Only one VLAN can access Internet

Unanswered Question
Apr 15th, 2010

Greetings, here is my test setup:

INTERNET (public IP)
        |
Pfsense firewall (192.168.1.1)
        |
Pfsense firewall #2 (10.1.1.254)
        |
Cisco 871
  fa4.100 (10.1.1.1)
  fa4.110 (10.1.10.1)
  fa4.120 (10.1.20.1)
  fa4.130 (10.1.30.1)
  fa4.140 (10.1.40.1)
        |
Cisco 2950
  fa0/1  (vlan 100) - to pfsense fw#2
  fa0/2  (vlan 100) - test pc
  fa0/7  (vlan 110) - test pc
  fa0/24 - TRUNK to Cisco 871
     |                    |
Test PC1             Test PC2
10.1.1.100           10.1.10.100
255.255.255.0        255.255.255.0
10.1.1.1 (gw)        10.1.10.1 (gw)
10.1.1.254 (dns)     10.1.1.254 (dns)


The issue is that Test PC1 can connect to the Internet, however Test PC2 cannot. I would like all PCs to access the Internet and then start to control resources through the use of ACLs. Below are the configs of the router and switch; both Pfsense boxes are running RIP along with the 871. Please advise, and thanks ahead of time for your help. Yes, I know this is a vanilla config and there isn't much I have done in the way of security. Gotta make it work first.


Router#sh run
Building configuration...


Current configuration : 1481 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 HIDDEN
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
username admin password 0 HIDDEN
!
!
archive
log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface FastEthernet4.100
encapsulation dot1Q 100
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet4.110
encapsulation dot1Q 110
ip address 10.1.10.1 255.255.255.0
!
interface FastEthernet4.120
encapsulation dot1Q 120
ip address 10.1.20.1 255.255.255.0
!
interface FastEthernet4.130
encapsulation dot1Q 130
ip address 10.1.30.1 255.255.255.0
!
interface FastEthernet4.140
encapsulation dot1Q 140
ip address 10.1.40.1 255.255.255.0
!
interface Vlan1
no ip address
!
router rip
network 10.0.0.0
network 192.168.1.0
!
ip default-gateway 10.1.1.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.0.0.0 255.0.0.0 10.1.1.0
ip route 192.168.1.0 255.255.255.0 10.1.1.254
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password HIDDEN
login
!
scheduler max-task-time 5000
end


Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  up                    down
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    up
FastEthernet4              unassigned      YES manual up                    up
FastEthernet4.100          10.1.1.1        YES manual up                    up
FastEthernet4.110          10.1.10.1       YES manual up                    up
FastEthernet4.120          10.1.20.1       YES manual up                    up
FastEthernet4.130          10.1.30.1       YES manual up                    up
FastEthernet4.140          10.1.40.1       YES manual up                    up
Vlan1                      unassigned      YES unset  up                    up


Router#sh vlans


Virtual LAN ID:  1 (IEEE 802.1Q Encapsulation)


   vLAN Trunk Interface:   FastEthernet4


This is configured as native Vlan for the following interface(s) :
FastEthernet4


   Protocols Configured:   Address:              Received:        Transmitted:
        Other                                           0                1466


   4401 packets, 847838 bytes input
   1466 packets, 549268 bytes output


Virtual LAN ID:  100 (IEEE 802.1Q Encapsulation)


   vLAN Trunk Interface:   FastEthernet4.100


   Protocols Configured:   Address:              Received:        Transmitted:
           IP              10.1.1.1                 21652               22423
        Other                                           0                  67


   21652 packets, 2239446 bytes input
   22490 packets, 1551269 bytes output


Virtual LAN ID:  110 (IEEE 802.1Q Encapsulation)


   vLAN Trunk Interface:   FastEthernet4.110


   Protocols Configured:   Address:              Received:        Transmitted:
           IP              10.1.10.1                 2498                1461
        Other                                           0                 151


   2498 packets, 253466 bytes input
   1612 packets, 829266 bytes output


Virtual LAN ID:  120 (IEEE 802.1Q Encapsulation)


   vLAN Trunk Interface:   FastEthernet4.120


   Protocols Configured:   Address:              Received:        Transmitted:
           IP              10.1.20.1                    0                 673
        Other                                           0                   5


   0 packets, 0 bytes input
   678 packets, 92340 bytes output


Virtual LAN ID:  130 (IEEE 802.1Q Encapsulation)


   vLAN Trunk Interface:   FastEthernet4.130


   Protocols Configured:   Address:              Received:        Transmitted:
           IP              10.1.30.1                    0                 675
        Other                                           0                   5


   0 packets, 0 bytes input
   680 packets, 92640 bytes output


Virtual LAN ID:  140 (IEEE 802.1Q Encapsulation)


   vLAN Trunk Interface:   FastEthernet4.140


   Protocols Configured:   Address:              Received:        Transmitted:
           IP              10.1.40.1                    0                 673
        Other                                           0                   5


   0 packets, 0 bytes input
   678 packets, 92320 bytes output


Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route


Gateway of last resort is 192.168.1.1 to network 0.0.0.0


     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C       10.1.10.0/24 is directly connected, FastEthernet4.110
C       10.1.1.0/24 is directly connected, FastEthernet4.100
S       10.0.0.0/8 [1/0] via 10.1.1.0
C       10.1.30.0/24 is directly connected, FastEthernet4.130
C       10.1.20.0/24 is directly connected, FastEthernet4.120
C       10.1.40.0/24 is directly connected, FastEthernet4.140
S    192.168.1.0/24 [1/0] via 10.1.1.254
S*   0.0.0.0/0 [1/0] via 192.168.1.1


Router#debug ip rip
RIP protocol debugging is on
Router#
*Mar  4 00:15:43.871: RIP: received v1 update from 10.1.1.254 on FastEthernet4.100
*Mar  4 00:15:43.871:      10.1.1.0 in 1 hops
*Mar  4 00:15:43.871:      192.168.1.0 in 1 hops
*Mar  4 00:15:47.271: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.140 (10.1.40.1)
*Mar  4 00:15:47.271: RIP: build update entries
*Mar  4 00:15:47.271:   subnet 10.1.1.0 metric 1
*Mar  4 00:15:47.271:   subnet 10.1.10.0 metric 1
*Mar  4 00:15:47.271:   subnet 10.1.20.0 metric 1
*Mar  4 00:15:47.271:   subnet 10.1.30.0 metric 1
*Mar  4 00:15:52.056: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.120 (10.1.20.1)
*Mar  4 00:15:52.056: RIP: build update entries
*Mar  4 00:15:52.056:   subnet 10.1.1.0 metric 1
*Mar  4 00:15:52.056:   subnet 10.1.10.0 metric 1
*Mar  4 00:15:52.056:   subnet 10.1.30.0 metric 1
*Mar  4 00:15:52.056:   subnet 10.1.40.0 metric 1
*Mar  4 00:15:58.728: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.110 (10.1.10.1)
*Mar  4 00:15:58.728: RIP: build update entries
*Mar  4 00:15:58.728:   subnet 10.1.1.0 metric 1
*Mar  4 00:15:58.728:   subnet 10.1.20.0 metric 1
*Mar  4 00:15:58.728:   subnet 10.1.30.0 metric 1
*Mar  4 00:15:58.728:   subnet 10.1.40.0 metric 1
*Mar  4 00:15:59.417: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.100 (10.1.1.1)
*Mar  4 00:15:59.417: RIP: build update entries
*Mar  4 00:15:59.417:   subnet 10.1.10.0 metric 1
*Mar  4 00:15:59.417:   subnet 10.1.20.0 metric 1
*Mar  4 00:15:59.417:   subnet 10.1.30.0 metric 1
*Mar  4 00:15:59.417:   subnet 10.1.40.0 metric 1
*Mar  4 00:16:00.681: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.130 (10.1.30.1)
*Mar  4 00:16:00.681: RIP: build update entries
*Mar  4 00:16:00.681:   subnet 10.1.1.0 metric 1
*Mar  4 00:16:00.681:   subnet 10.1.10.0 metric 1
*Mar  4 00:16:00.681:   subnet 10.1.20.0 metric 1
*Mar  4 00:16:00.681:   subnet 10.1.40.0 metric 1
*Mar  4 00:16:13.478: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.140 (10.1.40.1)
*Mar  4 00:16:13.478: RIP: build update entries
*Mar  4 00:16:13.478:   subnet 10.1.1.0 metric 1
*Mar  4 00:16:13.478:   subnet 10.1.10.0 metric 1
*Mar  4 00:16:13.478:   subnet 10.1.20.0 metric 1
*Mar  4 00:16:13.478:   subnet 10.1.30.0 metric 1
*Mar  4 00:16:13.870: RIP: received v1 update from 10.1.1.254 on FastEthernet4.100
*Mar  4 00:16:13.870:      10.1.1.0 in 1 hops
*Mar  4 00:16:13.870:      192.168.1.0 in 1 hops


Router#ping 10.1.1.254


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Router#ping 192.168.1.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Router#ping 74.125.67.99


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.67.99, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms




Switch#sh run
Building configuration...


Current configuration : 1376 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 100
switchport mode access


...


!
interface FastEthernet0/7
switchport access vlan 110
switchport mode access
!

...


!
interface FastEthernet0/24
switchport mode trunk
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan100
ip address 10.1.1.2 255.255.255.0
no ip route-cache
!
ip http server
!
line con 0
line vty 5 15
!
!
end


Switch#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Vlan1                      unassigned      YES unset  administratively down down
Vlan100                    10.1.1.2        YES manual up                    up
FastEthernet0/1            unassigned      YES unset  up                    up
FastEthernet0/2            unassigned      YES unset  up                    up
FastEthernet0/3            unassigned      YES unset  down                  down
FastEthernet0/4            unassigned      YES unset  down                  down
FastEthernet0/5            unassigned      YES unset  down                  down
FastEthernet0/6            unassigned      YES unset  down                  down
FastEthernet0/7            unassigned      YES unset  up                    up
FastEthernet0/8            unassigned      YES unset  down                  down
FastEthernet0/9            unassigned      YES unset  down                  down
FastEthernet0/10           unassigned      YES unset  down                  down
FastEthernet0/11           unassigned      YES unset  down                  down
FastEthernet0/12           unassigned      YES unset  down                  down
FastEthernet0/13           unassigned      YES unset  down                  down
FastEthernet0/14           unassigned      YES unset  down                  down
FastEthernet0/15           unassigned      YES unset  down                  down
FastEthernet0/16           unassigned      YES unset  down                  down
FastEthernet0/17           unassigned      YES unset  down                  down
FastEthernet0/18           unassigned      YES unset  down                  down
FastEthernet0/19           unassigned      YES unset  down                  down
FastEthernet0/20           unassigned      YES unset  down                  down
FastEthernet0/21           unassigned      YES unset  down                  down
FastEthernet0/22           unassigned      YES unset  down                  down
FastEthernet0/23           unassigned      YES unset  down                  down
FastEthernet0/24           unassigned      YES unset  up                    up


Switch#sh int trunk


Port        Mode         Encapsulation  Status        Native vlan
Fa0/24      on           802.1q         trunking      1


Port      Vlans allowed on trunk
Fa0/24      1-4094


Port        Vlans allowed and active in management domain
Fa0/24      1,100,110


Port        Vlans in spanning tree forwarding state and not pruned
Fa0/24      1,100,110


Switch#ping 10.1.1.254


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Switch#ping 192.168.1.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)



Type escape sequence to abort.
Tracing the route to 192.168.1.1


  1  *  *  *
  2  *  *  *
....


Test PC 1 can ping anything & access the Internet (currently on this PC now).

Test PC 2 can ping 10.1.10.1 and can ping 10.1.1.1 & 10.1.1.254, however it cannot ping 192.168.1.1, nor anything on the Internet.

Again, the pfsense routers are running RIPv1 (pfsense#2 on both LAN & WAN, pfsense#1 on LAN only). Updates are being received as shown above.

Any further information please let me know. Thanks again.

lamav Thu, 04/15/2010 - 15:36

Have you checked if the first firewall (192.168.1.1) has a route back to all the vlans?


Are you sure there are no filters in place that would block the pings.


HTH


Victor

gtconline Thu, 04/15/2010 - 15:54

Yes on both accounts. The 192.168.1.1 router is performing RIP and I have verified the routes are being shared. From the router I can ping this router and the Internet, however from the switch I cannot, nor from any vlan besides 10.1.1.x. I have tried applying IPs to each vlan and that did not change the results.

lamav Thu, 04/15/2010 - 16:07

Interesting...


When you ping the 192 address from the cisco router, do you run an extended ping and source the vlan that cannot reach the Internet?

gtconline Thu, 04/15/2010 - 17:45

No I was not. Here are the results:


Router#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]: 25
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 25, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.10.1
.........................
Success rate is 0 percent (0/25)

lamav Thu, 04/15/2010 - 17:56

Well, there you have it... you have to make sure that the router has a route to the 192 network and a route to the vlan... which we know it does.


Then you have to make sure that firewall 2 has a route to 192, which we know it does, and that it has a route back to the vlan - that we DON'T know.


Then, you must verify that firewall 1 has a route back to the vlan... VERIFY again.


You can't just view RIP messages going back and forth and assume that all is well. You must be able to examine the routing table for each appliance -- hop by hop -- and make sure there is the correct route entry(ies).


HTH


Victor

gtconline Thu, 04/15/2010 - 17:56

Further info:


I tried to hit 10.1.1.254 (LAN side of pfsense#2) and was successful. So the problem is with the pfsense box?!? Maybe?


Router#ping
Protocol [ip]:
Target IP address: 10.1.1.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
Packet sent with a source address of 10.1.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

lamav Thu, 04/15/2010 - 18:05

Jim:


Please verify the routing table entries as I recommended before.


Thanks

Shahaludeen N Thu, 04/15/2010 - 17:55

Hi,


Definitely your switch cannot ping any network other than 10.1.1.0/24, as the switch doesn't have a default gateway configured.


For the router it doesn't seem like a routing issue, but it does seem like a NAT issue. Who is doing the NAT? Have you checked that there is a NAT entry for the 10.1.10.0/24 network?



Regards,

Shahal.

lamav Thu, 04/15/2010 - 18:01

Shah:


NAT issue? He can't PING the 192 address on firewall 1 from the router when he sources the vlan's L3 interface. How can this have anything to do with NAT?

gtconline Thu, 04/15/2010 - 18:26

lamav, I think you are right. I am working on confirming this, however I think it might be pfsense#2 altogether. Pfsense allows vlans and I was playing with them, yet I think the issue may be the old vlan info still cached in the routing table. I will research & confirm. But here is the info for now in case you are wondering:


On PFSENSE#2 (10.1.1.254)

# netstat -r
Routing tables


Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            REMOVED      UGS         0    47394   bge1
10.1.1.0           link#1             UC          0        0   bge0
10.1.1.100         00:26:18:9f:16:c2  UHLW        1     2544   bge0   1167
gw                 00:24:8c:b3:1e:f3  UHLW        1        0    lo0
10.1.10.0          10.1.1.1           UGS         0      764   bge0
10.1.20.0          10.1.1.1           UGS         0        0   bge0
10.1.30.0          10.1.1.1           UGS         0        0   bge0
10.1.40.0          10.1.1.1           UGS         0        0   bge0
localhost          localhost          UH          1        0    lo0
192.168.1.0        link#2             UC          0        0   bge1
REMOVED      00:1a:92:6c:77:ce  UHLW        2      166   bge1    833
192.168.1.101      00:b0:d0:fe:c0:14  UHLW        1        0   bge1   1199
REMOVED   localhost          UGHS        0        0    lo0


Internet6:
Destination        Gateway            Flags      Netif Expire
::1                ::1                UHL         lo0
fe80::%bge0        link#1             UC         bge0
fe80::224:8cff:feb 00:24:8c:b3:1e:f3  UHL         lo0
fe80::%bge1        link#2             UC         bge1
fe80::224:8cff:feb 00:24:8c:b3:1f:c5  UHL         lo0
fe80::%lo0         fe80::1%lo0        U           lo0
fe80::1%lo0        link#3             UHL         lo0
fe80::%vlan0       link#7             UC        vlan0
fe80::224:8cff:feb 00:24:8c:b3:1e:f3  UHL         lo0
fe80::%vlan1       link#8             UC        vlan1
fe80::224:8cff:feb 00:24:8c:b3:1e:f3  UHL         lo0
ff01:1::           link#1             UC         bge0
ff01:2::           link#2             UC         bge1
ff01:3::           ::1                UC          lo0
ff01:7::           link#7             UC        vlan0
ff01:8::           link#8             UC        vlan1
ff02::%bge0        link#1             UC         bge0
ff02::%bge1        link#2             UC         bge1
ff02::%lo0         ::1                UC          lo0
ff02::%vlan0       link#7             UC        vlan0
ff02::%vlan1       link#8             UC        vlan1


On PFSENSE #1 (192.168.1.1)


# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            gw                 UGS         0 1126922196   bge1
10.1.1.0           192.168.1.130      UGS         0       11   bge0
10.1.10.0          192.168.1.130      UGS         0       27   bge0
10.1.20.0          192.168.1.130      UGS         0        0   bge0
10.1.30.0          192.168.1.130      UGS         0        0   bge0
10.1.40.0          192.168.1.130      UGS         0        0   bge0
localhost          localhost          UH          0   843070    lo0
192.168.1.0        link#1             UC          0        0   bge0
HOSTNAMEREMOVED           00:1a:92:6c:77:ce  UHLW        1      462    lo0
192.168.1.10       00:00:4c:0f:79:61  UHLW        1       73   bge0   1096
192.168.1.101      00:b0:d0:fe:c0:14  UHLW        1   227367   bge0   1198
192.168.1.124      00:01:02:85:28:d5  UHLW        1 58368056   bge0   1199
192.168.1.127      00:1b:b9:a7:29:28  UHLW        1    82077   bge0    890
192.168.1.130      00:24:8c:b3:1f:c5  UHLW        6    96024   bge0    579
192.168.1.133      00:22:15:45:ce:87  UHLW        1   703883   bge0   1190
192.168.1.136      00:0c:f1:eb:17:99  UHLW        1     6517   bge0   1194
192.168.1.139      00:0d:87:a9:17:c9  UHLW        1   766386   bge0   1193
192.168.1.143      00:26:bb:68:77:bc  UHLW        1  2503534   bge0    193
192.168.1.144      00:07:e9:43:9f:fa  UHLW        1        1   bge0    912
192.168.1.145      00:19:db:6b:6b:3b  UHLW        1   746042   bge0   1141
192.168.1.147      00:1b:b9:8b:ee:b4  UHLW        1   108508   bge0    944
192.168.1.148      00:1c:25:86:0b:67  UHLW        1        7   bge0    303
CannonBCA0B9       00:00:85:bc:a0:b9  UHLW        1        1   bge0   1104
IP REMOVED 4 SECURITY REASONS   link#2             UC          0       23   bge1
gw                 00:0e:38:ef:91:06  UHLW        2    91570   bge1   1199
cache1             00:e0:81:63:b1:f0  UHLW        1    23796   bge1   1142

Internet6:
Destination        Gateway            Flags      Netif Expire
::1                ::1                UHL         lo0
fe80::%bge0        link#1             UC         bge0
fe80::21a:92ff:fe6 00:1a:92:6c:77:ce  UHL         lo0
fe80::%bge1        link#2             UC         bge1
fe80::21a:92ff:fe6 00:1a:92:6c:78:85  UHL         lo0
fe80::%lo0         fe80::1%lo0        U           lo0
fe80::1%lo0        link#5             UHL         lo0
ff01:1::           link#1             UC         bge0
ff01:2::           link#2             UC         bge1
ff01:5::           ::1                UC          lo0
ff02::%bge0        link#1             UC         bge0
ff02::%bge1        link#2             UC         bge1
ff02::%lo0         ::1                UC          lo0


I will update ASAP & award points. Thanks for your help again and again.
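The hop-by-hop check lamav asks for a few posts up, applied to the tables posted here, as an added example (this is not code from the thread, from Cisco or from pfSense). Each device gets a static snapshot of its table built from the 871's "sh ip route", the two "netstat -r" outputs above and the 2950 config (which has no "ip default-gateway", the point Shahal made). FW2's default gateway is redacted on the page and is assumed to be 192.168.1.1; FW1's public side is a 203.0.113.0/24 placeholder. trace() walks a destination from one device to the next using each hop's own longest-prefix match, round_trip() runs it in both directions (a ping needs a return route too), and audit() flags statics that can never forward, such as the "ip route 10.0.0.0 255.0.0.0 10.1.1.0" line in the router config, whose next hop is a network address.

```python
"""Hop-by-hop route verification for the 871 -> pfsense#2 -> pfsense#1 chain.

Added example. Tables are constructed from the outputs quoted in the thread;
FW2's default gateway and FW1's public addresses (203.0.113.0/24) are assumed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Address as A, ip_network


@dataclass
class Route:
    prefix: object          # IPv4Network
    via: A | None           # next hop, or None when directly connected
    iface: str = ""         # egress interface, meaningful for connected routes


@dataclass
class Device:
    name: str
    addrs: dict             # iface -> this device's own address
    routes: list = field(default_factory=list)

    def lookup(self, dst: A):
        """Longest-prefix match over this device's table (None = no route)."""
        hits = [r for r in self.routes if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None

    def next_hop(self, dst: A):
        """Resolve dst to (on-link address, egress iface). A next hop that is
        not on a connected subnet is looked up again, as IOS does for the
        871's recursive 'ip route 0.0.0.0 0.0.0.0 192.168.1.1'."""
        hop = dst
        for _ in range(8):  # bound the recursion for self-referencing statics
            r = self.lookup(hop)
            if r is None:
                return None
            if r.via is None:
                return hop, r.iface
            hop = r.via
        return None

    def audit(self):
        """Flag statics that cannot forward: unresolvable next hops, or a
        next hop that is a subnet's network address (like 'via 10.1.1.0')."""
        nets = [c.prefix.network_address for c in self.routes if c.via is None]
        out = []
        for r in self.routes:
            if r.via is None:
                continue
            if self.next_hop(r.via) is None:
                out.append(f"{self.name}: {r.prefix} via {r.via} is unresolvable")
            elif r.via in nets:
                out.append(f"{self.name}: {r.prefix} via {r.via} points at a network address")
        return out


def trace(devices: dict, start: str, dst):
    """Walk dst from `start`; each device's own table picks the next device.
    Returns (names of devices visited, verdict)."""
    dst = A(dst)
    owner = {ip: d for d in devices.values() for ip in d.addrs.values()}
    path, cur = [], devices[start]
    for _ in range(len(devices) + 1):
        path.append(cur.name)
        if dst in cur.addrs.values():
            return path, "delivered"
        nh = cur.next_hop(dst)
        if nh is None:
            return path, f"no route on {cur.name}"
        hop, iface = nh
        if hop in owner:
            cur = owner[hop]
        elif hop == dst:
            return path, f"delivered on-link via {cur.name} {iface}"
        else:
            return path, f"{cur.name} forwards to {hop} via {iface}, outside the lab"
    return path, "routing loop"


def round_trip(devices: dict, start: str, src, dst):
    """A ping needs both directions: forward from `start` to dst, then the
    reply from whichever device owns dst back to src."""
    fwd = trace(devices, start, dst)
    owner = {ip: d.name for d in devices.values() for ip in d.addrs.values()}
    return fwd, (trace(devices, owner[A(dst)], src) if A(dst) in owner else None)


def build_lab():
    """Snapshots constructed from the thread's outputs (see module docstring)."""
    def conn(net, ifc): return Route(ip_network(net), None, ifc)
    def via(net, nh): return Route(ip_network(net), A(nh))
    vlans = [(1, 100), (10, 110), (20, 120), (30, 130), (40, 140)]
    r871 = Device("871", {f"fa4.{v}": A(f"10.1.{s}.1") for s, v in vlans})
    r871.routes = [conn(f"10.1.{s}.0/24", f"fa4.{v}") for s, v in vlans] + [
        via("192.168.1.0/24", "10.1.1.254"),
        via("0.0.0.0/0", "192.168.1.1"),   # recursive: resolved through the line above
        via("10.0.0.0/8", "10.1.1.0")]     # as posted in the router config
    fw2 = Device("FW2", {"bge0": A("10.1.1.254"), "bge1": A("192.168.1.130")})
    fw2.routes = [conn("10.1.1.0/24", "bge0"), conn("192.168.1.0/24", "bge1"),
                  via("0.0.0.0/0", "192.168.1.1")] + [          # gateway assumed
                 via(f"10.1.{s}.0/24", "10.1.1.1") for s, _ in vlans[1:]]
    fw1 = Device("FW1", {"bge0": A("192.168.1.1"), "bge1": A("203.0.113.2")})  # placeholder WAN
    fw1.routes = [conn("192.168.1.0/24", "bge0"), conn("203.0.113.0/24", "bge1"),
                  via("0.0.0.0/0", "203.0.113.1")] + [
                 via(f"10.1.{s}.0/24", "192.168.1.130") for s, _ in vlans]
    sw = Device("2950", {"Vlan100": A("10.1.1.2")}, [conn("10.1.1.0/24", "Vlan100")])
    return {d.name: d for d in (r871, fw2, fw1, sw)}


if __name__ == "__main__":
    lab = build_lab()
    print(round_trip(lab, "871", "10.1.10.1", "192.168.1.1"))   # the extended ping above
    print(round_trip(lab, "2950", "10.1.1.2", "192.168.1.1"))   # the switch's failed ping
    for dev in lab.values():
        for w in dev.audit():
            print("audit:", w)
```

On these snapshots the vlan 110 path traces cleanly in both directions (871 -> FW2 -> FW1 and back), while the 2950 fails at its own table with no default gateway. A clean trace does not prove the packet is delivered; it only rules the tables out, which is exactly why the thread moves on to FW2's NAT and filter policy. The audit hit on "10.0.0.0/8 via 10.1.1.0" is harmless for the /24s here, since the connected routes win the longest match, but it would black-hole any other 10.x destination.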

lamav Thu, 04/15/2010 - 18:37

OK, Jim....sounds good. Verifying the routing is a first step....and you take it from there...


Victor

Shahaludeen N Thu, 04/15/2010 - 19:29

Lamav,



My reasoning being that RIP updates to FW2 contain all the networks of the router. Also being that the 10.1.1.0 network is behind FW2 and if FW1 is reaching that network, it might reach the others as well (as RIP is running between them).


I just thought that the FW2 might be doing the NATing, and also it might be that FW2 will not allow untranslated packets to go through (I am not sure, I just guessed, although most firewalls allow untranslated packets to go through). If that is the case then even the router cannot ping FW1 without the NAT entry being there. I didn't mean that routing is definitely not the cause, it can be, just that I wanted to get his attention to the NAT problem as well.



I can see that my initial guess is right as we can see both Firewalls know the way to reach 10.1.10.0 network.


Also Jim specified that he didn't configure any security stuff, so I completely eliminated those thoughts from my decision.



Regards,

Shahal

lamav Thu, 04/15/2010 - 19:44

"My reasoning being that RIP updates to FW2 contain all the networks of the router. Also being that the 10.1.1.0 network is behind FW2 and if FW1 is reaching that network, it might reach the others as well (as RIP is running between them)."


Perhaps, but that is precisely why I asked him to verify the routing. One should take a few minutes to verify the obvious before you start going on what may end up being a wild goose chase. If it's not the routing, then you move on to the next possibility.


And anyway, all the routing updates show is that the router is sending the updates; it doesn't mean the firewall is accepting the routes and placing them in the routing table -- or that some routing conflict doesn't otherwise exist.



"I just thought that the FW2 might be doing the NATing, and also might be the FW2 will not allow untranslated packets to go through( I am not sure, I just guessed, although most firewalls allow untranslated packets to go through). If that is the case then even the router cannot ping FW1 without the NAT entry being there. I didn't mean that routing is definitely not the cause, it can be, just that I wanted to get his attention to the NAT problem as well."


I'm sorry, but I still don't get your logic.



"I can see that my initial guess is right as we can see both Firewalls know the way to reach 10.1.10.0 network."


That remains to be seen.

gtconline Mon, 04/19/2010 - 14:21

I finally got back to working with this today. My apologies about being so aloof.


I was able to verify it is a routing problem. Here is how:


DSL (public IP)
     |
Pfsense #2 (WAN - PPPoE / LAN - 10.1.1.254)
     |
Cisco 871 (same as before)
  fa4.100 (10.1.1.1)
  fa4.110 (10.1.10.1)
  ...
     |
Cisco 2950
  vlan 100 (10.1.1.2)
  vlan 110


Hosts from vlan 100 can ping anything (even google).

Hosts from vlan 110 can ping 10.1.1.1 & 10.1.1.254, however they cannot ping the public IP, nor can they ping google, etc...


RIP is still being used and updates are still being processed. I am more confused than ever now.

Shahaludeen N Tue, 04/20/2010 - 19:33

Can you check if you are able to ping pfsense#2's WAN IP (192.168.1.130)?


Regards,

Shahal.
