Solved: Re: Router can ping 8.8.8.8 but vlan clients can't

Tyrasiv · ‎06-18-2019

Hi

We have got a setup with a Pfsense box as the firewall between LAN and WAN.

Quick example overview:

Firewall

^

l

fa1----R1---fa0

l l

l fa0/21 l fa0/21

S1 S2

Our problem is that our VLAN clients on the L2 switches (5, 10, 20, 30 and 99) aren't able to ping the firewall (192.168.2.2)

Router: Cisco 1811

Switches: 2960

All clients can ping the router and the router can ping 8.8.8.8.

R1#show running-config
Building configuration...

Current configuration : 2208 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password cisco
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name cybercenter.local
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username cisco password 0 cisco
!
!
!
archive
log config
hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
interface FastEthernet0
no ip address
duplex auto
speed auto
!
interface FastEthernet0.5
encapsulation dot1Q 5
ip address 192.168.5.1 255.255.255.0
ip ospf 1 area 0
!
interface FastEthernet0.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip ospf 1 area 0
!
interface FastEthernet0.99
encapsulation dot1Q 99
ip address 192.168.99.1 255.255.255.0
ip ospf 1 area 0
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet1.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip ospf 1 area 0
!
interface FastEthernet1.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip ospf 1 area 0
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip ospf 1 area 0
!
interface Async1
no ip address
encapsulation slip
!
router ospf 1
log-adjacency-changes
network 192.168.0.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.2
ip route 0.0.0.0 0.0.0.0 FastEthernet2
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
login local
transport input ssh
!
end

And we have set the the interface which goes to the router as "switchport mode trunk"

Jon Marshall · ‎06-18-2019

If you are not allowed to use any routing (dynamic or static routes) then what you need to do is setup NAT on your router so all the LAN subnet IPs are translated to the 192.168.2.1 IP address which the pfSense does not need a route for as it is directly connected.

Jon

View solution in original post

Jon Marshall · ‎06-18-2019

Does the pfSense have routes to the LAN subnets ?

Jon

Tyrasiv · ‎06-18-2019

I can also add static routes to the LAN through Pfsense but I think it's supposed to be like this

Jon Marshall · ‎06-18-2019

I don't think those routes are right.

Firstly they have a /32 subnet mask which is incorrect and secondly if I understand your topology correctly the routes should use the LAN interface on the pfSense.

Jon

Tyrasiv · ‎06-18-2019

Ah! You are right. Testing it out now

Also setting them to LAN now

Tyrasiv · ‎06-18-2019

You are a life saviour but I just found out that we aren't allowed to use routing on the Pfsense by our teacher...

Guess I will try some workarounds on the router

Jon Marshall · ‎06-18-2019

If you are not allowed to use any routing (dynamic or static routes) then what you need to do is setup NAT on your router so all the LAN subnet IPs are translated to the 192.168.2.1 IP address which the pfSense does not need a route for as it is directly connected.

Jon

Tyrasiv · ‎06-18-2019

Thank you!

Now we have access to the firewall from the clients and we can also ping 8.8.8.8. We just can't get proper internet access yet

Perhaps we need to fiddle with the firewall settings on Pfsense.

Tyrasiv · ‎06-18-2019

We have found out it's a DNS problem from our server.

My group and I will find out the issue. Thanks for you help again

Seb Rupik · ‎06-18-2019

Hi there,

Since you are not NATing the traffic sources from your local subnets which are routed by the 1811, you will need to configure the pfsense box with the correct static routes (or configure OSPF and establish an adjacency), something like:

!
ip route 192.168.5.0 255.255.255.0 192.168.2.1
ip route 192.168.10.0 255.255.255.0 192.168.2.1
ip route 192.168.20.0 255.255.255.0 192.168.2.1
ip route 192.168.30.0 255.255.255.0 192.168.2.1
ip route 192.168.99.0 255.255.255.0 192.168.2.1
!

cheers,

Seb.

Tyrasiv · ‎06-18-2019

Hi! I'm getting this error

%Invalid next hop address (it's this router)