I currently have a Summit 400 48t switch that is behind a PFsense firewall. My PFsense firewall has 3 network cards in it two of which are connected to the switch. One is for the LAN (192.168.1.0) and the other is for the DMZ (192.168.2.0). I have configured a block of ports just for DMZ and gave it an IP of 192.168.2.2 and I configured a block of ports just for the LAN and gave it an IP of 192.168.1.1.
From the switch I am not able to ping 192.168.2.1. From the firewall I am unable to ping 192.168.2.2. From devices on the 192.168.2.0 subnet I am able to ping 192.168.2.2 but not 192.168.2.1.
I have validated it is not the PFsense firewall as I directly connected a laptop to the DMZ cable on the 192.168.2.1 NIC from the firewall, gave myself a static IP, and I was able to browse the web via that interface. When I cabled it back up to port 33 (first port on VLAN 2 192.168.2.0) I am no longer able to ping 192.168.2.1.
When I created a rule on PFSense to allow all traffic to DMZ I was able to ping 192.168.2.1 via my laptop while on the 192.168.1.0 subnet, but that was to be expected since I configured it to allow communication from any LAN. However, trying to ping 192.168.2.1 from the switch still failed.
My setup is this:
Summit400-48t
Primary EW Ver: 7.8e.4.1 patch1-r4
PFSense 2.2.1 FW with 2 Intel GB network cards, one with a dual port. I am using LAN, WAN, DMZ (OPT1)
Tagged Vlans created for 192.168.1.0 and 192.168.2.0
Switch has 16 ports segregated just for the DMZ vlan 2 which is what this pfsense dmz NIC is cabled to. The other 33 ports are segregated just for vlan 1 LAN which manages the subnet 192.168.1.0.
Routing on the switch is exactly like the LAN setup except the IPs have changed for the subnet
DMZ NIC IP 192.168.2.1
Switch IP 192.168.2.2
LAN works fine.
WAN works fine.
It appears that the traffic on 192.168.2.0 is not being routed to 192.168.2.1 on the switch.
* Summit400-48t:18 # show vlan default
VLAN Interface[0-200] with name "Default" created by user
Tagging: 802.1Q Tag 1
Priority: 802.1P Priority 7
IP: 192.168.1.2/255.255.255.0
STPD: s0(Disabled,Auto-bind)
Ignore-stp: Disabled on this vlan
Ignore-bpdu: Disabled on this vlan
Protocol: Match all unfiltered protocols.
Loopback: Disable
RateShape: Disable
QosProfile:QP1
Ports: 33. (Number of active ports=9)
Flags: (*) Active, (!) Disabled
(B) BcastDisabled, (R) RateLimited, (L) Loopback
(g) Load Share Group
Untag: *1 *2 *3 *4 *7 *8 *9 10 11 12
13 14 15 16 17 18 19 20 21 22
23 24 25 26 27 28 29 30 31 32
49 50
Tagged: *5g
* Summit400-48t:19 # show vlan dmz
VLAN Interface[3-202] with name "DMZ" created by user
Tagging: 802.1Q Tag 2
Priority: 802.1P Priority 7
IP: 192.168.2.2/255.255.255.0
STPD: s1(Disabled,Auto-bind)
Ignore-stp: Disabled on this vlan
Ignore-bpdu: Disabled on this vlan
Protocol: Match all unfiltered protocols.
Loopback: Disable
RateShape: Disable
QosProfile:QP1
Ports: 19. (Number of active ports=3)
Flags: (*) Active, (!) Disabled
(B) BcastDisabled, (R) RateLimited, (L) Loopback
(g) Load Share Group
Tagged: *5g *33 34 35 36 37 38 39 40 41
42 43 44 45 46 47 48 49 50
* Summit400-48t:20 # show iproute
Ori Destination Gateway Mtr Flags VLAN Duration
*d 192.168.1.0/24 192.168.1.2 1 U------u--- Default 0d:8h:34m:03s
*d 192.168.2.0/24 192.168.2.2 1 U------u--- DMZ 0d:0h:43m:09s
*d 127.0.0.1/8 127.0.0.1 0 U-H----um-- Default 0d:8h:34m:03s
Origin(OR): (b) BlackHole, (bo) BOOTP, (ct) CBT, (d) Direct, (df) DownIF
(dv) DVMRP, (h) Hardcoded, (i) ICMP, (mo) MOSPF, (o) OSPF
(o1) OSPFExt1, (o2) OSPFExt2, (oa) OSPFIntra, (oe) OSPFAsExt
(or) OSPFInter, (pd) PIM-DM, (ps) PIM-SM, (r) RIP, (ra) RtAdvrt
(s) Static, (*) Preferred route
Flags: (B) BlackHole, (D) Dynamic, (G) Gateway, (H) Host Route
(L) Direct LDP LSP, (l) Indirect LDP LSP, (m) Multicast
(P) LPM-routing, (R) Modified, (S) Static, (T) Direct RSVP-TE LSP
(t) Indirect RSVP-TE LSP, (u) Unicast, (U) Up
Mask distribution:
1 routes at length 8 2 routes at length 24
Route origin distribution:
3 routes from Direct
Total number of routes = 3.
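As an added example (not part of the original post, and not ExtremeWare's own tooling), the script below parses the two `show vlan` listings above and reports, for any physical port, which VLAN it carries untagged and which ones it carries tagged. When a host that sends plain untagged frames (such as a firewall NIC without an 802.1Q sub-interface) is plugged into a port and cannot reach the VLAN's IP, this per-port tagging view is the first thing to check. The parser only assumes the layout visible in the post (a `with name "..."` header, a `Tagging: 802.1Q Tag N` line, `Untag:`/`Tagged:` port lists that wrap onto following lines, and `*`/`!`/letter flags attached to port numbers); the sample input is the post's output, abridged to the lines the parser uses.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: the `show vlan default` and `show vlan dmz`
# output from the post above, trimmed to the lines this parser reads.
SHOW_VLAN_OUTPUT = """\
* Summit400-48t:18 # show vlan default
VLAN Interface[0-200] with name "Default" created by user
Tagging: 802.1Q Tag 1
IP: 192.168.1.2/255.255.255.0
Ports: 33. (Number of active ports=9)
Flags: (*) Active, (!) Disabled
(B) BcastDisabled, (R) RateLimited, (L) Loopback
(g) Load Share Group
Untag: *1 *2 *3 *4 *7 *8 *9 10 11 12
13 14 15 16 17 18 19 20 21 22
23 24 25 26 27 28 29 30 31 32
49 50
Tagged: *5g
* Summit400-48t:19 # show vlan dmz
VLAN Interface[3-202] with name "DMZ" created by user
Tagging: 802.1Q Tag 2
IP: 192.168.2.2/255.255.255.0
Ports: 19. (Number of active ports=3)
Tagged: *5g *33 34 35 36 37 38 39 40 41
42 43 44 45 46 47 48 49 50
"""

# A port token is an optional */! flag, the port number, then optional
# letter flags such as "g" (load-share group) -- e.g. "*5g", "!12", "34".
PORT_RE = re.compile(r"^[*!]?(\d+)[A-Za-z]*$")
NAME_RE = re.compile(r'with name "([^"]+)"')
TAG_RE = re.compile(r"^Tagging:\s+802\.1Q Tag (\d+)")
IP_RE = re.compile(r"^IP:\s+(\S+)")


@dataclass
class Vlan:
    name: str
    tag: int | None = None
    ip: str | None = None
    untagged: set[int] = field(default_factory=set)
    tagged: set[int] = field(default_factory=set)


def parse_show_vlan(text: str) -> list[Vlan]:
    """Parse one or more concatenated `show vlan <name>` listings."""
    vlans: list[Vlan] = []
    current: Vlan | None = None
    mode: str | None = None  # which port list continuation lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name = NAME_RE.search(line)
        if line.startswith("VLAN Interface") and name:
            current = Vlan(name=name.group(1))
            vlans.append(current)
            mode = None
            continue
        if current is None:
            continue
        if (m := TAG_RE.match(line)):
            current.tag = int(m.group(1))
            continue
        if (m := IP_RE.match(line)):
            current.ip = m.group(1)
            continue
        if line.startswith("Untag:"):
            mode, tokens = "untagged", line.split()[1:]
        elif line.startswith("Tagged:"):
            mode, tokens = "tagged", line.split()[1:]
        else:
            tokens = line.split()
            # Only a line made entirely of port tokens continues the list.
            if mode is None or not all(PORT_RE.match(t) for t in tokens):
                mode = None
                continue
        target = current.untagged if mode == "untagged" else current.tagged
        for tok in tokens:
            if (pm := PORT_RE.match(tok)):
                target.add(int(pm.group(1)))
    return vlans


def port_membership(vlans: list[Vlan], port: int) -> dict[str, str]:
    """Return {vlan_name: 'untagged' | 'tagged'} for one physical port."""
    result: dict[str, str] = {}
    for v in vlans:
        if port in v.untagged:
            result[v.name] = "untagged"
        elif port in v.tagged:
            result[v.name] = "tagged"
    return result


def untagged_host_check(vlans: list[Vlan], port: int) -> dict:
    """Where do untagged frames from a host on `port` land? `untagged_vlan`
    is None when the port carries no untagged VLAN at all, so a host that
    does not tag its frames has no VLAN to speak to on that port."""
    members = port_membership(vlans, port)
    untagged = [n for n, m in members.items() if m == "untagged"]
    tagged = [n for n, m in members.items() if m == "tagged"]
    return {"port": port, "untagged_vlan": untagged[0] if untagged else None,
            "tagged_vlans": tagged}


if __name__ == "__main__":
    parsed = parse_show_vlan(SHOW_VLAN_OUTPUT)
    for v in parsed:
        print(f"{v.name}: tag={v.tag} ip={v.ip} "
              f"untagged={len(v.untagged)} tagged={len(v.tagged)}")
    for p in (1, 5, 33, 49):
        print(untagged_host_check(parsed, p))
```

Running it against the post's listings shows port 5 tagged in both VLANs (the trunk), ports 1 through 32 untagged in Default, and ports 33 through 48 present only as tagged members of DMZ with no untagged VLAN. The port counts parsed (33 for Default, 19 for DMZ) match the `Ports:` lines, which is a cheap sanity check that the wrapped port lists were read completely.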