Can't access Chromecast or ping other hosts on subnet, UPnP or client isolation?
-
Yes, exactly. Traffic between two wireless clients should travel to the access point and back out again, not through pfSense. It's being blocked at the access point.
I suggested you might be using the guest network because, reading the manual, it only lists client isolation for the guest network. Your symptoms exactly match this. There may well be some advanced features not detailed in the manual. If not, the R7000 has a load of other firewall features which could get in the way, QoS, various port/protocol filtering for example.
Steve
-
I appreciate your guys' help even if it isn't directly pfSense-related. I'm trying to get you guys all the details I've got!
Well according to the FAQ they don't have isolation as an option..
Which FAQ are you referring to? This page (http://kb.netgear.com/app/answers/detail/a_id/24095/~/how-do-i-specify-the-basic-wireless-settings-on-my-nighthawk-r7000-router%3F) shows that the R7000 does have a Wireless Isolation setting.
What does it matter if pfsense has it in its arp table? What about your client's arp table that is looking for it?
If you have say 2 laptops on your wireless network. Try and ping them - do you see their MAC in your client's arp table?
I ran the "arp -a" commands on my desktop and my laptop and, interestingly enough, both of them only see the pfSense router, the wireless AP (R7000), and each other (laptop sees desktop and vice versa). The only thing I changed on my desktop is that I noticed Windows had configured my wireless network as "public" so I changed it to "home." I am able to ping my laptop from my desktop and vice versa and can also ping the other devices seen in the ARP table. Now on my iPhone when I use the Fing Network Scanner app, it sees the pfSense router, the wireless AP, my desktop, my laptop, and a device that's plugged in via Ethernet to the wireless AP. The iPhone can ping all of these devices that it sees.
I think I will try doing a factory reset on the Chromecast and see if I can set it up again, but I'd still like to figure out why most of the devices on the network (there's 22 at the moment) can't see one another. My only idea right now is that the wireless AP does indeed have client isolation turned on, I assume it has nothing to do with the transparent Squid proxy I have running on the router.
Now might seem odd – but you sure you're on your network!
I'm definitely on my network, we have a very unique SSID and it's secured with WPA2.
Do you have wired and wireless segments or 2 wireless networks? 192.168.1.0/24 say is your wired and your wireless network on different interface on pfsense on say 192.168.2.0/24 ?
I just have 1 wireless network, no wired segment, just the two devices plugged into the wireless AP. All devices are on 192.168.1.0/24.
I suggested you might be using the guest network because, reading the manual, it only lists client isolation for the guest network.
Here you can see the guest network is not enabled.
Also, the 4 devices the wireless AP says it sees are my laptop, my desktop, my phone, and the device plugged in via Ethernet.
-
"7. To allow computers or wireless devices that join the network to use the Internet but not to access each other or access Ethernet devices on the network, select the Enable Wireless Isolation check box."
And is that check under your basic wireless?
I gave you link to the FAQ I quoted
http://kb.netgear.com/app/answers/detail/a_id/23794
They are clearly in contraindication - so do you have that checked or not. Do you have that box or not to even check or not check?
"I assume it has nothing to do with the transparent Squid proxy I have running on the router."
Yes you assume correctly - Pfsense has NOTHING to do with what your wireless clients do with each other, nothing!! You can turn pfsense off if you want - pfsense is just your gateway off the network.. Your connection to that network is via your wireless access point.
And yes your software firewall needs to be in home or private - public would block everything. And you might even want to double check that you're allowing ping in the firewall - you're not running any 3rd party antivirus or security software that might be running firewall as well?
Ping an IP address of one of your wireless devices from another wireless device - does it now show up in your arp table?
-
Ah thanks for the link, sorry I didn't see it in your previous post.
They are clearly in contraindication - so do you have that checked or not. Do you have that box or not to even check or not check?
Yeah definitely some contradiction there, one of them must be outdated. Here's the funny part, I don't see that as an option in the GUI, but when I search the source, I see this:
Enable Wireless Isolation
-->
Commented out code that allows that option, but looks like the default value was to enable it? Before I had the pfSense router setup and was just using the R7000 as a wireless router, the Chromecast was visible to all so it must not have been enabled, but now that I have the Wireless AP mode enabled, nobody can see it. Either way, if isolation used to be an option but isn't now, that means to me that the router is capable of enabling it, they just don't make it an option to the end user anymore. I'm tempted to try dynamically un-commenting the code in Chrome, un-checking the isolation option, saving the changes to see if that does anything but I don't want to mess up the router if that does something weird with the newest firmware running on it.
Yes you assume correctly - Pfsense has NOTHING to do with what your wireless clients do with each other, nothing!!
Point taken haha, so I know that it's something to do with the R7000 for sure.
And you might even want to double check that you're allowing ping in the firewall - you're not running any 3rd party antivirus or security software that might be running firewall as well?
Nah I don't have any 3rd party software installed on my desktop, just the stock Windows stuff.
Ping an IP address of one of your wireless devices from another wireless device - does it now show up in your arp table?
My desktop, laptop, phone, and tablet are all connected wirelessly and can ping each other now interestingly enough (I mentioned in previous post that desktop, laptop, and phone could ping one another and they showed up in each other's ARP tables, just found out that tablet appears now, also using Fing app).
-
You're normally not going to see anything in the arp table unless you try and talk to its IP, so that an arp goes out and gets an answer.
Try running a scan from say your desktop for your network and then you should see every client's MAC. Even if they don't answer because of firewall - if they saw the arp, they normally will always answer..
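An added example, not part of the original thread or any poster's code: after each client has pinged the others, collect every client's `arp -a` output and compare the tables pairwise to see which wireless clients resolved each other at layer 2. It assumes the Windows `arp -a` layout; the function names and all addresses are constructed for illustration.

```python
import re

# One row of Windows `arp -a` output: IP, dash-separated MAC, entry type.
ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+",
                 re.I | re.M)

def parse_arp(text):
    """Return {ip: mac} for the unicast neighbours in one `arp -a` dump."""
    table = {}
    for ip, mac in ROW.findall(text):
        # Group bit set = broadcast/multicast (ff-ff-..., 01-00-5e-...), not a host.
        if int(mac[:2], 16) & 1:
            continue
        table[ip] = mac.lower()
    return table

def isolation_report(dumps, infrastructure):
    """dumps: {client_ip: `arp -a` text captured after pinging every other client}.
    Returns (mutual, one_way, blind) lists of client pairs, gateway/AP excluded."""
    tables = {ip: parse_arp(text) for ip, text in dumps.items()}
    clients = sorted(set(dumps) - set(infrastructure))
    mutual, one_way, blind = [], [], []
    for i, a in enumerate(clients):
        for b in clients[i + 1:]:
            a_sees_b, b_sees_a = b in tables[a], a in tables[b]
            if a_sees_b and b_sees_a:
                mutual.append((a, b))
            elif a_sees_b or b_sees_a:
                one_way.append((a, b))   # stale entry or filtering in one direction
            else:
                blind.append((a, b))     # neither resolved the other: AP isolation or peer offline
    return mutual, one_way, blind

# Constructed sample (made-up addresses): .1 gateway, .2 access point,
# .10 desktop, .11 laptop, .12 tablet.
def sample_dump(me, peers):
    rows = "".join(f"  192.168.1.{p:<12}00-11-22-33-44-{p:02x}     dynamic\n" for p in peers)
    return (f"Interface: 192.168.1.{me} --- 0xb\n"
            "  Internet Address      Physical Address      Type\n"
            + rows + "  192.168.1.255         ff-ff-ff-ff-ff-ff     static\n")

SAMPLE = {"192.168.1.10": sample_dump(10, [1, 2, 11, 12]),
          "192.168.1.11": sample_dump(11, [1, 2, 10]),
          "192.168.1.12": sample_dump(12, [1, 2])}

if __name__ == "__main__":
    for label, pairs in zip(("mutual", "one-way", "blind"),
                            isolation_report(SAMPLE, {"192.168.1.1", "192.168.1.2"})):
        print(label, pairs)
```

If every client resolves the gateway and access point but client pairs land in the blind list, the blocking is happening at the access point rather than at the gateway.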
-
Interesting, the manual I read doesn't mention client isolation for the main access point either. From the FAQ wording perhaps it's a feature that has changed with a firmware version. Anyway you clearly don't have it enabled if your iPhone can see other wireless devices.
The fact that Windows (on your laptop?) changed the wireless network type to public could be a clue here. That usually only happens when the MAC address of the access point it's connecting to changes. Perhaps when you put the router into access point mode it uses a different MAC? If so that might also have implications for the Chromecast. From a security standpoint it might assume a rogue access point is spoofing your SSID and not allow that network to connect for example.
Steve
-
Sorry it took me so long to get back to you guys.
You're normally not going to see anything in the arp table unless you try and talk to its IP, so that an arp goes out and gets an answer.
Yeah, on my Windows desktop I ran the "arp -a" command and all I saw was the router, wireless AP, and device plugged into AP via Ethernet but then I used the Fing network scanner app on my iPhone while running Wireshark on my desktop and saw the phone ask the whole 192.168.1.1/24 subnet who had each IP. My phone only discovered the router, wireless AP, wired device, and my desktop but after that my phone's IP was in my desktop's ARP table.
I'm not really sure why my desktop is the only wireless device to respond. My tablet is on and connected to the network (and I'm sure all of my roommate's phones & tablets are as well) but none of them are seen by my phone. Also, when I ran the Fing network scanner app on my tablet, it saw my desktop and the other devices my phone saw, but didn't see my phone.
Perhaps when you put the router into access point mode it uses a different MAC? If so that might also have implications for the Chromecast.
This is possible, I'm not sure though. However, the fact that all our devices could see our Chromecast before I switched the R7000 from router mode to wireless AP mode and now none of the devices can see it makes it seem like this is certainly a possibility. I was going to flash DD-WRT to the R7000 and see if I could just ensure client isolation is turned off in there but I've been reading the forums recently and seems like the current version of DD-WRT for the R7000 isn't very stable at the moment :-\
My roommates are getting pretty frustrated that they can't use the Chromecast anymore so I wish I could figure out a way around it now, please if you guys have any other suggestions for me let me know!
Thanks for all your help.
-
I'm not familiar with that Wireless Router but Wireless Isolation has to be disabled for Chromecast to work. I have one and I'm pretty sure it's not a pfSense issue…
I'm running dd-wrt on my Wireless Router in AP mode... They work great with my Chromecast so far.
By chance, can you ping the CC from a wired PC/Laptop?
-
I don't know what it has to do with Wireless Isolation, but disabling Access Control on the R7000 allowed me to get my Chromecast to work again.
Another solution is to enable the option "Allow guests to see each other and access my local network" in the "Guest Network Setup", it also fixed my problem (even if the guest network is disabled).
Both solutions got my Chromecast device to work again.
Hope it will help.
-
I don't know what it has to do with Wireless Isolation, but disabling Access Control on the R7000 allowed me to get my Chromecast to work again.
I never enabled access control on my R7000 via Advanced -> Security -> Access Control so that must not be my issue :-\
Another solution is to enable the option "Allow guests to see each other and access my local network" in the "Guest Network Setup", it also fixed my problem (even if the guest network is disabled).
I see that option is checked on both 2.4 and 5 GHz radios, but grayed out as well, presumably because the guest network is not enabled.
Has anyone else had this issue with their Chromecast? For the time being, I've installed DD-WRT on my roommate's really old Belkin wireless router and attached that as an AP to my R7000 via Ethernet and I have the Chromecast connected to that and that's mostly working, though my roommates all say they have intermittent issues with this e.g. their phone or tablet randomly disconnects from Chromecast, playback randomly stops or won't continue smoothly between episodes in a queue, their devices can't see the Chromecast on the network unless they use the app Fing to scan the network, etc.
It's very frustrating, curious what could possibly be different in my setup. Wondering if it's in any way related to firewall settings or DHCP/DNS settings.
-
If, as the previous poster implied, the guest network settings are affecting the main wifi have you tried enabling the guest wifi and then disabling client isolation?
Steve
-
If, as the previous poster implied, the guest network settings are affecting the main wifi have you tried enabling the guest wifi and then disabling client isolation?
Steve
Maybe the way I responded wasn't very clear, but here's what I see:
Seems as though client isolation is already disabled, I could try enabling then disabling the guest network just to see if that does anything, but I've never touched any of these settings, they've always been default.
-
You might try as well, it might as well be a bug of a policy applied incorrectly following an upgrade of the firmware.
Changing these settings seemed to have fixed that on my side.
-
You might try as well, it might as well be a bug of a policy applied incorrectly following an upgrade of the firmware.
Changing these settings seemed to have fixed that on my side.
I'll give it a shot tomorrow, I just updated the firmware an hour or so ago, will see if that has changed anything tomorrow after work. If not, I'll enable the guest network and try it, then disable the guest network and try it again.