ARP Table and Internet Issue
-
@johnpoz so currently,
WAN - Connected to Modem
LAN - Connected to Router (WiFi)
OPT1 - Connected to my desktop
OPT2 - Empty
Here's the sample config that I am using: sample config file
-
@yupq6wlc79ts said in ARP Table and Internet Issue:
OPT1 - Connected to my desktop
And again - you show no OPT1 interface at all..
-
@johnpoz No
WAN - Connected to Modem
LAN - Connected to Router (WiFi)
OPT1 - Connected to my desktop
OPT2 - Empty
is what I see currently plugged in...
-
@yupq6wlc79ts that is fine then.. So your desktop connects to opt3?
Or opt2 - I show opt2 up (the green arrow) but you have no IP set on it - so did you bridge this to lan?
-
@johnpoz does this help?
and this?
-
@yupq6wlc79ts Why do you have everything bridged?
But you're setting an IP on opt3?
So you've got something going on where traffic from your lan, which you have bridged to all your interfaces, and your opt2 are connected together and you're seeing an answer (arp) on both interfaces. You have a loop somewhere would be my guess.
But in that xml you sent there is no setting showing that 192.168.3.1 address.
It would be impossible for pfsense to see an arp for your desktop if plugged into optX on the bridge and also see it on lan, unless you have a loop somewhere.
-
@johnpoz so the 192.168.3.1 is what I added later to segment some of my network traffic.
@johnpoz said in ARP Table and Internet Issue:
It would be impossible for pfsense to see an arp for your desktop if plugged into optX on the bridge and also see it on lan, unless you have a loop somewhere.
How/Where can I find that "loop"? I don't think I have created any loop (or may be did it by mistake?)
-
@yupq6wlc79ts need to see exactly how you have this connected
You say your wifi is on lan.. But your pc has no wifi.. The mac you showed in your censored document looks like it is the same mac.. So something on your network looped or answered that arp? Do you have any other sort of anything on your pc, like a bluetooth connection to sonos speakers or something else on your network that would bridge?
In a normal network, networks are isolated at layer 2. It is not possible for traffic to be seen like you show, unless there is a loop or bridge that connects the 2.. Even if your pc had wifi and wired, the macs would be different than the :39 you show; wifi would be something else.
Did you maybe move your laptop from one connection to the other? Say plugged into your wifi router's port, and then plugged it into a pfsense port? The expiry times on the arps are 130 seconds different. So that seems too far apart to be a loop to be honest. But if you moved your pc from, say, a port on your wifi router that is on lan to another port on pfsense (opt2), that would explain what you're seeing for sure. Because the other arp didn't expire yet..
-
@johnpoz so what you said last might be the case.
I initially created 192.168.3.1 on OPT3 to segment the traffic; that is where my PC used to be connected to.
I then needed to be on 192.168.1.1 so I needed to change my OPT. Since my WiFi is on LAN, I connected my pc to OPT1 (which is OPT2 in the pfSense?)
So, from that point, shouldn't the ARP expire at some point? It just keeps coming back...
And yes, the MACs are the same for my PC in both LAN and OPT2.
Currently, everything is working fine because all I see in ARP is LAN & WAN.
The issue arises when I restart my pc, then ARP will have LAN, WAN and OPT2 for some reason.
-
@yupq6wlc79ts said in ARP Table and Internet Issue:
I initially created 192.168.3.1 on OPT3 to segment the traffic
But you left it in the bridge.. not a good setup.
Arp will expire, default is 20 minutes I believe in pfsense.
Doing something like this
Could for sure cause exactly what you were seeing.. when your wifi router is being used as an AP. If it was natting, ie in router mode, this wouldn't happen, because the only mac pfsense would see from anything connected to the wifi router, be it wifi or wired, would be the mac of the wan interface on the router.
So if you do something like that in the future, you can flush the pfsense arp cache.. See the clear arp table button at the bottom of the listing. Or you can delete specific ones with the little trashcan symbol.
If you want to isolate your pc from your lan, then you need to remove the interface you're going to connect to out of your bridge. I personally would really never bridge pfsense interfaces. If you want more ports in a specific network, then get a switch..
The issue arises when I restart my pc
Restarting your PC wouldn't flush pfsense's cached arp entry for it. If it was plugged into your wifi router and then you moved it, whether you restart your pc or not wouldn't matter. Once pfsense saw that mac on your lan, it's going to sit there until it expires or you flush it.
-
@johnpoz one thing to note is, this pc has never connected to wifi (lan port in this case via router).
To your point, I did remove/delete an entry in the arp and also cleared the arp table; it works...until I restart my machine.
I can factory default it and start again...let me ask you this, the sample file I shared, would you recommend that config? (the one without 192.168.3.1 setup?)
-
@yupq6wlc79ts no I wouldn't - you have everything bridged in that xml.. I could never in good conscience ever recommend a bridge setup.. unless there was a specific technical reason for it: you need different media types to be on the same network, and the only device that has both media types, say fiber and ethernet, is the pfsense. And even then that would be a temp solution until you got a media converter ;)
If you need more ports, then get a switch. If you want switch ports on your pfsense box, then get an appliance that has switch ports in it.
I only skimmed that xml real quick to see if you had a bridge setup. And it clearly isn't your actual config anyway, because there is no 192.168.3.1 in that xml.
Clearly there are pieces missing here. But I see no way, if your pc is only connected to optX and your arp table on pfsense only shows it on the optX interface... restarting your pc in no way, shape or form could have the arp show up on your lan interface. Especially 130 seconds apart.. If there was a loop, then they would be at most like 1 second apart. And even then it would prob have to be because the arp was seen just before the second changed; a loop of traffic would be in the ms.. not 130 seconds.
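Added example, not part of any post in this thread: a small Python script that takes the text of `arp -an` as run from the pfSense (FreeBSD) shell, finds any MAC learned on more than one interface, and applies the expiry-time rule of thumb argued above. Two entries that expire within a second or two of each other were learned from the same looped or externally bridged frames; a spread of 130 seconds means the host was learned on one interface and only later on another, so the entry with less time left is simply the stale one. The sample table, the igb0..igb3 interface names, the addresses and the MACs are all constructed for this example; the 1200-second lifetime is FreeBSD's default `net.link.ether.inet.max_age`.

```python
"""Spot a MAC that pfSense has learned on two interfaces and say whether it
looks like a loop/bridge or a host that was simply moved between ports.

Input is the text of `arp -an` as printed on pfSense (FreeBSD format). The
sample below is constructed for this example: interface names, addresses
and MACs are made up.
"""
import re
from collections import defaultdict

# FreeBSD default ARP entry lifetime (sysctl net.link.ether.inet.max_age), in seconds.
DEFAULT_MAX_AGE = 1200

# Two entries learned within this many seconds of each other were most likely
# learned from the same frames, i.e. a loop or a bridge outside the firewall.
LOOP_WINDOW_SECONDS = 2

# Constructed sample in FreeBSD `arp -an` format. The desktop MAC appears on
# igb1 (LAN) with 130 seconds less remaining than on igb3 (OPT2).
SAMPLE_ARP = """\
? (192.168.1.1) at 00:08:a2:0a:11:22 on igb1 permanent [ethernet]
? (192.168.1.50) at 3c:7c:3f:aa:bb:cc on igb1 expires in 1070 seconds [ethernet]
? (192.168.1.50) at 3c:7c:3f:aa:bb:cc on igb3 expires in 1200 seconds [ethernet]
? (192.168.1.20) at b8:27:eb:11:22:33 on igb1 expires in 900 seconds [ethernet]
? (203.0.113.1) at 00:1a:2b:3c:4d:5e on igb0 expires in 600 seconds [ethernet]
"""

# "(incomplete)" and "expired" entries do not match this pattern and are skipped.
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[0-9.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"on (?P<ifname>\S+) (?:expires in (?P<ttl>\d+) seconds|permanent)"
)


def parse_arp(text):
    """Return a list of dicts with ip, mac, ifname and ttl (None for permanent entries)."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        ttl = int(m.group("ttl")) if m.group("ttl") else None
        entries.append({"ip": m.group("ip"), "mac": m.group("mac").lower(),
                        "ifname": m.group("ifname"), "ttl": ttl})
    return entries


def duplicate_macs(entries):
    """Group learned (non-permanent) entries by MAC; keep MACs seen on more than one interface."""
    by_mac = defaultdict(list)
    for e in entries:
        if e["ttl"] is not None:
            by_mac[e["mac"]].append(e)
    return {mac: es for mac, es in by_mac.items()
            if len({e["ifname"] for e in es}) > 1}


def classify(entries_for_mac, max_age=DEFAULT_MAX_AGE, loop_window=LOOP_WINDOW_SECONDS):
    """Apply the expiry-time rule of thumb to one MAC's entries.

    Looped frames are learned on both interfaces at about the same time, so
    their timers run almost in lock step. A spread of tens of seconds or more
    means the host was learned first on one interface and later on another;
    the entry with the least time left is the older, stale one.
    """
    ttls = sorted(e["ttl"] for e in entries_for_mac)
    spread = ttls[-1] - ttls[0]
    verdict = "loop" if spread <= loop_window else "moved"
    stale = min(entries_for_mac, key=lambda e: e["ttl"])
    return {
        "interfaces": sorted({e["ifname"] for e in entries_for_mac}),
        "ttl_spread": spread,
        # (interface, ip, seconds since pfSense learned it), assuming the default max age
        "learned_seconds_ago": [(e["ifname"], e["ip"], max_age - e["ttl"])
                                for e in entries_for_mac],
        "verdict": verdict,
        "stale_entry": None if verdict == "loop" else (stale["ifname"], stale["ip"]),
    }


def analyze(arp_text):
    """Parse `arp -an` output and report every MAC seen on more than one interface."""
    return {mac: classify(es) for mac, es in duplicate_macs(parse_arp(arp_text)).items()}


if __name__ == "__main__":
    for mac, report in analyze(SAMPLE_ARP).items():
        print(mac, report)
```

On a real box the same text comes from `arp -an` in the pfSense shell, and `arp -d -a` clears the whole table, which is what the GUI's Clear ARP Table button does; with the sample above the verdict is "moved" and the stale entry is the one on igb1.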
-
@johnpoz ok, let me sanitize my actual xml and send it, it may give you an idea of my current setup?
-
@yupq6wlc79ts no offense, but I have no desire to comb through some xml looking for what you have described and shown already.
What exactly are you wanting to know? You have a bridge setup - not something I would recommend.. I have no idea why you would even need such a setup; just use the switch ports on your AP for stuff you want in the lan. If you want to isolate stuff, then create a new network on one of your interfaces.
It's not possible for you to see what you've shown, with your PC mac being seen on 2 different interfaces, unless it was bridged elsewhere on your network or you moved your pc. We have already determined that you did.
Now reboot your pc while it's connected to optX.. It's just not possible for its mac to show up on the other interface - unless you have a bridge outside of pfsense, which would have nothing to do with your pfsense config.
-
@johnpoz Thank you so much for your help and providing insights, this was very helpful. I'll have to re-think my current setup based on what you mentioned but I have a good start now, again, thank you for your help.
-
If you are going to use a bridged setup like that it's better to assign the bridge interface itself and put the static IP and DHCP server etc onto that.
https://docs.netgate.com/pfsense/en/latest/bridges/interfaces.html
Steve
-
@stephenw10 agreed, but I would argue it's never "better" to bridge ;) hehehe
Not saying it doesn't have use cases.. But it should be the last freaking choice, and only as a stop gap measure until you can get the equipment needed not to do it ;)
If I was out of switch ports, and I could not disconnect something, and I had an extra port on pfsense, I would still prob just bring that up on its own network.. If I HAD to have it on the same L2 as xyz.. ok then set up a bridge. But this would only be until I could either disconnect something and free up the switch port, or my order for another switch or a bigger switch came in ;)
Even in that scenario - I would most likely look for something I could move off the switch to an interface on pfsense that could be another network. So I could put this thing I needed on network xyz on the switch ;)
-