Pfsense 2.0.1 - PC can only browse web with a dynamic DHCP IP (not static lease)
-
I encountered a strange issue with pfsense 2.0.1-release.
1.) if I allow PC with MAC addr 1234 to obtain a DHCP address of 192.168.0.200 from my range 192.168.0.200-254 the machine can ping and browse internet
2.) if I register the same PC MAC addr 1234 with a static lease of 192.168.0.100, the PC will be assigned this IP, but has no internet accessThis behavior is consistent. However all other PCs with static leases do not exhibit these symptoms.
Does the DHCP table become corrupt? Is there any way to reset the table so that I can clear any history associated with 192.168.0.100 static leases?
-
Maybe you have multiple machines with IP address 192.168.0.100.
Maybe you have a firewall rule blocking 192.168.0.100 or IP subnet containing 192.168.0.100.
Maybe 192.168.0.100 is not on the same IP subnet as the upstream pfSense interface.
My home network has a mixture of systems with dynamic DHCP IP addresses (some address out of a pool) and systems with static DHCP IP addresses (always get the same IP address from DHCP depending on the MAC address) and I have not seen this problem.
-
Maybe you have multiple machines with IP address 192.168.0.100.
Maybe you have a firewall rule blocking 192.168.0.100 or IP subnet containing 192.168.0.100.
Maybe 192.168.0.100 is not on the same IP subnet as the upstream pfSense interface.
My home network has a mixture of systems with dynamic DHCP IP addresses (some address out of a pool) and systems with static DHCP IP addresses (always get the same IP address from DHCP depending on the MAC address) and I have not seen this problem.
wallabybob - that's the strange part. None of the above conditions apply. And it's not showing as 192.168.0.100 being in use by any machine. Is there any way in pfsense to manually edit a DHCP table? perhaps that has become corrupt somehow?
Also, when I assign a static IP of 192.168.0.100 to MAC Addr 12345 in the previous example, I can connect INTO the machine without any issue. So it is responding to requests on 192.168.0.100. however no traffic originiating from 192.16.0.100 makes it out to the internet. -
how do you think the dhcp table has to do with anything?? That is not part of the firewall rule. What is the mask on your lan network? the lan firewall rule default to lan net, if your using something other than say 192.168.0.100/24 then its possible your outside your lan net and lan rule would block access.
What if you use .99 instead of .100 does that work on that one with mac 12345? Or what about .199?
The dhcp table even if corrupted beyond reading would have nothing to do with your machine talking to pfsense. the dhcp table is used for the dhcpd to maintain its list of leases - nothing more. Has nothing to do with the firewall or network of pfsense.
Unless your doing something with static arp?
Only the machines listed below will be able to communicate with the firewall on this NIC. -
And it's not showing as 192.168.0.100 being in use by any machine.
What is not showing 192.168.0.100 in use by any machine?
And how are you looking?
Is there any way in pfsense to manually edit a DHCP table?
Edit change what?
Also, when I assign a static IP of 192.168.0.100 to MAC Addr 12345 in the previous example, I can connect INTO the machine without any issue.
Connect by what - ping? ssh? telnet? web browser? etc? From where?
So it is responding to requests on 192.168.0.100. however no traffic originiating from 192.16.0.100 makes it out to the internet.
How did you determine that? Would it be more accurate to say there is no evidence of returning traffic? What sort of traffic and to where in particular? (Not every internet host responds to pings.)
-
To determine whether another PC is using LAN IP 192.168.0.100, I'm looking under STATUS > DHCP LEASES.
Wasn't sure whether there was a config file that might have additional detail about DHCP static assignments beyond what is displayed in the UI. Thought perhaps the data might have become corrupted.
I am able to connect into 192.168.0.100 using \192.168.0.100 to browse file shares and Win RDP for example.
As for 192.168.0.100 not communicating outbound, I simple use ping to www.google.com as a test. Or launch a browser on the 192.168.0.100 PC and attempt to access any web site. Not outbound traffic is being permitted.
Thanks for your help.
-
and did you try setting it to .99 or .199 or 143?
Also again dhcp has NOTHING to do with anything unless you clicked on static arp? Which can be used to block access to pfsense.
-
and did you try setting it to .99 or .199 or 143?
Also again dhcp has NOTHING to do with anything unless you clicked on static arp? Which can be used to block access to pfsense.
Now that you mention it, when I change the same PC to a static 192.168.0.99, .199 or .143, it works without issue. Only .100 results in the inability to access the internet from the PC.
Also, I am not using static ARP.
-
So what are your lan rules?
So I would have to assume you have some firewall blocking .100 or you got some issue with duplicate IP? When you say pfsense can reach .100 – can it still reach it when you change this pc .99?
-
So what are your lan rules?
So I would have to assume you have some firewall blocking .100 or you got some issue with duplicate IP? When you say pfsense can reach .100 – can it still reach it when you change this pc .99?
johnpoz, yes, I can still RDP to the machine once it is set to 192.168.0.99. In fact, it appears that if I assign ANY PC on my LAN a static IP of 192.168.0.100, that PC is unable to access the internet (ping, web, etc.). Since this box is a server, I'm particular about it having a static IP of 192.168.0.100.
My LAN rules are as shown.
http://postimage.org/image/a6q8rbdvt/ -
Since this box is a server, I'm particular about it having a static IP of 192.168.0.100.
Could it be that you have AoN rules or 1:1 NAT for this particular IP?
I often define my own AoN rules for servers to do some source NAT for VPN stuff. -
You misunderstood the question - when you change this machine .99, can you still talk to a .100 ?
What is the point the echo rule? Dest is the lan net? That rule would never be used.
-
I encountered a strange issue with pfsense 2.0.1-release.
I encountered a similar problem earlier. Did you try to remove all unneccessary rules and reboot the firewall(s)?
Do you have several routers/gateways on the same network?
Do you have several different dhcp servers on the lan?
We had a test pc running Win XP and finally had to give up; it seems Win XP "does something wrong" (not following standards/protocols correctly probably), When we connected a test-computer running Mac OS X everything worked fine.Cheers,
/E -
I encountered a strange issue with pfsense 2.0.1-release.
I encountered a similar problem earlier. Did you try to remove all unneccessary rules and reboot the firewall(s)?
Do you have several routers/gateways on the same network?
Do you have several different dhcp servers on the lan?
We had a test pc running Win XP and finally had to give up; it seems Win XP "does something wrong" (not following standards/protocols correctly probably), When we connected a test-computer running Mac OS X everything worked fine.Cheers,
/EWindows XP does not do anything wrong. There is something wrong with your configuration somewhere.
-
it seems Win XP "does something wrong" (not following standards/protocols correctly probably), When we connected a test-computer running Mac OS X everything worked fine.
Not going to say that MS does everything by the RFC's - but come on XP at one point was what 80+ % something of the market share for OSes.. You can find this sort of info at http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10
It currently shows still having 35% of the market – that is still a shit load of computers. If it was doing something wrong that broke networks or didn't work with devices, etc. It would be a pretty big issue and would of never gotten any significant share of the market.
