Netgate Discussion Forum

    Netgate SG-3100 "bans" access point

    Official Netgate® Hardware
    29 Posts 5 Posters 2.5k Views
    • G
      gich
      last edited by

      I have disabled all packages.
      At the moment it's the most simple setup of pfsense.

      Cables are fine, if I plug in a notebook it works without a problem.

      I can't find anything relevant in any log.

      • R
        rcoleman-netgate Netgate @gich
        last edited by

        @gich If there's nothing in the logs showing things blocked (check the Firewall log specifically) then it's the hardware that's the issue -- and by that I mean the Archer AX10.

        What can you do? Can you ping anything when on the wifi (I presume that's how you're connecting)? Can you ping the Archer?

        When the Archer is misbehaving can you ping it when you plug directly into the switch ports on the 3100?

        What version of pfSense are you running?

        Ryan
        Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
        Requesting firmware for your Netgate device? https://go.netgate.com
        Switching: Mikrotik, Netgear, Extreme
        Wireless: Aruba, Ubiquiti

        • G
          gich
          last edited by

          While it's "banned" I can access the Archer only directly: via any of its ethernet ports or from its WiFi.
          It keeps its assigned ip (assigned from pfsense), unless I restart it.
          From the rest of the net it's just dead.

          I got 22.05-RELEASE.
          Archer is also on its latest firmware.

          • R
            rcoleman-netgate Netgate @gich
            last edited by

            @gich Please connect to another LAN port on the 3100 and try to ping the Archer and the pfSense LAN IP.

            Assuming you set up VLANs on all the ports on the 3100 switch you can move ports.

            Try swapping out cables.

            • G
              gich @rcoleman-netgate
              last edited by

              @rcoleman-netgate The two aren't directly connected. There is at least an unmanaged switch in the middle.
              Anyway tested different ports and cables.

              I think I'll move the Archer to a friend's house, to test it with another router.

              • R
                rcoleman-netgate Netgate @gich
                last edited by

                @gich Remove the unmanaged switch, then, too.

                Troubleshooting includes replacing and swapping all things. There could be an ARP storm caused by the switch that is only affecting your AP.

                • G
                  gich @rcoleman-netgate
                  last edited by

                  @rcoleman-netgate I thought something that simple would be less likely to cause any problem.
                  It has a lot of things connected to it.
                  Anyway I'll try to bypass it.

                  • R
                    rcoleman-netgate Netgate @gich
                    last edited by

                    @gich There are 4 LAN ports on the 3100. If they're not changed from the default LAN interface you can plug into any of them.

                    But to state the 3100 "bans" a device that is multiple links down the chain is not likely at all. There would be a record in the system somewhere... unless the device in the middle is the one that is losing its place. MAC table corrupted, maxed out, ARP storm, switch is failing, etc.

                    The "simple" things are the ones most likely to cause a problem when they meet a challenge because they're simply not geared towards the expectations and performance of an active network. A cheap 8-port switch might have a 1k MAC table and that can fill in minutes or hours depending on how much is happening.

                    • G
                      gich @rcoleman-netgate
                      last edited by

                      @rcoleman-netgate But it's not a new setup, everything is in place for more than 18 months.
                      I find it odd that the thing that does the less complicated job starts to misbehave.
                      I thought since pfsense is the more complex piece, it was the most likely to have something gone wrong.

                      Anyway, I'll try that to be sure.

                      • R
                        rcoleman-netgate Netgate @gich
                        last edited by

                        @gich And hardware can (and will) fail. I would consider trying to reboot the intermediary switch next time instead of the pf and see if that resolves the issue.

                        • J
                          Jarhead @gich
                          last edited by

                          @gich said in Netgate SG-3100 "bans" access point:

                          @rcoleman-netgate But it's not a new setup, everything is in place for more than 18 months.

                          I love when people say that. I must hear it 4 times a week.
                          I've been in the electronics field all my adult life. One thing never fails, you can take a piece of electronics right out of the box and have a resistor blow, or it could run "for 18 months" and have a resistor blow. Ya just don't know.
                          I always tell them, all electronic devices run on smoke, once you let the smoke out, it won't work anymore! 😁

                          • G
                            gich @Jarhead
                            last edited by gich

                            @jarhead The switch has 7 more things plugged that have no problem.
                            I'm not saying it can't be the one that failed, but it's not at the top of my list.
                            I mean, if it was failing I'd expect something more noticeable.

                            Restarting the switch did nothing.

                            Chronologically the last change was the update to pfsense, so that's why I'm here.

                            • G
                              gich @Jarhead
                              last edited by

                              @jarhead Also remember that restarting pfsense does put the Archer back in the game.
                              That's why I'd not focus elsewhere.

                              • R
                                rcoleman-netgate Netgate @gich
                                last edited by

                                @gich Without being willing to accept that something else might be causing the technical issue, or trying to do the recommended troubleshooting, will tend to lead to others abandoning their attempts to assist you.

                                • stephenw10S
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  The only thing in a default pfSense install that could present like this is the sshguard login protection.
                                  When it appears to be 'banned' check Diag > Tables and look for any entries in the sshguard table. If the AP IP is shown there that would do it. It would get 'unbanned' after some time though.
                                  Also that would only affect other devices connected to the AP if it was acting as a router and NATing all the traffic from wifi clients.

                                  Steve

                                  • G
                                    gich @rcoleman-netgate
                                    last edited by

                                    @rcoleman-netgate Did you miss the "I'll try that to be sure" ???
                                    I was explaining why I was pointed in another direction.

                                    • stephenw10S
                                      stephenw10 Netgate Administrator
                                      last edited by

                                      There are some tests we can do to be sure. It 'feels' like a rogue dhcp server or IP conflict though.

                                      • G
                                        gich
                                        last edited by

                                        So I tried to connect directly to the Netgate via another port. Nothing.
                                        Then I removed the static ip on it and, while I was looking around, I had a glimpse on the ARP table of an "incomplete MAC".
                                        WTF is that? Busted port? But it works when I connect the notebook.

                                        So since it was already planned: moved the Archer to a friend's house, very basic setup, and it works fine for hours.
                                        While this was going on I reset the Netgate and reloaded the configuration just backed up.
                                        Archer is back at home where it was before and going strong all night.

                                        Early to tell if this is definitive, since it might have worked for that long before, but I'm hopeful.

                                        Still no idea if the "incomplete MAC" was real or a dream and what that might mean.

                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator @gich
                                          last edited by

                                          @gich said in Netgate SG-3100 "bans" access point:

                                          Still no idea if the "incomplete MAC" was real or a dream and what that might mean.

                                          Means it arped but didn't get an answer, like this if I ping an IP that is not actually there

                                          ? (192.168.9.33) at (incomplete) on igb0 expired [ethernet]

                                          There was no answer to the arp, so it's incomplete.

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.8, 24.11
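
The two checks suggested in the posts above (the sshguard table and an "(incomplete)" ARP entry) can be combined into one triage step. This is an added example, not code from any poster or from Netgate; the addresses, MACs and table contents are constructed, and dumping the table with `pfctl -t sshguard -T show` is an assumption about how the table seen under Diag > Tables is read from a shell.

```shell
#!/bin/sh
# Added example: decide whether a host is blocked by sshguard or simply
# not answering ARP, from the output of two commands.

# Constructed sample in the `arp -an` line format quoted in the thread.
SAMPLE_ARP='? (192.168.9.1) at 00:08:a2:aa:bb:01 on igb0 permanent [ethernet]
? (192.168.9.20) at 3c:52:a1:aa:bb:02 on igb0 expires in 1180 seconds [ethernet]
? (192.168.9.33) at (incomplete) on igb0 expired [ethernet]'

# Constructed sample of a table dump, one address per line.
SAMPLE_SSHGUARD='   192.168.9.20
   203.0.113.7'

# arp_state IP ARP_TEXT
# Prints "incomplete", "resolved <mac> <ifname>" or "absent".
arp_state() {
    printf '%s\n' "$2" | awk -v ip="($1)" '
        $2 == ip {                      # exact match, so .3 never matches .33
            if ($4 == "(incomplete)") print "incomplete"
            else print "resolved " $4 " " $6
            found = 1; exit
        }
        END { if (!found) print "absent" }'
}

# in_table IP TABLE_TEXT
# Exit status 0 if IP is listed as a single address (CIDR entries are not expanded).
in_table() {
    printf '%s\n' "$2" | awk -v ip="$1" '$1 == ip { hit = 1 } END { exit !hit }'
}

# triage IP ARP_TEXT TABLE_TEXT -> one-word verdict
triage() {
    if in_table "$1" "$3"; then
        echo "sshguard-blocked"; return
    fi
    case "$(arp_state "$1" "$2")" in
        incomplete) echo "arp-unanswered" ;;   # ARP request sent, no reply
        resolved*)  echo "layer2-ok" ;;        # look higher up the stack
        *)          echo "no-arp-entry" ;;     # nothing has tried to reach it yet
    esac
}

# On the firewall itself (assumed invocation):
#   triage 192.168.9.33 "$(arp -an)" "$(pfctl -t sshguard -T show)"
triage 192.168.9.33 "$SAMPLE_ARP" "$SAMPLE_SSHGUARD"
```

A verdict of `arp-unanswered` points at layer 2 (cabling, switch, the device itself) rather than a firewall rule, since a pf block does not stop ARP replies.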
                                          • stephenw10S
                                            stephenw10 Netgate Administrator @gich
                                            last edited by

                                            @gich said in Netgate SG-3100 "bans" access point:

                                            So I tried to connect directly to the Netgate via another port. Nothing.

                                            Ah, so you were unable to connect to the 3100 at all when this happens?

                                            I assume you tried only one of the other LAN ports? The AP is connected to a LAN port also?

                                            If you have not yet enabled the OPT port for local access I would do that. You can then try to connect via that and it doesn't rely on the on-board switch config. One thing that could explain a layer2 failure like this is if the switch config is changed somehow.
                                            You can easily check that by running at the command line: etherswitchcfg
                                            But to do that you need to have access to the 3100. The OPT port would give you that but you could also use the console directly.

                                            Steve

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.