Netgate Discussion Forum

    pfSense not responding to icmp ping from switch

    General pfSense Questions
    • ryansun

      I recently got a Cisco Catalyst 1000 switch and I'm using the native VLAN 1. The switch is connected to the pfSense LAN port and a few devices are connected to several switch ports.

      From both pfSense and the connected devices I can ping the switch management IP (192.168.1.4). However, from the switch I cannot ping pfSense but can ping other devices. The switch is not able to use pfSense as DNS either.

      I did a packet capture on pfSense and it seems pfSense did receive the packet; however, it did not respond for some reason.

      22:40:57.672290 IP 192.168.1.4 > 192.168.1.1: ICMP echo request, id 3, seq 0, length 80
      (no echo reply)
      

      pfSense is configured with the default Allow Any (any protocol) from LAN (which includes 192.168.1.0/24) to Any rule.

      There is no VLAN configured in pfsense under Interfaces -> VLANs.

      My switch config:

      switch-2# show run
      (Truncated)
      
      interface GigabitEthernet1/0/1
      !
      interface GigabitEthernet1/0/2
      !
      interface GigabitEthernet1/0/3
      !
      interface GigabitEthernet1/0/4
      !
      interface GigabitEthernet1/0/5
      !
      interface GigabitEthernet1/0/6
      !
      interface GigabitEthernet1/0/7
      !
      interface GigabitEthernet1/0/8
      !
      interface GigabitEthernet1/0/9
      !
      interface GigabitEthernet1/0/10
      !
      interface GigabitEthernet1/0/11
      !
      interface GigabitEthernet1/0/12
      !
      interface GigabitEthernet1/0/13
      !
      interface GigabitEthernet1/0/14
      !
      interface GigabitEthernet1/0/15
      !
      interface GigabitEthernet1/0/16
      !
      interface GigabitEthernet1/0/17
      !
      interface GigabitEthernet1/0/18
      !
      interface Vlan1
       ip address dhcp
      !
      
      switch-2#show interface vlan 1
      Vlan1 is up, line protocol is up
        Hardware is EtherSVI, address is ...
        Internet address is 192.168.1.4/24
        MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
           reliability 255/255, txload 1/255, rxload 1/255
        Encapsulation ARPA, loopback not set
        Keepalive not supported
        ARP type: ARPA, ARP Timeout 04:00:00
        Last input 00:00:00, output 00:29:33, output hang never
        Last clearing of "show interface" counters never
        Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
        Queueing strategy: fifo
        Output queue: 0/40 (size/max)
        5 minute input rate 0 bits/sec, 0 packets/sec
        5 minute output rate 0 bits/sec, 0 packets/sec
           0 packets input, 0 bytes, 0 no buffer
           Received 0 broadcasts (0 IP multicasts)
           0 runts, 0 giants, 0 throttles
           0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
           0 packets output, 0 bytes, 0 underruns
           0 output errors, 2 interface resets
           0 unknown protocol drops
           0 output buffer failures, 0 output buffers swapped out
      
      switch-2#show ip route
      Default gateway is 192.168.1.1
      
      Host               Gateway           Last Use    Total Uses  Interface
      ICMP redirect cache is empty
      
      
      switch-2#show vlan
      
      VLAN Name                             Status    Ports
      ---- -------------------------------- --------- -------------------------------
      1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                      Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                      Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                      Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                      Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                      Gi1/0/16, Gi1/0/17, Gi1/0/18
      
      
    • johnpoz LAYER 8 Global Moderator @ryansun
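    The symptom in the first post (echo requests visible on the pfSense LAN sniff, no echo replies) is easy to miss by eye in a longer capture. The following script is an added example, not code from the thread or from pfSense: it parses tcpdump's default text output for ICMP echo lines, pairs each request with its reply by swapped src/dst plus matching id and seq, and reports which requests stayed unanswered, grouped by source and destination. The capture lines inside it are constructed to resemble the thread's output; only the first line is the one actually posted.

```python
"""Pair ICMP echo requests with replies in tcpdump text output.

Added example, not from the forum thread. The sample capture below is
constructed to resemble a pfSense LAN packet capture.
"""
import re
from collections import OrderedDict

# tcpdump's default ICMP echo line, e.g.
# 22:40:57.672290 IP 192.168.1.4 > 192.168.1.1: ICMP echo request, id 3, seq 0, length 80
ICMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)


def parse_icmp(lines):
    """Yield one dict per ICMP echo request/reply line; other lines are skipped."""
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"] = int(d["id"])
            d["seq"] = int(d["seq"])
            yield d


def unanswered_requests(lines):
    """Return (src, dst, id, seq) tuples of requests that never saw a reply.

    A reply matches a request when src/dst are swapped and id/seq agree.
    """
    pending = OrderedDict()
    for pkt in parse_icmp(lines):
        if pkt["kind"] == "request":
            pending[(pkt["src"], pkt["dst"], pkt["id"], pkt["seq"])] = pkt["ts"]
        else:
            pending.pop((pkt["dst"], pkt["src"], pkt["id"], pkt["seq"]), None)
    return list(pending.keys())


# Constructed sample: the switch's pings to pfSense go unanswered, a client's do not,
# and a non-ICMP line (ARP) is present to show it is ignored.
SAMPLE_CAPTURE = """\
22:40:57.672290 IP 192.168.1.4 > 192.168.1.1: ICMP echo request, id 3, seq 0, length 80
22:40:59.672501 IP 192.168.1.4 > 192.168.1.1: ICMP echo request, id 3, seq 1, length 80
22:41:01.103322 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 17, seq 0, length 64
22:41:01.103410 IP 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 17, seq 0, length 64
22:41:02.500000 ARP, Request who-has 192.168.1.4 tell 192.168.1.1, length 28
"""


def summarize(capture_text=SAMPLE_CAPTURE):
    """Count unanswered requests per (src, dst) so a silent responder stands out."""
    counts = {}
    for src, dst, _id, _seq in unanswered_requests(capture_text.splitlines()):
        counts[(src, dst)] = counts.get((src, dst), 0) + 1
    return counts


if __name__ == "__main__":
    for (src, dst), n in summarize().items():
        print(f"{n} echo request(s) from {src} to {dst} without reply")
```

    Feed it the text of `tcpdump -n icmp` (or the pfSense Diagnostics > Packet Capture output, which is tcpdump text) and a host that is silent to one peer but answers another, as in this thread, shows up as the only (src, dst) pair with a non-zero count.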

        @ryansun can you show a full run vs truncated?

        show run detailed

        I don't see a name server listed, so that would explain no DNS from the switch

        normally this would be set with

        ip name-server ipaddress

        I take it that sniff was taken on the pfSense LAN; it got the ping, it just didn't answer?

        Your LAN rules on pfSense are any any - could you post a screenshot? You say other clients on your 192.168.1.0/24 network can ping the pfSense 192.168.1.1 address

        can you show your switch's ARP table after you try and ping 192.168.1.1 on the switch?

        sg300-28#sho arp       
        
        Total number of entries: 2
        
        
          VLAN    Interface     IP address        HW address          status      
        --------------------- --------------- ------------------- --------------- 
        vlan 9     gi10       192.168.9.100   b0:4f:13:0b:fd:16   dynamic         
        vlan 9     gi4        192.168.9.253   00:08:a2:0c:e6:24   dynamic         
        
        
        sg300-28#
        

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • NogBadTheBad @johnpoz

          @johnpoz vlan1 is getting an IP address via DHCP; is there an issue with the subnet mask?

          If you run a packet capture on the LAN interface, are you seeing ICMP traffic?

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • johnpoz LAYER 8 Global Moderator @NogBadTheBad

            @NogBadTheBad I believe that sniff he shows was on the LAN interface of pfSense - which shows a ping from 192.168.1.4 to 192.168.1.1

            Yeah, not a fan of DHCP on a switch.. But it should still be able to ping..

            Captive portal maybe @ryansun?? Do you have any rules in floating? Now that I think about it, if that sniff was on the pfSense LAN, that would mean that the switch is seeing the MAC address of the pfSense LAN interface - so yeah, the no ping is odd..

            No DNS on the switch would make sense, since I'm not seeing that in the switch's run, but maybe it's truncated; I would expect to see the

            ip name-server ipaddress

            called out for the name server..

          • ryansun @johnpoz

              @johnpoz The switch does not have "show run detailed" available, but here's the untruncated config:

              switch-2#show run full
              Building configuration...
              
              Current configuration : 1922 bytes
              !
              ! Last configuration change at 00:46:56 UTC Sat Jun 29 2024 by cisco
              !
              version 15.2
              no service pad
              service timestamps debug datetime msec
              service timestamps log datetime msec
              no service password-encryption
              service unsupported-transceiver
              !
              hostname switch-2
              !
              boot-start-marker
              boot-end-marker
              !
              enable secret 9 REDACTED
              !
              username cisco secret 9 REDACTED
              aaa new-model
              !
              !
              !
              !
              !
              !
              !
              !
              aaa session-id common
              clock timezone UTC -23 0
              switch 1 provision c1000-16p-2g-l
              system mtu routing 1500
              !
              !
              !
              !
              !
              !
              !
              !
              !
              !
              spanning-tree mode rapid-pvst
              spanning-tree extend system-id
              no errdisable detect cause gbic-invalid
              errdisable recovery cause gbic-invalid
              !
              vlan internal allocation policy ascending
              !
              !
              !
              !
              !
              !
              interface Bluetooth0
               no ip address
               shutdown
              !
              interface Port-channel1
              !
              interface GigabitEthernet1/0/1
              !
              interface GigabitEthernet1/0/2
              !
              interface GigabitEthernet1/0/3
              !
              interface GigabitEthernet1/0/4
              !
              interface GigabitEthernet1/0/5
              !
              interface GigabitEthernet1/0/6
              !
              interface GigabitEthernet1/0/7
              !
              interface GigabitEthernet1/0/8
              !
              interface GigabitEthernet1/0/9
              !
              interface GigabitEthernet1/0/10
              !
              interface GigabitEthernet1/0/11
              !
              interface GigabitEthernet1/0/12
              !
              interface GigabitEthernet1/0/13
              !
              interface GigabitEthernet1/0/14
              !
              interface GigabitEthernet1/0/15
               spanning-tree portfast edge
               channel-group 1 mode active
              !
              interface GigabitEthernet1/0/16
               spanning-tree portfast edge
               channel-group 1 mode active
              !
              interface GigabitEthernet1/0/17
              !
              interface GigabitEthernet1/0/18
              !
              interface Vlan1
               ip address dhcp
              !
              no ip http server
              ip http banner
              no ip http secure-server
              ip ssh version 2
              !
              !
              !
              !
              !
              !
              line con 0
              line vty 0 4
               transport input ssh
              line vty 5 15
               password cisco
               transport input none
              !
              ntp server time.google.com
              end
              

              And here's the ARP table after the ping (it shows an entry for 192.168.1.2 as well, which the switch is able to ping):

              switch-2#show arp
              Protocol  Address          Age (min)  Hardware Addr   Type   Interface
              Internet  192.168.1.1             0   00e0.6721.617d  ARPA   Vlan1
              Internet  192.168.1.2            35   f492.bf74.a834  ARPA   Vlan1
              

              When I said the switch isn't able to use pfSense as DNS, I meant it does get the DNS server from DHCP; however, DNS queries just time out:

              switch-2#show ip name-server
              192.168.1.1
              
              switch-2#ping www.cisco.com
              Translating "www.cisco.com"...domain server (192.168.1.1)
              % Unrecognized host or address, or protocol not running.
              
            • ryansun @johnpoz

                @johnpoz No floating rules on pfSense:
                [screenshot: e638b9bf-0181-49aa-94cd-bdc7b7fa666a-image.png]

                No captive portal either.

                "I take it that sniff was taken on pfsense lan, it got the ping, it just didn't answer?" - exactly @NogBadTheBad

                "Your lan rules on pfsense are any any - could you post a screenshot" - sure:

                [screenshot: 9f5df8e9-a949-475b-875e-5fc68bf53506-image.png]

                And then - LAN subnets:

                [screenshot: 23a86c75-25ca-47b9-b194-b788703e9a1b-image.png]

              • johnpoz LAYER 8 Global Moderator @ryansun

                  @ryansun said in pfSense not responding to icmp ping from switch:

                  interface GigabitEthernet1/0/15
                  spanning-tree portfast edge
                  channel-group 1 mode active
                   !
                  interface GigabitEthernet1/0/16
                  spanning-tree portfast edge
                  channel-group 1 mode active
                  

                  Port channel - you're doing a LAGG; did you set this up in pfSense? You didn't mention that in your first post.

                  So yeah, I would remove that and see if you're OK, and then if you want to go back to it you can, but LACP needs to be configured in pfSense.

                  And I see no name server listed, so no, the switch isn't going to be able to do DNS.

                  edit:
                  Why would you have multiple networks on your LAN source - are you wanting to use this as a transit network? 10.10.10.10 would be pfBlocker. But where did the 192.168.1.26 come from?

                  Your one pfBlocker reject rule has some hits to pfb_pri1_v4; does this have RFC1918 space in it? That for sure would block the switch from pinging the pfSense IP.

                • ryansun @johnpoz

                    @johnpoz GigabitEthernet1/0/15 and 16 are not connected to pfSense - do I still need to configure it in pfSense? The uplink is GigabitEthernet1/0/18. Also, the issue was there before I configured the port channel for those two ports.

                    Regarding DNS - please see my later reply - the DNS server was received via DHCP; however, it's not responding either.

                  • johnpoz LAYER 8 Global Moderator @ryansun

                      @ryansun so you have 3 interfaces connected to pfSense? Why? Makes no sense to me to do that unless you have multiple networks configured.. Or want to do VLANs over a LAG, or lots of clients with lots of bandwidth.. Is your WAN over 1 gig? If not, the LAGG just complicates the setup for no benefit other than failover if one of the ports or cables fails.

                      edit - oh I missed the "not connected part" - doh!!

                    • ryansun @johnpoz

                        @johnpoz GigabitEthernet1/0/15 and 16 are connected to my NAS, not pfSense. There's only one interface connected to pfSense, which is port 18.

                      • johnpoz LAYER 8 Global Moderator @ryansun

                          @ryansun yeah my bad - misread.. doh

                          But where is that 192.168.1.26 IP coming from? Also disable those pfBlocker rules.. Can you ping now?

                          You're going to have to set up a name server on your switch if you want to do DNS; I personally wouldn't use DHCP for a switch.. But it should work - I just don't see any config for a nameserver; if it got it from DHCP, you would think it should list it ;)

                        • ryansun @johnpoz

                            @johnpoz "But where did the 192.168.1.26 come from?" - I misconfigured a virtual IP - I should've used 192.168.1.26/24 instead of 192.168.1.26/32. However, after correcting it (now LAN subnets shows 192.168.1.0/24 only) the issue is still there.

                            "Your one pfBlocker reject rule has some hits to pfb_pri1_v4; does this have RFC1918 space in it? That for sure would block the switch from pinging the pfSense IP." - Negative. Also, if this rule is blocking ICMP from LAN, how could other devices successfully ping pfSense?

                            [screenshot: ffdd4016-a6f1-495a-808d-b0057ebed4fd-image.png]

                          • johnpoz LAYER 8 Global Moderator @ryansun

                              @ryansun very true, if your pfBlocker was blocking, your other clients wouldn't be able to ping pfSense either.. odd one.. is that the correct MAC for pfSense in your ARP table?

                              edit: what are you running pfSense on - that MAC shows as

                              eac AUTOMATION-CONSULTING GmbH

                              Never heard of them.. You would think it would be a known MAC of network interfaces..

                            • ryansun @johnpoz

                                @johnpoz It is the right MAC address. pfSense is running on a Protectli box.

                              • johnpoz LAYER 8 Global Moderator @ryansun

                                  @ryansun odd one..

                                  You're not running Snort or Suricata by chance? I.e. an IPS package on pfSense.

                                  Are you running the + version of pfSense and maybe enabled the Ethernet filtering, i.e. layer 2 stuff?

                                  Hmmmm?

                                  Are you doing anything with static ARP? You say pfSense can ping the switch 192.168.1.4; look in the ARP table - is this the correct MAC for the switch? But if that was the case - you would still think you would see it in the sniff..

                                  If I had to guess, something is blocking pfSense from seeing the ping request; while it shows up on the interface (you see it in the sniff), maybe it's not going farther up the stack for pfSense to send a response.. Or maybe for whatever reason it's sending it out a different interface.. You don't have any VPN connection on pfSense?

                                  And you don't show anything in the log for the ICMP being blocked?

                                • ryansun @johnpoz

                                    @johnpoz VPN was the issue! I set up an IPsec site-to-site tunnel long ago. It turns out the IP address assigned to the switch (192.168.1.4) is being used by the VPN tunnel. This also explains the strange behavior that the switch does not show up in the ARP table in pfSense, even after doing a "fresh" ping.

                                    After assigning the switch a different IP, ping and DNS are working as expected. Thank you for your help!

                                  • johnpoz LAYER 8 Global Moderator @ryansun

                                      @ryansun great! I wouldn't use any sort of tunnel network that overlaps with your local network.. Is the remote network also 192.168.1?

                                    • ryansun @johnpoz

                                        @johnpoz No, the remote network is a different subnet. My understanding is that those IPs serve as the "default gateway" to remote subnet, since I use BGP for routing between the local and remote networks. This (I think) was the link I was trying to follow at that time: https://support.oracle.com/knowledge/Oracle%20Cloud/2488578_1.html (Need a free account to access)

                                      • stephenw10 Netgate Administrator

                                          Yes, it would still conflict if that IP is used as the transport subnet for a routed IPsec tunnel. That's why many services (like AWS) use APIPA addresses for that, to prevent any possibility of a conflict.

                                        • johnpoz LAYER 8 Global Moderator @stephenw10

                                            @stephenw10 The SD-WAN company we used for a few customers at my last gig used the documentation network...

                                            192.0.2.0/24

                                            for the tunnels, to make sure they didn't overlap with the customer's site networks.

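The root cause found above (a routed IPsec tunnel's transport address, 192.168.1.4, sitting inside the LAN subnet and later being handed to the switch by DHCP) and the two suggested remedies (APIPA 169.254.0.0/16 or the RFC 5737 documentation ranges for transport addressing) can both be checked mechanically before a tunnel is brought up. The script below is an added example, not code from the thread, pfSense or Netgate: it compares every tunnel transport address against local interface subnets and DHCP pools using Python's standard `ipaddress` module, and rates candidate transport prefixes. All interface, pool and tunnel values in it are constructed to mirror the thread and are assumptions for illustration.

```python
"""Detect tunnel transport addresses that collide with the local address plan.

Added example, not from the forum thread. Address values are constructed
to mirror the thread: LAN 192.168.1.0/24 and a tunnel using 192.168.1.4.
"""
import ipaddress

# RFC 3927 link-local (APIPA) and RFC 5737 documentation ranges: safe choices for
# tunnel transport addressing because no site numbers its hosts from them.
PREFERRED_TRANSPORT_RANGES = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def _pool_overlaps(net, lo, hi):
    """True if network `net` shares any address with the inclusive range lo..hi."""
    return net.network_address <= hi and net.broadcast_address >= lo


def check_address_plan(local_interfaces, dhcp_pools, tunnel_transports):
    """Return human-readable conflicts; an empty list means the plan is clean.

    local_interfaces:  {"LAN": "192.168.1.1/24", ...}   interface address/prefix
    dhcp_pools:        {"LAN": ("192.168.1.100", "192.168.1.199"), ...}
    tunnel_transports: {"site-a": "192.168.1.4/32", ...} tunnel-side address/prefix
    """
    problems = []
    ifaces = {n: ipaddress.ip_interface(a).network for n, a in local_interfaces.items()}
    pools = {n: (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
             for n, (lo, hi) in dhcp_pools.items()}
    for tname, taddr in tunnel_transports.items():
        tnet = ipaddress.ip_interface(taddr).network
        for iname, inet in ifaces.items():
            if tnet.overlaps(inet):
                problems.append(f"{tname} transport {taddr} overlaps {iname} subnet {inet}")
        for pname, (lo, hi) in pools.items():
            if _pool_overlaps(tnet, lo, hi):
                problems.append(f"{tname} transport {taddr} lies in {pname} DHCP pool {lo}-{hi}")
    return problems


def rate_transport_candidate(candidate, local_interfaces):
    """Classify a candidate transport prefix: 'conflict', 'preferred' or 'ok'."""
    cnet = ipaddress.ip_network(candidate, strict=False)
    for a in local_interfaces.values():
        if cnet.overlaps(ipaddress.ip_interface(a).network):
            return "conflict"
    if any(cnet.subnet_of(r) for r in PREFERRED_TRANSPORT_RANGES):
        return "preferred"
    return "ok"


# Constructed plan mirroring the thread.
LOCAL = {"LAN": "192.168.1.1/24", "OPT1": "10.10.10.1/24"}
POOLS = {"LAN": ("192.168.1.2", "192.168.1.254")}
TUNNELS = {"ipsec-site-a": "192.168.1.4/32"}

if __name__ == "__main__":
    for p in check_address_plan(LOCAL, POOLS, TUNNELS):
        print("CONFLICT:", p)
    for cand in ("192.168.1.4/32", "169.254.10.0/30", "192.0.2.0/30", "172.16.99.0/30"):
        print(cand, "->", rate_transport_candidate(cand, LOCAL))
```

Run against the constructed plan it reports the thread's collision twice (the /32 overlaps the LAN subnet and sits inside the DHCP pool, which is exactly how the switch ended up with the same address), and rates the APIPA and documentation-range candidates as preferred. The DHCP-pool check matters on its own: a transport address outside any pool but inside the subnet still breaks ARP for whichever host is statically given it.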