP you set on it..
If your other interfaces are not actively being used.. Then plug your new vlan switch into one of those. Set pfsense to use 192.168.0.1/24 on this interface.
Set up an any/any rule on the pfsense optX interface. Make sure the gateway on the switch is 192.168.0.1 and there you go - the switch is on your local network, it can talk to the internet or your other networks. As long as your networks are not policy routing traffic out some gateway or vpn, and your rules allow it to talk to your other networks on pfsense - you're working..
-
Please don't say things like 'how many times do I have to tell you'. I'm a grown man, I don't treat people that way and I don't want to be treated this way.
I'm not being rude and I'm not purposely not understanding. It's new to me and many others have said that playing with vlans was quite a challenge for them.
Yes, I understand that we're not talking vlans at this point but I've shared many times that I've done exactly what you're showing.
I shared above that it is set to 192.168.1.22, a free IP in the main LAN.
It responds to pings only 3-4 times then no more unless restarted or I pull the cable and plug it back in.
There are no switches in between right now, port 9 of the microsemi is connected to port 16 of the main LAN switch and it's on the same network but is not accessible.
Here is an image of the microsemi;
And here is an image trying to ping it from a LAN client;
-
That is your client 192.168.1.50 saying that IP that is supposed to be on my network does not have a mac address.. via arp..
Here I do not have anything on my network at 9.44 - so yeah my client says it can not talk to that host..
Where is this 192.168.1.50 client.. is it plugged into the vlan switch, on a port that is still on vlan 1, or is it connected to your main switch?
None of this has anything to do with vlans, this has to do with your switch.. If you're connected to a port on that vlan switch that is untagged in vlan 1 and it can not ping the management IP of the switch... Then either you didn't actually change the IP. Or the switch is borked..
-
@lewis said in Forced to use vlan1:
There are no switches in between right now, port 9 of the microsemi is connected to port 16 of the main LAN switch and it's on the same network but is not accessible.
So where's the router in this?
Why not get rid of the main lan switch for a second.
Plug the microsemi into the lan port from pfSense and a pc into another switchport.
Does everything work that way?
This sounds like the main lan switch is in between.
-
@jarhead the dumb switch shouldn't matter.
But I have already gone over testing the changing of this switch's management IP without any other switches or pfsense involved at all.
Connect your PC to say port 1 of the switch, not the console port.. Any of the ports on the switch.. Set your IP on your pc to 192.168.0.51, access the switch gui - change the IP to 192.168.1.2.. or .22 if you want... Now change the IP of your PC to 192.168.1.X
Can you ping the IP of the switch, and can you access the gui - if not then the switch isn't changing its IP or it's just plain freaking borked..
-
That is your client 192.168.1.50 saying that IP that is supposed to be on my network does not have a mac address.. via arp..
Not exactly. It's what I've been explaining many times.
I have configured an IP on the microsemi that is on the same network as the other devices are on LAN. I've given it 192.168.1.22, a free IP, not being used anywhere else.
From just another client, in this case, a Centos server on the network, I start pinging that IP but get nothing. I get nothing unless I reboot the microsemi or unplug the Ethernet cable then plug it back in. Any time it does ping, it only pings 3-4 times or so then no more.
In this image, I show that I'm pinging the switch while it's rebooting. The moment I see a response, I run an nmap.
Somehow, the nmap completes showing the open ports on the device.
Maybe the probe kept the switch communicating until it was done or something.
And yes, it's the correct MAC address as well.
Great. Then I immediately start pinging it again and as you can see, it's already gone.
On the terminal connected to the microsemi, I can still ping 192.168.1.22.
So where's the router in this?
The router is on the WAN side, it's not involved at all.
Since the terminal is connected directly to the microsemi port, it's not involved in any firewall/router either.
Why not get rid of the main lan switch for a second.
Plug the microsemi into the lan port from pfSense and a pc into another switchport.
I can't do that, it would take down too many things. Everything across the networks is working just fine, it's only this microsemi I'm having a problem with.
This sounds like the main lan switch is in between.
The fact that the microsemi was reachable for a short while by a client on the LAN seems to confirm there is nothing wrong with the main LAN switch.
From pfsense, using ping, it's the same it cannot reach 192.168.1.22 even though it was reachable a few moments ago.
-
Excuse for jumping in, but can you do a simple test and post the outcome?
Just connect the microsemi switch and a notebook directly with a LAN cable. If the notebook has a 1Gb/s interface a usual cable will work, no crossover cable mandatory.
Assign a static IP to the notebook in same subnet (i.e. switch: 192.168.1.22, notebook 192.168.1.10, subnet mask 255.255.255.0 at both devices).
So no "foreign" devices are involved.
Is ping then continuous?
Regards
-
@fsc830 exactly..
Take the rest of the network out of the equation completely..
Also that destination host unreachable is where the client doesn't know the mac.. if there was a firewall blocking, or the device just didn't want to answer, then the response would be timeout. Not unreachable - unreachable means the client doesn't know what mac address to send the traffic to.
Or it doesn't have a route, etc. but if devices are on the same network and you get host unreachable - that means there is no mac for that IP..
Look in your arp table.. on the client you're using to ping that is on the same network as the switch's management IP.
edit: here is a question for you - are you actually applying the config.. You can change the running config, but are you saving that running config?
Page 86 of the manual talks about saving the running config.. If you are rebooting the device and didn't actually save the config, it would go back to the saved config.. I.e. revert to the old IP, etc.
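The reasoning in this post (a same-subnet "Destination Host Unreachable" means the client never learned a MAC for the IP, so the ARP/neighbour table is the place to look) as an added Python example; this is not code from the thread. The ping and `ip neigh` output it parses is constructed for the example, and the function names are my own.

```python
"""Classify ping output and look up the neighbour (ARP) state of the target.

Added example: distinguishes an ARP failure (no MAC learned) from a
timeout (MAC known, host or firewall silent), which is the point made above.
"""
import re
from collections import Counter

# Constructed sample: a few replies, then the host vanishes at layer 2.
PING_OUTPUT = """\
64 bytes from 192.168.1.22: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 192.168.1.22: icmp_seq=2 ttl=64 time=0.398 ms
64 bytes from 192.168.1.22: icmp_seq=3 ttl=64 time=0.401 ms
From 192.168.1.50 icmp_seq=4 Destination Host Unreachable
From 192.168.1.50 icmp_seq=5 Destination Host Unreachable
"""

# Constructed sample of `ip -4 neigh show` on the client doing the pinging.
IP_NEIGH_OUTPUT = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.22 dev eth0  FAILED
"""


def classify_ping_lines(text):
    """Count ping result lines as 'reply', 'unreachable', 'timeout' or 'other'."""
    counts = Counter()
    for line in text.splitlines():
        if re.search(r"bytes from .* icmp_seq=\d+", line):
            counts["reply"] += 1
        elif "Destination Host Unreachable" in line:
            counts["unreachable"] += 1
        elif re.search(r"[Tt]imeout|[Tt]imed out", line):
            counts["timeout"] += 1
        elif line.strip():
            counts["other"] += 1
    return counts


def neighbour_state(text, ip):
    """Return (lladdr, state) for ip from `ip neigh` output; lladdr is None if unknown."""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == ip:
            mac = fields[fields.index("lladdr") + 1] if "lladdr" in fields else None
            return mac, fields[-1]
    return None, None


def diagnose(ping_text, neigh_text, ip):
    """Combine both views into one verdict for the pinging client."""
    counts = classify_ping_lines(ping_text)
    mac, state = neighbour_state(neigh_text, ip)
    if counts["unreachable"] and (mac is None or state in {"FAILED", "INCOMPLETE"}):
        return "arp-failure"          # no MAC for the IP: layer-2 problem, not a firewall
    if counts["timeout"] and not counts["unreachable"]:
        return "filtered-or-silent"   # MAC known, host or firewall not answering
    if counts["reply"] and not (counts["unreachable"] or counts["timeout"]):
        return "ok"
    return "mixed"
```

Run it against a real capture by pasting the client's ping and `ip -4 neigh show` output into the two strings.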
-
Connect your PC to say port 1 of the switch, not the console port.. Any of the ports on the switch.. Set your IP on your pc to 192.168.0.51, access the switch gui - change the IP to 192.168.1.2.. or .22 if you want... Now change the IP of your PC to 192.168.1.X
I'm not connected to the console port, I don't have the cable. I thought about that also and tried connecting the terminal to 1-8 ports and the same thing happens.
On the terminal, I constantly have a ping going along with the GUI open in a browser.
Can you ping the IP of the switch, and you access the gui - if not then the switch isn't changing its IP or its just plain freaking borked..
The switch is using the new IP of 192.168.1.22.
I tried this just now. I connected the terminal to an unmanaged switch.
I connected the microsemi to the same switch.
The terminal was able to ping it a few times but then no more as all other times so far.
The manual says no need for a cross-over cable or anything unusual but for some reason, the microsemi won't work using an Ethernet switch.
-
@fsc830 said in Forced to use vlan1:
Excuse for jumping in, but can you do a simple test and post the outcome?
Just connect the microsemi switch and a notebook directly with a LAN cable. If the notebook has a 1Gb/s interface a usual cable will work, no crossover cable mandatory.
Assign a static IP to the notebook in same subnet (i.e. switch: 192.168.1.22, notebook 192.168.1.10, subnet mask 255.255.255.0 at both devices).
So no "foreign" devices are involved.
Is ping then continuous?
Regards
Hi, thanks for your input. Yes, that's how it was. The terminal as I call it is a tiny stand-alone Linux box I use for stuff like this. It's only connected to the microsemi.
-
can we see a snip of your port to vlan membership page from your main switch?
-
Take the rest of the network out of the equation completely..
That's how it all started. I connected a terminal to the microsemi and it's fine, it can communicate.
Then just a while ago, I connected the microsemi to a small unmanaged switch and the terminal to the same switch and the terminal can no longer reach the microsemi. As usual, I saw a few pings then no more. As soon as I connected the terminal back into the microsemi, it pings again.
Also that destination host unreachable is where the client doesn't know the mac.. if there was a firewall blocking, or the device just didn't want answer then the response would be timeout. Not unreachable - unreachable means the client doesn't know what mac address to send the traffic too.
Or it doesn't have a route, etc. but if devices are on the same network and you get host unreachable - that means there is no mac for that IP..
It has a route and it's reachable from the LAN but only for a few seconds.
The reason there's no MAC is only because it goes MIA :). That's why nmap doesn't see the host. In what I shared, I'm showing that by the time I was able to ping it then nmap it, it was reachable long enough to get the nmap result back then no more.
edit: here is a question for you - are you actually apply the config.. You can change the running config, but are you saving that running config?
Yes, the config is saved and the microsemi has been rebooted a few times and comes back with the same 192.168.1.22 IP.
-
@lewis said in Forced to use vlan1:
Hi, thanks for your input. Yes, that's how it was. The terminal as I call it is a tiny stand-alone Linux box I use for stuff like this. It's only connected to the microsemi.
So, to clarify: only one Linux box is directly connected to the microsemi switch and ping dies out after a very short time!?
If the switch is really "dump" and does not have any mechanism to detect a DoS attack, my guess is that here is a broken network stack.
The ping should never die out.
Does this happen with another client too?
Regards
-
@daduls Sure but there's no extra configuration on it, it's just default.
-
@lewis Thx, this noob sees no reason your microsemi switch should be giving you such a hard time. I'm gonna make popcorn and watch.....
-
@fsc830 said in Forced to use vlan1:
So, to clarify: only one Linux box is directly connected to the microsemi switch and ping dies out after a very short time!?
The initial IP of the microsemi was 192.168.0.50 and I've since changed it to 192.168.1.22 and the Linux box is at 192.168.1.75 connected directly to any port.
The short ping responses are when I connect the microsemi to the network and ping it from anything else on the same LAN. From that, I get 3-5 pings then no more and only if I restart the microsemi or if I unplug the Ethernet and plug it back in. After that, nothing else.
I shared an image above showing I was pinging it, when it came back online, it started responding so I quickly ran an nmap. The nmap result came back which surprised me since it only stays online for a few pings. Yet there was the result. Right after that, I pinged it again and it was gone.
It's as if the nmap kept it alive long enough to complete the scan then done.
If the switch is really "dump" and does not have any mechanism to detect a DoS attack, my guess is that here is a broken network stack.
The ping should never die out.
Sorry, what does 'dump' mean in your comment?
Does this happen with another client too?
Yes, I kept two different clients pinging non stop so I could monitor the behavior. Both saw the same thing. The only one that never stops seeing it is the Linux box connected directly to it. And of course, as mentioned above, it did exactly the same as the others did when I connected it to a switch and the microsemi to the same switch, unmanaged.
-
@lewis So then the problem is clearly in the Main Lan switch. Do you have something configured on the port you're using? Did you add a vlan to it already maybe?
Try a different port on that switch.