• Destination host unreachable LAN to LAN

    2
    0 Votes
    2 Posts
    171 Views
    J

    @technoblue Why did you delete the other post??
    https://forum.netgate.com/topic/187615/destination-host-unreachable-lan-to-lan

    And did you fix the WAN rules?

    If you can't ping a device on the same subnet it has nothing to do with a router.
    Check your IP addressing and subnet masks.

  • Destination host unreachable LAN to LAN

    2
    0 Votes
    2 Posts
    181 Views
    J

    @technoblue First, delete that rule on your WAN. It's allowing access from the internet to your LAN, ALL access. Not what you want.

    As for the Pi, if it's pinging, it's most likely something on the Pi that's blocking access to it. Is it running HAOS?

    Just noticed it's not pinging.... that WAN rule has me all flustered. DELETE that NOW!

    Assuming that .31 is the laptop, can it ping anything? like the LAN interface IP?

  • Creating passing rules between two physical or virtual interfaces

    2
    0 Votes
    2 Posts
    156 Views
    S

    @VMlabman said in Creating passing rules between two physical or virtual interfaces:

    way to use ACLs For Mac address

    pfSense Plus can do rules like that.
    https://docs.netgate.com/pfsense/en/latest/firewall/ethernet-rules.html

    https://FQDN:5555

    I'm not sure I follow. Is that the NAS address? You can create a rule to access it from a different interface, however, you can't prevent devices on LAN from accessing it, because packets on the same network do not go through the router.

  • Cant access ServerB from VM ServerA on same LAN

    4
    0 Votes
    4 Posts
    270 Views
    M

    Not sure if the pfsense DHCP is the cause of some issue. Routing is definitely not going through pfsense.

    Switch ports 25 and 26 are connected to the VMware server. Switch port 27 is connected to ServerB. Switch port 28 is a trunk to pfsense.


  • LAN does not communicate with VLAN

    5
    0 Votes
    5 Posts
    362 Views
    X

    Resolved | Solved

    It was a configuration in the ARUBA AP's own Firewall.


    thanks for the support

  • Create 2nd LAN VLAN use for Unifi device MGMT

    5
    0 Votes
    5 Posts
    495 Views
    C

    @viragomann Understood; So even if I tag all my LAN data from unifi, the network gear themselves are by default all untagged traffic - if I don't have an untagged interface in pfSense, how will the network gear get internet access and talk back to the router?

  • VLANS help

    3
    0 Votes
    3 Posts
    283 Views
    S

    @Jarhead Awesome Thanks

  • DHCPv6 issuing IPs from VLAN30 to LAN Untagged, Why?

    2
    0 Votes
    2 Posts
    233 Views
    No one has replied
  • L2 roadwarriors access

    1
    0 Votes
    1 Posts
    102 Views
    No one has replied
  • LAN trunking on ix0

    1
    0 Votes
    1 Posts
    118 Views
    No one has replied
  • Unable to access LAN from VLAN2

    7
    0 Votes
    7 Posts
    322 Views
    J

    @tore71 Also, do a packet capture from the Diagnostic menu on each interface while doing a ping from one interface to the other.
    Another common problem is software firewalls on the devices themselves. Turn Windows Firewall (or other) off while testing.

  • Ping doesn't work on VMs

    1
    0 Votes
    1 Posts
    118 Views
    No one has replied
  • Slow Speed Through VLAN

    11
    0 Votes
    11 Posts
    1k Views
    S

    Think the LAG between the 2 switches is working as I configured a new AP on the second switch, connected android phone and ran Iperf3 to a Windows PC on switch one. Results on the phone were:-

    Transfer 2.00 MBytes
    Bandwidth 563 Mbits/sec

    This was on wifi 6

    This is a similar result to being connected to an exact copy of the AP but on the first switch.

  • 0 Votes
    1 Posts
    324 Views
    No one has replied
  • How to set MTU-size to 9000 on physical interface and lagg

    3
    0 Votes
    3 Posts
    1k Views
    L

    @louis2

    At this moment, I see transfer rates between PC and NAS that I have never seen before:

    up to 9.5 Gbit from NAS to PC, up to 7 Gbit from PC to NAS

    Note that the SSD in the PC (Seagate FireCuda 530) is a faster one than the SSDs in the NAS.

  • 0 Votes
    5 Posts
    1k Views
    johnpozJ

    @dan2112 no that is pfsense cache, so it doesn't need to arp again - but it should answer all the time.. I am not aware off the top of my head of any sort of throttle or security feature that would/should prevent an answer to an arp..

    I would prob turn off the name resolution.. Could be some IP resolves to that name, but that's not currently pfsense IP so why you're not seeing the response? When you don't play with or get into the weeds on something for years and years it's hard to recall exactly all the details.. But not seeing anything in your post that would scream to me - hey this is a problem

    If you see an arp for some IP, unless it was actually for pfsense IP you wouldn't see the response - because the response would be directed to the specific mac that asked for it and not a broadcast.

    And seeing a bunch of arp is not indicative of a problem - it's possible some device is asking for arp every like 2 seconds.. Not sure if pfsense would answer every single one of those, or if maybe there is something that says hey buddy, I just answered you like 2 seconds ago, give it at least X before going to bother answering you again..

    It's quite possible there is such a thing - but off the top it's not coming to me of such mechanism or what its limitations or settings or timeouts might be.

    But out of the box pfsense caches in arp for 20 minutes.. You should see pfsense arping for stuff in its cache until it has expired..

    edit: so I took a bit of capture, and see every time something arps for pfsense IP .4.253 it does reply - those other arps are not for pfsense so you wouldn't see the response... But now I am curious exactly what those IPs are and why they are arping for other IPs ;) Off the top of my head I am not sure what specific IPs those are - but that is my psk vlan, and that is where all my lightbulbs and other iot stuff is like my alexas and stuff. And I know I put in some replacement bulbs and might not have reserved specific IPs for them as of yet.


    edit: ok 77, 76, 78 etc.. those are my alexas for example - and that .91 is one of my smartplugs I used for my xmas tree.. Which is currently offline.. hehe So yeah alexa keeps looking I take it - should prob go into alexa and disable any smartplugs and such that I don't always use ;)

    haha - yeah should prob disable these until I need to use them next xmas..


  • Can't completely isolate one laptop from the lan

    9
    0 Votes
    9 Posts
    803 Views
    T

    @JKnott said in Can't completely isolate one laptop from the lan:

    Wouldn't that isolate only wireless devices, leaving the rest of the network open?

    Yeah, client isolation is only one piece of a solution. (But it's a necessary piece if you don't want clients on the same SSID to be able to contact each other.) Once you get off the AP, you need VLANs or some other idea to block traffic to other devices.

  • Broadcast storm between HA routers.

    1
    0 Votes
    1 Posts
    204 Views
    No one has replied
  • Layer 3 Switch Redundancy Configuration

    1
    0 Votes
    1 Posts
    271 Views
    No one has replied
  • VLAN's, what to do with "default LAN" ?

    5
    0 Votes
    5 Posts
    1k Views
    JKnottJ

    @the-other said in VLAN's, what to do with "default LAN" ?:

    Now, I read that (as mentioned above) for security reasons it is not recommended to have clients or productive data running on that default VLAN.
    So, everything is in its VLAN here.

    If you're sending different VLANs to the various rooms, then you're using a managed switch to make the VLAN the native LAN to that room. Users in that room will never see the original native LAN from pfSense.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.