Can't access Chromecast or ping other hosts on subnet, UPnP or client isolation?
-
Hey everyone,
My pfSense router has been working great since I got it all installed and configured earlier this week! I'm still learning and getting familiar with it, but my roommates and I are running into a few issues that I believe may be related.
-
Can't see Chromecast on the network (though it's in pfSense's ARP table) and can't see Chromecasts' SSID that it usually broadcasts
-
Can't connect to online matches on Mario Kart for Wii U
I saw this thread about Mario Kart issues (https://forum.pfsense.org/index.php?topic=77943.0) and also this thread about Chromecast issues (https://forum.pfsense.org/index.php?topic=65559.15) and both seem to reference UPnP. I enabled UPnP and checked the Allow UPnP Port Mapping and Allow NAT-PMP Port Mapping options, but still not seeing the Chromecast (haven't tried Mario Kart yet since, but I'm hoping that fixed the issues there).
The other thing I saw on the Chromecast thread was something about client isolation. It sounds like if I can't ping other hosts on my subnet (all hosts are on the same subnet, I have modem –WAN--> pfSense router --LAN--> Netgear R7000 [wireless AP mode, stock firmware]) then client isolation may be enabled on the wireless AP, though I don't see that option anywhere in the web GUI, I just have the built in Enable AP Mode box checked off getting IP address settings dynamically from the pfSense box.
Any recommendations or hints from anyone out there with similar issues? The only thing I can think of trying next is flashing Kong's 24500M DD-WRT firmware to my R7000 and ensuring that client isolation is not enabled and then turning off DHCP and whatever else I need to disable in order to have the R7000 act as a wireless AP only.
-
-
Is everything wireless? Can you ping between any two wireless devices?
Do you only have the LAN internal interface in pfSense?
The r7000 appears to have client isolation enabled by default for the guest wireless network.
Steve
-
Everything is wireless except two devices which aren't relevant to this problem. I cannot ping between any two wireless devices. I tried running the Fing Network Scanner app on my iPhone and all it saw was the pfSense router, the wireless AP, and the two devices plugged into the wireless AP via Ethernet, none of the other roughly 15 devices wirelessly connected to that same AP.
I only have two interfaces on the pfSense configured as described before, the gigabit Ethernet WAN interface connected to the modem and the gigabit Ethernet LAN interface connected to the wireless AP.
-
"The r7000 appears to have client isolation enabled by default for the guest wireless network."
MarkVLK you're using the Guest network?? Why? From the Netgear FAQ
http://kb.netgear.com/app/answers/detail/a_id/23794
Is there any wireless isolation settings on this model?
Wireless isolation is no longer an option on the R7000.
You should be connecting to some normal network you setup and using wpa2 psk.. Not an open guest network - I would assume as well that a guest network has isolation enabled all the time. Should even be able to disable it.. Why would guests need to talk to each other? That is bad security practice to have a guest network without isolation.
-
I'm not using the open guest network, I'm using the WPA2 network I configured before switching the R7000 from a wireless router to just a wireless AP.
-
Well according to the FAQ they don't have isolation as an option..
Here's the thing
"Can't see Chromecast on the network (though it's in pfSense's ARP table)"
What does it matter if pfsense has it in its arp table? What about your client's arp table that is looking for it?
"can't see Chromecasts' SSID that it usually broadcasts"
That would have nothing to do with your router or pfsense - if you're not seeing that, that would be on your client side or chromecast being broken and not broadcasting it. Chromecast will broadcast that network for setup or when it can not connect to the network it was setup for.
Here is the thing if you have a router setup as AP.. pfsense has nothing to do with that other than being a connection off that network. It's a client on that network just like the rest of you - except it's wired to it. Clients of that wireless network not talking to each other have nothing to do with pfsense. You not seeing a device broadcast an SSID has NOTHING to do with pfsense. You sure you're listening on 2.4 for the chromecast ssid. Turn off your wireless AP so that chromecast can not connect to its network.. And you should see it broadcast its SSID for setup.
Now might seem odd – but you sure you're on your network! I have seen it so many times it's not even funny.. John can not print but can ping it.. Well that's because you're connected to the linksys ssid across the street, not your linksys -- and they just happen to have a device with the IP you use for your printer ;) What did I tell you about using a unique SSID, broadcasting it and securing it ;)
If you have say 2 laptops on your wireless network. Try and ping them - do you see their mac in your client's arp table?
arp -a
Do you see their mac, and no ping - you sure they don't have it blocked on software firewall. This would be my guess.
More than happy to help you troubleshoot your problem - but this has nothing to do with pfsense at ALL.. Turn pfsense off - can your clients connected to your wireless clients ping each other ;) Unless you're using pfsense to route between segments.. Do you have wired and wireless segments or 2 wireless networks? 192.168.1.0/24 say is your wired and your wireless network on different interface on pfsense on say 192.168.2.0/24 ?
-
Yes, exactly. Traffic between two wireless clients should travel to the access point and back out again, not through pfSense. It's being blocked at the access point.
I suggested you might be using the guest network because, reading the manual, it only lists client isolation for the guest network. Your symptoms exactly match this. There may well be some advanced features not detailed in the manual. If not the R7000 has a load of other firewall features which could get in the way, QoS various port/protocol filtering for example.
Steve
-
I appreciate your guys' help even if it isn't directly pfSense-related. I'm trying to get you guys all the details I've got!
Well according to the FAQ they don't have isolation as an option..
Which FAQ are you referring to? This page (http://kb.netgear.com/app/answers/detail/a_id/24095/~/how-do-i-specify-the-basic-wireless-settings-on-my-nighthawk-r7000-router%3F) shows that the R7000 does have a Wireless Isolation setting.
What does it matter if pfsense has it in its arp table? What about your client's arp table that is looking for it?
If you have say 2 laptops on your wireless network. Try and ping them - do you see their mac in your client's arp table?
I ran the "arp -a" commands on my desktop and my laptop and, interestingly enough, both of them only see the pfSense router, the wireless AP (R7000), and each other (laptop sees desktop and vice versa). The only thing I changed on my desktop is that I noticed Windows had configured my wireless network as "public" so I changed it to "home." I am able to ping my laptop from my desktop and vice versa and can also ping the other devices seen in the ARP table. Now on my iPhone when I use the Fing Network Scanner app, it sees the pfSense router, the wireless AP, my desktop, my laptop, and a device that's plugged in via Ethernet to the wireless AP. The iPhone can ping all of these devices that it sees.
I think I will try doing a factory reset on the Chromecast and see if I can set it up again, but I'd still like to figure out why most of the devices on the network (there's 22 at the moment) can't see one another. My only idea right now is that the wireless AP does indeed have client isolation turned on, I assume it has nothing to do with the transparent Squid proxy I have running on the router.
Now might seem odd – but you sure you're on your network!
I'm definitely on my network, we have a very unique SSID and it's secured with WPA2.
Do you have wired and wireless segments or 2 wireless networks? 192.168.1.0/24 say is your wired and your wireless network on different interface on pfsense on say 192.168.2.0/24 ?
I just have 1 wireless network, no wired segment, just the two devices plugged into the wireless AP. All devices are on 192.168.1.0/24.
I suggested you might be using the guest network because, reading the manual, it only lists client isolation for the guest network.
Here you can see the guest network is not enabled.
Also, the 4 devices the wireless AP says it sees are my laptop, my desktop, my phone, and the device plugged in via Ethernet.
-
"7. To allow computers or wireless devices that join the network to use the Internet but not to access each other or access Ethernet devices on the network, select the Enable Wireless Isolation check box."
And is that check under your basic wireless?
I gave you link to the FAQ I quoted
http://kb.netgear.com/app/answers/detail/a_id/23794
They are clearly in contraindication - so do you have that checked or not. Do you have that box or not to even check or not check?
"I assume it has nothing to do with the transparent Squid proxy I have running on the router."
Yes you assume correctly - Pfsense has NOTHING to do with what your wireless clients do with each other, nothing!! You can turn pfsense off if you want - pfsense is just your gateway off the network.. Your connection to that network is via your wireless accesspoint.
And yes your software firewall needs to be in home or private - public would block everything. And you might even want to double check that you're allowing ping in the firewall - you're not running any 3rd party antivirus or security software that might be running firewall as well?
Ping an IP address of one of your wireless devices from another wireless device - does it now show up in your arp table?
-
Ah thanks for the link, sorry I didn't see it in your previous post.
They are clearly in contraindication - so do you have that checked or not. Do you have that box or not to even check or not check?
Yeah definitely some contradiction there, one of them must be outdated. Here's the funny part, I don't see that as an option in the GUI, but when I search the source, I see this:
Enable Wireless Isolation
-->
Commented out code that allows that option, but looks like the default value was to enable it? Before I had the pfSense router setup and was just using the R7000 as a wireless router, the Chromecast was visible to all so it must not have been enabled, but now that I have the Wireless AP mode enabled, nobody can see it. Either way, if isolation used to be an option but isn't now, that means to me that the router is capable of enabling it, they just don't make it an option to the end user anymore. I'm tempted to try dynamically un-commenting the code in Chrome, un-checking the isolation option, saving the changes to see if that does anything but I don't want to mess up the router if that does something weird with the newest firmware running on it.
Yes you assume correctly - Pfsense has NOTHING to do with what your wireless clients do with each other, nothing!!
Point taken haha, so I know that it's something to do with the R7000 for sure.
And you might even want to double check that you're allowing ping in the firewall - you're not running any 3rd party antivirus or security software that might be running firewall as well?
Nah I don't have any 3rd party software installed on my desktop, just the stock Windows stuff.
Ping an IP address of one of your wireless devices from another wireless device - does it now show up in your arp table?
My desktop, laptop, phone, and tablet are all connected wirelessly and can ping each other now interestingly enough (I mentioned in previous post that desktop, laptop, and phone could ping one another and they showed up in each other's ARP tables, just found out that tablet appears now, also using Fing app).
-
You're normally not going to see anything in the arp table unless you try and talk to its IP, so that an arp goes out and gets an answer.
Try running a scan from say your desktop for your network and then you should see every client's mac. Even if they don't answer because of firewall - if they saw the arp, they normally will always answer..
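The ARP-versus-ping check described in the post above, as an added example that is not part of the original thread. It assumes Windows `arp -a` output captured after pinging every host you expect on the subnet (for instance the DHCP leases pfSense shows); all addresses, MACs and ping results below are constructed.

```python
import re

# Constructed sample: `arp -a` on a Windows client after a ping sweep.
SAMPLE_ARP = """\
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.2           00-11-22-33-44-02     dynamic
  192.168.1.51          00-11-22-33-44-51     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)\s*$"
)


def parse_arp(text):
    """Return {ip: mac} for dynamic (learned) entries only.

    Static rows (broadcast, multicast) are skipped: they are not
    evidence that a neighbour answered an ARP request.
    """
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table


def classify(expected_ips, ping_ok, arp_text):
    """Label each expected host by the layer at which it answered.

    reachable: replied to ping.
    arp-only:  answered ARP but not ping, so layer 2 works between the two
               clients; look at the host firewall (e.g. Windows "public").
    no-arp:    no ARP reply at all; consistent with the AP not forwarding
               between wireless clients, or the host being off or asleep.
    """
    arp = parse_arp(arp_text)
    result = {}
    for ip in expected_ips:
        if ping_ok.get(ip):
            result[ip] = "reachable"
        elif ip in arp:
            result[ip] = "arp-only"
        else:
            result[ip] = "no-arp"
    return result


if __name__ == "__main__":
    # Constructed: router, AP, a laptop with a strict firewall, a Chromecast.
    expected = ["192.168.1.1", "192.168.1.2", "192.168.1.51", "192.168.1.60"]
    pings = {"192.168.1.1": True, "192.168.1.2": True}
    for ip, state in classify(expected, pings, SAMPLE_ARP).items():
        print(ip, state)
```

Many `no-arp` results for hosts known to be powered on point at the access point rather than at the clients or the gateway.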
-
Interesting, the manual I read doesn't mention client isolation for the main access point either. From the FAQ wording perhaps it's a feature that has changed with a firmware version. Anyway you clearly don't have it enabled if your iphone can see other wireless devices.
The fact that Windows (on your laptop?) changed the wireless network type to public could be a clue here. That usually only happens when the MAC address of the access point it's connecting to changes. Perhaps when you put the router into access point mode it uses a different MAC? If so that might also have implications for the Chromecast. From a security stand point it might assume a rogue access point is spoofing your SSID and not allow that network to connect for example.
Steve
-
Sorry it took me so long to get back to you guys.
You're normally not going to see anything in the arp table unless you try and talk to its IP, so that an arp goes out and gets an answer.
Yeah, on my Windows desktop I ran the "arp -a" command and all I saw was the router, wireless AP, and device plugged into AP via Ethernet but then I used the Fing network scanner app on my iPhone while running Wireshark on my desktop and saw the phone ask the whole 192.168.1.1/24 subnet who had each IP. My phone only discovered the router, wireless AP, wired device, and my desktop but after that my phone's IP was in my desktop's ARP table.
I'm not really sure why my desktop is the only wireless device to respond. My tablet is on and connected to the network (and I'm sure all of my roommate's phones & tablets are as well) but none of them are seen by my phone. Also, when I ran the Fing network scanner app on my tablet, it saw my desktop and the other devices my phone saw, but didn't see my phone.
Perhaps when you put the router into access point mode it uses a different MAC? If so that might also have implications for the Chromecast.
This is possible, I'm not sure though. However, the fact that all our devices could see our Chromecast before I switched the R7000 from router mode to wireless AP mode and now none of the devices can see it makes it seem like this is certainly a possibility. I was going to flash DD-WRT to the R7000 and see if I could just ensure client isolation is turned off in there but I've been reading the forums recently and seems like the current version of DD-WRT for the R7000 isn't very stable at the moment :-\
My roommates are getting pretty frustrated that they can't use the Chromecast anymore so I wish I could figure out a way around it now, please if you guys have any other suggestions for me let me know!
Thanks for all your help.
-
I'm not familiar with that Wireless Router but Wireless Isolation has to be disabled for Chromecast to work. I have one and I'm pretty sure its not a pfSense issue…
I'm running dd-wrt on my Wireless Router in AP mode... They work great with my Chromecast so far.
By chance, can you ping the CC from a wired PC/Laptop?
-
I don't know what it has to do with Wireless Isolation, but disabling Access Control on the R7000 allowed me to get my Chromecast to work again.
Another solution is to enable the option "Allow guests to see each other and access my local network" in the "Guest Network Setup", it also fixed my problem (even if the guest network is disabled).
Both solutions got my Chromecast device to work again.
Hope it will help.
-
I don't know what it has to do with Wireless Isolation, but disabling Access Control on the R7000 allowed me to get my Chromecast to work again.
I never enabled access control on my R7000 via Advanced -> Security -> Access Control so that must not be my issue :-\
Another solution is to enable the option "Allow guests to see each other and access my local network" in the "Guest Network Setup", it also fixed my problem (even if the guest network is disabled).
I see that option is checked on both 2.4 and 5 GHz radios, but grayed out as well, presumably because the guest network is not enabled.
Has anyone else had this issue with their Chromecast? For the time being, I've installed DD-WRT on my roommate's really old Belkin wireless router and attached that as an AP to my R7000 via Ethernet and I have the Chromecast connected to that and that's mostly working, though my roommates all say they have intermittent issues with this e.g. their phone or tablet randomly disconnects from Chromecast, playback randomly stops or won't continue smoothly between episodes in a queue, their devices can't see the Chromecast on the network unless they use the app Fing to scan the network, etc.
It's very frustrating, curious what could possibly be different in my setup. Wondering if it's in any way related to firewall settings or DHCP/DNS settings.
-
If, as the previous poster implied, the guest network settings are affecting the main wifi have you tried enabling the guest wifi and then disabling client isolation?
Steve
-
If, as the previous poster implied, the guest network settings are affecting the main wifi have you tried enabling the guest wifi and then disabling client isolation?
Steve
Maybe the way I responded wasn't very clear, but here's what I see:
Seems as though client isolation is already disabled, I could try enabling then disabling the guest network just to see if that does anything, but I've never touched any of these settings, they've always been default.
-
You might try as well, it might as well be a bug of a policy applied incorrectly following an upgrade of the firmware.
Changing these settings seemed to have fixed that on my side.
-
You might try as well, it might as well be a bug of a policy applied incorrectly following an upgrade of the firmware.
Changing these settings seemed to have fixed that on my side.
I'll give it a shot tomorrow, I just updated the firmware an hour or so ago, will see if that has changed anything tomorrow after work. If not, I'll enable the guest network and try it, then disable the guest network and try it again.