The vlan 1000 is just for traffic between the two ETX routers and won’t be going to the pfsense box.
VLAN 100 is the inband management VLAN that will allow me to log into each of the ETX boxes in return and edit the config files. Ultimately, the goal is for my team members to access the ETX boxes over OpenVPN.
Each of the ETX boxes has trunk ports that carry both VLANs to the Netgear box on ports 1 and 2.
Port 3 should only carry VLAN 100 traffic to the ETX port on the pfSense box. This port is configured with VLAN 100, and the interface is enabled. I have set up a single firewall rule to allow any/any on the port.
If I attach my PC to the LAN port and try to ping either 172.16.95.120 or 121 I get 100% packet loss.
If I use the Diagnostics ping using source LAN to either 172.16.95.120 or 121 I get 100% packet loss.
I’m really puzzled why I can’t ping my ETX boxes from my PC on the LAN port.
Can the ETX routers talk to each other on vlan 100?
If you put your PC on VLAN 100 connected to the Netgear switch, can you talk to both routers? I would use port 3 for this.
Is Opt2 configured to be on the same network in vlan 100?
Is there a rule to let LAN talk any-any? I don’t see one in the screenshots. Can the LAN network get out to the internet and talk to the firewall?
Is the VPN exit on its own LAN and does that LAN have a rule to allow it any-any access? Or does it exit into VLAN 100? Can you see the firewall from the VPN?
Yes all very basic questions, but start from where it works and go from there. You may have already done all this, but I don’t see that information in your post.
Can the ETX routers talk to each other on vlan 100?
ans: yes.
If you put your PC on VLAN 100 connected to the Netgear switch, can you talk to both routers? I would use port 3 for this.
ans: yes.
Is Opt2 configured to be on the same network in vlan 100?
ans: yes (ip 172.16.95.1/24)
Is there a rule to let LAN talk any-any? I don’t see one in the screenshots. Can the LAN network get out to the internet and talk to the firewall?
ans: Not right now. I have the WAN turned off for local testing purposes.
Is the VPN exit on its own LAN and does that LAN have a rule to allow it any-any access? Or does it exit into VLAN 100? Can you see the firewall from the VPN?
ans: I have OpenVPN turned off right now so as not to interfere until I get the LAN to LAN2 communications working.
Yes all very basic questions, but start from where it works and go from there. You may have already done all this, but I don’t see that information in your post.
ans: Totally understand and agree. I have been working on this issue for some time. I switched to Netgear from a Cisco NX3048 to try and simplify the issue with the smart switch. I’m going to attach the rules edit screens for both LAN and LAN2 in the next posts.
Thanks for your help.
I think the firewall is the problem. Toss a few any-any rules on your LANs, specify each, not with an alias, to make sure there isn’t a problem with an alias.
lan → vlan100 and vlan100 → lan type rules with any ports
lan → vlan1000 etc.
Yes, it’s not clean, but that might help get things working, and you can clean it up later. This is my basic strategy when I start having problems moving data from one network to another. You just about bypass the firewall doing this, but once you get connections you can go back and start locking things down one change at a time.
Thanks Greg. Narrowing it down has been the big issue. I like your idea and I’m going to give it a try. I’ll let you know how I make out. Once I can get it working then I can start working on OpenVPN access.
Glenn…
I’m making some progress, I think.
I connected a second PC to port 4. I configured port 4 with PVID 100 (the same as port 3). It is also assigned to VLAN 100. Port 4 has a DHCP range of 172.16.95.200 to 250. When I connect the PC to port 4 it gets an IP of 172.16.95.201.
So my primary PC is connected to the LAN port (opt1) on the pfSense box and my second PC is connected to port 4 of the Netgear switch.
If I go into Diagnostics Ping in pfSense and try to ping 172.16.95.201 (the second PC) from Source address LAN, the ping works.
If, however, I try to ping one of my ETX boxes from LAN, it does not work.
I was reading somewhere that this issue may be related to Gateways?
Thoughts?
I don’t know what those ETX routers are, but maybe they do not respond to ping, so here’s an idea … replace ETX1 with your PC and try to ping it from pfSense. We know your PC responds to ping.
Thanks for the suggestion. Actually, I have added a second PC on port 4 of the Netgear managed switch with the switch set for untagged port on VLAN 100 and with port 4 given a PVID of 100. So basically I am doing what you suggest.
Unfortunately, the damn PC responds to my ping…
Sorry, but I have been at this a couple of weeks and it is driving me crazy.
Someone said it might be a gateway issue. But since the second PC works I’m not so sure about that…
Cheers.
They are devices that we use to terminate an EPL service at the customer premises. One at each end of the service.
Looks like it is time to roll out Wireshark…
Thanks.
This is the first time I have worked with these ETX devices.
It has been a journey to say the least.
I contacted a fellow who is extremely knowledgeable in them and he told me that the configuration needs a static route added into them. He just happens to be the guy that sent me the configuration for them in the first place.
Well, wouldn’t you know it, when I put the static routing in them pointing to the pfSense default gateway, the whole thing worked like a charm.
I really hate it when the simple things trip one up…
Thanks a lot for all your fabulous help with this.
Best regards.
Glenn…
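The return-path problem behind the fix in this thread, as an added example that is not part of the original posts: a minimal longest-prefix route lookup showing why a host on VLAN 100 with no default route silently drops its replies to a pinger on another subnet (100% loss on the pfSense side), while a host with a static default route pointing at the pfSense OPT2 address, or one that received its gateway from DHCP like the second PC, can answer. The ETX and OPT2 addresses are the ones given in the thread; the LAN-side PC address is an assumption.

```python
import ipaddress

# Addresses from the thread, plus one constructed LAN-side address.
ETX1_IP = ipaddress.ip_address("172.16.95.120")       # ETX box on VLAN 100 (thread)
PFSENSE_OPT2 = ipaddress.ip_address("172.16.95.1")    # pfSense OPT2 on VLAN 100 (thread)
LAN_PC = ipaddress.ip_address("192.168.1.10")         # assumed: PC on the pfSense LAN

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs.
    Returns 'direct', a gateway address string, or None when no route covers dst."""
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw

# ETX as first configured: it only knows its directly connected VLAN 100 subnet.
ETX_NO_DEFAULT = [("172.16.95.0/24", "direct")]
# ETX after the fix: a static default route towards the pfSense OPT2 address.
ETX_WITH_DEFAULT = ETX_NO_DEFAULT + [("0.0.0.0/0", str(PFSENSE_OPT2))]
# The second PC: pfSense DHCP on VLAN 100 hands out the gateway automatically.
PC_FROM_DHCP = [("172.16.95.0/24", "direct"), ("0.0.0.0/0", str(PFSENSE_OPT2))]

def ping_reply_path(host_routes, requester):
    """Model the return leg of an ICMP echo. The request from `requester` is
    routed to the host by pfSense; the echo reply only leaves the host if the
    host's own table has a route back to the requester."""
    hop = next_hop(host_routes, requester)
    if hop is None:
        return "reply dropped: no route to requester (seen as 100% packet loss)"
    if hop == "direct":
        return "reply sent directly on VLAN 100"
    return f"reply forwarded via gateway {hop}"

if __name__ == "__main__":
    for label, table in [("ETX, no default route", ETX_NO_DEFAULT),
                         ("ETX, static default route", ETX_WITH_DEFAULT),
                         ("second PC, DHCP gateway", PC_FROM_DHCP)]:
        print(f"{label:28s} ping from LAN PC -> {ping_reply_path(table, LAN_PC)}")
```

The same lookup explains the observation that the ETX boxes were reachable from a PC placed directly on VLAN 100: that requester is covered by the connected /24, so no gateway is needed.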