VLAN routing to wrong IP

Jeremy_Martin
New Contributor
I currently have a Summit 400 48t switch that is behind a PFsense firewall. My PFsense firewall has 3 network cards in it two of which are connected to the switch. One is for the LAN (192.168.1.0) and the other is for the DMZ (192.168.2.0). I have configured a block of ports just for DMZ and gave it an IP of 192.168.2.2 and I configured a block of ports just for the LAN and gave it an IP of 192.168.1.1.

From the switch I am not able to ping 192.168.2.1. From the firewall I am unable to ping 192.168.2.2. From devices on the 192.168.2.0 subnet I am able to ping 192.168.2.2 but not 192.168.2.1.

I have validated it is not the PFsense firewall as I directly connected a laptop to the DMZ cable on the 192.168.2.1 NIC from the firewall, gave myself a static IP, and I was able to browse the web via that interface. When I cabled it back up to port 33 (first port on VLAN 2 192.168.2.0) I am no longer able to ping 192.168.2.1.

When I created a rule on PFSense to allow all traffic to DMZ I was able to ping 192.168.2.1 via my laptop while on the 192.168.1.0 subnet, but that was to be expected since I configured it to allow communication from any LAN. However, trying to ping 192.168.2.1 from the switch still failed.

My setup is this:
Summit400-48t
Primary EW Ver: 7.8e.4.1 patch1-r4
PFSense 2.2.1 FW with 2 intel GB network cards one with a dual port. I am using LAN, WAN, DMZ (OPT1)
Tagged Vlans created for 192.168.1.0 and 192.168.2.0
Switch has 16 ports segregated just for the DMZ vlan 2 which is what this pfsense dmz NIC is cabled to. The other 33 ports are segregated just for vlan 1 LAN which manages the subnet 192.168.1.0.
Routing on the switch is exactly like the LAN setup except the IPs have changed for the subnet
DMZ NIC IP 192.168.2.1
Switch IP 192.168.2.2
LAN works fine.
WAN works fine.

It appears that the traffic on 192.168.2.0 is not being routed to 192.168.2.1 on the switch.

* Summit400-48t:18 # show vlan default
VLAN Interface[0-200] with name "Default" created by user
Tagging: 802.1Q Tag 1
Priority: 802.1P Priority 7
IP: 192.168.1.2/255.255.255.0
STPD: s0(Disabled,Auto-bind)
Ignore-stp: Disabled on this vlan
Ignore-bpdu: Disabled on this vlan
Protocol: Match all unfiltered protocols.
Loopback: Disable
RateShape: Disable
QosProfile:QP1
Ports: 33. (Number of active ports=9)
Flags: (*) Active, (!) Disabled
(B) BcastDisabled, (R) RateLimited, (L) Loopback
(g) Load Share Group
Untag: *1 *2 *3 *4 *7 *8 *9 10 11 12
13 14 15 16 17 18 19 20 21 22
23 24 25 26 27 28 29 30 31 32
49 50
Tagged: *5g

* Summit400-48t:19 # show vlan dmz
VLAN Interface[3-202] with name "DMZ" created by user
Tagging: 802.1Q Tag 2
Priority: 802.1P Priority 7
IP: 192.168.2.2/255.255.255.0
STPD: s1(Disabled,Auto-bind)
Ignore-stp: Disabled on this vlan
Ignore-bpdu: Disabled on this vlan
Protocol: Match all unfiltered protocols.
Loopback: Disable
RateShape: Disable
QosProfile:QP1
Ports: 19. (Number of active ports=3)
Flags: (*) Active, (!) Disabled
(B) BcastDisabled, (R) RateLimited, (L) Loopback
(g) Load Share Group
Tagged: *5g *33 34 35 36 37 38 39 40 41
42 43 44 45 46 47 48 49 50

* Summit400-48t:20 # show iproute

Ori Destination Gateway Mtr Flags VLAN Duration
*d 192.168.1.0/24 192.168.1.2 1 U------u--- Default 0d:8h:34m:03s
*d 192.168.2.0/24 192.168.2.2 1 U------u--- DMZ 0d:0h:43m:09s
*d 127.0.0.1/8 127.0.0.1 0 U-H----um-- Default 0d:8h:34m:03s

Origin(OR): (b) BlackHole, (bo) BOOTP, (ct) CBT, (d) Direct, (df) DownIF
(dv) DVMRP, (h) Hardcoded, (i) ICMP, (mo) MOSPF, (o) OSPF
(o1) OSPFExt1, (o2) OSPFExt2, (oa) OSPFIntra, (oe) OSPFAsExt
(or) OSPFInter, (pd) PIM-DM, (ps) PIM-SM, (r) RIP, (ra) RtAdvrt
(s) Static, (*) Preferred route

Flags: (B) BlackHole, (D) Dynamic, (G) Gateway, (H) Host Route
(L) Direct LDP LSP, (l) Indirect LDP LSP, (m) Multicast
(P) LPM-routing, (R) Modified, (S) Static, (T) Direct RSVP-TE LSP
(t) Indirect RSVP-TE LSP, (u) Unicast, (U) Up

Mask distribution:
1 routes at length 8 2 routes at length 24

Route origin distribution:
3 routes from Direct

Total number of routes = 3.

9 REPLIES

Jeremy_Martin
New Contributor
From the Switch:

Summit400-48t:32 # ping 192.168.1.1
Ping(ICMP) 192.168.1.1: 4 packets, 8 data bytes, interval= 1.
16 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0 ms
16 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0 ms

--- 192.168.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0/0/0 ms
* Summit400-48t:33 # ping 192.168.2.1
Ping(ICMP) 192.168.2.1: 4 packets, 8 data bytes, interval= 1.

--- 192.168.2.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

From the FW:
[2.2.1-RELEASE][root@gateway.subspeaz.net]/root: ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: icmp_seq=0 ttl=64 time=0.062 ms
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.035 ms
^C
--- 192.168.2.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.035/0.049/0.062/0.013 ms
[2.2.1-RELEASE][root@gateway.subspeaz.net]/root: ping 192.168.2.2
PING 192.168.2.2 (192.168.2.2): 56 data bytes
ping: sendto: Host is down
ping: sendto: Host is down
^C
--- 192.168.2.2 ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss

Jeremy_Martin
New Contributor
Thank you for the reply, Paul. I think I might have confused it a bit; let me see if I can state my end goal better.

Default Vlan switch IP 192.168.1.2
DMZ Vlan switch IP 192.168.2.2
PFsense IP for Default to reach 192.168.1.1
PFsense IP for DMZ to reach 192.168.2.1

I want DMZ vlan traffic to only reach 192.168.2.1
I want Default Vlan traffic to only reach 192.168.1.1

I want to keep them separated from each other. Once I can get the subnets to ping the right IPs on the switch I will configure PFsense to restrict the communication between vlans. Right now I can only ping 192.168.1.1 from the switch.

Paul_Russo
Extreme Employee
Hello Jeremy

If I understand this correctly you want all of the internal VLAN traffic to go to the FW so it can then be routed back into the DMZ and to the internet.

In order to do this you need to make sure that ipforwarding is disabled, as you do not want the switch to route between the DMZ and the internal VLAN. You also need to tell the switch that the default gateway is the FW, so if it needs to get out to any other subnet it will hit the FW. Use the configure ipr add default command.

The default gateways for each device should be the FW

Hope that helps

P

Jeremy_Martin
New Contributor
I just actually tagged all the DMZ ports on the switch right before I made this post in hopes it helped the issue. Prior to that all the ports in the DMZ, except for 5, were untagged. 5 has to be tagged because it's in VLAN 1 and 2 and it houses my VMs I'm trying to put on the DMZ.

simon_bingham
New Contributor II
Could be that you are tagging on the switch side and not on the firewall side. If you can connect your laptop to the firewall directly, the firewall ports must be untagged. All your ports on the switch look to be tagged.
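The tag mismatch Simon describes, modelled as a small 802.1Q check added here (example code, not from the thread, Extreme or pfSense): it builds tagged and untagged frames, applies the switch port's VLAN membership and the NIC's VLAN configuration in both directions, and shows that port 33 tagged for VLAN 2 facing a plain firewall NIC carries nothing, while either untagging the port or giving the firewall a VLAN 2 sub-interface does. The MAC addresses and the port/NIC settings are constructed assumptions based on the `show vlan dmz` output above.

```python
import struct

ETHERTYPE_8021Q = 0x8100      # 802.1Q tag protocol identifier; 0x0800 below is IPv4

def build_frame(dst, src, payload, vlan=None):
    """Ethernet II frame carrying IPv4; inserts an 802.1Q tag (PCP/DEI 0) when vlan is set."""
    tag = b"" if vlan is None else struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return (bytes.fromhex(dst) + bytes.fromhex(src) + tag
            + struct.pack("!H", 0x0800) + payload)

def frame_vlan(frame):
    """802.1Q VLAN id of a frame, or None when the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def switch_ingress_vlan(port, frame):
    """VLAN the switch assigns to a received frame, or None if the port drops it.
    port = {"untagged": native vlan or None, "tagged": set of vlan ids}"""
    vid = frame_vlan(frame)
    if vid is None:
        return port["untagged"]          # no untagged VLAN on the port => frame dropped
    return vid if vid in port["tagged"] else None

def switch_egress_frame(port, vlan, dst, src, payload):
    """Frame the switch sends on a port for a VLAN, or None if the port is not a member."""
    if port["untagged"] == vlan:
        return build_frame(dst, src, payload)
    return build_frame(dst, src, payload, vlan) if vlan in port["tagged"] else None

def nic_accepts(nic_vlans, frame):
    """Plain NIC (empty set) takes untagged only; VLAN sub-interfaces add tagged ids."""
    return frame_vlan(frame) is None or frame_vlan(frame) in nic_vlans

def link_carries(port, nic_vlans, vlan):
    """True if VLAN `vlan` passes in both directions between a switch port and a NIC."""
    sw, fw, pl = "00aa00aa0002", "00bb00bb0001", b"\x45" + b"\x00" * 19  # constructed
    down = switch_egress_frame(port, vlan, fw, sw, pl)
    up = build_frame(sw, fw, pl, vlan if vlan in nic_vlans else None)
    return down is not None and nic_accepts(nic_vlans, down) \
        and switch_ingress_vlan(port, up) == vlan

PORT33_AS_POSTED = {"untagged": None, "tagged": {2}}   # "show vlan dmz" lists *33 under Tagged
PORT33_UNTAGGED = {"untagged": 2, "tagged": set()}     # port 33 as an untagged DMZ member
PFSENSE_DMZ_NIC = set()                                # plain NIC, no VLAN sub-interface

if __name__ == "__main__":
    print(link_carries(PORT33_AS_POSTED, PFSENSE_DMZ_NIC, 2))   # False: tag mismatch
    print(link_carries(PORT33_UNTAGGED, PFSENSE_DMZ_NIC, 2))    # True
    print(link_carries(PORT33_AS_POSTED, {2}, 2))               # True: NIC tagged for VLAN 2
```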