网络工程 - 连接问题/L3 交换机 - 吾爱随笔录

连接问题/L3 交换机

网络工程思科路由感知

2022-02-11 13:41:57

在尝试不同的设置后，我的家庭实验室网络出现连接问题。无法从 LAN 连接到 pfsense 盒子，尽管 pfsense 可以一直到达 LAN 网络。

从我的笔记本电脑的角度来看：

ping 192.168.1.1 From laptop to fa 1/0/1 interface
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=1.290 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=1.281 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=1.865 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=255 time=3.229 ms

ping 192.168.1.43 From laptop to fa 1/0/2 interface
PING 192.168.1.43 (192.168.1.43): 56 data bytes
64 bytes from 192.168.1.43: icmp_seq=0 ttl=255 time=1.256 ms
64 bytes from 192.168.1.43: icmp_seq=1 ttl=255 time=1.606 ms
64 bytes from 192.168.1.43: icmp_seq=2 ttl=255 time=1.299 ms
64 bytes from 192.168.1.43: icmp_seq=3 ttl=255 time=1.877 ms

ping 192.168.1.41 From laptop to Pfsense
PING 192.168.1.41 (192.168.1.41): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4

笔记本电脑可以连接到 L3 交换机，但不能连接到 pfsense 盒

从 L3 交换机的角度来看：

ping 192.168.1.1 - From SW to host in LAN

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/17 ms

 ping 192.168.1.41 - From SW to Pfsense em1 interface

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.41, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

 ping 8.8.8.8 - L3 SW to internet

 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
 .....
 Success rate is 0 percent (0/5)

路由表

show ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.40/29 is directly connected, FastEthernet1/0/2
C       192.168.1.0/28 is directly connected, FastEthernet1/0/1
S*   0.0.0.0/0 is directly connected, FastEthernet1/0/2

运行配置

Router-L3(config)#do show run
Building configuration...

Current configuration : 3239 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router-L3
!
boot-start-marker
boot-end-marker
!
enable secret 
!
!
!
no aaa new-model
switch 1 provision ws-c3750-48ts
system mtu routing 1500
ip routing
ip name-server 50.116.40.226
ip name-server 104.245.39.112
ip name-server 74.207.232.103
ip name-server 107.170.95.180
ip name-server 8.8.8.8
ip dhcp excluded-address 192.168.1.1 192.168.1.2
!
ip dhcp pool LAN
   network 192.168.1.0 255.255.255.240
   dns-server 50.116.40.226 104.245.39.112
   default-router 192.168.1.1
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet1/0/1
 description LAN
 no switchport
 ip address 192.168.1.1 255.255.255.240
!
interface FastEthernet1/0/2
 description TO FW
 no switchport
 ip address 192.168.1.43 255.255.255.248
!
interface FastEthernet1/0/3
!
[...]
interface FastEthernet1/0/48
 shutdown
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 no ip address
 shutdown
!
ip default-gateway 192.168.1.41
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0/2
!
!
line con 0
line vty 5 15
!
end

L3 SW 可以连接到 LAN 和 pfsense 盒，但不能连接到互联网

PFsense 的观点

PING 192.168.1.43 (192.168.1.43): 56 data bytes  - PFsense to L3 fa 1/0/2
64 bytes from 192.168.1.43: icmp_seq=0 ttl=255 time=2.502 ms
64 bytes from 192.168.1.43: icmp_seq=1 ttl=255 time=2.281 ms
64 bytes from 192.168.1.43: icmp_seq=2 ttl=255 time=2.405 ms
64 bytes from 192.168.1.43: icmp_seq=3 ttl=255 time=1.730 ms

--- 192.168.1.43 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.730/2.229/2.502/0.299 ms

PING 192.168.1.1 (192.168.1.1): 56 data bytes - PFsense to L3 fa 1/0/1
64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=0.571 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.537 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=0.548 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=255 time=0.519 ms

--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.519/0.544/0.571/0.019 ms

PING 192.168.1.13 (192.168.1.13): 56 data bytes - From PFSense to a host in Lan
64 bytes from 192.168.1.13: icmp_seq=0 ttl=63 time=53.374 ms
64 bytes from 192.168.1.13: icmp_seq=1 ttl=63 time=69.013 ms
64 bytes from 192.168.1.13: icmp_seq=2 ttl=63 time=79.912 ms
64 bytes from 192.168.1.13: icmp_seq=3 ttl=63 time=114.207 ms

--- 192.168.1.13 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 53.374/79.126/114.207/22.342 ms

防火墙配置

路由表

Pf sense 连接到互联网，并一直连接到 LAN

我相信这是 L3 开关的问题，但我显然遗漏了一些东西，但我目前看不到它。任何帮助，将不胜感激。

3个回答

除了问题之外，您的默认路由设置错误：

...
ip routing
ip classless
...

在你的开关上打开，好的。

所以

ip default-gateway 192.168.1.41

没有任何意义。

但

ip route 0.0.0.0 0.0.0.0 FastEthernet1/0/2

不好，应该读

ip route 0.0.0.0 0.0.0.0 192.168.1.41

而且（我的观点）交换机不应该等待 DNS 解析，所以我几乎总是配置“ no ip domain-lookup”（某些 IOS 版本不喜欢“-”）好的，所以你必须知道 IP 地址，但记录等事件该设备不依赖于外部服务“DNS”。

顺便说一句，你的 PFSense 盒子上启用了 NAT 吗？

我没有得到你笔记本电脑的 IP，但我猜你的 pfsense 盒子缺少通往它的路由。

来自 pfsense 的 traceroute 应该可以帮助您。

否则，听起来 pfsense 正在丢弃 icmp echo 请求（这使网络调试更加困难）。

看起来你错误地配置了防火墙。

问题很可能出在 pfsense 盒子上，因为笔记本电脑可以通过第 3 层交换机 ping 另一个网络。您是否允许 pfsense 框从该接口上的不同网络接收 ICMP？

三层交换机能ping通pfsense盒子上的本地公网地址吗？它无法ping通谷歌。pfsense 框中的某些东西正在阻止您。

事实上，查看您的防火墙规则，您似乎只允许来自连接网络以外的任何其他地方的 HTTP 和 HTTPS。pfsense 框拒绝来自笔记本电脑所在网络的任何其他流量。尝试添加一条规则，就像第二条一样，但192.168.1.0/28用作源。

其它你可能感兴趣的问题

上一篇如何在地理上分开的 AS 物理连接？下一篇是否有双故障转移路由器之类的东西？