Why am I not able to ping between these subnets?

Hi,

I am having issues with routing between two subnets in VMWare Workstation.

I have created three VNets.
VNET1 : 139.219.1.0/24
VNET2 : 139.219.2.0/24
VNET3 : 139.219.3.0/24

On the VyOS router I have assigned.
etho : 139.219.1.1/24
eth1 : 139.219.2.1/24
eth2 : 139.219.3.1/24

Everything works fine from there and I can successfully ping each of the interfaces.

Then I have added a guest to each subnet and given them an IP address and GW.

But when I log onto one of the guests and try to ping the one in the other subnet I get a failed attempt and vice versa.

What could be going wrong?

Here is my topology

Thanks

Try with firewall on local hosts disabled. By default, windows blocks ping from outside its own subnet.

I’m having the same issue, but with different subnets of course. I’m very new to ‘understanding’ networking, but familiar with the concepts at a high level.

Doing “show ip route” indicates the subnets are all directly connected through their own interfaces. Given that routing should just work at that point, I’m guessing it might have something to do with firewalls, but I don’t understand the flow of packets enough to know which firewall might be in the way?

Specifically, I’m trying to use debian/nginx 10.54.1.51 as a proxy for homeassistant 10.54.2.51, but I can’t ping either way or from a couple of other subnets with an assortment of devices/operating systems.

@midirouter Are you able to ping those windows hosts from Vyos router?
See if you can find arp for vyos IP addresses? if not a link issue

Ideally this is a very simple topology and should not be an issue at all. If you are unable to ping from router itself to the hosts then it could be an assignment of interfaces in vmware.

@blason if you don’t mind me jumping in I’d love to keep this conversation going and hopefully it will help @midirouter when they log in next.

I can ping from Vyos to anywhere and everywhere without issue. “arp -a” on windows and debian both show me the addresses on their current subnet (including Vyos) but nothing outside that.

So you can ping Vyos but how about pinging hosts from Vyos? As suggested @16again then it might be windows firewall dropping packets? Or do you have any VPN client installed? I was troubleshooting on other day and observed that I had Fortinet remote access vpn client installed which was blocking PING. (Just a throught)

Yes, I can ping from Vyos to hosts and from hosts to Vyos.

No VPN stuff at this stage, might add Wireguard or Zerotier down the track but not going there until I’ve got a better handle on the base system.

May be then configuration would help in locating an issue.

show configuration commands

Thanks… I’m out of my depth here with regard to firewalls/zones. At what point do packets get inspected/filtered when traversing subnets? Do they effectively go from LAN1-LOCAL then LOCAL-LAN2 and those are the 2 firewalls that need to be inspected/configured?

Edit: I’ve looked a bit more into this and wondering if the problem is that my subnets are all in different vLANs, managed upstream of Vyos by the hypervisor and unifi hardware. Do I need to use vifs in Vyos rather than tagging the interfaces in the hypervisor, or is this possibly what statitc routes are for?

Possibly you may need to verify Vlans however by default there are no firewall rules applied at all unless and until you explicitly do so.

Hi 16 again,

I thought about that too and I disable the local firewalls. But that still didn’t work.

Try dump incoming and outgoing traffic:

sudo tcpdump -ni ethX.Y

Also, provide your configuration.

1 Like

That would help for sure to analyze the packets.

Thanks both. I’ve attached a sanitised config for Vyos.
vyos.txt (7.2 KB)

Running tcpdump -ni icmp on eth1 and eth2 in the attached while trying to ping from 10.31.0.51 to 10.31.20.51 appears to show the packet hitting the router but no reply of any kind… perhaps it is being dropped somewhere? There is nothing showing on eth2 at all.

Zone police zone 20LAN has no ruleset attached, allowing traffic from 00LAN

As pointed by @16again , there are no firewall rules for interzone 00LAN-20LAN and 20LAN-00LAN.

Of course… it makes sense now and is working perfectly. Thank you all for persevering with my limited understanding of this, none of the ‘Vyos for dummies’ guides I found stepped through the dual LAN setup options

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.