routing problem with vlans?

Hello,

I needed to reinstall my system and now I cannot ping from a pi400 to a Windows system on my network.
I can ping from the Windows system to the pi400.
Here is my network topology:


 ┌────────────────────────┐                      ┌───────┐
 │ Tumbleweed Server with │ eno3 (no IP)         │ CABLE │
 │ DHCP + DNS + firewalld ├───────────ppp0───────│ Modem ├─── Internet
 │                        │                      │       │
 │ do intervlan routing   │                      └───────┘
 └───┬────────────────┬───┘                   
 eno2 (No IP)     eno1 (192.168.1.120)                
     │                │enslaved in br0 (for VM)       
     │                │                                    
trunk│ port          VLAN 1                           
 ┌───┴────────────────┴──────────────────────────────────┐
 │         TL─SG3216          Switch Level 2             │
 │                                                       │
 │                             VLAN  ID                  │
 │   4                   2                  3            │
 │(192.168.4.0/24)     (192.168.2.0/24) (192.168.3.0/24) │
 └───┬──────────────────┬──────────────────┬─────────────┘
     │                  │                  │         
     │                  │                  │         
   Samba               PCs                 PCs                  
192.168.4.91      192.168.2.100─     192.168.3.100─        
 ** pi 400 **          192.168.2.199      192.168.3.199
Printer 192.168.4.50

pi400 setting

rasp:~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether e4:5f:01:96:eb:3b brd ff:ff:ff:ff:ff:ff
    inet 192.168.4.91/24 brd 192.168.4.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::58c5:6428:a89e:570d/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether da:52:c3:4f:df:fa brd ff:ff:ff:ff:ff:ff permaddr e4:5f:01:96:eb:3c
rasp:~ # ip r s
default via 192.168.4.1 dev eth0 proto static metric 100 
192.168.4.0/24 dev eth0 proto kernel scope link src 192.168.4.91 metric 100 

I can ping the different gateways on the server or an external address, but not the Windows PC at 192.168.3.100.

rasp:~ # ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
64 bytes from 192.168.3.1: icmp_seq=1 ttl=64 time=0.280 ms
64 bytes from 192.168.3.1: icmp_seq=2 ttl=64 time=0.254 ms
...
rasp:~ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=14.2 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=14.7 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=118 time=18.1 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 14.247/15.685/18.122/1.732 ms

rasp:~ # ping 192.168.3.100
PING 192.168.3.100 (192.168.3.100) 56(84) bytes of data.
^C
--- 192.168.3.100 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5172ms

rasp:~ # traceroute 192.168.3.100
traceroute to 192.168.3.100 (192.168.3.100), 30 hops max, 60 byte packets
 1  192.168.4.1 (192.168.4.1)  0.297 ms  0.203 ms  0.152 ms
2 * * *
...
30 * * *

On the Tumbleweed server I have these routings:

hpprol2:~ # ip r s
default dev ppp0 scope link 
default via 192.168.2.1 dev vlan2 proto static 
default via 192.168.3.1 dev vlan3 proto static 
default via 192.168.4.1 dev vlan4 proto static 
xx.nn.97.36 dev ppp0 proto kernel scope link src yy.zz.133.182 
192.168.1.0/24 dev vlan1 proto kernel scope link src 192.168.1.1 
192.168.2.0/24 dev vlan2 proto kernel scope link src 192.168.2.1 
192.168.3.0/24 dev vlan3 proto kernel scope link src 192.168.3.1 
192.168.4.0/24 dev vlan4 proto kernel scope link src 192.168.4.1 
hpprol2:~ # 


On the Windows PC I can ping and traceroute to the pi400.

Tracing route to 192.168.4.91 over a maximum of 30 hops:
  1     1 ms     1 ms    <1 ms  192.168.3.1 
  2    <1 ms    <1 ms    <1 ms  192.168.4.91 
Trace complete.

I think that I forgot something during the reinstall but cannot find what.

Any hints?

Check your Windows firewall.

I can ping from my server to the Windows PC

hpprol2:~ # ping 192.168.3.100
PING 192.168.3.100 (192.168.3.100) 56(84) bytes of data.
64 bytes from 192.168.3.100: icmp_seq=1 ttl=128 time=0.436 ms
64 bytes from 192.168.3.100: icmp_seq=2 ttl=128 time=0.477 ms
64 bytes from 192.168.3.100: icmp_seq=3 ttl=128 time=0.397 ms
64 bytes from 192.168.3.100: icmp_seq=4 ttl=128 time=0.431 ms
64 bytes from 192.168.3.100: icmp_seq=5 ttl=128 time=0.373 ms
^C
--- 192.168.3.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4094ms
rtt min/avg/max/mdev = 0.373/0.422/0.477/0.035 ms
hpprol2:~ # 

I also have an NFS share on the server and I can read/write from the Windows PC. So the Windows firewall seems not involved.

Here are the firewalld settings on the Tumbleweed server:

hpprol2:~ # firewall-cmd --list-all
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: br0 eno1 eno2 vlan1 vlan2 vlan3 vlan4
  sources: 
  services: apache2 apache2-ssl dhcp dhcpv6 dhcpv6-client dns dns-over-tls finger ftp http https imap imaps ipp ipp-client irc kdeconnect kerberos kpasswd ldap ldaps libvirt libvirt-tls libvirtd-relocation-server mdns minidlna mountd mysql nfs nfs3 ntp openvpn rpc-bind rsyncd samba samba-client samba-dc sane slp smtp smtps snmp ssh tftp tigervnc tigervnc-https transmission-client vnc-server
  ports: 67/udp 68/udp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="192.168.3.0/24" destination address="192.168.2.0/24" protocol value="tcp" drop
        rule family="ipv4" source address="192.168.3.0/24" destination address="192.168.2.0/24" protocol value="icmp" drop
        rule family="ipv4" source address="192.168.2.0/24" destination address="192.168.3.0/24" protocol value="tcp" drop
        rule family="ipv4" source address="192.168.2.0/24" destination address="192.168.3.0/24" protocol value="icmp" drop
hpprol2:~ #

On the pi400 the firewalld is inactive

rasp:~ # systemctl status firewalld
○ firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; preset: disabled)
     Active: inactive (dead)
       Docs: man:firewalld(1)
rasp:~ # 

Many thanks
Philippe

So what? Your server is in a different network and different firewall rules may apply.

So the Windows firewall seems not involved.

Maybe. The ultimate way to check it is to stop the Windows firewall and see whether the problem can be reproduced. Until you have checked the most obvious solution there is no reason for anyone to dive deeper.

Hello,

You are right, the problem was with the Windows firewall. I had activated the rules for “Files and printer sharing (Echo request - ICMPv4-in)” but missed that there was also a setting “Local subnet”; changing it to “Any IP address” solved the problem.

Thank you so much for putting me on the right path.
Philippe
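
The rule scope described in the last post can be listed and changed from PowerShell; this is an added example, not part of the thread. It assumes an elevated PowerShell session on the Windows PC, the function names are hypothetical, and instead of “Any IP address” it admits only the local subnet plus the thread's VLAN 4 range 192.168.4.0/24.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the Windows PC. Function names are hypothetical.

function Get-IcmpRuleScope {
    # List every enabled inbound "allow" rule for ICMPv4 together with the
    # remote addresses it accepts. Matching on the protocol instead of the
    # display name keeps this independent of the Windows UI language.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            if ($port.Protocol -ne 'ICMPv4') { return }   # skip non-ICMP rules
            $addr  = $_ | Get-NetFirewallAddressFilter
            $scope = $addr.RemoteAddress -join ','
            [pscustomobject]@{
                Name            = $_.Name
                DisplayName     = $_.DisplayName
                Profile         = $_.Profile
                IcmpType        = $port.IcmpType -join ','
                RemoteAddress   = $scope
                # True means routed sources (other VLANs) are silently
                # dropped while hosts on the PC's own subnet, including the
                # router's 192.168.3.1 interface, still get replies.
                LocalSubnetOnly = ($scope -eq 'LocalSubnet')
            }
        }
}

function Set-IcmpRuleScope {
    param(
        [Parameter(Mandatory)]
        [string]   $RuleName,
        # Assumption: only VLAN 4 needs to reach this PC. Add further
        # subnets here rather than opening the rule to Any.
        [string[]] $RemoteAddress = @('LocalSubnet', '192.168.4.0/24')
    )
    Set-NetFirewallRule -Name $RuleName -RemoteAddress $RemoteAddress
    # Read the filter back so the new scope is visible immediately.
    Get-NetFirewallRule -Name $RuleName | Get-NetFirewallAddressFilter
}

# 1. Inspect: rows with LocalSubnetOnly = True explain a one-way ping.
Get-IcmpRuleScope | Format-Table -AutoSize

# 2. Widen one rule, using a Name value taken from the listing above:
# Set-IcmpRuleScope -RuleName '<Name from step 1>'
```

A rule scoped to the local subnet also explains why the ping from the server succeeded: that ping was sourced from 192.168.3.1, which is on the Windows PC's own subnet, while the pi400's packets arrive with a 192.168.4.0/24 source.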