04-15-2010 12:32 PM - edited 03-06-2019 10:38 AM
Greetings, here is my test setup:
INTERNET (public IP)
|
Pfsense firewall (192.168.1.1)
|
Pfsense firewall #2 (10.1.1.254)
|
Cisco 871
fa4.100 (10.1.1.1)
fa4.110 (10.1.10.1)
fa4.120 (10.1.20.1)
fa4.130 (10.1.30.1)
fa4.140 (10.1.40.1)
|
Cisco 2950
fa0/1 (vlan 100) - to pfsense fw#2
fa0/2 (vlan 100) - test pc
fa0/7 (vlan 110) - test pc
fa0/24 - TRUNK to Cisco 871
|                  |
Test PC1           Test PC2
10.1.1.100         10.1.10.100
255.255.255.0      255.255.255.0
10.1.1.1 (gw)      10.1.10.1 (gw)
10.1.1.254 (dns)   10.1.1.254 (dns)
The issue is Test PC1 can connect to the Internet, however Test PC2 cannot. I would like all PCs to access the Internet, then start to control resources through the use of ACLs. Below are the configs of the router and switch, and both Pfsense boxes are running RIP along with the 871. Please advise, and thanks ahead of time for your help. Yes, I know this is a vanilla config and there isn't much I have done in the way of security. Gotta make it work first.
Router#sh run
Building configuration...
Current configuration : 1481 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 HIDDEN
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
username admin password 0 HIDDEN
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface FastEthernet4.100
encapsulation dot1Q 100
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet4.110
encapsulation dot1Q 110
ip address 10.1.10.1 255.255.255.0
!
interface FastEthernet4.120
encapsulation dot1Q 120
ip address 10.1.20.1 255.255.255.0
!
interface FastEthernet4.130
encapsulation dot1Q 130
ip address 10.1.30.1 255.255.255.0
!
interface FastEthernet4.140
encapsulation dot1Q 140
ip address 10.1.40.1 255.255.255.0
!
interface Vlan1
no ip address
!
router rip
network 10.0.0.0
network 192.168.1.0
!
ip default-gateway 10.1.1.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.0.0.0 255.0.0.0 10.1.1.0
ip route 192.168.1.0 255.255.255.0 10.1.1.254
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password HIDDEN
login
!
scheduler max-task-time 5000
end
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset up down
FastEthernet1 unassigned YES unset up down
FastEthernet2 unassigned YES unset up down
FastEthernet3 unassigned YES unset up up
FastEthernet4 unassigned YES manual up up
FastEthernet4.100 10.1.1.1 YES manual up up
FastEthernet4.110 10.1.10.1 YES manual up up
FastEthernet4.120 10.1.20.1 YES manual up up
FastEthernet4.130 10.1.30.1 YES manual up up
FastEthernet4.140 10.1.40.1 YES manual up up
Vlan1 unassigned YES unset up up
Router#sh vlans
Virtual LAN ID: 1 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interface: FastEthernet4
This is configured as native Vlan for the following interface(s) :
FastEthernet4
Protocols Configured: Address: Received: Transmitted:
Other 0 1466
4401 packets, 847838 bytes input
1466 packets, 549268 bytes output
Virtual LAN ID: 100 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interface: FastEthernet4.100
Protocols Configured: Address: Received: Transmitted:
IP 10.1.1.1 21652 22423
Other 0 67
21652 packets, 2239446 bytes input
22490 packets, 1551269 bytes output
Virtual LAN ID: 110 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interface: FastEthernet4.110
Protocols Configured: Address: Received: Transmitted:
IP 10.1.10.1 2498 1461
Other 0 151
2498 packets, 253466 bytes input
1612 packets, 829266 bytes output
Virtual LAN ID: 120 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interface: FastEthernet4.120
Protocols Configured: Address: Received: Transmitted:
IP 10.1.20.1 0 673
Other 0 5
0 packets, 0 bytes input
678 packets, 92340 bytes output
Virtual LAN ID: 130 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interface: FastEthernet4.130
Protocols Configured: Address: Received: Transmitted:
IP 10.1.30.1 0 675
Other 0 5
0 packets, 0 bytes input
680 packets, 92640 bytes output
Virtual LAN ID: 140 (IEEE 802.1Q Encapsulation)
vLAN Trunk Interface: FastEthernet4.140
Protocols Configured: Address: Received: Transmitted:
IP 10.1.40.1 0 673
Other 0 5
0 packets, 0 bytes input
678 packets, 92320 bytes output
Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 10.1.10.0/24 is directly connected, FastEthernet4.110
C 10.1.1.0/24 is directly connected, FastEthernet4.100
S 10.0.0.0/8 [1/0] via 10.1.1.0
C 10.1.30.0/24 is directly connected, FastEthernet4.130
C 10.1.20.0/24 is directly connected, FastEthernet4.120
C 10.1.40.0/24 is directly connected, FastEthernet4.140
S 192.168.1.0/24 [1/0] via 10.1.1.254
S* 0.0.0.0/0 [1/0] via 192.168.1.1
Router#debug ip rip
RIP protocol debugging is on
Router#
*Mar 4 00:15:43.871: RIP: received v1 update from 10.1.1.254 on FastEthernet4.100
*Mar 4 00:15:43.871: 10.1.1.0 in 1 hops
*Mar 4 00:15:43.871: 192.168.1.0 in 1 hops
*Mar 4 00:15:47.271: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.140 (10.1.40.1)
*Mar 4 00:15:47.271: RIP: build update entries
*Mar 4 00:15:47.271: subnet 10.1.1.0 metric 1
*Mar 4 00:15:47.271: subnet 10.1.10.0 metric 1
*Mar 4 00:15:47.271: subnet 10.1.20.0 metric 1
*Mar 4 00:15:47.271: subnet 10.1.30.0 metric 1
*Mar 4 00:15:52.056: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.120 (10.1.20.1)
*Mar 4 00:15:52.056: RIP: build update entries
*Mar 4 00:15:52.056: subnet 10.1.1.0 metric 1
*Mar 4 00:15:52.056: subnet 10.1.10.0 metric 1
*Mar 4 00:15:52.056: subnet 10.1.30.0 metric 1
*Mar 4 00:15:52.056: subnet 10.1.40.0 metric 1
*Mar 4 00:15:58.728: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.110 (10.1.10.1)
*Mar 4 00:15:58.728: RIP: build update entries
*Mar 4 00:15:58.728: subnet 10.1.1.0 metric 1
*Mar 4 00:15:58.728: subnet 10.1.20.0 metric 1
*Mar 4 00:15:58.728: subnet 10.1.30.0 metric 1
*Mar 4 00:15:58.728: subnet 10.1.40.0 metric 1
*Mar 4 00:15:59.417: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.100 (10.1.1.1)
*Mar 4 00:15:59.417: RIP: build update entries
*Mar 4 00:15:59.417: subnet 10.1.10.0 metric 1
*Mar 4 00:15:59.417: subnet 10.1.20.0 metric 1
*Mar 4 00:15:59.417: subnet 10.1.30.0 metric 1
*Mar 4 00:15:59.417: subnet 10.1.40.0 metric 1
*Mar 4 00:16:00.681: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.130 (10.1.30.1)
*Mar 4 00:16:00.681: RIP: build update entries
*Mar 4 00:16:00.681: subnet 10.1.1.0 metric 1
*Mar 4 00:16:00.681: subnet 10.1.10.0 metric 1
*Mar 4 00:16:00.681: subnet 10.1.20.0 metric 1
*Mar 4 00:16:00.681: subnet 10.1.40.0 metric 1
*Mar 4 00:16:13.478: RIP: sending v1 update to 255.255.255.255 via FastEthernet4.140 (10.1.40.1)
*Mar 4 00:16:13.478: RIP: build update entries
*Mar 4 00:16:13.478: subnet 10.1.1.0 metric 1
*Mar 4 00:16:13.478: subnet 10.1.10.0 metric 1
*Mar 4 00:16:13.478: subnet 10.1.20.0 metric 1
*Mar 4 00:16:13.478: subnet 10.1.30.0 metric 1
*Mar 4 00:16:13.870: RIP: received v1 update from 10.1.1.254 on FastEthernet4.100
*Mar 4 00:16:13.870: 10.1.1.0 in 1 hops
*Mar 4 00:16:13.870: 192.168.1.0 in 1 hops
Router#ping 10.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Router#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Router#ping 74.125.67.99
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.67.99, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms
Switch#sh run
Building configuration...
Current configuration : 1376 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 100
switchport mode access
...
!
interface FastEthernet0/7
switchport access vlan 110
switchport mode access
!
...
!
interface FastEthernet0/24
switchport mode trunk
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan100
ip address 10.1.1.2 255.255.255.0
no ip route-cache
!
ip http server
!
line con 0
line vty 5 15
!
!
end
Switch#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES unset administratively down down
Vlan100 10.1.1.2 YES manual up up
FastEthernet0/1 unassigned YES unset up up
FastEthernet0/2 unassigned YES unset up up
FastEthernet0/3 unassigned YES unset down down
FastEthernet0/4 unassigned YES unset down down
FastEthernet0/5 unassigned YES unset down down
FastEthernet0/6 unassigned YES unset down down
FastEthernet0/7 unassigned YES unset up up
FastEthernet0/8 unassigned YES unset down down
FastEthernet0/9 unassigned YES unset down down
FastEthernet0/10 unassigned YES unset down down
FastEthernet0/11 unassigned YES unset down down
FastEthernet0/12 unassigned YES unset down down
FastEthernet0/13 unassigned YES unset down down
FastEthernet0/14 unassigned YES unset down down
FastEthernet0/15 unassigned YES unset down down
FastEthernet0/16 unassigned YES unset down down
FastEthernet0/17 unassigned YES unset down down
FastEthernet0/18 unassigned YES unset down down
FastEthernet0/19 unassigned YES unset down down
FastEthernet0/20 unassigned YES unset down down
FastEthernet0/21 unassigned YES unset down down
FastEthernet0/22 unassigned YES unset down down
FastEthernet0/23 unassigned YES unset down down
FastEthernet0/24 unassigned YES unset up up
Switch#sh int trunk
Port Mode Encapsulation Status Native vlan
Fa0/24 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/24 1-4094
Port Vlans allowed and active in management domain
Fa0/24 1,100,110
Port Vlans in spanning tree forwarding state and not pruned
Fa0/24 1,100,110
Switch#ping 10.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Switch#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Tracing the route to 192.168.1.1
1 * * *
2 * * *
....
Test PC 1 can ping anything & access the Internet (currently on this pc now)
Test PC 2 can ping 10.1.10.1 and can ping 10.1.1.1 & 10.1.1.254, however it cannot ping 192.168.1.1, nor anything on the Internet.
Again, the pfsense routers are running RIPv1 (pfsense#2 on both LAN & WAN, pfsense#1 on LAN only). Updates are being received as shown above.
Any further information please let me know. Thanks again.
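Added example, not part of the original post: a simplified Python model of how the 871 resolves the routes in the "sh ip route" output above (longest-prefix match, then recursive next-hop resolution down to a connected interface), plus a check for static next hops that are a subnet's network or broadcast address. The function names are illustrative assumptions; the route entries are transcribed from the post.

```python
import ipaddress

# Routes transcribed from the "sh ip route" output above:
# (prefix, next hop or None, connected interface or None)
ROUTES = [
    ("10.1.10.0/24", None, "FastEthernet4.110"),
    ("10.1.1.0/24", None, "FastEthernet4.100"),
    ("10.0.0.0/8", "10.1.1.0", None),
    ("10.1.30.0/24", None, "FastEthernet4.130"),
    ("10.1.20.0/24", None, "FastEthernet4.120"),
    ("10.1.40.0/24", None, "FastEthernet4.140"),
    ("192.168.1.0/24", "10.1.1.254", None),
    ("0.0.0.0/0", "192.168.1.1", None),
]
TABLE = [(ipaddress.ip_network(p), nh, ifc) for p, nh, ifc in ROUTES]

def lookup(dest):
    """Longest-prefix match: the most specific route covering dest, or None."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in TABLE if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def resolve(dest, max_depth=8):
    """Return (egress interface, address to ARP for, prefixes used in order)."""
    chain, target = [], dest
    for _ in range(max_depth):
        route = lookup(target)
        if route is None:
            return None, None, chain
        net, next_hop, ifc = route
        chain.append(str(net))
        if ifc is not None:          # connected route: recursion ends here
            return ifc, target, chain
        target = next_hop            # static route: resolve its next hop
    return None, None, chain         # gave up: next hops never reach an interface

def suspicious_next_hops():
    """Static routes whose next hop is a connected subnet's network/broadcast address."""
    flagged = []
    for net, next_hop, ifc in TABLE:
        if next_hop is None:
            continue
        via = lookup(next_hop)
        hop = ipaddress.ip_address(next_hop)
        if via and via[2] and hop in (via[0].network_address, via[0].broadcast_address):
            flagged.append((str(net), next_hop))
    return flagged
```

In this model `resolve()` takes only the destination address, so the result does not depend on which VLAN a packet arrived from.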
04-19-2010 02:21 PM
I finally got back to working with this today. My apologies about being so aloof.
I was able to verify it is a routing problem. Here is how:
DSL(public IP)
|
Pfsense #2 (WAN - PPPoE / LAN - 10.1.1.254)
|
Cisco 871 (same as before)
fa4.100 (10.1.1.1)
fa4.110 (10.1.10.1)
...
|
Cisco 2950
vlan 100 (10.1.1.2)
vlan 110
Hosts from vlan 100 can ping anything (even google)
Hosts from vlan 110 can ping 10.1.1.1 & 10.1.1.254, however they cannot ping the public IP, nor can they ping google, etc...
RIP is still being used and updates are still being processed. I am more confused than ever now.
04-20-2010 07:33 PM
Can you check if you are able to ping the pfsense#2 WAN IP (192.168.1.130)?
Regards,
Shahal.