[SOLVED] l3 switch dhcp clients can't reach internet


hushsucks

hey all!

having an issue with my network lab where clients using dhcp leases from my core switch are unable to reach the internet.

firewall: apu4 with pfsense
switches: pair brocade fcx624s

the core switch is configured to handle routing and dhcp (this makes more sense for my environment as i am trunking across multiple switches and only need dhcp for 2 vlans), and the firewall has a manual nat rule to nat the entire /16 covering my vlans to wan. this works as expected when clients have a statically assigned ip address- they are able to talk to one another across vlans via the switch, and to the internet via the nat. however, when a client is assigned a dhcp lease from the core switch it is only able to talk to other clients on the network- pings to the internet die after the switch, and i suspect they are dying at the nat.

the clients are virtual machines using the respective svi ip on the core switch (.253) as their default gateway. the interface they are on is trunked and each vm has the appropriate vlan tag in proxmox.

the routing table for my core switch:

Code:
        Destination        Gateway         Port          Cost          Type Uptime
1       0.0.0.0/0          10.10.254.254   ve 254        1/1           S    33m38s
2       10.10.5.0/24       DIRECT          ve 5          0/0           D    2h33m
3       10.10.10.0/24      DIRECT          ve 10         0/0           D    2h33m
4       10.10.20.0/24      DIRECT          ve 20         0/0           D    2h33m
5       10.10.50.0/24      DIRECT          ve 50         0/0           D    2h33m
6       10.10.100.0/24     DIRECT          ve 100        0/0           D    2h33m
7       10.10.254.0/24     DIRECT          ve 254        0/0           D    2h24m
8       10.10.255.0/24     DIRECT          ve 255        0/0           D    2h33m

dhcp server configuration:

Code:
SSH@cs01-lab#sh ip dhcp-s sum

DHCP Server Summary:

                    Total number of active leases:  1
           Total number of deployed address-pools:  2
         Total number of undeployed address-pools:  0
                                    Server uptime:  00d:00h:37m:28s
SSH@cs01-lab#sh ip dhcp-s addr

Showing all address pool(s):


                    Pool Name:  vlan5_lan
Time elapsed since last save:  00d:00h:07m:09s
Total number of active leases:  1
           Address Pool State:  active
        IP Address Exclusions:  10.10.5.1 10.10.5.9
      Pool Configured Options:
          dhcp-default-router:  10.10.5.253
                   dns-server:  10.10.255.53
                  domain-name:  bonequest.com
                        lease:  1 0 0
                      network:  10.10.5.0 255.255.255.0

                    Pool Name:  vlan10_iot
Time elapsed since last save:  00d:00h:07m:09s
Total number of active leases:  0
           Address Pool State:  active
        IP Address Exclusions:  10.10.10.21 10.10.10.251
      Pool Configured Options:
          dhcp-default-router:  10.10.10.253
                   dns-server:  10.10.255.53
                  domain-name:  bonequest.com
                        lease:  1 0 0
                      network:  10.10.10.0 255.255.255.0

happy to provide any additional info necessary, thanks in advance for the assistance!
 

j_h_o

Do you have a static route on the pfSense for 10.10.0.0/16 to the L3 switch, and a static route for 0.0.0.0/0 on the L3 switch to the pfSense's internal IP?
 

Blue)(Fusion

I'm not sure if the FCX has the same issue as the ICX6xxx series and the 8.0.30 train. In the ICX6xxx series, DHCP information is not presented as authoritative (or whatever the correct term may be). Some devices get IPs while others, such as smart phones, don't.

So with that out of the way, are your DHCP clients actually obtaining the DHCP IP, gateway, and DNS addresses? If not, you ran into the same issue. If they are getting DHCP assignments and they are still unable to access the internet, further information is needed from the devices' IP assignments and routing table.
 

hushsucks

@j_h_o: i didn't have my static routes back to the switch set up, and it looks like i'll have to rethink my setup a little thanks to one of my vlans- fun times :>

@Blue)(Fusion: they're getting the correct gateway, dns, routes, and domain name from the dhcp server but i have a bit more work to do on routing first. i'll keep an eye on that though, i'm using these switches to replicate my existing network for a redesign and that runs off a pair of icx6450s, so that's definitely good to know about. thanks both!
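
The two static routes j_h_o asks about can be checked with a longest-prefix lookup on each hop. This is an added example, not part of the thread: it uses the switch routing table posted above and an assumed pfSense table to show where replies to a VLAN client are sent with and without the 10.10.0.0/16 route. The pfSense routes, the switch's transit address 10.10.254.253, the client 10.10.5.100 and the outside host 198.51.100.7 are assumptions, not values from the thread.

```python
import ipaddress

# Core switch routes as posted in the thread (destination, gateway).
SWITCH_ROUTES = [
    ("0.0.0.0/0", "10.10.254.254"),  # static default toward pfSense
    ("10.10.5.0/24", "DIRECT"), ("10.10.10.0/24", "DIRECT"),
    ("10.10.20.0/24", "DIRECT"), ("10.10.50.0/24", "DIRECT"),
    ("10.10.100.0/24", "DIRECT"), ("10.10.254.0/24", "DIRECT"),
    ("10.10.255.0/24", "DIRECT"),
]

# Assumed pfSense tables (the thread does not show them). "WAN" stands for
# the upstream default gateway; 10.10.254.253 is a constructed address for
# the switch's interface on the transit VLAN.
PFSENSE_BEFORE = [("0.0.0.0/0", "WAN"), ("10.10.254.0/24", "DIRECT")]
PFSENSE_AFTER = PFSENSE_BEFORE + [("10.10.0.0/16", "10.10.254.253")]


def lookup(routes, dst):
    """Longest-prefix match: return the gateway of the most specific route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def check_path(client, outside_host, pfsense_routes):
    """Forward hop chosen by the switch, return hop chosen by pfSense."""
    forward = lookup(SWITCH_ROUTES, outside_host)
    back = lookup(pfsense_routes, client)
    # Replies only reach the client if pfSense hands them to the switch
    # (or the client sits on a network pfSense is directly attached to).
    return {"forward": forward, "return": back, "reply_reaches_lan": back != "WAN"}


if __name__ == "__main__":
    for name, table in (("before", PFSENSE_BEFORE), ("after", PFSENSE_AFTER)):
        print(name, check_path("10.10.5.100", "198.51.100.7", table))
```
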