    Blocked packets on VLan…and no ARP lookup on VLan???

    Firewalling
      maldex:

      Hi there

      I got two interfaces, one Broadcom BCM5701 in a Linux box, and the NS DP83815/16 MacPhyter embedded in the PCengines/WRAP box. Because of VM/network separation, the lack of a second interface and no possibility to lay another patch cable, I'd like to do 802.1q VLAN tagging.

      I set up a VLAN interface in Linux and assigned it an IP:

      # vconfig add eth0 144
      Added VLAN with VID == 144 to IF -:eth0:-
      # ifconfig eth0.144 192.168.144.3 up
      # ifconfig
      eth0      Link encap:Ethernet  HWaddr 00:0D:9D:FF:C8:C1
                inet addr:10.80.47.10  Bcast:10.80.47.127  Mask:255.255.255.128
                inet6 addr: fe80::20d:9dff:feff:c8c1/64 Scope:Link
                UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                RX packets:297192 errors:0 dropped:0 overruns:0 frame:4
                TX packets:295035 errors:0 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:1000
                RX bytes:62975556 (60.0 MiB)  TX bytes:71067760 (67.7 MiB)
                Interrupt:217
      
      eth0.144  Link encap:Ethernet  HWaddr 00:0D:9D:FF:C8:C1
                inet addr:192.168.144.3  Bcast:192.168.144.255  Mask:255.255.255.0
                inet6 addr: fe80::20d:9dff:feff:c8c1/64 Scope:Link
                UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:0
                RX bytes:0 (0.0 b)  TX bytes:328 (328.0 b)
      
      # cat /proc/net/vlan/eth0.144
      eth0.144  VID: 144       REORDER_HDR: 1  dev->priv_flags: 1
               total frames received            0
                total bytes received            0
            Broadcast/Multicast Rcvd            0
      
            total frames transmitted            6
             total bytes transmitted          468
                  total headroom inc            0
                 total encap on xmit            0
      Device: eth0
      INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0  6:0 7:0
      EGRESSS priority Mappings:
      #

      On the WRAP box I just added, via the web GUI, a VLAN interface on sis0 (LAN):

      # ifconfig
      ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
              inet6 fe80::280:48ff:fe7e:4f9e%ath0 prefixlen 64 scopeid 0x1
              inet X.X.X.X netmask 0xffffff80 broadcast X.X.X.X
              ether 00:80:48:7e:4f:9e
              media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
              status: associated
              ssid blanet channel 7 bssid 00:80:48:7e:4f:9e
              authmode SHARED privacy ON deftxkey 1 wepkey 1:104-bit txpowmax 46
              protmode RTSCTS wme burst ssid HIDE -apbridge dtimperiod 1 bintval 100
      sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
              options=8<VLAN_MTU>
              inet6 fe80::20d:b9ff:fe05:c21c%sis0 prefixlen 64 scopeid 0x2
              inet X.X.X.X netmask 0xffffff80 broadcast X.X.X.X
              ether 00:0d:b9:05:c2:1c
              media: Ethernet autoselect (100baseTX <full-duplex>)
              status: active
      sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
              options=8<VLAN_MTU>
              inet6 fe80::20d:b9ff:fe05:c21d%sis1 prefixlen 64 scopeid 0x3
              inet PublicIP netmask 0xfffff000 broadcast 255.255.255.255
              ether 00:0d:b9:05:c2:1d
              media: Ethernet autoselect (100baseTX <full-duplex>)
              status: active
      sis2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
              options=8<VLAN_MTU>
              ether 00:0d:b9:05:c2:1e
              media: Ethernet autoselect (none)
              status: no carrier
      pflog0: flags=100<PROMISC> mtu 33208
      pfsync0: flags=41<UP,RUNNING> mtu 2020
              pfsync: syncdev: lo0 maxupd: 128
      vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
              inet 192.168.144.1 netmask 0xffffffff broadcast 192.168.144.1
              inet6 fe80::280:48ff:fe7e:4f9e%vlan0 prefixlen 64 scopeid 0x8
              ether 00:0d:b9:05:c2:1c
              media: Ethernet autoselect (100baseTX <full-duplex>)
              status: active
              vlan: 144 parent interface: sis0
      #
      

      Now when I ping 192.168.144.1 from the Linux box (pinging from the VLAN interface on Linux to the VLAN interface on pfSense), I get ARP whois and answers, and I get a filter log entry:
      rule 89/0(match): block in on vlan0: 192.168.144.3 > 192.168.144.1: ICMP echo request, id 26688, seq 17, length 64

      OK, the packet gets rejected… I added a firewall rule:
      Action: Pass
      Interface: LAN144
      Protocol: ANY
      Destination: ANY

      This rule should cover all ingress traffic on the VLAN interface, also the ICMP echo and answer, no?

      Even after adding a special rule for ICMP from the appropriate subnet to the VLAN144 interface it didn't work, still got no answer.
      In fact I got no answer from anywhere. Not ICMP, not any TCP session, nothing. Everything transmitted to the VLAN IF on pfSense is blocked by the packet filter and shows up in the filter logs.

      And, never seen before, but the log sometimes shows this:
      Jun 10 02:45:05 last message repeated 3 times
      Jun 10 02:43:09 kernel: arplookup 192.168.144.3 failed: host is not on local network
      Jun 10 02:42:30 kernel: arplookup 192.168.144.3 failed: host is not on local network

      And in fact, 192.168.144.3 (the Linux VLAN IF) doesn't show up in the WRAP box ARP table…

      Anyhow, it shouldn't have an impact on these packets, but I decreased the MTU on Linux to 1492. First I had an unmanaged desktop switch between them, but I removed this one as well and replaced it with a crossover cable... without any change in behavior...

      Now, did I do something wrong? Is the National Semiconductor interface not capable of VLAN tagging, although I see everything I'd like to have in this VLAN? But why is it blocked?

      I'm running pfSense 1.0.1 embedded on a PCengines wrap1e203. (http://pcengines.ch/wrap1e203.htm)

      Cheers, thx and good night
      maldex

        cmb:

        Reboot after you set up any VLANs on 1.0.1; there's a bug somewhere where they aren't brought up until you reboot.

          maldex:

          Na, solved nothing.

          Still no answers, still rule 90/0(match): block in on vlan0: 192.168.144.3 > 192.168.144.1: ICMP echo request, and kernel: arplookup 192.168.144.3 failed: host is not on local network

            maldex:

            Just upgraded to 1.2-Beta1… and still the same behavior...

            Jun 10 15:32:21 kernel: arplookup 192.168.144.3 failed: host is not on local network
            Jun 10 15:31:59 kernel: arplookup 192.168.144.3 failed: host is not on local network

            But what changed… I don't have the block logs anymore.

            Is there an issue with learning the ARP address on .1q interfaces?

              cmb:

              Your subnet mask on the VLAN is /32. That means only it is on its own IP subnet. You need to change that to whatever you're using on the Linux box (or if you're using /32 there as well, you need to change that to the same on both ends so that both IPs are within the same subnet).

                maldex:
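The /32 problem cmb points out, worked as an added example (not code from the thread or from pfSense): it parses the vlan0 block from the BSD-style ifconfig output above, converts the hex netmask, and reproduces the kernel's on-link check that produces the arplookup failure, then shows the same check passing once the mask is /24 on both ends. The ifconfig text is constructed from the thread's output and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the vlan0 block from the thread's pfSense ifconfig output
# (misconfigured with netmask 0xffffffff, i.e. /32) and a corrected /24 variant.
IFCONFIG_BROKEN = """\
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.144.1 netmask 0xffffffff broadcast 192.168.144.1
        ether 00:0d:b9:05:c2:1c
        vlan: 144 parent interface: sis0
"""
IFCONFIG_FIXED = IFCONFIG_BROKEN.replace("0xffffffff", "0xffffff00")
# The Linux end of the link as set up in the first post (eth0.144).
LINUX_VLAN_IF = ipaddress.IPv4Interface("192.168.144.3/24")

IFACE_RE = re.compile(r"^(\w+): flags=")
INET_RE = re.compile(r"^\s*inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-fA-F]{8})")

def parse_bsd_ifconfig(text):
    """Map interface name -> IPv4Interface. BSD ifconfig prints the IPv4
    netmask as hex (0xffffffff), so it is converted via its integer value."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and current:
            addr, hexmask = m.groups()
            mask = ipaddress.IPv4Address(int(hexmask, 16))
            result[current] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return result

def arplookup_fails(local, peer_ip):
    """The kernel only ARPs for hosts inside the interface's own subnet; any
    other address yields 'arplookup ... failed: host is not on local network'."""
    return ipaddress.IPv4Address(peer_ip) not in local.network

def link_is_consistent(a, b):
    """Both ends must see each other as on-link (cmb's 'same on both ends')."""
    return a.ip in b.network and b.ip in a.network

def diagnose(ifconfig_text, ifname, peer):
    local = parse_bsd_ifconfig(ifconfig_text)[ifname]
    if arplookup_fails(local, peer.ip):
        return f"arplookup {peer.ip} failed: host is not on local network ({ifname} is {local.with_prefixlen})"
    return f"{peer.ip} is on-link for {ifname} ({local.with_prefixlen})"
```

Run diagnose(IFCONFIG_BROKEN, "vlan0", LINUX_VLAN_IF) against diagnose(IFCONFIG_FIXED, ...) to see the failing and the working case side by side.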

                Damn, am I an idiot.

                Thx a lot, that was it!

                Cheers
