Need help determining routing/access problem



  • I have 3 VLANs 101, 102, 103. I have a device on 101 and cannot access it from my laptop on 102 or 103.

    However, if I move the device to VLAN 102 or 103 I can access it from my laptop on 101.

    My interface rules are wide open. I reset the state table and also reset to default config and then set up VLANs and firewall rules again. Any ideas what could be causing this behavior?




  • From where are you trying to access it?
    Do you have the parent interface of your VLANs assigned?



  • @GruensFroeschli:

    From where are you trying to access it?
    Do you have the parent interface of your VLANs assigned?

    I have a laptop on 102 and 103 connected via ethernet. I can access the internet. I cannot access the device on 101 though. If I move the laptop to 101 and the device to 102 then I can access it. I have been troubleshooting for days now and cannot figure out what's going on. Please help  ???

    Does this answer your question:



  • What i was asking is, did you assign em0 directly as interface?

    While the device is in 101, can you access it from the pfSense itself?



  • @GruensFroeschli:

    What i was asking is, did you assign em0 directly as interface?

    While the device is in 101, can you access it from the pfSense itself?

    Hi Gruens, thanks for reply.

    em0 is assigned as interface.

    Also, while the device is in VLAN101 I can ping it from the pfSense box via the LAN, VLAN101, VLAN102, and VLAN103 interfaces. I cannot ping the device from a laptop on 102 or 103 though.

    .



  • Is this the same problem as you discussed in What the heck broke? (http://forum.pfsense.org/index.php/topic,38824.0.html)

    When GruensFroeschli asked

    did you assign em0 directly as interface?

    I suspect the question meant Are you using em0 (not a VLAN child of em0) as an interface (e.g. the LAN interface)? Your screenshot just showed that em0 is being used as a parent interface for VLANs.

    I don't understand what you mean by

    Also, while the device is in VLAN101 I can ping it from the pfSense box via the LAN, VLAN101, VLAN102, and VLAN103 interfaces.

    Do you mean you use the ping -I option to specify the outgoing interface and that four separate ping commands, each specifying a different interface, solicit a response from the device in question? If so, this suggests to me you might have the switch port the device is connected to configured wrongly (perhaps as a trunk port with VLAN tags enabled on egress and the device ignores the VLAN tags).



  • @wallabybob:

    Do you mean you use the ping -I option to specify the outgoing interface and that four separate ping commands, each specifying a different interface, solicit a response from the device in question? If so, this suggests to me you might have the switch port the device is connected to configured wrongly (perhaps as a trunk port with VLAN tags enabled on egress and the device ignores the VLAN tags).

    Hi wallaby, thanks for your reply. I thought I was dealing with separate problems. This may in fact be the same one big problem.

    Yes, em0 is the LAN interface.

    And to answer your second question, I used the pfsense Ping diagnostic utility to specify the outgoing interface and I am able to solicit a response from the device in question from each interface.

    Side note: I reverted to pfsense 1.2.3 to see if that made a difference. I set up the VLANs in the same format as before VLAN101, VLAN102, etc. However, now I cannot get any VLAN to VLAN communication. Is there a configuration step I am missing somewhere?



  • @amrogers3:

    Side note: I reverted to pfsense 1.2.3 to see if that made a difference. I set up the VLANs in the same format as before VLAN101, VLAN102, etc. However, now I cannot get any VLAN to VLAN communication. Is there a configuration step I am missing somewhere?

    Default firewall configuration is to block all traffic from non LAN interfaces. You need firewall rules to allow VLAN to VLAN communication.

    @amrogers3:

    I used the pfsense Ping diagnostic utility to specify the outgoing interface and I am able to solicit a response from the device in question from each interface.

    Interesting! I'm running 2.0-RC3-IPv6 (i386) built on Tue Jun 21 17:40:54 EDT 2011 and ping doesn't seem to like me specifying an interface:```

    ping -n -c 3 -I vr0 192.168.211.173

    ping: invalid multicast interface: `vr0'

    ifconfig vr0

    vr0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
    options=82808 <vlan_mtu,wol_ucast,wol_magic,linkstate>ether 00:30:18:b0:19:85
    inet6 fe80::230:18ff:feb0:1985%vr0 prefixlen 64 scopeid 0x3
    inet 192.168.211.217 netmask 0xffffff80 broadcast 192.168.211.255
    nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active</full-duplex></performnud,accept_rtadv></vlan_mtu,wol_ucast,wol_magic,linkstate></up,broadcast,running,promisc,simplex,multicast>

    
    You didn't respond to my suggestion about VLAN configuration in your switch.


  • @wallabybob:

    Default firewall configuration is to block all traffic from non LAN interfaces. You need firewall rules to allow VLAN to VLAN communication.

    I opened up the rules on the VLANs to allow all traffic. If you see my initial post, you can see how I set up the VLAN rules.

    @wallabybob:

    Interesting! I'm running 2.0-RC3-IPv6 (i386) built on Tue Jun 21 17:40:54 EDT 2011 and ping doesn't seem to like me specifying an interface:

    I used the built in ping command: DIAGNOSTIC tab –-> PING UTILITY. That will let you test ping from every interface  :)

    @wallabybob:

    You didn't respond to my suggestion about VLAN configuration in your switch.

    Yes sir, here is my switch configuration. (Note: I only had my laptop and the pfsense plugged in at time of screenshot) pfsense plugged into port 8 on switch.



