[pfSense Support] VLAN Troubles with Cisco 3550
Hello,

I searched through the list and found many posts on VLANs. To my knowledge I have done what I think is correct, but packets won't go through. I can see in the pfSense logs that packets do get in on the right VLAN interface, but that's about it.

bge0 is WAN, bge1 is LAN. I have defined two VLANs (201 and 202) and added them as interfaces:

    VLAN201  10.150.1.1
    VLAN202  10.150.2.1

Switch configuration:

    ! This is where bge0 is connected
    interface FastEthernet0/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
     no ip address
    !
    ! attached to machine b (10.150.2.10)
    interface FastEthernet0/17
     switchport access vlan 202
     no ip address
    !
    ! attached to machine a (10.150.1.10)
    interface FastEthernet0/31
     switchport access vlan 201
     no ip address

I have added an "allow anything anywhere" rule on each VLAN interface (and WAN too). When I ping the firewall from machine a or b, the log says something along the lines of

    Oct 14 18:12:42 VLAN202 10.150.2.10 10.150.2.1 ICMP

but no replies come back. I cannot ping the machines from pfSense either. So packets get tagged and understood on the way TO pfSense, but some error happens the other way.

What I do get on machines A and B is some Cisco packets:

    Capturing on eth1
     0.000000 Cisco_e1:b1:8d -> Spanning-tree-(for-bridges)_00  STP Conf. Root = 32970/00:09:b7:e1:b1:80 Cost = 0 Port = 0x800d
     1.999793 Cisco_e1:b1:8d -> Spanning-tree-(for-bridges)_00  STP Conf. Root = 32970/00:09:b7:e1:b1:80 Cost = 0 Port = 0x800d
     2.791435 Cisco_e1:b1:8d -> Cisco_e1:b1:8d                  LOOP Reply
     3.999626 Cisco_e1:b1:8d -> Spanning-tree-(for-bridges)_00  STP Conf. Root = 32970/00:09:b7:e1:b1:80 Cost = 0 Port = 0x800d
     5.999456 Cisco_e1:b1:8d -> Spanning-tree-(for-bridges)_00  STP Conf. Root = 32970/00:09:b7:e1:b1:80 Cost = 0 Port = 0x800d
     7.999297 Cisco_e1:b1:8d -> Spanning-tree-(for-bridges)_00  STP Conf. Root = 32970/00:09:b7:e1:b1:80 Cost = 0 Port = 0x800d
     9.999141 Cisco_e1:b1:8d -> Spanning-tree-(for-bridges)_00  STP Conf. Root = 32970/00:09:b7:e1:b1:80 Cost = 0 Port = 0x800d
    11.998963 Cisco_e1:b1:8d -> Spanning-tree-(for-bridges)_00  STP Conf. Root = 32970/00:09:b7:e1:b1:80 Cost = 0 Port = 0x800d
    12.790606 Cisco_e1:b1:8d -> Cisco_e1:b1:8d                  LOOP Reply
    13.998792 Cisco_e1:b1:8d -> Spanning-tree-(for-bridges)_00  STP Conf. Root = 32970/00:09:b7:e1:b1:80 Cost = 0 Port = 0x800d
    15.998627 Cisco_e1:b1:8d -> Spanning-tree-(for-bridges)_00  STP Conf. Root = 32970/00:09:b7:e1:b1:80 Cost = 0 Port = 0x800d
    17.166677 Cisco_e1:b1:8d -> CDP/VTP/DTP/PAgP/UDLD           CDP Device ID: Switch  Port ID: FastEthernet0/17
    17.998475 Cisco_e1:b1:8d -> Spanning-tree-(for-bridges)_00  STP Conf. Root = 32970/00:09:b7:e1:b1:80 Cost = 0 Port = 0x800d
    19.998302 Cisco_e1:b1:8d -> Spanning-tree-(for-bridges)_00  STP Conf. Root = 32970/00:09:b7:e1:b1:80 Cost = 0 Port = 0x800d
    14 packets captured

Any hints, tips, clues?

--
Fredrik Rambris [EMAIL PROTECTED]
Advanced Systems Specialist
CDON.COM Nelly.com LinusLotta.com Gymgrossisten.com

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] Ipsec over LAN
On Tue, Oct 14, 2008 at 2:46 PM, BSD Wiz [EMAIL PROTECTED] wrote:

With 1.2 is it possible to connect two pfSense boxes on the same subnet via an IPsec tunnel? Both boxes' WAN interfaces are private IPs.

No, need different subnets.

Scott
Re: [pfSense Support] Ipsec over LAN
On Tue, Oct 14, 2008 at 2:59 PM, BSD Wiz [EMAIL PROTECTED] wrote:

To be clear, both boxes' LANs are different subnets of course, but the WANs are on the same subnet.

That might work. Give it a shot.

Scott
Re: [pfSense Support] VLAN Troubles with Cisco 3550
What version of pfSense are you running? 1.2-Release? 1.2.1-RC?

Fredrik Rambris wrote: [...]
Re: [pfSense Support] VLAN Troubles with Cisco 3550
Hello Gary,

On the C3550, on Fa0/1 try:

    switchport trunk allowed vlan 201,202

Then look at the output of:

    sh interfaces trunk

You should see whether Fa0/1 is trunking correctly with dot1Q encapsulation.

Cheers,
- Matej

Gary Buckmaster wrote: [...]
Re: [pfSense Support] Ipsec over LAN
So you're saying that the WAN interfaces on the boxes need different subnets?

-Phil G

On Oct 14, 2008, at 1:49 PM, Scott Ullrich [EMAIL PROTECTED] wrote: [...]
Re: [pfSense Support] VLAN Troubles with Cisco 3550
Look closely... the "switchport mode access" command is absent. I use it this way, and it works OK:

    interface fastethernet 0/x
     switchport mode access
     switchport access vlan

Regards

On Tue, Oct 14, 2008 at 4:39 PM, Matej Duracka [EMAIL PROTECTED] wrote: [...]
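The two switch-side suggestions in this thread (an explicit allowed-VLAN list on the trunk, and an explicit "switchport mode access" on the host ports) are exactly the things a configuration lint can check before anyone touches the pfSense side, and they are also the classic VLAN-hopping hygiene points: a trunk with no allowed list carries every VLAN, and an access port whose mode is left to DTP negotiation (the Catalyst 3550 default is "dynamic desirable") can be talked into trunking by the attached host. The following is an added example, not code from the thread, from pfSense or from Cisco: a small parser for IOS "interface" stanzas run over the configuration Fredrik posted (embedded below as a constructed sample) and over a hardened version of it that this example assumes. The finding strings, the hardened stanzas and the "switchport nonegotiate" recommendation are this example's own; it checks configuration text only and is no substitute for "show interfaces trunk" on the switch, which shows the operational state.

```python
"""Lint Cisco IOS interface stanzas for trunk/access VLAN hygiene.

Added example (not from the thread or from any vendor). It reports trunks
without an allowed-VLAN list, access ports without an explicit mode, and
ports that still run DTP, then checks that every access VLAN is actually
carried by the trunk.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the three stanzas from the original post, with the
# poster's comments kept as IOS "!" lines.
POSTED_CONFIG = """\
! This is where bge0 is connected
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
! attached to machine b (10.150.2.10)
interface FastEthernet0/17
 switchport access vlan 202
 no ip address
!
! attached to machine a (10.150.1.10)
interface FastEthernet0/31
 switchport access vlan 201
 no ip address
!
"""

# Constructed hardened version (this example's assumption, not the poster's
# config): explicit allowed list, explicit access mode, DTP disabled.
HARDENED_CONFIG = """\
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 201,202
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/17
 switchport mode access
 switchport access vlan 202
 switchport nonegotiate
!
interface FastEthernet0/31
 switchport mode access
 switchport access vlan 201
 switchport nonegotiate
!
"""


@dataclass
class Port:
    name: str
    lines: list = field(default_factory=list)

    def has(self, prefix: str) -> bool:
        return any(l.startswith(prefix) for l in self.lines)

    def value(self, prefix: str) -> Optional[str]:
        """Text after PREFIX on the first matching sub-command, else None."""
        for l in self.lines:
            if l.startswith(prefix + " "):
                return l[len(prefix):].strip()
        return None


def parse_interfaces(text: str) -> dict:
    """Group the sub-commands of each 'interface X' stanza under X."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = Port(m.group(1))
            ports[current.name] = current
        elif current is not None:
            current.lines.append(line)
    return ports


def expand_vlan_list(spec: str) -> set:
    """'201,202,300-302' -> {201, 202, 300, 301, 302}."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def lint_port(port: Port) -> list:
    """Findings for one port; an empty list means nothing to report."""
    findings = []
    mode = port.value("switchport mode")
    if mode == "trunk":
        if not port.has("switchport trunk allowed vlan"):
            findings.append("trunk carries every VLAN; add 'switchport trunk allowed vlan <list>'")
        if port.value("switchport trunk encapsulation") != "dot1q":
            findings.append("trunk encapsulation is not dot1q")
    elif port.has("switchport access vlan") and mode != "access":
        # No explicit mode: the operational mode is negotiated by DTP
        # (Catalyst 3550 default 'dynamic desirable'), so the host can trunk.
        findings.append("access VLAN set without 'switchport mode access'; mode is DTP-negotiated")
    if not port.has("switchport nonegotiate"):
        findings.append("DTP still enabled; add 'switchport nonegotiate'")
    return findings


def lint_config(text: str) -> dict:
    return {name: lint_port(p) for name, p in parse_interfaces(text).items()}


def vlans_missing_from_trunk(ports: dict, trunk_name: str) -> set:
    """Access VLANs in use on the switch that TRUNK_NAME would not carry."""
    needed = {int(p.value("switchport access vlan"))
              for p in ports.values() if p.has("switchport access vlan")}
    allowed = ports[trunk_name].value("switchport trunk allowed vlan")
    if allowed is None or allowed == "all":   # no list means all VLANs
        return set()
    if allowed == "none":
        return needed
    return needed - expand_vlan_list(allowed)


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for name, findings in lint_config(cfg).items():
            print(f"{name}: {findings or 'ok'}")
        missing = vlans_missing_from_trunk(parse_interfaces(cfg), "FastEthernet0/1")
        print("access VLANs not carried by FastEthernet0/1:", missing or "none")
```

On the posted configuration the lint flags the trunk (no allowed list, DTP on) and both access ports (no explicit mode, DTP on); on the hardened version it reports nothing, and narrowing the allowed list to a single VLAN makes the missing-VLAN check name the one that was dropped. Note that the posted trunk does carry 201 and 202 (no list means all VLANs), so the lint confirms the switch will forward tagged frames for both VLANs; it does not by itself explain the missing replies, which still needs the operational checks and a capture on the trunk side.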
Re: [pfSense Support] Ipsec over LAN
On Tue, Oct 14, 2008 at 2:59 PM, BSD Wiz [EMAIL PROTECTED] wrote:

To be clear, both boxes' LANs are different subnets of course, but the WANs are on the same subnet.

If they're on the same ISP with privately addressed WANs that will work, if they allow routing between customers. If it's two different ISPs you aren't going to be able to connect them with private WAN IPs, since they aren't routable across the Internet.
Re: [pfSense Support] Ipsec over LAN
It's on my corporate network; both WAN interfaces of the pfSense boxes are on the same private IP subnet. We built two labs using pfSense and now we want to connect the two labs. I haven't had any luck getting them to work yet... The reason I've asked the question is because I have several site-to-site VPNs over the Internet up and running and never had any problems with them, but I can't get this LAN setup to work. So if I know it should work, I'll keep playing with it.

Thanks,
-phil

On Oct 14, 2008, at 4:30 PM, Chris Buechler wrote: [...]
Re: [pfSense Support] Ipsec over LAN
Is there a particular reason you need this traffic to be encapsulated? At first blush, this would seem to be a pretty standard routing problem, easily solvable with static routes. Unless there's some very specific reason for needing the encryption.

-Gary

BSD Wiz wrote: [...]
Re: [pfSense Support] Ipsec over LAN
Yes, there are reasons, and it must be encrypted.

Thanks,
-phil

On Oct 14, 2008, at 5:11 PM, Gary Buckmaster wrote: [...]