I have the following devices on vlan93 on my network:

pfsense   (192.168.93.1)
core-sw1  (192.168.93.2)
edge-sw1  (192.168.93.3)
pf-switch (192.168.93.100)
devices   (192.168.93.120)

Physical connections below (all connections are tagged except for pf-switch → devices):

 +----------+   +------------+   +------------+   +-------------+   +----------+
 |          |   |            |   |            |   |             |   |          |
 | pfsense <--+--> core-sw1 <--+--> edge-sw1 <--+--> pf-switch <--+--> devices |
 |          |   |   Cisco    |   |   Cisco    |   |     BNT     |   |          |
 +----------+   +------------+   +------------+   +-------------+   +----------+

The following devices can talk to each other:

                pfsense  core-sw1  edge-sw1  pf-switch  devices
     pfsense       -        ✓         ✕         ✕         ✕
     core-sw1      ✓        -         ✓         ✓         ✓
     edge-sw1      ✕        ✓         -         ✓         ✓
     pf-switch     ✕        ✓         ✓         -         ✓
     devices       ✕        ✓         ✓         ✓         -

(Rows are the source, columns the destination: ✓ = can talk to, ✕ = cannot.)

I've checked on pfSense and it's not sending any ARP responses to or past edge-sw1, nor does it have ARP entries for those devices.

Any idea what to look at? I'm suspecting pfSense, but have no idea where to go from here.

Versions:

 pfsense:  1.2.3-RC1-pfSense
 core-sw1: 12.2(44)SE5
 edge-sw1: 12.2(53r)SE

Edit: When I use a Cisco 2600 router instead of pfSense with the exact same setup, everything works fine.

MikeyB

2 Answers


It may be possible that edge-sw1 is filtering it. How did you discover it wasn't sending them at all?

A host will normally send an ARP packet whenever it needs to pass a packet to a local host but lacks its MAC address (in the ARP table). Therefore, assuming those devices (or their management interfaces, as applicable) are all on the same subnet, pfsense will send an ARP request anytime it tries to communicate with a new one.

I would check the subnetting. If this is OK, I would mirror the port on the first switch pfsense is connected to, and monitor for ARP.

ARP shouldn't be sensitive to the number of switches it passes through.

Falcon Momot
  • The subnet masks are all correct. No ACLs are filtering traffic on any of the switches. When I get time to do so, I'll definitely mirror the port to look at the traffic directly. I had discovered pfsense wasn't sending them by actually running tcpdump on the pfsense interface. – MikeyB Aug 21 '12 at 13:13
  • Also, it works fine by switching pfSense out for a Cisco router. – MikeyB Aug 21 '12 at 13:22
  • If pfsense isn't sending ARP, and it doesn't have the IP in its ARP table, and the IP is on its local subnet, that is a serious bug. However, check the subnet thing. Make sure there isn't a gateway route messing things up. – Falcon Momot Aug 21 '12 at 18:22
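The answer above says what a mirrored port should show (a router ARPs for any on-link host whose MAC it lacks) and the comments add the subnet/gateway check. The following is an added example, not code from the question or either answer, of the offline check one would run over such a capture: it parses raw Ethernet/ARP frames, records who requested and who replied for which address, and lists the on-link peers the router never ARPed for. The frames, MAC addresses and the /24 prefix are constructed assumptions; the IPs are the ones from the question.

```python
"""Offline ARP capture check (added example, constructed data)."""
import ipaddress
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def build_arp(src_mac, src_ip, dst_mac, dst_ip, op):
    """Build a constructed Ethernet II + ARP (IPv4 over Ethernet) frame."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else dst_mac
    eth = eth_dst + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # htype, ptype, hlen, plen, op
    arp += src_mac + ipaddress.IPv4Address(src_ip).packed     # sender hw/proto address
    arp += (b"\x00" * 6 if op == ARP_REQUEST else dst_mac)     # target hw address
    arp += ipaddress.IPv4Address(dst_ip).packed               # target proto address
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for an IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = frame[22:28]
    sender_ip = str(ipaddress.IPv4Address(frame[28:32]))
    target_ip = str(ipaddress.IPv4Address(frame[38:42]))
    return op, sender_mac, sender_ip, target_ip


def expects_arp(iface_ip, dst_ip, prefix):
    """True when dst is on-link for the interface (no gateway hop), so a direct
    ARP request for dst is expected whenever its MAC is unknown."""
    net = ipaddress.ip_network(f"{iface_ip}/{prefix}", strict=False)
    return ipaddress.ip_address(dst_ip) in net


def summarize(frames):
    """Map each sender IP to the targets it requested and the targets it replied to."""
    seen = defaultdict(lambda: {"requested": set(), "replied_to": set()})
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:          # non-ARP or truncated frame: skip
            continue
        op, _mac, sender_ip, target_ip = parsed
        if op == ARP_REQUEST:
            seen[sender_ip]["requested"].add(target_ip)
        elif op == ARP_REPLY:
            seen[sender_ip]["replied_to"].add(target_ip)
    return dict(seen)


def missing_requests(frames, router_ip, prefix, expected_peers):
    """Return the on-link peers the router should have ARPed for but never did."""
    asked = summarize(frames).get(router_ip, {}).get("requested", set())
    return sorted((p for p in expected_peers
                   if expects_arp(router_ip, p, prefix) and p not in asked),
                  key=ipaddress.ip_address)


# Constructed capture: the router ARPs for core-sw1 only, and core-sw1 answers.
MAC_PF = bytes.fromhex("020000000001")    # made-up locally administered MACs
MAC_CSW = bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_arp(MAC_PF, "192.168.93.1", b"", "192.168.93.2", ARP_REQUEST),
    build_arp(MAC_CSW, "192.168.93.2", MAC_PF, "192.168.93.1", ARP_REPLY),
    b"\x00" * 20,                          # a short non-ARP frame parse_arp must skip
]
PEERS = ["192.168.93.2", "192.168.93.3", "192.168.93.100", "192.168.93.120"]
PREFIX = 24                                # assumed mask for vlan93

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
    print("never ARPed for:", missing_requests(SAMPLE_FRAMES, "192.168.93.1", PREFIX, PEERS))
```

With real traffic you would feed `parse_arp` the frames from the mirrored port instead of `SAMPLE_FRAMES`; an empty "never ARPed for" list with replies still absent points at the switches, while a non-empty list with a correct subnet points at the router, which is the distinction the comments above are drawing.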
This ended up being some sort of weird bug with pfSense 1.2.3 - it's fixed in later releases.

MikeyB