Only one VLAN can access Internet

gtconline
Level 1

Greetings, here is my test setup:

INTERNET (public IP)
               |
Pfsense firewall (192.168.1.1)
               |
Pfsense firewall #2 (10.1.1.254)
               |
Cisco 871
    fa4.100 (10.1.1.1)
    fa4.110 (10.1.10.1)
    fa4.120 (10.1.20.1)
    fa4.130 (10.1.30.1)
    fa4.140 (10.1.40.1)
               |
Cisco 2950
    fa0/1 (vlan 100) - to pfsense fw#2
    fa0/2 (vlan 100) - test pc
    fa0/7 (vlan 110) - test pc
    fa0/24 - TRUNK to Cisco 871
     |                    |
Test PC1              Test PC2
10.1.1.100            10.1.10.100
255.255.255.0         255.255.255.0
10.1.1.1 (gw)         10.1.10.1 (gw)
10.1.1.254 (dns)      10.1.1.254 (dns)

The issue is Test PC1 can connect to the Internet, however Test PC2 cannot. I would like all PCs to access the Internet, then start to control resources through the use of ACLs. Below are the configs of the router and switch. Both Pfsense boxes are running RIP along with the 871. Please advise, and thanks ahead of time for your help. Yes, I know this is a vanilla config and there isn't much I have done in the way of security. Gotta make it work first.

Router#sh run
Building configuration...

Current configuration : 1481 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 HIDDEN
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
username admin password 0 HIDDEN
!
!
archive
log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface FastEthernet4.100
encapsulation dot1Q 100
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet4.110
encapsulation dot1Q 110
ip address 10.1.10.1 255.255.255.0
!
interface FastEthernet4.120
encapsulation dot1Q 120
ip address 10.1.20.1 255.255.255.0
!
interface FastEthernet4.130
encapsulation dot1Q 130
ip address 10.1.30.1 255.255.255.0
!
interface FastEthernet4.140
encapsulation dot1Q 140
ip address 10.1.40.1 255.255.255.0
!
interface Vlan1
no ip address
!
router rip
network 10.0.0.0
network 192.168.1.0
!
ip default-gateway 10.1.1.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.0.0.0 255.0.0.0 10.1.1.0
ip route 192.168.1.0 255.255.255.0 10.1.1.254
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password HIDDEN
login
!
scheduler max-task-time 5000
end

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  up                    down
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    up
FastEthernet4              unassigned      YES manual up                    up
FastEthernet4.100          10.1.1.1        YES manual up                    up
FastEthernet4.110          10.1.10.1       YES manual up                    up
FastEthernet4.120          10.1.20.1       YES manual up                    up
FastEthernet4.130          10.1.30.1       YES manual up                    up
FastEthernet4.140          10.1.40.1       YES manual up                    up
Vlan1                      unassigned      YES unset  up                    up

Router#sh vlans

Virtual LAN ID:  1 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   FastEthernet4

This is configured as native Vlan for the following interface(s) :
FastEthernet4

   Protocols Configured:   Address:              Received:        Transmitted:
        Other                                           0                1466

   4401 packets, 847838 bytes input
   1466 packets, 549268 bytes output

Virtual LAN ID:  100 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   FastEthernet4.100

   Protocols Configured:   Address:              Received:        Transmitted:
           IP              10.1.1.1                 21652               22423
        Other                                           0                  67

   21652 packets, 2239446 bytes input
   22490 packets, 1551269 bytes output

Virtual LAN ID:  110 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   FastEthernet4.110

   Protocols Configured:   Address:              Received:        Transmitted:
           IP              10.1.10.1                 2498                1461
        Other                                           0                 151

   2498 packets, 253466 bytes input
   1612 packets, 829266 bytes output

Virtual LAN ID:  120 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   FastEthernet4.120

   Protocols Configured:   Address:              Received:        Transmitted:
           IP              10.1.20.1                    0                 673
        Other                                           0                   5

   0 packets, 0 bytes input
   678 packets, 92340 bytes output

Virtual LAN ID:  130 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   FastEthernet4.130

   Protocols Configured:   Address:              Received:        Transmitted:
           IP              10.1.30.1                    0                 675
        Other                                           0                   5

   0 packets, 0 bytes input
   680 packets, 92640 bytes output

Virtual LAN ID:  140 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interface:   FastEthernet4.140

   Protocols Configured:   Address:              Received:        Transmitted:
           IP              10.1.40.1                    0                 673
        Other                                           0                   5

   0 packets, 0 bytes input
   678 packets, 92320 bytes output

Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C       10.1.10.0/24 is directly connected, FastEthernet4.110
C       10.1.1.0/24 is directly connected, FastEthernet4.100
S       10.0.0.0/8 [1/0] via 10.1.1.0
C       10.1.30.0/24 is directly connected, FastEthernet4.130
C       10.1.20.0/24 is directly connected, FastEthernet4.120
C       10.1.40.0/24 is directly connected, FastEthernet4.140
S    192.168.1.0/24 [1/0] via 10.1.1.254
S*   0.0.0.0/0 [1/0] via 192.168.1.1

Router#debug ip rip
RIP protocol debugging is on
Router#
*Mar  4 00:15:43.871: RIP: received v1 update from 10.1.1.254 on FastEthernet4.100
*Mar  4 00:15:43.871:      10.1.1.0 in 1 hops
*Mar  4 00:15:43.871:      192.168.1.0 in 1 hops
*Mar  4 00:15:47.271: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.140 (10.1.40.1)
*Mar  4 00:15:47.271: RIP: build update entries
*Mar  4 00:15:47.271:   subnet 10.1.1.0 metric 1
*Mar  4 00:15:47.271:   subnet 10.1.10.0 metric 1
*Mar  4 00:15:47.271:   subnet 10.1.20.0 metric 1
*Mar  4 00:15:47.271:   subnet 10.1.30.0 metric 1
*Mar  4 00:15:52.056: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.120 (10.1.20.1)
*Mar  4 00:15:52.056: RIP: build update entries
*Mar  4 00:15:52.056:   subnet 10.1.1.0 metric 1
*Mar  4 00:15:52.056:   subnet 10.1.10.0 metric 1
*Mar  4 00:15:52.056:   subnet 10.1.30.0 metric 1
*Mar  4 00:15:52.056:   subnet 10.1.40.0 metric 1
*Mar  4 00:15:58.728: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.110 (10.1.10.1)
*Mar  4 00:15:58.728: RIP: build update entries
*Mar  4 00:15:58.728:   subnet 10.1.1.0 metric 1
*Mar  4 00:15:58.728:   subnet 10.1.20.0 metric 1
*Mar  4 00:15:58.728:   subnet 10.1.30.0 metric 1
*Mar  4 00:15:58.728:   subnet 10.1.40.0 metric 1
*Mar  4 00:15:59.417: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.100 (10.1.1.1)
*Mar  4 00:15:59.417: RIP: build update entries
*Mar  4 00:15:59.417:   subnet 10.1.10.0 metric 1
*Mar  4 00:15:59.417:   subnet 10.1.20.0 metric 1
*Mar  4 00:15:59.417:   subnet 10.1.30.0 metric 1
*Mar  4 00:15:59.417:   subnet 10.1.40.0 metric 1
*Mar  4 00:16:00.681: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.130 (10.1.30.1)
*Mar  4 00:16:00.681: RIP: build update entries
*Mar  4 00:16:00.681:   subnet 10.1.1.0 metric 1
*Mar  4 00:16:00.681:   subnet 10.1.10.0 metric 1
*Mar  4 00:16:00.681:   subnet 10.1.20.0 metric 1
*Mar  4 00:16:00.681:   subnet 10.1.40.0 metric 1
*Mar  4 00:16:13.478: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.140 (10.1.40.1)
*Mar  4 00:16:13.478: RIP: build update entries
*Mar  4 00:16:13.478:   subnet 10.1.1.0 metric 1
*Mar  4 00:16:13.478:   subnet 10.1.10.0 metric 1
*Mar  4 00:16:13.478:   subnet 10.1.20.0 metric 1
*Mar  4 00:16:13.478:   subnet 10.1.30.0 metric 1
*Mar  4 00:16:13.870: RIP: received v1 update from 10.1.1.254 on FastEthernet4.100
*Mar  4 00:16:13.870:      10.1.1.0 in 1 hops
*Mar  4 00:16:13.870:      192.168.1.0 in 1 hops

Router#ping 10.1.1.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Router#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Router#ping 74.125.67.99

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.67.99, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms

Switch#sh run
Building configuration...

Current configuration : 1376 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 100
switchport mode access

...

!
interface FastEthernet0/7
switchport access vlan 110
switchport mode access
!

...

!
interface FastEthernet0/24
switchport mode trunk
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan100
ip address 10.1.1.2 255.255.255.0
no ip route-cache
!
ip http server
!
line con 0
line vty 5 15
!
!
end

Switch#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Vlan1                      unassigned      YES unset  administratively down down
Vlan100                    10.1.1.2        YES manual up                    up
FastEthernet0/1            unassigned      YES unset  up                    up
FastEthernet0/2            unassigned      YES unset  up                    up
FastEthernet0/3            unassigned      YES unset  down                  down
FastEthernet0/4            unassigned      YES unset  down                  down
FastEthernet0/5            unassigned      YES unset  down                  down
FastEthernet0/6            unassigned      YES unset  down                  down
FastEthernet0/7            unassigned      YES unset  up                    up
FastEthernet0/8            unassigned      YES unset  down                  down
FastEthernet0/9            unassigned      YES unset  down                  down
FastEthernet0/10           unassigned      YES unset  down                  down
FastEthernet0/11           unassigned      YES unset  down                  down
FastEthernet0/12           unassigned      YES unset  down                  down
FastEthernet0/13           unassigned      YES unset  down                  down
FastEthernet0/14           unassigned      YES unset  down                  down
FastEthernet0/15           unassigned      YES unset  down                  down
FastEthernet0/16           unassigned      YES unset  down                  down
FastEthernet0/17           unassigned      YES unset  down                  down
FastEthernet0/18           unassigned      YES unset  down                  down
FastEthernet0/19           unassigned      YES unset  down                  down
FastEthernet0/20           unassigned      YES unset  down                  down
FastEthernet0/21           unassigned      YES unset  down                  down
FastEthernet0/22           unassigned      YES unset  down                  down
FastEthernet0/23           unassigned      YES unset  down                  down
FastEthernet0/24           unassigned      YES unset  up                    up

Switch#sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/24      on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/24      1,100,110

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/24      1,100,110

Switch#ping 10.1.1.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Switch#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Type escape sequence to abort.
Tracing the route to 192.168.1.1

  1  *  *  *
  2  *  *  *
....

Test PC 1 can ping anything & access the Internet (currently on this pc now)

Test PC 2 can ping 10.1.10.1 and can ping 10.1.1.1 & 10.1.1.254, however it cannot ping 192.168.1.1, nor anything on the Internet.

Again, the pfsense routers are running RIPv1 (pfsense#2 on both lan & wan, pfsense#1 on lan only). Updates are being received as shown above.

Any further information please let me know. Thanks again.
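
An added example (not part of the original post, and not Cisco's lookup code): a small Python model of recursive next-hop resolution over the `sh ip route` table quoted above. It shows which egress interface an Internet-bound packet resolves to, a lookup keyed on destination only, and it flags any static route whose next hop is a subnet's network or broadcast address; the function names are made up for this sketch.

```python
import ipaddress

# Routes copied from the "sh ip route" output in the post:
# (prefix, next-hop IP or None, connected interface or None)
ROUTES = [
    ("10.1.10.0/24", None, "FastEthernet4.110"),
    ("10.1.1.0/24", None, "FastEthernet4.100"),
    ("10.0.0.0/8", "10.1.1.0", None),
    ("10.1.30.0/24", None, "FastEthernet4.130"),
    ("10.1.20.0/24", None, "FastEthernet4.120"),
    ("10.1.40.0/24", None, "FastEthernet4.140"),
    ("192.168.1.0/24", "10.1.1.254", None),
    ("0.0.0.0/0", "192.168.1.1", None),
]

def longest_match(dst):
    """Return the most specific route covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in ROUTES if addr in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
               default=None)

def resolve(dst, max_depth=8):
    """Follow next hops until a connected route is reached.

    Returns (egress interface, address to ARP for, prefixes used).
    """
    chain, hop = [], dst
    for _ in range(max_depth):
        route = longest_match(hop)
        if route is None:
            return None, None, chain
        prefix, next_hop, iface = route
        chain.append(prefix)
        if iface is not None:
            return iface, hop, chain
        hop = next_hop
    return None, None, chain  # next hops never reached a connected route

def next_hop_issues():
    """Static routes whose next hop is a connected subnet's network/broadcast address."""
    issues = []
    for prefix, next_hop, _ in ROUTES:
        via = longest_match(next_hop) if next_hop else None
        if via is None or via[2] is None:
            continue
        net = ipaddress.ip_network(via[0])
        if ipaddress.ip_address(next_hop) in (net.network_address, net.broadcast_address):
            issues.append((prefix, next_hop))
    return issues
```

The lookup takes no source address, so the result for 74.125.67.99 is the same whether the packet came from VLAN 100 or VLAN 110.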

16 Replies

I finally got back to working with this today. My apologies about being so aloof.

I was able to verify it is a routing problem. Here is how:

DSL (public IP)
     |
Pfsense #2 (WAN - PPPoE / LAN - 10.1.1.254)
     |
Cisco 871 (same as before)
    fa4.100 (10.1.1.1)
    fa4.110 (10.1.10.1)
    ...
     |
Cisco 2950
    vlan 100 (10.1.1.2)
    vlan 110

Hosts from vlan 100 can ping anything (even google)

Hosts from vlan 110 can ping 10.1.1.1 & 10.1.1.254, however they cannot ping the public IP, nor can they ping google, etc...

RIP is still being used and updates are still being processed. I am more confused than ever now.

Can you check if you are able to ping the pfsense#2 WAN IP (192.168.1.130)?

Regards,

Shahal.
