unable to access ips on vlan after changing Gateway/dns
-
@comet424 said in unable to access ips on vlan after changing Gateway/dns:
so if ungray the 2nd allow i have
well that would allow it to resolve pool.ntp.org, your pointing it to pfsense for dns - that 192.168.10.1 address.. But you have no rules to allow dns other than that allow all rule.
If all you want is for them to be able to sync time.. And not the actually use the internet. Might be better to just point them to pfsense IP for ntp. Then they need no dns nor any internet access at all.
But from your screenshot - they don't allow just putting in an IP for ntp server?
-
@johnpoz
ah ok. ya for now only want it to sync time no internet.. it does sync the time if i enable my 2nd line i have that opens up everything... so i figured maybe its really not on port 123?the cameras do have "custom" under ntp server and you can enter a ntp server
do i use 192.168.10.1(camera network) or do i use 192.168.0.1 main address to pfsense?
oh and to get the pool.org id have to add dns port then you were meaning
-
i tried 192.168.0.1 and 192.168.10.1 it says succeded..
are both ok or is 1 the proper way to do it
-
@comet424 Just point it to pfsense IP on the camera vlan, 192.168.10.1 now you don't need any dns, and you could change your ntp rule to only allow to 123 udp on camera vlan address.
Either work because your rule for 123 allows it to go anywhere. But if your looking to block all access to anything other than ntp, only the pfsense IP on that vlan really needs to be allowed.
-
oh ok so get rid of the rejects then? and i can fix that ill point all to 10.1
i have one last question for now with these camears
when i orginaly plugged them in they were all dhcp and host name came up with camera as the host name
i edited each one and set static ips
and i changed each name to like cam1 cam2 cam3 cam4
but it shows up blank now... is there something to run to force pfsense to get the host names.. i know doesnt matter for such a small amount of cameras but would be nice if it show up cam1 cam2 like it did when it was showing up camera as the host nameany special trick? or is a port i need to open like the 123 ntp
-
@comet424 said in unable to access ips on vlan after changing Gateway/dns:
i edited each one and set static ips
You set this were - on the camera or via a dhcp reservation?
If I look in my arp table stuff I have set for reservations show up with names.
example here are my alexas that all have dhcp reservations to always get the same IP.
If you want stuff that you setup static on the device to show up with a name, you could always just create a host override in unbound for that specific IP, so that it resolves to the name you want, ie cam1, cam2 etc..
But in the long run dhcp reservations are going to be a better option vs settings specific on the device. dhcp reservations would allow you to easy change the ip in the future without having to touch the device. Or change other stuff you might hand out via dhcp, like gateway or ntp, there are lots of options that might be useful to hand out via dhcp - be it your device takes advantage of them or not is another thing. But if you set dhcp reservations vs on the actual device - in the future if you want to change the whole network IP space its as simple as some adjustments on pfsense without having to touch each device. A simple reboot of the device should all that be required to get say the new IP, gateway, dns, etc. And if they are poe, that can be as simple as turning off poe on your switch for a second, etc.
-
@johnpoz i set the names in the Camera itself.. it has a section called "name" and they were all labeled camera
and the dhcp orginally in the arp table labled them "camera"
but i had changed the names in the cameras to
all from
camerato cam1 cam2 so i figured the hostnames would change from camera to cam1 cam2 cam3
but it didnt especially after i did static ipill look up this dhcp reservation.
-
oh ok so dhcp is better
reason i went static incase pfsense goes down then cameras go down too... but then i learned about CARP
but figured if pfsense is down having static camera ips was better? always learning
and is dhcp reservation same meaning as "dhcp static mapping"
-
@comet424 keep in mind that if your dhcp server (pfsense) goes down... The dhcp client just doesn't magically loose its IP. The device should keep its IP for the length of the lease it has left. So unless you rebooted the device its ip should be good for at min 50% of whatever your lease time is.
So say my lease is 2 days.. At 1 day the device would try to renew, and then lease would be good for 2 days again. So even in a worse case scenario and it was like 1 minute before the 50% renewal mark, your devices IP should be good for 1 day even if your dhcp server is offline.
If your lease is 2 hours, then worse case is 1 hour, if your lease is set for 4 days then worse case is 2 days, etc.
Depending on the device it might even survive a reboot with no dhcp server available and still use its last leased IP, etc.
