strange, can access device if dhcp allocated, but not when reserved
-
Hi there
I realise/know what you saying... same vlan must be able to talk to each other... not arguing... but what i am def having is when I do a dhcp reservation for the MAC address inside my reservation block then I can't access the device, if I allow it to get a IP itself from the DHCP service then I can...
I did say to start with this is strange...
For now it's working, will fault find this later.
G
-
@georgelza are you using kea - and reservations are not working? And your devices gets nothing so ends up with an IP of 169.254?
Just look in your log is an IP given out.. Look on your device what is the IP, what is the mask - if devices are on the same network - how the device got the IP means nothing.
-
@johnpoz I was using KEA, I've been suggested to use ISC. switched over.
At the moment... My 2 Wifi networks are
vlan20 : tinman -> 172.16.20.0/24 with DHCP managed 201->250
vlan100 : tinmaniot -> 172.16.100.0/24 with DHCP managed 201->250lan is 172.16.10.0/24
if I allow device join SSID and get a address itself then i can reach it, apply to both.
if I dhcp reserve a ip based on MAC then i can't access device... device has internet access though as i can connect keyboard/scree/mouse and ping my gateways, i can do a apt-get update / upgrade,this even applies when the devices are told to join vlan20, which is also the vlan on which my Mac sits, from where i work.
G
-
@georgelza said in strange, can access device if dhcp allocated, but not when reserved:
if I dhcp reserve a ip based on MAC then i can't access device... device has internet access though as i can connect keyboard/scree/mouse and ping my gateways, i can do a apt-get update / upgrade,
Several things here.
Explain 'access the device' ? Access how ?
You an touch it, use it, it has "Internet" etc.
Do you mean : other devices can't access it ? Are devices on the same LAN ? Other LAN ? Elsewhere ?
Every device has also its own firewall. Have a look at it ... ;)Example, If you have two PCs, PC A and PC B on the same LAN network, and PC A can't access PC B, then you can stop looking at pfSense, as traffic from A to B is never even seen by pfSense. And pfSense can't blocked what it doesn't 'see' ^^
Go interrogate PC B, hint : it has a firewall for sure.No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
@georgelza said in strange, can access device if dhcp allocated, but not when reserved:
vlan20 : tinman -> 172.16.20.0/24 with DHCP managed 201->250
vlan100 : tinmaniot -> 172.16.100.0/24 with DHCP managed 201->250So your devices are not on the same network? Or they are both the same vlan? Or are they on the lan?
So yeah what exactly do you mean by access? And what IPs do the devices get? Can you not access them by name or IP - can device A ping device B ip address.. Lets see the details of each devices IPs if windows it would be ipconfig /all
Not sure what it would be on mac device? But if you have nmcli you can get the info using that.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@georgelza said in strange, can access device if dhcp allocated, but not when reserved:
if I allow device join SSID and get a address itself then i can reach it, apply to both.
if I dhcp reserve a ip based on MAC then i can't access device...Just to be clear in both situations the device pulls an address.subnet/gateway via DHCP. The only difference is whether that is a static mapping in the DHCP server?
Or are you actually setting it statically on the device when you reserve the IP?
-
Just to be clear in both situations the device pulls an address.subnet/gateway via DHCP. The only difference is whether that is a static mapping in the DHCP server?
both pull... via dhcp, as you said one is reserved based on mac address and then handed out on request, for the other there is no reservation so it gets one from the dhcp pool
no static config on device.
G
-
@Gertjan said in strange, can access device if dhcp allocated, but not when reserved:
Several things here.
Explain 'access the device' ? Access how ?
(/post/1200985)ssh
pingYou an touch it, use it, it has "Internet" etc.
it has outbound access which implies it knows where the gateway is at least, network is correctly configured.
Do you mean : other devices can't access it ? Are devices on the same LAN ? Other LAN ? Elsewhere ?
both same lan and different vlan.
Every device has also its own firewall. Have a look at it ... ;)
Raspberry pi's with Rasbian, no FW on device configured. vanilla deployment, if there was a fw then it would also be blocking me when i dynamic dhcp assign, if it was fw then it would prob have worked when client on same land/vlan and block when not. it's blocking irrespective of client/my mac.
Example, If you have two PCs, PC A and PC B on the same LAN network, and PC A can't access PC B, then you can stop looking at pfSense, as traffic from A to B is never even seen by pfSense. And pfSense can't blocked what it doesn't 'see' ^^
Go interrogate PC B, hint : it has a firewall for sure. -
@georgelza said in strange, can access device if dhcp allocated, but not when reserved:
both same lan and different vlan.
Then its a firewall issue on that device.
You have to allow ICMP so it can receive ping packets - and it will reply.
You have to allow SSH (port 22 TCP) incoming connections.edit : This behavior is more normal then you think.
Connect a Microsoft Windows device to your network for the very fist time and you'll see worlds worst understood question : Private our Public network ?
If you have chosen Public, then that Microsoft Windows device will only accept traffic coming from the local gateway and nothing else.
Solution : go Private (or trusted) ;) as you can (normally) trust your own LANNo "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
@johnpoz said in strange, can access device if dhcp allocated, but not when reserved:
Not sure what it would be on mac device? But if you have nmcli you can get the info using that.
Mac as in MBP, Macbook pro... not MAC as in MAC address, sorry should have been clearer.
G
-
@Gertjan said in strange, can access device if dhcp allocated, but not when reserved:
Then its a firewall issue on that device.
Rasbian does not come with configured firewall.
the only difference being able to ping device and/or ssh onto device is changing how the ip is assigned.