  • Thanks for the switch configuration. I can't see anything obviously wrong but since I don't know the switch brand and model and even if I did I would probably consider it beyond a volunteer effort to go through the documentation to check your configuration.

    @amrogers3:

    Also, while the device is in VLAN101 I can ping it from the pfSense box via the LAN, VLAN101, VLAN102, and VLAN103 interfaces. I cannot ping the device from a laptop on 102 or 103 though.

    The first sentence suggests your VLANs are not correctly isolated, in particular, LAN, VLAN101, VLAN102 and VLAN103 are all connected "somehow". I presume you want them isolated. The switch ports for these VLANs (ports 1 through 4) then should be set to strip VLAN tags on output and add VLAN tags (with appropriate VLAN ID) on input. I suspect the current switch settings don't do that.

    The switch trunk port (8) connected to pfSense should be set to neither strip nor add VLAN tags.

    I would encourage you to NOT use em0 as a pfSense interface, use it ONLY as the parent interface for the VLANs. If you use em0 as a pfSense interface then any incoming traffic without a VLAN tag will get "captured" by em0. But there probably shouldn't be be any incoming traffic to pfSense on em0 without a VLAN tag (if there was, where did it come from?)

    I don't know enough about your configuration (what devices you have connected to your network and how they behave with respect to VLANs) so you may have to "tweak somewhat" these suggestions.

    I've mainly addressed the apparent interconnection of the VLANs. Its possible some combination of switch parameters is incorrectly isolating some of the VLANs.



  • Hi Wallabybob, thanks for the reply. Looks like I finally found the issue. The problem lies with a virtual interface utilized by VMware Fusion.

    The virtual interface was using the IP address 192.168.101.1 which was the same IP address of the VLAN101 interface. Once I disabled the interface with "ifconfig vmnet1 down" I was able to ping to and from VLAN101. All seems to be "working" at the moment.

    I do have a question regarding EM0. I only have two interfaces EM1 which is WAN, and EM0 which is LAN. I have VLANs set up on EM0. I understand this may present a problem but can you go into more detail as to potential problems with VLANs on EM0? I know you said EM0 may "capture" packets without a VLAN tag but all traffic should have a VLAN tag.

    I am researching an additional NIC so I can move the VLANs from EM0.

    Thanks again for the help and advice. Learned quite a bit troubleshooting the problem.

    @wallabybob:

    Thanks for the switch configuration. I can't see anything obviously wrong but since I don't know the switch brand and model and even if I did I would probably consider it beyond a volunteer effort to go through the documentation to check your configuration.

    @amrogers3:

    Also, while the device is in VLAN101 I can ping it from the pfSense box via the LAN, VLAN101, VLAN102, and VLAN103 interfaces. I cannot ping the device from a laptop on 102 or 103 though.

    The first sentence suggests your VLANs are not correctly isolated, in particular, LAN, VLAN101, VLAN102 and VLAN103 are all connected "somehow". I presume you want them isolated. The switch ports for these VLANs (ports 1 through 4) then should be set to strip VLAN tags on output and add VLAN tags (with appropriate VLAN ID) on input. I suspect the current switch settings don't do that.

    The switch trunk port (8) connected to pfSense should be set to neither strip nor add VLAN tags.

    I would encourage you to NOT use em0 as a pfSense interface, use it ONLY as the parent interface for the VLANs. If you use em0 as a pfSense interface then any incoming traffic without a VLAN tag will get "captured" by em0. But there probably shouldn't be be any incoming traffic to pfSense on em0 without a VLAN tag (if there was, where did it come from?)

    I don't know enough about your configuration (what devices you have connected to your network and how they behave with respect to VLANs) so you may have to "tweak somewhat" these suggestions.

    I've mainly addressed the apparent interconnection of the VLANs. Its possible some combination of switch parameters is incorrectly isolating some of the VLANs.



  • @amrogers3:

    Hi Wallabybob, thanks for the reply. Looks like I finally found the issue. The problem lies with a virtual interface utilized by VMware Fusion.

    Seems like a lot of people misconfigure their pfSense systems by configuring multiple interfaces with the same subnet.
    @amrogers3:

    I do have a question regarding EM0. I only have two interfaces EM1 which is WAN, and EM0 which is LAN. I have VLANs set up on EM0. I understand this may present a problem but can you go into more detail as to potential problems with VLANs on EM0? I know you said EM0 may "capture" packets without a VLAN tag but all traffic should have a VLAN tag.

    I am researching an additional NIC so I can move the VLANs from EM0.

    If all traffic on an interface has VLAN tags then there is no need to use the parent interface (in your case em0) as a pfSense interface. A concern I have in my own configuration is that if I have my LAN interface as a VLAN and my VLAN capable switch fails I'm not sure how I would reconfigure my pfSense. Consequently (and because there is plenty of spare bandwidth capacity on the interface) I have WAN and a DMZ as VLANs on the same physical interface. If I need to reconfigure because my VLAN switch has died I can still access my pfSense over the LAN interface.

    I suspect you would have plenty of spare capacity on the interface you are currently using as the WAN interface to support WAN and a number of your VLANs.

    I think one of the challenges on having tagged and untagged traffic on the same interface (or switch port) is that there is a potential ambiguity with equipment that doesn't support VLANs. Will such equipment ignore VLAN tags or discard traffic with VLAN tags?


Log in to reply