I have never in all the years using pfsense ever seen an issue where dhcp server went down, and the rest of pfsense was working.. Not saying that couldn't happen - but its a pretty minor thing to worry about ;)
-
@johnpoz
i googled an older article about dhcp reservationsin pfsense you click + button on a dhcp status and it adds it to the dhcp mapping but my dhcp leases dont have a + beside them to add them i normally have to manually just copy mac address... was this + add button removed?
ah and ther reason about pfsense going down.. for around 118 days pfsense was up... but then it started crashing or the network card i dunno.. lost access to pfsense.. reboot no errors..
the on board nic is a realtek and my 4 port card i had in it was a realtek too.. and i remember someone saying realtek not supported by pfsense.. something with the card has an issue i forget... as it was constantly going down.. los of the access to pfsense so i had issues with wifi least i find issues with my TPlink Wifi switchs and plugs they seem to go down as they only dhcp....i not sure how to inscrease dhcp lease longer i think mine set to 1100 seconds
so i replaced the realtek card with a 10gtek card 2 port hoping that s better.. as intel cards on amazon were like 300 bucks for some reason here in canada
-
@comet424 said in unable to access ips on vlan after changing Gateway/dns:
but my dhcp leases dont have a + beside
huh?
What version of pfsense are you using, where are you looking.
That button would be in the dhcp leases table - only stuff that actually got a lease would be seen there, etc.
i think mine set to 1100 seconds
Where did you come up with that number, that is not default - which I believe is 2 hours.. 1100 seconds is like what 18 minutes - why would you have set a lease to such a ridiculously low number?
And you have 300 clients on this network - so you have devices renewing their leases every 9 minutes... That is going to be a shit ton of dhcp traffic for what reason??
-
ive never changed dhcp... so i looked at the arp table.. i guess it is 1200 seconds for static ips and dhcp leases... i never set the 1200 seconds thats the default from when i just set it up i dont even know how you change lease time
all i know is all dhcp and static ips says "Expires in 1195 seconds" is the hightest one i seen so i guessing it defaults at 1200seconds
as for the version i have im running 2.6.0-release amd64 freebsd 12.3-stable
and under dchp leases i have same as you minus the two plus's
so heres my moms dhcp lease under dhcp leases no ++and how do i inscrease the dhcp lease time for lans and vlans then from 1200 seconds default to whatever?
ill check the defaul least time from ur post i just seen ur reply as i replied
-
@comet424 arp is different than dhcp lease time, they don't have anything to do with each other.. I believe the arp cache timeout in pfsense is like 20 minutes.. 1200 seconds.
edit:
yeah that doesn't look right - did you try with a different browser, are you using anything in browser that might block those?
-
@johnpoz ah ok
and my default least time is set blank so guessing thats 7200 seconds
learn something new everyday.. i thought the arp table the expires seconds was the dhcp leases counting down..and ya i dont
have any the 4 icons you got
the 2+ a power button and trashcanhere is a start i know its static ip but doesnt show more... i tried 2 computers and both running Edge and Chrome nothing showing up... Trash cans show up on ARP Table if that helps
-
is there a setting like a toggle switch that enables and disables the ++power button and trashcan?
-
@comet424 static leases (reservations) wouldn't have any of those icons. But something that just got a normal dhcp lease should show them.
Do you have a scroll bar at the bottom - maybe the size of screen or whatever is its just not showing it
-
@johnpoz ah ok
then not working right then as none of the dhcp leases have ++ power icon and trashcanis the power icon for wake up lan?
what i notice too some of the dhcp leases they say they offline but the really online so whats weird
-
@comet424 I think there is some change coming with that.. Yeah these can show offline if they haven't talk to pfsense in a while - and the arp cache has expired..
Only way if pfsense knows if a client is actually online is if it has it in its arp cache. So if the device hasn't need to send any traffic to pfsense in a while, then for all pfsense knows the device is offline.
something is up with yoru display - your statics should at least havve the little pen/pencil thing for editing
-
@johnpoz ah there is is...
thats werid screen is big enough the display area doesnt
so here screen capture of my browswer... so my browswer wide enough the frame is not expanding
-
@comet424 weird - so some sort of browser issue take it then.
So you did have the scroll bar at the bottom then.
edit: do you have hostname or description with long names - that seems to throw off the window sizing.. I have this roomba that name is really long - and think that is throwing mine off a bit, going to set it so that name is shorter and see if that clears mine up and gets rid of the scroll bar at the bottom.
