Netgate Discussion Forum

I can't ping, trace or access my pfSense from half of my network.

General pfSense Questions
21 Posts 6 Posters 3.5k Views
  • M
    maxmouse
    last edited by Jun 18, 2014, 2:58 PM

    Hi everyone, I need some help here.
    I want to use more hosts in my network, so I'm moving from /24 to /23. So far so good, except for one thing: I can't ping, trace or access my pfSense from half of my network.

    Here's the thing: I have the LAN interface as 192.168.0.0/23 and every host with 192.168.0.x can ping, but the other half of the network with 192.168.1.x can't.

    What am I missing? Any help would be great!

    P.S.
    I suspect it is something dumb. I can tell you that all my services are working fine. All the hosts in .1.0 can ping and use other servers in .0.0

    • D
      dreamslacker
      last edited by Jun 18, 2014, 4:22 PM

      Do these hosts have static IPs configured?

      If so, you will need to update the subnet mask accordingly.

      If you're using a separate DHCP server for these machines, have you also updated the DHCP server's issued subnet settings as well?

      • M
        maxmouse
        last edited by Jun 18, 2014, 5:34 PM

        Thank you dreamslacker

        Do these hosts have static IPs configured?

        I have both, and same result with static and DHCP. With the change in the netmask, the DHCP range changed automatically, and all my leases are updated.

        If you're using a separate DHCP server for these machines, have you also updated the DHCP server's issued subnet settings as well?

        Noupe, my DHCP is my pfSense.

        Honestly I'm lost here, this shouldn't be that hard.  :'(

        I already tried to change pfSense's IP and got the same result; maybe some log could bring me in the right direction.

        • K
          KOM
          last edited by Jun 18, 2014, 5:40 PM

          Can you provide some hard numbers just to verify what you have set?  What is your pfSense LAN IP and netmask/CIDR?  For the machines that have problems, what is their netmask set to specifically?

          • M
            maxmouse
            last edited by Jun 18, 2014, 5:57 PM

            Thanks KOM,
            Of course!

            What is your pfSense LAN IP and netmask/CIDR?

            192.168.0.1/23

            For the machines that have problems, what is their netmask set to specifically?

            I have problem with any machine configured like:

            192.168.1.x/23

            For example, I have a mail server at 192.168.0.5/23 and a web server at 192.168.0.4/23 and they're working fine; I can access them from any host with 192.168.1.x/23 or 192.168.0.x/23

            • K
              KOM
              last edited by Jun 18, 2014, 7:44 PM

              Hmm, I believe that should work and give you a range of 192.168.0.1-192.168.1.254.  The behaviour looks a lot like a subnet mismatch.

              Just for laughs, what happens if you take one of the systems on 192.168.1.x that doesn't talk properly and change its subnet from 255.255.254.0 to 255.255.0.0?  Can it talk now?

              • D
                divsys
                last edited by Jun 18, 2014, 9:13 PM

                Just a guess on my part, but any chance you could have a (supposedly) smart switch in the mix that needs to be configured?  ???

                -jfp

                • M
                  maxmouse
                  last edited by Jun 18, 2014, 9:56 PM

                  KOM

                  what happens if you take one of the systems on 192.168.1.x that doesn't talk properly and change its subnet from 255.255.254.0 to 255.255.0.0?  Can it talk now?

                  Noupe, doesn't work.

                  divsys

                  smart switch in the mix that needs to be configured?  ???

                  Well, I inherited three old smart switches, but they don't have any configuration and I can access them from any 192.168.1.x host.

                  What I'm going to do is hard/factory reset each one, just in case, and I will let you know if something changes.

                  And just for the record, attached is a screenshot of the config.

                  Selection_001.png
                  • M
                    MindfulCoyote
                    last edited by Jun 18, 2014, 10:06 PM

                    @maxmouse:

                    Hi everyone, I need some help here.
                    I want to use more hosts in my network, so I'm moving from /24 to /23. So far so good, except for one thing: I can't ping, trace or access my pfSense from half of my network. […] All the hosts in .1.0 can ping and use other servers in .0.0

                    Try rebooting before trying any further troubleshooting. It might be that pfSense hasn't updated the new netmask everywhere. (Diagnostics: Reboot)

                    If you still cannot ping pfSense at 192.168.0.1 from the 192.168.1.x/24 range, I would try looking at the logs to see if the firewall is blocking the packets. (Status: System logs: Firewall)

                    Err

                    –
                    Erreu Gedmon

                    Firewalls are hard...
                    but the book makes it easier: https://portal.pfsense.org/book/

                    • M
                      maxmouse
                      last edited by Jun 18, 2014, 10:51 PM

                      Thank you Coyote,

                      Try rebooting before trying any further troubleshooting. It might be that pfSense hasn't updated the new netmask everywhere. (Diagnostics: Reboot)

                      I already did a fresh install to avoid misconfigurations.

                      I would try looking at the logs to see if the firewall is blocking the packets. (Status: System logs: Firewall)

                      The logs say what is expected: pass. :-\

                      Selection_005.png
                      • M
                        MindfulCoyote
                        last edited by Jun 18, 2014, 11:02 PM

                        @maxmouse:

                        The logs say what is expected: pass. :-\

                        Hmm. The default "Default allow LAN to any rule" rule should be silently passing that traffic. Could I trouble you to post the LAN firewall rules?

                        Err

                        • M
                          MindfulCoyote
                          last edited by Jun 19, 2014, 1:57 AM

                          @maxmouse:

                          I already did a fresh install to avoid misconfigurations.

                          Not to be too repetitious, but I would recommend another reboot. Changing a netmask can really mess up a network. I would reboot the router, pick a test client and reboot it, then try again.

                          Err

                          • D
                            dreamslacker
                            last edited by Jun 19, 2014, 11:31 AM

                            @maxmouse:

                            Well, I inherited three old smart switches, but they don't have any configuration and I can access them from any 192.168.1.x host.

                            What I'm going to do is hard/factory reset each one, just in case, and I will let you know if something changes.

                            And just for the record, attached is a screenshot of the config.

                            Have you tried this:

                            1)  Verify that all the switches are configured for the correct subnet mask (where applicable).
                            2)  Power off the switches and all connected devices (except those that are critical - servers etc).
                            3)  Power on the switches first, then power on the machines.

                            Sometimes, switches don't update their look-up tables properly and a power cycle solves the issue.

                            • M
                              maxmouse
                              last edited by Jun 19, 2014, 7:43 PM Jun 19, 2014, 7:29 PM

                              Hello again guys,
                              No luck, can't believe it, I'm running out of options.

                              but I would recommend another reboot

                              Coyote, after reboot no change.

                              1)  Verify that all the switches are configured for the correct subnet mask (where applicable).
                              2)  Power off the switches and all connected devices (except those that are critical - servers etc).
                              3)  Power on the switches first, then power on the machines.

                              dreamslacker
                              The switches are configured with the same netmask. I even did a hard/factory reset on each and nothing! Tried your steps and got the same result. I can even get the switches' GUI from 192.168.1.x, so I don't know.

                              Kind of frustrating, I'll try to isolate the hardware in a test lab with a standard switch and only one machine, to see what happens, but I can't do that now, because everybody is working right now and for now I haven't a backup.

                              • M
                                maxmouse
                                last edited by Jun 19, 2014, 7:41 PM

                                Trying to find reasons,
                                The only thing I can think of is that one of my providers gave me a router from which my pfSense gets its IP via DHCP, and the range of that DHCP is 192.168.1.0/24. I only have a patch cord connected directly to the pfSense; it doesn't go to any switch, so that's why I don't think that there is a problem, but at this point, I don't know.

                                • M
                                  MindfulCoyote
                                  last edited by Jun 19, 2014, 8:09 PM Jun 19, 2014, 8:00 PM

                                  @maxmouse:

                                  Trying to find reasons,
                                  The only thing I can think of is that one of my providers gave me a router from which my pfSense gets its IP via DHCP, and the range of that DHCP is 192.168.1.0/24. I only have a patch cord connected directly to the pfSense; it doesn't go to any switch, so that's why I don't think that there is a problem, but at this point, I don't know.

                                  Ah Maxmouse.  :) You didn't mention that before. ;)

                                  pfSense has a number of places where it will adopt the DHCP netmask if not explicitly configured differently. Could you provide more topology detail so we can help you better? I'm not sure where the ISP router fits in. Are you saying your network looks like this:

                                  Client                 Switch           [LAN  pfSense  WAN             ]       ISP Router           Internet
                                  192.168.1.131/23  -->  No IP?      -->  [192.168.0.1/23  192.168.1.x/24]  -->  192.168.1.x/24  -->

                                  (also, more screen shots are extremely helpful. Specifically all the interfaces and the LAN rules would really help me. It's ok to black out the first two octets (i.e. x.x.1.1/23) or generically change them if privacy is a concern.)

                                  Err

                                  • M
                                    maxmouse
                                    last edited by Jun 19, 2014, 9:05 PM

                                    I never thought that would be a problem.

                                    On the topic of my topology, you're right; what I've got is:

                                    Client                 Switch             [LAN  pfSense  WAN             ]       ISP Router           Internet
                                    192.168.1.131/23  -->  192.168.0.41  -->  [192.168.0.1/23  192.168.1.x/24]  -->  192.168.1.1/24  -->

                                    As for the screenshots, let me work on them; you know how it is.

                                    • H
                                      heper
                                      last edited by Jun 19, 2014, 9:24 PM

                                      Your LAN & WAN have overlapping subnets. This CAN never work on any kind of router.

                                      • M
                                        MindfulCoyote
                                        last edited by Jun 19, 2014, 9:28 PM

                                        @maxmouse:

                                        Client                 Switch             [LAN  pfSense  WAN             ]       ISP Router           Internet
                                        192.168.1.131/23  -->  192.168.0.41  -->  [192.168.0.1/23  192.168.1.x/24]  -->  192.168.1.1/24  -->

                                        Ok, it appears that the primary issue here is the overlapping subnets created by expanding your netmask. I'm actually surprised this even works at all for the 192.168.1.x clients. It shouldn't. Ok one more question,  do you have pfSense configured for bridging or routing? (If you aren't sure, take a look under Interfaces: (Assign): Bridges )

                                        If not, here are my recommendations in order of preference:

                                        A. If possible, remove the ISP router from the network and connect pfSense directly in its place. (This won't work unless your provider's handoff is Ethernet and they allow direct connections.)

                                        B. If the router cannot be removed, ask the provider if they can configure their router for bridged mode so that your pfSense has a routable public IP on its WAN interface.

                                        C. If the router can't be removed and they refuse to change its configuration to bridged, then I highly recommend you renumber your internal network into a different subnet. Some options could be:
                                        192.168.2.0/23
                                        Your LAN IP would become 192.168.2.1/23 and your LAN hosts would be 192.168.2.2 through 192.168.3.254.

                                        or 10.0.2.0/23
                                        Your LAN IP would become 10.0.2.1/23 and your LAN hosts would be 10.0.2.2 through 10.0.3.254.

                                        Any of those three options should solve your current problem completely.

                                        Err


                                        1 Reply Last reply Reply Quote 0
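The overlap diagnosed in the posts above, as an added example that is not part of the original thread: a Python sketch using the standard `ipaddress` module that finds overlapping connected subnets, models longest-prefix route selection to show which interface a router would pick for a 192.168.1.x client, and checks the renumbering candidates from option C against the ISP router's range. The WAN address 192.168.1.50 is a constructed stand-in for the thread's 192.168.1.x, and the function names are hypothetical.

```python
import ipaddress

# Interface addresses from the thread; the WAN host part (.50) is constructed.
THREAD_SETUP = {"LAN": "192.168.0.1/23", "WAN": "192.168.1.50/24"}

def find_overlaps(interfaces):
    """Return (iface_a, iface_b, shared_range) for each overlapping pair."""
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items()}
    names = sorted(nets)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                # CIDR blocks overlap only by containment, so the shared
                # range is the block with the longer prefix.
                shared = max(nets[a], nets[b], key=lambda n: n.prefixlen)
                overlaps.append((a, b, str(shared)))
    return overlaps

def egress_interface(interfaces, dest):
    """Longest-prefix match over connected routes (a model of generic
    routing behaviour, not pfSense's own code). Returns the interface
    name, or None when no connected subnet covers dest."""
    dest = ipaddress.ip_address(dest)
    best = None
    for name, cidr in interfaces.items():
        net = ipaddress.ip_interface(cidr).network
        if dest in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None

def safe_candidates(candidates, upstream):
    """Keep only candidate LAN subnets that do not overlap the upstream one."""
    upstream = ipaddress.ip_network(upstream)
    return [c for c in candidates
            if not ipaddress.ip_network(c).overlaps(upstream)]

if __name__ == "__main__":
    for a, b, shared in find_overlaps(THREAD_SETUP):
        print(f"{a} and {b} both claim {shared}")
    for host in ("192.168.0.5", "192.168.1.131"):
        print(host, "-> replies leave via", egress_interface(THREAD_SETUP, host))
    print("usable LAN subnets:",
          safe_candidates(["192.168.0.0/23", "192.168.2.0/23", "10.0.2.0/23"],
                          "192.168.1.0/24"))
```

Under this model the more specific /24 on WAN wins for any 192.168.1.x destination, which matches the symptom that only the 192.168.0.x half of the /23 could reach the firewall.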
                                        • M
                                          maxmouse
                                          last edited by Jun 19, 2014, 10:24 PM

                                          Finally!
                                          I want to thank you all for the help, as I said "I suspect is something dumb".
                                          The solution was to change the LAN configuration of my ISP's router; fortunately it wasn't hard to break its security, and now all is working.

                                          Thank you all!

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.