PFsense fails to reply to ARP request
-
Why do you think a switch can't handle the increase frame size? It's only with Ethertype/Length field used for length that it's an issue. With Ethernet II (DIX), there is no length field and the frame ends only when the data stops. This is what allows jumbo frames. However, jumbo frames are so much larger that hardware has to be built to handle it. Standard Ethernet II frames can handle 1536 bytes, with IP MTU limited to 1500, so there's plenty of space for the VLAN header or even 2 at 4 bytes per header.. If a switch can properly handle Ethernet II, it can handle VLAN & IP and IP is normally carried on Ethernet II.
Incidentally, over the years, I've often challenged "common knowledge" and found that it's not entirely accurate. This is one example, where people make assumptions based on this common knowledge. While they're generally true, they're not absolutely true. I try to verify this through experiment, if possible. You can do the same with an un-managed switch, Wireshark and a couple of computers running Linux. Give it a try and see what turns up. Try again with a managed switch and trunk ports. You can also learn a lot by getting into the details of the protocols to see where limits may or may not exist. One example of this is the length field in 802.3 vs type field in Ethernet II. It is that length field that's the origin of the 1500 MTU limit, even though IP doesn't normally use 802.3. In comparison, other network types, such as token ring or WiFi have a much larger MTU. In fact the maximum IP MTU is 65K and even that's exceeded in some circumstances with "Jumbograms".
https://en.wikipedia.org/wiki/Jumbogram
Bottom line, don't take "common knowledge" as absolute. It isn't.
-
Thank you very much for the education. I hadn't learned anything new today.
I have seen it both work and not work. I have seen bridge devices both properly pass 1q and not. Like I said, if all those conditions are true, you can use one.
-
This discussion provides much useful information to me, thank you guys.
I setup a test lab to match the production environment. The only thing different is the switch (a 8 port 100mbit tplink switch instead of a 24 port tp link gigabit switch)
Funny thing is, that when I capture on the LAN (non tagged) interface while querying a nameserver on the guest network, no traffic is captured from the guest network.
Also, I cant reach the regular LAN from withitn the guest lan. Even when I change my IP to something in the LAN range / subnet. This conflicts with some posts here. Can somebody tell me what is supposed to happen?
I
m also wondering how you guys would setup a network with 2 wifi guest networks and one lan wifi network. I use Engenius accesspoints and bind the SSIDs to the VLAN tags. What is the preferred way of setting this up? -
Ok, weird things are going on here. Yesterday I removed all VLAN`s and guestnetworks, because I wanted to fix the intermittent downtime.
Today, we experienced the same issues. We only have one LAN now. I made a capture again during the outage. https://www.cloudshark.org/captures/66c61a1e0b60
Where should I be looking for? Could the PFsense box have a hardware issue?
-
Same issues?? I see a bunch of syn going to different IPs via https, and those not getting any sort of answer so client sends a retrans. And yeah seeing lots of arps for 192.168.1.254 and not seeing any answers
What exactly is your pfsense running on, and with what nic. I see dest to 00:dd:2a:e8:31:02 which you had stated was the mac of pfsense. But this 00:dd:2a does not seem to be owned/registered by anyone.. I have tried multiple databases, wiresharks lookup, https://macvendors.com/ etc..
If your using some cheap ass nic then I would look to that being a problem..
"I`m also wondering how you guys would setup a network with 2 wifi guest networks and one lan wifi network"
As to how I would set that up. Well you would tag the SSIDs you want as guest, and just use a native untagged network for the lan. Or you could tag all 3 if you wanted. Your switch port connection to your AP(s) would be trunked with the vlans you want to allow, ie the ones your using as guest and native vlan set for your non tagged ssid if your going that route. The port that connects to pfsense would be the same setting trunked with the specific vlans allowed and native vlan set if using native vlan.
As to the switch config - in what possible scenario would you set a switch to all trunked ports with all vlans allowed? Does not matter if the switch doesn't strip the tags or not. It is not the way to do it.. be it you think its not common knowledge or not that dumb switches don't strip tags. That has NOTHING to do with it.. The problem is the dumb switch doesn't freaking isolate the traffic.. Your running multiple layer 3 networks over the same layer 2 in this scenario.. And that is just borked plain and simple! You use a smart/managed switch so you can create the multiple layer 2 networks on the 1 piece of hardware.
Does not matter if running multiple layer 3s over the same layer 2 "can" sometimes work – why would anyone with any networking experience all ever do such a thing??? That your doing it or even suggesting it there is nothing wrong with it is just mind numbing!!
-
Same issues as in evrything is unreachable from within the LAN interface. The hardware has 6 Intel 1GBE lan ports. Strange it doesnt show up in the MAC databases. If this a hardware issues, it would be a first (in 20 deployments).
I will swap the hardware this week and report back.
Thanks for your input on how to setup the guest networks. I will build a test lab and fiddle around with it.
-
"The hardware has 6 Intel 1GBE lan ports."
What is the hardware? What are the nics that provide the ports?
That is not a intel mac.. You can lookup all the mac for intel, that is not listed for intel.
-
I replaced the router with one that I pulled out in a working state.
Today they had the same issue. For some reason , it always happens after office hours. If it happens I always get a call from the first one to be at the office that the 'internet' is not working.
I just investigated the logs. The firewall log shows that at 07:39 , devices fail to obtain an IP address. on 7:33 there is some IPv6 traffic, which I can not pinpoint (as I disabled ipv6)
What can you make out of the log file?
Could any external factor cause this behaviour?
-
"The hardware has 6 Intel 1GBE lan ports."
What is the hardware? What are the nics that provide the ports?
That is not a intel mac.. You can lookup all the mac for intel, that is not listed for intel.
When I installed Windows on this box, they identified themselves as Intel nic
s, and installed an Intel driver. Im not sure why the MAC seems to be unregistrered. -
You are seeing traffic from link-local addresses (169.254.0.0/16). Looks like clients are failing to get DHCP on LAN for some reason. Hard to tell from that. What's in the DHCP logs?
