windows clients can only ping gateway

elliopitas · Jun 1, 2022, 9:29 AM

@stephenw10 said in windows clients can only ping gateway:

So the pfSense LAN interface address only?

yes

stephenw10 · Jun 1, 2022, 12:42 PM

What error do you see if you try to ping some other device on the local subnet?

elliopitas · Jun 2, 2022, 12:35 PM

@stephenw10 said in windows clients can only ping gateway:

What error do you see if you try to ping some other device on the local subnet?

hmm I seen to fixed the local network somehow but i still get a timeout if i ping my other lan or the internet
here's also the routing table

stephenw10 · Jun 2, 2022, 12:53 PM

Do you see that traffic arriving and being passed by pfSense?

Start a continuous ping to, say, 8.8.8.8. Them check the pfSense state table in Diag > States. Filter it by 8.8.8.8 and make sure there are WAN and LAN states.

If there are no states then either that traffic is being blocked (should be in the firewall log) or it never arrives.

A common thing that can present like this is a rogue dhcp server on your network providing a bad gateway. Make sure pfSense shows your test client in the dhcp leases.

Steve

elliopitas · Jun 2, 2022, 11:04 PM

@stephenw10 said in windows clients can only ping gateway:

Do you see that traffic arriving and being passed by pfSense?

Start a continuous ping to, say, 8.8.8.8. Them check the pfSense state table in Diag > States. Filter it by 8.8.8.8 and make sure there are WAN and LAN states.

If there are no states then either that traffic is being blocked (should be in the firewall log) or it never arrives.

A common thing that can present like this is a rogue dhcp server on your network providing a bad gateway. Make sure pfSense shows your test client in the dhcp leases.

Steve
I can see that the device is leased a DHCP address from the server from DHCP leases tab. there are no states or any traffic from the specific client blocked but I did notice some strange entries but they ware there before this issue

login-to-view
I have no clue who 192.168.2.1 client is. and that address doesn't belong to any of my home networks
I only have 192.168.0.0/24 and 192.168.1.0/24

stephenw10 · Jun 3, 2022, 8:48 AM

Check the ARP table if it's locally attached. It really wants to use UPnP though.

If there are no states or blocked traffic from a test client and the error it shows is a timeout where is it sending pings?

You might have something blocking it and not logging like Snort or Suricata maybe?

elliopitas · Jun 3, 2022, 8:48 AM

@stephenw10 said in windows clients can only ping gateway:

Check the ARP table if it's locally attached. It really wants to use UPnP though.

If there are no states or blocked traffic from a test client and the error it shows is a timeout where is it sending pings?

You might have something blocking it and not logging like Snort or Suricata maybe?

it's not in the arp table.
i don't have anything like that. my LAN consists of 2 pfsense routers 4 ubiquity aps, 1 ap and unifi controller running on a raspberry pi

stephenw10 · Jun 4, 2022, 9:04 AM

Run a pcap. What MAC address is it coming from? If that's another router check there to see where it's being routed from.

Steve

elliopitas · Jun 4, 2022, 9:04 AM

@stephenw10 said in windows clients can only ping gateway:

Run a pcap. What MAC address is it coming from? If that's another router check there to see where it's being routed from.

Steve

I get

11:24:12.375776 c8:3a:35:f1:9f:08 > 01:00:5e:7f:ff:fa, ethertype IPv4 (0x0800), length 440: (tos 0x0, ttl 4, id 0, offset 0, flags [DF], proto UDP (17), length 426)
    192.168.2.1.3213 > 239.255.255.250.1900: [udp sum ok] UDP, length 398
11:24:12.483271 c8:3a:35:f1:9f:08 > 01:00:5e:7f:ff:fa, ethertype IPv4 (0x0800), length 440: (tos 0x0, ttl 4, id 0, offset 0, flags [DF], proto UDP (17), length 426)
    192.168.2.1.3213 > 239.255.255.250.1900: [udp sum ok] UDP, length 398

so the mac of the device is c8:3a:35:f1:9f:08 and the mac of the interface its trying to reach is 01:00:5e:7f:ff:fa right?
i cant find any device or interface in my arp and DHCP tables. checked manually some devices too to see if it was them and i can't find a device that matches this mac

johnpoz · Jun 6, 2022, 5:33 PM

@elliopitas said in windows clients can only ping gateway:

01:00:5e

Is a multicast mac your not going to find that in your arp table. But the other one c8:3a:35 is Tenda company, they make networking gear. https://www.tendacn.com/us/default.html


MAC Address Details

Company
    Tenda Technology Co., Ltd.
Address
    Shenzhen Guandong 518057
    CHINA
Range
    C8:3A:35:00:00:00 - C8:3A:35:FF:FF:FF
Type
    IEEE MA-L

elliopitas · Jun 6, 2022, 5:33 PM

@johnpoz said in windows clients can only ping gateway:

@elliopitas said in windows clients can only ping gateway:

01:00:5e

Is a multicast mac your not going to find that in your arp table. But the other one c8:3a:35 is Tenda company, they make networking gear. https://www.tendacn.com/us/default.html
MAC Address Details

Company
    Tenda Technology Co., Ltd.
Address
    Shenzhen Guandong 518057
    CHINA
Range
    C8:3A:35:00:00:00 - C8:3A:35:FF:FF:FF
Type
    IEEE MA-L

ok found the device and fixed it. but still the problem persists

stephenw10 · Jun 6, 2022, 5:57 PM

If everything is configured with the same subnet size then your problem is probably in the switch. That traffic should be going directly between clients. If it's using wifi then check client isolation.

Steve

elliopitas · Jun 10, 2022, 8:07 AM

@stephenw10 said in windows clients can only ping gateway:

If everything is configured with the same subnet size then your problem is probably in the switch. That traffic should be going directly between clients. If it's using wifi then check client isolation.

Steve

Wi-Fi isolation is not enabled, the clients can ping each other on Wi-Fi, and the switch is working fine since the printer and my linux laptop that are also connected to the same switch have no problems.
i will back up configuration and reset the router I cant figure out what else to do

stephenw10 · Jun 10, 2022, 12:39 PM

I wouldn't expect that to make any difference since that traffic doesn't go through the router at all.

If other devices can ping them then they are able to reply. It's almost certainly some Windows issue locally.

Steve

elliopitas · Jun 12, 2022, 3:39 PM

ok so i solved the problem...
idk why I didn't do this earlier but I checked the arp table of the computers that were not working and the mac didn't match my router.
turns out that my brother's switch killed itself and decided to give itself statically the same IP as the router, arp poisoning the network so the computers could only access devices in the same subnet.
idk why this affected only Windows devices