VLAN routing to wrong IP

  • Problem
  • Updated 4 years ago
  • Solved
I currently have a Summit 400 48t switch that is behind a PFsense firewall.  My PFsense firewall has 3 network cards in it two of which are connected to the switch.  One is for the LAN (192.168.1.0) and the other is for the DMZ (192.168.2.0).  I have configured a block of ports just for DMZ and gave it an IP of 192.168.2.2 and I configured a block of ports just for the LAN and gave it an IP of 192.168.1.1.

From the switch I am not able to ping 192.168.2.1.  From the firewall I am unable to ping 192.168.2.2.  From devices on the 192.168.2.0 subnet I am able to ping 192.168.2.2 but not 192.168.2.1.

I have validated it is not the PFsense firewall as I directly connected a laptop to the DMZ cable on the 192.168.2.1 NIC from the firewall, gave myself a static IP, and I was able to browse the web via that interface.  When I cabled it back up to port 33 (first port on VLAN 2 192.168.2.0) I am no longer able to ping 192.168.2.1.

When I created a rule on PFSense to allow all traffic to DMZ I was able to ping 192.168.2.1 via my laptop while on the 192.168.1.0 subnet, but that was to be expected since I configured it to allow communication from any LAN.  However, trying to ping 192.168.2.1 from the switch still failed.

My setup is this:
Summit400-48t
Primary EW Ver:   7.8e.4.1 patch1-r4
PFSense 2.2.1 FW with 2 intel GB network cards one with a dual port.  I am using LAN, WAN, DMZ (OPT1)
Tagged VLANs created for 192.168.1.0 and 192.168.2.0
Switch has 16 ports segregated just for the DMZ VLAN 2, which is what this pfsense DMZ NIC is cabled to.  The other 33 ports are segregated just for VLAN 1 LAN, which manages the subnet 192.168.1.0.
Routing on switch is exactly like the LAN setup except for the IPs have changed for the subnet
DMZ NIC IP 192.168.2.1
Switch IP 192.168.2.2
LAN works fine.
WAN works fine.


It appears that the traffic on 192.168.2.0 is not being routed to 192.168.2.1 on the switch.

* Summit400-48t:18 # show vlan default
VLAN Interface[0-200] with name "Default" created by user
     Tagging:   802.1Q Tag 1
     Priority:  802.1P Priority 7 
     IP:        192.168.1.2/255.255.255.0    
     STPD:      s0(Disabled,Auto-bind) 
     Ignore-stp: Disabled on this vlan
     Ignore-bpdu: Disabled on this vlan
     Protocol:  Match all unfiltered protocols.
     Loopback:  Disable
     RateShape: Disable
     QosProfile:QP1
     Ports:     33.     (Number of active ports=9)
        Flags:  (*) Active, (!) Disabled
                (B) BcastDisabled, (R) RateLimited, (L) Loopback
                (g) Load Share Group
        Untag:  *1    *2    *3    *4    *7    *8    *9     10    11    12   
                 13    14    15    16    17    18    19    20    21    22   
                 23    24    25    26    27    28    29    30    31    32   
                 49    50   
        Tagged: *5g   


* Summit400-48t:19 # show vlan dmz    
VLAN Interface[3-202] with name "DMZ" created by user
     Tagging:   802.1Q Tag 2
     Priority:  802.1P Priority 7 
     IP:        192.168.2.2/255.255.255.0    
     STPD:      s1(Disabled,Auto-bind) 
     Ignore-stp: Disabled on this vlan
     Ignore-bpdu: Disabled on this vlan
     Protocol:  Match all unfiltered protocols.
     Loopback:  Disable
     RateShape: Disable
     QosProfile:QP1
     Ports:     19.     (Number of active ports=3)
        Flags:  (*) Active, (!) Disabled
                (B) BcastDisabled, (R) RateLimited, (L) Loopback
                (g) Load Share Group
        Tagged: *5g   *33    34    35    36    37    38    39    40    41   
                 42    43    44    45    46    47    48    49    50   

* Summit400-48t:20 # show iproute

Ori Destination        Gateway         Mtr Flags       VLAN        Duration
*d  192.168.1.0/24     192.168.1.2     1   U------u--- Default     0d:8h:34m:03s
*d  192.168.2.0/24     192.168.2.2     1   U------u--- DMZ         0d:0h:43m:09s
*d  127.0.0.1/8        127.0.0.1       0   U-H----um-- Default     0d:8h:34m:03s

Origin(OR): (b) BlackHole, (bo) BOOTP, (ct) CBT, (d) Direct, (df) DownIF
            (dv) DVMRP, (h) Hardcoded, (i) ICMP, (mo) MOSPF, (o) OSPF
            (o1) OSPFExt1, (o2) OSPFExt2, (oa) OSPFIntra, (oe) OSPFAsExt
            (or) OSPFInter, (pd) PIM-DM, (ps) PIM-SM, (r) RIP, (ra) RtAdvrt
            (s) Static, (*) Preferred route

Flags: (B) BlackHole, (D) Dynamic, (G) Gateway, (H) Host Route
       (L) Direct LDP LSP, (l) Indirect LDP LSP, (m) Multicast
       (P) LPM-routing, (R) Modified, (S) Static, (T) Direct RSVP-TE LSP
       (t) Indirect RSVP-TE LSP, (u) Unicast, (U) Up

Mask distribution:
    1 routes at length  8           2 routes at length 24

Route origin distribution:
    3 routes from Direct      

Total number of routes = 3.
Jeremy Martin

Posted 4 years ago
simon bingham

Could be that you are tagging on the switch side and not on the firewall side. If you can connect your laptop to the firewall directly, the firewall ports must be untagged. All your ports on the switch look to be tagged.
Jeremy Martin

I just actually tagged all the DMZ ports on the switch right before I made this post in hopes it helped the issue.  Prior to that all the ports in the DMZ, except for 5, were untagged.  5 has to be tagged because it's in VLAN 1 and 2 and it houses my VMs I'm trying to put on the DMZ.
Paul Russo, Alum

Hello Jeremy

If I understand this correctly you want all of the internal VLAN traffic to go to the FW so it can then be routed back into the DMZ and to the internet.


In order to do this you need to make sure that ipforwarding is disabled, as you do not want the switch to route between the DMZ and the internal VLAN.  You also need to tell the switch that the default gateway is the FW, so if it needs to get out to any other subnet it will hit the FW. Use the configure ipr add default <ipaddress> command.

The default gateways for each device should be the FW


Hope that helps

P
Jeremy Martin

Ty for the reply Paul.  I think I might have confused it a bit :D  Let me see if I can state my end goal better.

Default Vlan switch IP 192.168.1.2
DMZ Vlan switch IP 192.168.2.2
PFsense IP for Default to reach 192.168.1.1
PFsense IP for DMZ to reach 192.168.2.1

I want DMZ VLAN traffic to only reach 192.168.2.1
I want Default VLAN traffic to only reach 192.168.1.1

I want to keep them separated from each other.  Once I can get the subnets to ping the right IPs on the switch I will configure PFsense to restrict the communication between VLANs.  Right now I can only ping 192.168.1.1 from the switch.

Jeremy Martin

From the Switch:

Summit400-48t:32 # ping 192.168.1.1
Ping(ICMP) 192.168.1.1: 4 packets, 8 data bytes, interval= 1.
16 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0 ms
16 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0 ms

--- 192.168.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0/0/0 ms
* Summit400-48t:33 # ping 192.168.2.1
Ping(ICMP) 192.168.2.1: 4 packets, 8 data bytes, interval= 1.

--- 192.168.2.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss


From the FW:
[2.2.1-RELEASE][root@gateway.subspeaz.net]/root: ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=64 time=0.062 ms
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.035 ms
^C
--- 192.168.2.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.035/0.049/0.062/0.013 ms
[2.2.1-RELEASE][root@gateway.subspeaz.net]/root: ping 192.168.2.2
PING 192.168.2.2 (192.168.2.2): 56 data bytes
ping: sendto: Host is down
ping: sendto: Host is down
^C
--- 192.168.2.2 ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss
Paul Russo, Alum

OK, so at this point the DMZ VLAN and the FW interface for DMZ are not talking.

You mentioned "I have validated it is not the PFsense firewall as I directly connected a laptop to the DMZ cable on the 192.168.2.1 NIC from the firewall, gave myself a static IP, and I was able to browse the web via that interface," which, as I interpret it, means you took the cable from the switch going into the DMZ VLAN and connected it to your laptop and things worked.

If that is correct then most likely you have a tagging issue, as the port in the DMZ is set to send and receive a tag but a PC doesn't usually have a tag and sends the packet without a tag.  If the FW received it and allowed you to go out then the FW most likely doesn't have a tag.

I am making some assumptions; the best way to test is to add the port to the DMZ without a tag, for example config dmz add port 5 <return>

You can add it back tagged by entering the same command and adding tag to it.

P
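As an added illustration (not part of the thread or of ExtremeWare), here is a small Python simulation of the 802.1Q ingress decision Paul describes: a port that is only a tagged member of VLAN 2 (port 33 in the show vlan dmz output above) has no VLAN to assign an untagged frame to and discards it, which is what happens to the untagged frames the pfSense DMZ NIC sends; making the port an untagged member classifies those frames into VLAN 2. The MAC addresses, the ARP payload and the single-port model are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100          # EtherType that announces an 802.1Q tag
ETYPE_ARP = 0x0806

def parse_frame(frame: bytes):
    """Return (dst, src, vid, ethertype, payload); vid is None for an untagged frame."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]   # low 12 bits of TCI = VID
    return dst, src, None, etype, frame[14:]

class Port:
    """Simplified switch port: VLANs it accepts tagged, and at most one untagged (PVID)."""
    def __init__(self, tagged_vlans=(), untagged_vlan=None):
        self.tagged = set(tagged_vlans)
        self.pvid = untagged_vlan

def classify_ingress(port: Port, frame: bytes):
    """Simulated ingress classification: VLAN id the frame lands in, or None if dropped."""
    _, _, vid, _, _ = parse_frame(frame)
    if vid is None:
        return port.pvid                      # untagged frame needs an untagged membership
    return vid if vid in port.tagged else None  # tagged frame needs a tagged membership

def build_frame(vid=None):
    """Constructed broadcast ARP request from a host NIC, optionally carrying a VLAN tag."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"   # dummy dst/src MACs
    payload = struct.pack("!H", ETYPE_ARP) + b"\x00" * 28
    if vid is None:
        return hdr + payload
    return hdr + struct.pack("!HH", TPID_8021Q, vid) + payload

def port33_before_fix():
    # Port 33 as shown in "show vlan dmz": tagged member of VLAN 2 only.
    return classify_ingress(Port(tagged_vlans={2}), build_frame())   # untagged -> None

def port33_after_fix():
    # Port 33 after "config dmz add port 33" without a tag: untagged member of VLAN 2.
    return classify_ingress(Port(untagged_vlan=2), build_frame())    # untagged -> 2

def port5_vm_host(vid):
    # Port 5 (VM host) stays tagged in VLANs 1 and 2, so it needs tagged frames.
    return classify_ingress(Port(tagged_vlans={1, 2}), build_frame(vid))

if __name__ == "__main__":
    print("port 33 before:", port33_before_fix(), "after:", port33_after_fix())
```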
Jeremy Martin

Paul thank you for the help!

What you said makes perfect sense.  Port 5 though wasn't the one that needed to be untagged.  Port 5 is an aggregate link with 6.  It is the one going to my VM server that needed to be on both VLAN 1 and 2.  However port 33 is the one that was cabled to the NIC on my pfsense firewall for VLAN 2.  I untagged it and I'm able to ping :)
Jeremy Martin

I have no idea why though.  I had Port 33 untagged originally.  Probably something configured wrong on the PFsense FW when I had it untagged, and through the grand scheme of trying to fix it I might have fixed that issue but screwed up something else.  At one point I was defying logic trying to get this to work cause logical solutions didn't seem to fix it lol.

BTW do you know if my firmware is the latest?  I am unable to find anything that shows the latest firmware.
Paul Russo, Alum

Hey Jeremy, glad you got it working.  The firmware you have is the last build that was made for ExtremeWare.  That is the OS before our current OS, XOS.

Thanks for posting and let us know if there is anything else we can do to help

P