Inter-vlan routing problem

Hi, Peplink guys,

We found a problem with the inter-VLAN routing configuration, please help.

We are building up a Peplink HA infrastructure, as in the attached capture.

Our Peplink hardware :

Peplink model = Peplink 1350
Firmware = 8.0.2 ( we also tried version 8.0.1 )

LAN configurations in Peplink:

  1. LAN interface configuration is attached
  2. All VLAN configurations in Peplink…… are configured with inter-VLAN routing
  3. Firewall configuration in Peplink: all are default settings

We found the inter-VLAN routing failed, as in the attached ping test (but ping tests are successful within each individual VLAN).

Ping test:

  1. From LAN (untagged VLan 888: 10.10.23.242 ) --> 10.10.23.245 (router interface) OK

  2. From LAN (tagged VLan 200 : 10.61.200.253 ) --> 10.61.200.254 (router interface) OK

  3. From LAN (untagged VLan 888: 10.10.23.242) --> 10.61.200.254 (router interface) failure

Any suggestion, thx.

With regards
Benson LE!




When pinging from the router, you specify which LAN network to send the ping request. In this scenario 10.61.200.254 is not in Vlan888 (the untagged LAN), so a valid test would be to ping from a device on each network.

Additionally, the diagram seems to indicate you are tagging 888 to the 10.10.23.240/29 network with the switch stack and SRX345, but not with the Peplink?

If the Peplink is doing the routing, devices in each network need to point to the Peplink for their default gateway. In this case 10.10.23.241 (for the VIP) of the untagged LAN, and 10.61.200.253 for VLAN 200.

1 Like

Hi, Ron_Case,

Thanks so much for your advice.

I tried to untag Vlan888 on all related switch ports (Gi1/0/8 pair, Gi1/0/4 pair & Gi1/0/6 pair), but got the same result (failure).

This morning, I captured the following from the CLI (based on the above configuration, without any change; MAC addresses are modified):

What does “incomplete” mean? (Meaning the path is not completed?)
Strangely, I cannot see the IP = 10.61.5.253 (vlan5), which is configured in Peplink?
Also, I can ping all of the above IP addresses from the SRX345 (not specifying the source, as in the following):

Prd1S345N0> ping 10.10.23.241
PING 10.10.23.241 (10.10.23.241): 56 data bytes
64 bytes from 10.10.23.241: icmp_seq=0 ttl=64 time=1.301 ms
64 bytes from 10.10.23.241: icmp_seq=1 ttl=64 time=9.939 ms
^C
--- 10.10.23.241 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.301/5.620/9.939/4.319 ms

{primary:node0}
Prd1S345N0> ping 10.61.200.253
PING 10.61.200.253 (10.61.200.253): 56 data bytes
64 bytes from 10.61.200.253: icmp_seq=0 ttl=64 time=6.645 ms
^C
--- 10.61.200.253 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 6.645/6.645/6.645/0.000 ms

support traceroute 10.61.200.254
traceroute to 10.61.200.254 (10.61.200.254), 30 hops max, 60 byte packets
1 10.61.200.254 (10.61.200.254) 4.128 ms 3.927 ms 3.897 ms

But the ping test failed (with the specified source):

Prd1S345N0> ping 10.61.200.253 source 10.10.23.245
PING 10.61.200.253 (10.61.200.253): 56 data bytes
^C
--- 10.61.200.253 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

Please advise.

With many thanks in advance.

Vlan888 is now untagged everywhere, but are the devices connected together with trunk ports and not access ports? It makes sense the SRX345 would not get a reply from 10.61.200.253 when specifying the incorrect interface as the source. The same is true when pinging from the Peplink router as noted in the previous response.

1 Like

Hi, RON_Case,

Thanks so much for your kind help.

Another test for the inter-vlan routing; I set up a vlan888 interface in the Cisco switch, and can do the inter-vlan routing as below:

61SwPrdL02C29#ping 10.61.200.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.61.200.254, timeout is 2 seconds:
!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/11 ms

61SwPrdL02C29#ping 10.61.200.254 source 10.10.23.244
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.61.200.254, timeout is 2 seconds:
Packet sent with a source address of 10.10.23.244
!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms

This is not the goal, anyway.

=======================================

Our real problem is that all subnet users cannot go to the internet (with Peplink installed). We found traffic can go outside, but return traffic is blocked by VLAN 888 (so we suspect the inter-VLAN routing).

The user subnet default route is pointing to the SRX345, and the default route points to 10.10.23.241 (VIP - VLAN 888).

This is the capture we found in the SRX345:
Session ID: 1364, Policy name: Internal-to-Internal/4, State: Active, Timeout: 18, Valid
In: 10.61.8.139/49568 --> 149.154.167.91/80;tcp, Conn Tag: 0x0, If: reth2.8, Pkts: 2, Bytes: 104,
Out: 149.154.167.91/80 --> 10.61.8.139/49568;tcp, Conn Tag: 0x0, If: reth1.888, Pkts: 0, Bytes: 0,

We found no return traffic. Is there any tool in Peplink we can use to analyze the problem?

Any problem, thx ?

With best regards
Benson
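
The session quoted in the post above shows 2 packets on the In wing and 0 on the Out wing, which is the signature of a missing return path. As an added example (not part of the original post or any vendor tooling), this Python sketch parses session text in the format quoted above and lists every session with no reply packets; the second session in the sample is constructed for contrast.

```python
import re

# Constructed sample: the first session is the one quoted in the post; the
# second is a made-up healthy session (documentation addresses) for contrast.
SAMPLE = """\
Session ID: 1364, Policy name: Internal-to-Internal/4, State: Active, Timeout: 18, Valid
  In: 10.61.8.139/49568 --> 149.154.167.91/80;tcp, Conn Tag: 0x0, If: reth2.8, Pkts: 2, Bytes: 104,
  Out: 149.154.167.91/80 --> 10.61.8.139/49568;tcp, Conn Tag: 0x0, If: reth1.888, Pkts: 0, Bytes: 0,
Session ID: 2001, Policy name: Internal-to-Internal/4, State: Active, Timeout: 1790, Valid
  In: 10.61.8.140/50112 --> 192.0.2.10/443;tcp, Conn Tag: 0x0, If: reth2.8, Pkts: 14, Bytes: 2310,
  Out: 192.0.2.10/443 --> 10.61.8.140/50112;tcp, Conn Tag: 0x0, If: reth1.888, Pkts: 12, Bytes: 9120,
"""

SESSION_RE = re.compile(r"Session ID:\s*(\d+),\s*Policy name:\s*([^,]+)")
WING_RE = re.compile(
    r"(In|Out):\s*(\S+?)/(\d+)\s*-->\s*(\S+?)/(\d+);(\w+),.*?"
    r"If:\s*([^,\s]+),\s*Pkts:\s*(\d+),\s*Bytes:\s*(\d+)"
)

def parse_sessions(text):
    """Return one dict per session, holding its 'In' and 'Out' wings."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = {"id": int(m.group(1)), "policy": m.group(2).strip()}
            sessions.append(current)
            continue
        w = WING_RE.search(line)
        if w and current is not None:
            current[w.group(1)] = {
                "src": w.group(2), "dst": w.group(4), "proto": w.group(6),
                "ifname": w.group(7), "pkts": int(w.group(8)),
            }
    return sessions

def one_way_sessions(sessions):
    """Sessions where the initiator sent packets but no reply was counted."""
    return [s for s in sessions
            if "In" in s and "Out" in s
            and s["In"]["pkts"] > 0 and s["Out"]["pkts"] == 0]

if __name__ == "__main__":
    for s in one_way_sessions(parse_sessions(SAMPLE)):
        print(f"session {s['id']}: {s['In']['src']} -> {s['In']['dst']} sent "
              f"{s['In']['pkts']} pkts, no reply seen on {s['Out']['ifname']}")
```

The interface named on the Out wing of a flagged session is where the reply was expected, so the next hop reached through it is the device to check for a route back to the client subnet.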

Hi Benson,

I would recommend getting a network capture from the Balance router support.cgi page to have a closer look. After logging into the Balance, type in this address to get the support.cgi page: http://<Peplink’s IP>/cgi-bin/MANGA/support.cgi

You can download the capture and view this traffic for both LAN and WAN interfaces of the Peplink using Wireshark.

1 Like

After traffic inspection, static routes were added in Peplink for inter-VLAN routing… problem fixed.

Thanks so much for your kind help

1 Like