• I have been searching and searching with no luck.  I have searched this forum and found people who have had similar issues but either had it magically be resolved or their fix did not work for me.  I am hoping someone is able to help.

    Issue:

    I am unable to ping the opt1 (DMZ) device from any server on its subnet (192.168.2.0).
    I cannot ping any device from the pfsense firewall that is on that subnet (192.168.2.0). 
    I am able to ping from the switch to the servers on that subnet (192.168.2.0). 
    I can also ping the switch ip that is on that subnet (192.168.2.0) from the switch.
    I can ping the GW IP of 192.168.2.1 from within PFSense firewall. 
    I can also ping the IP 192.168.2.1 if I add a static route on my Linux server to my LAN GW on subnet 192.168.1.0.  (example: ip route add 192.168.2.1 via 192.168.1.1)

    It is as if the cable is not connected to the router from the switch.

    I have reviewed the firewall logs and I don't really see anything that stands out.

    Setup:
    PFsense 2.2.1
    2 Intel GB network cards, one with a dual port.  I am using LAN, WAN, DMZ (OPT1)
    Summit400-48t (ExtremeWare) switch
    Tagged Vlans created for 192.168.1.0 and 192.168.2.0
    Switch has 16 ports segregated just for the DMZ vlan 2 which is what this pfsense dmz NIC is cabled to.  The other 33 ports are segregated just for vlan 1 LAN which manages the subnet 192.168.1.0.
    Routing on the switch is exactly like the LAN setup except that the IPs have changed for the subnet
    DMZ NIC IP 192.168.2.1
    Switch IP 192.168.2.2
    LAN works fine.
    WAN works fine.

    Rules:
    I have a couple rules in place for DMZ which are
    IPv4 * * * DMZ net * * none
    IPv4 * DMZ net * * * * none

    What I have done so far:
    I have tried different combinations of rules and settled for what is above
    I have validated the switch configuration matches the existing working LAN configuration.  The only differences are the subnets, since they are separate VLANs.
    I swapped out the Ethernet cable
    I swapped out the NIC
    I have tried the DMZ cable in different DMZ designated ports on the switch.
    I have narrowed the test down to a breakdown from the switch to the router and vice versa.  The break is there since I am unable to ping 192.168.2.1 from the switch.

    Odd thing is this used to work fine when I first set it up.  I only tested it with a laptop connected and I had an outbound connection.  I never had any servers connected, so it sat for 2 months in this configuration, not used.  The only thing I did that I can recall is upgrade from 2.1 to 2.2 then to 2.2.1.

    Here is some output from various pings:

    From the switch which has IP 192.168.2.2:

    Summit400-48t:40 # ping 192.168.2.2
    Ping(ICMP) 192.168.2.2: 4 packets, 8 data bytes, interval= 1.
    16 bytes from 192.168.2.2: icmp_seq=0 ttl=128 time=0 ms
    16 bytes from 192.168.2.2: icmp_seq=1 ttl=128 time=0 ms
    16 bytes from 192.168.2.2: icmp_seq=2 ttl=128 time=0 ms

    --- 192.168.2.2 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 0/0/0 ms

    Summit400-48t:41 # ping 192.168.2.1
    Ping(ICMP) 192.168.2.1: 4 packets, 8 data bytes, interval= 1.

    --- 192.168.2.1 ping statistics ---
    4 packets transmitted, 0 packets received, 100% packet loss

    Summit400-48t:42 #

    From the PFSense router:

    [2.2.1-RELEASE][root@gateway.subspeaz.net]/root: ping 192.168.2.1
    PING 192.168.2.1 (192.168.2.1): 56 data bytes
    64 bytes from 192.168.2.1: icmp_seq=0 ttl=64 time=0.067 ms
    64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.040 ms
    ^C
    --- 192.168.2.1 ping statistics ---
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.040/0.054/0.067/0.013 ms
    [2.2.1-RELEASE][root@gateway.subspeaz.net]/root: ping 192.168.2.2
    PING 192.168.2.2 (192.168.2.2): 56 data bytes
    ping: sendto: Host is down
    ping: sendto: Host is down
    ping: sendto: Host is down
    ^C
    --- 192.168.2.2 ping statistics ---
    8 packets transmitted, 0 packets received, 100.0% packet loss
    [2.2.1-RELEASE][root@gateway.subspeaz.net]/root:


  • Also, here is some routing table information to hopefully help:

    PFSense Firewall:

    [2.2.1-RELEASE][root@gateway.subspeaz.net]/root: netstat -rn
    Routing tables

    Internet:
    Destination        Gateway            Flags      Netif Expire
    default            173.24.208.1      UGS        em2
    127.0.0.1          link#7            UH          lo0
    173.24.208.0/21    link#3            U          em2
    173.24.212.2      link#3            UHS        lo0
    192.168.1.0/24    link#4            U          em3
    192.168.1.1        link#4            UHS        lo0
    192.168.2.0/24    link#2            U          em1
    192.168.2.1        link#2            UHS        lo0

    Switch:

    Summit400-48t:43 # show iproute

    Ori Destination        Gateway        Mtr Flags      VLAN        Duration
    *d  192.168.1.0/24    192.168.1.2    1  U------u--- Default    0d:7h:15m:52s
    *d  192.168.2.0/24    192.168.2.2    1  U------u--- DMZ        0d:0h:50m:31s
    *d  127.0.0.1/8        127.0.0.1      0  U-H----um-- Default    0d:7h:15m:52s

    Origin(OR): (b) BlackHole, (bo) BOOTP, (ct) CBT, (d) Direct, (df) DownIF
                (dv) DVMRP, (h) Hardcoded, (i) ICMP, (mo) MOSPF, (o) OSPF
                (o1) OSPFExt1, (o2) OSPFExt2, (oa) OSPFIntra, (oe) OSPFAsExt
                (or) OSPFInter, (pd) PIM-DM, (ps) PIM-SM, (r) RIP, (ra) RtAdvrt
                (s) Static, (*) Preferred route

    Flags: (B) BlackHole, (D) Dynamic, (G) Gateway, (H) Host Route
          (L) Direct LDP LSP, (l) Indirect LDP LSP, (m) Multicast
          (P) LPM-routing, (R) Modified, (S) Static, (T) Direct RSVP-TE LSP
          (t) Indirect RSVP-TE LSP, (u) Unicast, (U) Up

    Mask distribution:
        1 routes at length  8          2 routes at length 24

    Route origin distribution:
        3 routes from Direct

    Total number of routes = 3.
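The key clue in the post above is the error text itself: on FreeBSD, which pfSense runs on, "ping: sendto: Host is down" is EHOSTDOWN, meaning the kernel could not resolve the next hop's MAC address and the ICMP packet never left the interface. Firewall rules act on IP traffic, so they cannot produce this error; it points at cabling, port VLAN tagging, or the ARP table. The following triage helper is an added example and not part of the thread or of pfSense; it classifies captured `ping` and `arp -an` text so that a layer-2 failure is not mistaken for a filtering problem. The sample outputs are constructed to match the formats quoted in the post (the FreeBSD `arp -an` line layout and the `(incomplete)` marker are assumed from FreeBSD conventions), and the function names `classify_ping`, `arp_state` and `triage` are my own.

```python
"""Triage helper (added example): separate layer-2/VLAN failures from filtering."""
import re

# Constructed samples modelled on the pfSense output shown in the thread.
PING_HOST_DOWN = """PING 192.168.2.2 (192.168.2.2): 56 data bytes
ping: sendto: Host is down
ping: sendto: Host is down
--- 192.168.2.2 ping statistics ---
8 packets transmitted, 0 packets received, 100.0% packet loss
"""

PING_SILENT = """PING 192.168.2.2 (192.168.2.2): 56 data bytes
--- 192.168.2.2 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
"""

PING_OK = """PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=64 time=0.067 ms
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.040 ms
--- 192.168.2.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
"""

# Constructed `arp -an` samples in FreeBSD layout (assumed format).
ARP_INCOMPLETE = """? (192.168.1.50) at 00:11:22:33:44:55 on em3 expires in 1193 seconds [ethernet]
? (192.168.2.2) at (incomplete) on em1 expired [ethernet]
"""

ARP_RESOLVED = """? (192.168.1.50) at 00:11:22:33:44:55 on em3 expires in 1193 seconds [ethernet]
? (192.168.2.2) at 00:aa:bb:cc:dd:ee on em1 expires in 900 seconds [ethernet]
"""

STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received")
ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>\S+) on (?P<iface>\S+)")


def classify_ping(output: str) -> str:
    """Return 'ok', 'l2_arp_failure', 'no_reply', 'partial_loss' or 'unknown'.

    'l2_arp_failure' is decided from the EHOSTDOWN text alone: the packet was
    never sent, so no firewall rule on either side was ever consulted.
    """
    if "sendto: Host is down" in output:
        return "l2_arp_failure"
    m = STATS_RE.search(output)
    if not m:
        return "unknown"
    sent, received = int(m.group(1)), int(m.group(2))
    if sent and received == sent:
        return "ok"
    if received == 0:
        return "no_reply"
    return "partial_loss"


def arp_state(arp_output: str, peer: str):
    """Return (resolved, iface) for peer from `arp -an` text; (False, None) if absent."""
    for line in arp_output.splitlines():
        m = ARP_RE.search(line)
        if m and m.group("ip") == peer:
            return (m.group("mac") != "(incomplete)", m.group("iface"))
    return (False, None)


def triage(ping_output: str, arp_output: str, peer: str, expected_iface: str) -> str:
    """Combine both observations into a verdict for the next thing to check.

    A silent 100% loss on its own is ambiguous (could be filtering or L2);
    the ARP table disambiguates it: no resolved MAC means look below IP.
    """
    verdict = classify_ping(ping_output)
    resolved, iface = arp_state(arp_output, peer)
    if verdict == "ok":
        return "reachable"
    if iface is not None and iface != expected_iface:
        return f"wrong_interface:{iface}"  # peer learned on another NIC/VLAN
    if verdict == "l2_arp_failure" or not resolved:
        return "layer2_or_vlan"  # check cabling, port tagging, switch VLAN membership
    return "layer3_or_filtering"  # MAC known, packets leave: now look at rules/routes


if __name__ == "__main__":
    print(triage(PING_HOST_DOWN, ARP_INCOMPLETE, "192.168.2.2", "em1"))
    print(triage(PING_SILENT, ARP_RESOLVED, "192.168.2.2", "em1"))
```

Run it on real captures by pasting the output of `ping` and `arp -an` from the pfSense shell into the two strings; the verdict for the thread's symptoms is `layer2_or_vlan`, which is consistent with the tagging fault the poster eventually found.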

  • Banned

    Post the OPT1 firewall rules screenshot. Also, there's this CODE forum tag (the # button) to post output nicely aligned, instead of this mess.


  • I resolved it.  It turns out there was an issue with tagging on one of the ports on my switch.  It works now.

    Thanks for the reply.