1 . dynamic dhcp out of pool
2. static assigned via dhcp reserve based on mac address. -
@georgelza lets go over some basic information on how devices on the same network talk to each other.. This might clear up how pfsense has zero to do with devices on the same network, and why at makes no difference if IP is from pool or reservation..
device A 192.168.1.100/24
device B 192.168.1.200/24
device C 192.168.2.50/24So device A wants to talk to B.. It says oh that .200 is on my /24 network - let me arp for what mac .200 has.. If it gets an answer from B that its mac is say abc..
then it sends its traffic to mac abc.. If it gets no answer then it can not send traffic - pfsense has zero to do with this.
If B wants to talk to A - same process.
If A wants to talk to C - oh that IP is not on my network.. I will send that traffic to my gateway (pfsense).. So if the mac of its gateway is not in its cache it will arp for its gateway IP, once it has the mac it will send the traffic for 192.168.2.50 to the mac of the gateway - lets say that is xyz - pfsense will see traffic to its mac (xyz) and say oh this traffic wants to go to 192.168.2.50 - i know how to get there and my firewall rules allow it.. And will send the traffic on.
In no scenario is pfsense involved in A talking to B - and A or B don't care how they got their ip - be it from some pool, or from some reservation or if the IP was set static on the device.. If the devices are on the same network pfsense is not involved, nor does it matter what IPs each device has as long as they are on the same network.. Is one of the clients getting the IP of some other device on your network? Ie a duplicate IP?
lets see the IPs your devices are getting when they can not talk to each other.. And lets see the arp table of these devices after you try and talk to the other device.
Here is me pinging device on my network.. See its mac, I can validate this is the mac of the device on that device.
If can not ping - does it get a mac? Is the mac correct? pfsense has nothing to do with this at all.
Here is mac of that 9.10 device
-
@johnpoz said in strange, can access device if dhcp allocated, but not when reserved:
@georgelza lets go over some basic information on how devices on the same network talk to each other.. This might clear up how pfsense has zero to do with devices on the same network, and why at makes no difference if IP is from pool or reservation..
device A 192.168.1.100/24
device B 192.168.1.200/24
device C 192.168.2.50/24So device A wants to talk to B.. It says oh that .200 is on my /24 network - let me arp for what mac .200 has.. If it gets an answer from B that its mac is say abc..
then it sends its traffic to mac abc.. If it gets no answer then it can not send traffic - pfsense has zero to do with this.
If B wants to talk to A - same process.
If A wants to talk to C - oh that IP is not on my network.. I will send that traffic to my gateway (pfsense).. So if the mac of its gateway is not in its cache it will arp for its gateway IP, once it has the mac it will send the traffic for 192.168.2.50 to the mac of the gateway - lets say that is xyz - pfsense will see traffic to its mac (xyz) and say oh this traffic wants to go to 192.168.2.50 - i know how to get there and my firewall rules allow it.. And will send the traffic on.
And I do know the above, I said this is strange...
In no scenario is pfsense involved in A talking to B - and A or B don't care how they got their ip - be it from some pool, or from some reservation or if the IP was set static on the device.. If the devices are on the same network pfsense is not involved, nor does it matter what IPs each device has as long as they are on the same network.. Is one of the clients getting the IP of some other device on your network? Ie a duplicate IP?
lets see the IPs your devices are getting when they can not talk to each other.. And let's see the arp table of these devices after you try and talk to the other device.
when dynamic dhcp assigned on vlan20 (tinman ssid) it gets random 172.16.20.200+ up to 250, happens to be 172.16.20.206 in this case.
when i dhcp reserve it's based on mac address... => 172.16.20.83
my MBP sits on 172.16.20.29 for reference.
when dynamic assigned i can ssh to device and i can ping device, when assigned using dhcp reserve then i can't... even though the device have network/internet access so network wise its correctly configured.I simply came here as most guys here know network well... and might have had a idea/seen this before... not to worry...
had this on multiple raspberry pi devices, even reimaged 2 of them.
-
Do you have more than one reservation for said device? On your various VLANs?..
I have seen in the past where a device will grab the address from the wrong VLAN..
-
@georgelza if you know how this works - then troubleshoot what is going on.. If you know this, then you should know what your saying makes no sense at all..
So lets see the details so we can figure out what is actually going on - because an ip from pool or reservation or static has zero to do with it. ZERO!
Maybe you have a duplicate IP issue? maybe you have a firewall issue where only specific IPs are allowed? But dhcp pool/reservation or static has zero to do with the problem.
Devices either have IPs that are on the same network - or they don't, doesn't matter how they got those IPs
-
Mmm, there must be something different about the lease it pulls with the static mapping. And what makes most sense is that it has the wrong subnet mask. That should be easy enough to see on the device itself though.
Otherwise I would be running packet captures wherever you can to see what is actually being sent.
-
@stephenw10 but you can not adjust the mask in a reservation. It would make no sense that is an option even.
-
Mmm, good point!
Still feels like a subnet mask issue somewhere though. Especially if the dynamic lease is still in the 2-128 range whilst statics are all >201.
-
@stephenw10 not out of the realm of possibilities - but working with limited info.
But without some details - what I am going to say generally is what the OP is saying is just not possible.. Unless he is reserving an IP for this device where this IP already exists on the network.. Or there is some firewall rule on device that only allows specific IPs.
But handing out .x or .y on a network be it next one in the pool, or reserved for client A isn't the problem
Now if user set the IP on the device directly - then yeah mask could be for sure a common problem that happens.
-
I mean it could be the device testing from has it set incorrectly. Just seeing IPs from two halves of the /24 like that (assuming it is) screams subnet mask to me.
