Apologies if I am hijacking the thread, but I am trying to set this machinery up on my LAN and, after going through this thread (and many others elsewhere) and having tried everything I could think of, I am still partially successful at best. I suspect I am either misconfiguring the default route or have some fundamental misunderstanding about the transit network and/or VLANs, but after trying most things I'd regard as sensible, I am still unable to ping the firewall from a machine in a VLAN outside of the transit network.
I would really appreciate some insights here as I am thoroughly confused and I can't understand what part of setup/assumption is wrong.
Whatever additional info is needed I am more than happy to add.
Note that the Workstation B has a static IP whereas the rest is DHCP - this is temporary but intentional: in fullness, I intend to fully leverage the Dell 8024F on-switch DHCP server but wanted to keep the test scenarios tight and not introduce complexity unless this setup works (which is invariant from DHCP, as it is).
The firewall is a virtualised instance running in Proxmox VE 6.3.1 (full disclosure: no network bridge is made VLAN aware, but based on my understanding, it should not be anyway). If need be, I can spin up a bare metal firewall instance and retry (but I'd rather not go through the hassle, unless really needed).
Here are my test scenarios and results:
| Action | Expected Result | Observed Result |
|---|---|---|
| telnet to switch via OOB and ping 172.16.0.1 | OK (no loss) | OK (no loss) |
| ping from firewall to 172.16.0.2 | OK (no loss) | OK (no loss) |
| 8024F pfSense gateway status | Online | Online (loss -> 0.0%) |
| ping from Workstation A to FIBRE0 | OK (no loss) | OK (no loss) |
| ping from Workstation A to VLAN 15 SVI | OK (no loss) | OK (no loss) |
| ping from Workstation A to VLAN 300 SVI | OK (no loss) | OK (no loss) |
| ping from Workstation A to Workstation B | OK (no loss) | TIMEOUT |
| ping from Workstation B to FIBRE1 (transit net other end) | OK (no loss) | TIMEOUT |
| ping from Workstation B to VLAN 15 SVI | OK (no loss) | OK (no loss) |
| ping from Workstation B to VLAN 300 SVI | OK (no loss) | OK (no loss) |
| ping from Workstation B to Workstation A | OK (no loss) | TIMEOUT |
Note - test results above are the same for Port 4 configuration in ACCESS or TRUNK mode. Port 2 is always ACCESS mode.
Here is a picture of my setup:
Here is the switch routing table output:
My current understanding is:
- inter-VLAN routing works OK
- pfSense gateway + static routing works OK
The most suspect configuration here is the default route - but I have followed the switch docs and this seems the correct way to configure this.
Questions:
- why can't I ping pfSense end of transit network from Workstation B despite it being ping-able from the switch?
- why can't I ping Workstation B from Workstation A (and vice-versa)?