Unable to ping traffic between VLANs on interfaces



  • May I start by saying pfSense rules. OK, I've got a tricky issue concerning my pfSense software hosted on a virtual machine with shared interfaces to VLANs. My specific VLAN (vlan 224) is sharing an interface LAN2 with a server (server 2) that has a static IP address, and its DNS and DC are pointing to another VLAN (vlan 223) on the interface 192.126.15.21, which has joined its default gateway to another logical firewall on another virtual machine.

    As complex as this may seem, everything has been working fine until the creation of the vlan 224 used by server2. We need this new environment to run a DMZ for our Citrix web interface.

    The problem here is server1 is able to ping the default gateway of LAN2 but cannot go further to find server2 in that LAN. Server2, however, can only ping its default gateway and some other default gateways of that firewall (firewall 1). I've taken the liberty to draw up and take snapshots of the environment as is. Your input into how I can get these servers to communicate will be highly appreciated. From the image you will notice that:

    -Aliases have been created in the rules to allow all traffic into LAN2 and traffic to LAN1 from LAN2 is also allowed from the LAN2 interface.
    -Pinging from the firewall; ping to server1 in LAN1 is successful and ping to server2 is also successful

    • packet capture on firewall does not show any interesting traffic
      -no errors on the LAN2 interfaces but shows a good number of packets blocked…see images (files too large. I have some more images if you need)





  • Here are the rest of the attachments….



  • Netgate Administrator

    Wow, I just read through that several times and am totally confused. :-\

    Your diagram doesn't have any switches, virtual or otherwise. Are they there? Are they handling vlans at all?
    Your LAN2 interface on FW2, is that a vlan with em1 as the parent?

    My instinct is that you've added gateways to your lan interfaces when they shouldn't have them. This causes pfSense to NAT between them and can also end up being the default route incorrectly.

    Steve



  • Your rules on slide3 are a bit suspicious to user-input-error.
    You can only filter incoming traffic (to pfSense).

    This means that your rule either to 172.x.y.z or from 172.x.y.z is absolutely irrelevant. Same with Lan1 and Lan2 rules.
    Well, unless you have a filtering bridge setup, which you don't.



  • Wow, I just read through that several times and am totally confused. :-\

    Your diagram doesn't have any switches, virtual or otherwise. Are they there? Are they handling vlans at all?
    Your LAN2 interface on FW2, is that a vlan with em1 as the parent?

    My instinct is that you've added gateways to your lan interfaces when they shouldn't have them. This causes pfSense to NAT between them and can also end up being the default route incorrectly.

    Steve

    I appreciate you taking the time to help. I do understand that it is a very complex network setup. I have inherited a project in my new job and my managers insist on keeping this network setup as it has been working well so far. Let me see if I can make it easier for you with better diagrams. The network is as follows:

    internet link<–->2 hp procurve switches on stack <-->vmware cluster hosting pf sense virtual machine and other port groups (LAN1, LAN2, etc)

    There are two gateways:
    -WAN (default route): 20.113.25.57
    -FW1 (eth3): 192.126.25.10

    No static routes.

    We have altogether 23 VLANs, as every segment (port group) is a VLAN with a different IP subnet. The LAN2 interface on the FW1 firewall is a VLAN (vlan 224) which has been assigned to an interface on FW1, interface Opt1. This interface on the firewall is a trunk, which allows it to see and pass traffic to five other VLANs sharing that interface on the pfSense.

    The pfSense VM has several other interfaces which I did not include on my diagram as they are not applicable to this problem.

    I believe the interface Opt1 to LAN2 is vital for the segmentation of that subnet from LAN1. My thinking is that if FW1 was a physical router, LAN2 would be connected to its interface Opt1. I may, however, not completely understand how pfSense implements NAT and I might have got it wrong (see attached for NAT instance).

    Your input will be highly appreciated.






  • Posted by: jahonix
    « on: Today at 04:19:25 am »
    Your rules on slide3 are a bit suspicious to user-input-error.
    You can only filter incoming traffic (to pfSense).

    This means that your rule either to 172.x.y.z or from 172.x.y.z is absolutely irrelevant. Same with Lan1 and Lan2 rules.
    Well, unless you have a filtering bridge setup, which you don't.

    I have cleaned the rules to filter incoming traffic. My end goal at this point is just to allow traffic to pass through the Opt1 interface to server2 and from server2 through the firewall to server1. So far the firewall is blocking traffic to interface Em1-LAN. In fact I can't ping that subnet (192.126.0.0/16) from server2, but I can ping the other firewall VLAN interfaces (Opt2-VLAN202: 172.45.201.15/29, Opt3-VLAN522: 172.45.201.26/29, Opt4-VLAN765: 172.45.201.2/29).

    CONTROL:

    Pinging from firewall
    -Ping to server1 is successful
    -Ping to interface Opt1 is successful
    -Ping to server2 is successful

    Pinging from Server1
    -Ping to its default gateway, 192.126.15.21 is successful
    -Ping to interface Opt1, 172.45.116.5 is successful
    -Ping to server2, 172.45.116.10: Destination unreachable

    Pinging from Server2
    -Ping to its default gateway, 172.45.116.5 is successful
    -ping to interface Em1-LAN: Request time out!

    Please help! I am literally desperate.




  • I finally found out where the problem was coming from. It turns out the firewall does not like that particular IP address on the LAN2 subnet. I have no idea why, especially as it has been confirmed that the LAN2 subnet was working before my time. The only change would be the recent upgrades of the pfSense firmware from 2.0 to now 2.1. So I changed the IP address on Server2 and voila!

    I wonder if anyone has had similar issues with the firmware or anything remotely related to this.


  • Netgate Administrator

    It's not a private IP address. Do you own that IP?

    Steve
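    A small check that captures the two diagnostic points raised in this thread (a gateway configured on a LAN-type interface, and internal segments numbered from non-RFC 1918 space, as in Steve's last question). This is an added example, not code from pfSense or from anyone in the thread; the interface list is constructed from addresses quoted above, and the /24 masks, the WAN gateway and the placement of the 192.126.25.10 gateway on Em1-LAN are assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the three RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def lint_interface(name, cidr, gateway=None, is_wan=False):
    """Warnings for one pfSense interface: a gateway on a LAN-type interface
    (pfSense then applies automatic outbound NAT to it and may use it as a
    default route) and a non-RFC 1918 address on an internal segment."""
    warnings = []
    iface = ipaddress.ip_interface(cidr)
    if gateway is not None and not is_wan:
        warnings.append(f"{name}: gateway {gateway} set on a LAN-type interface")
    if gateway is not None and ipaddress.ip_address(gateway) not in iface.network:
        warnings.append(f"{name}: gateway {gateway} is outside {iface.network}")
    if not is_wan and not is_rfc1918(str(iface.ip)):
        warnings.append(f"{name}: {iface.ip} is not RFC 1918 space; confirm you own it")
    return warnings


def host_reachable_on(iface_cidr, host):
    """True if host is in the interface subnet, i.e. a directly connected peer."""
    return ipaddress.ip_address(host) in ipaddress.ip_interface(iface_cidr).network


# Constructed from the thread: (name, address/mask, gateway, is_wan).
# Assumed: /24 on WAN and Opt1, the WAN gateway, and FW1's 192.126.25.10
# gateway being attached to Em1-LAN (the thread lists it but not its interface).
INTERFACES = [
    ("WAN",          "20.113.25.57/24",  "20.113.25.1",   True),
    ("Em1-LAN",      "192.126.15.21/16", "192.126.25.10", False),
    ("Opt1-VLAN224", "172.45.116.5/24",  None,            False),
    ("Opt2-VLAN202", "172.45.201.15/29", None,            False),
    ("Opt3-VLAN522", "172.45.201.26/29", None,            False),
    ("Opt4-VLAN765", "172.45.201.2/29",  None,            False),
]


def lint_all(interfaces=INTERFACES):
    """Map each interface name to its list of warnings."""
    return {n: lint_interface(n, c, g, w) for n, c, g, w in interfaces}


if __name__ == "__main__":
    for found in lint_all().values():
        for warning in found:
            print(warning)
```

Every internal interface in the thread (172.45.x.x and 192.126.x.x) is flagged as non-RFC 1918, which is the point behind the final reply.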

