Netgate Discussion Forum

    Strange issue - can't ping AP from LAN pc (but can ping client on AP?)

General pfSense Questions
    14 Posts 3 Posters 2.6k Views
alottapuddin

New pfSense interface is set up for a wifi AP. [This is an old wifi router with the new pfSense interface plugged into a LAN interface of the AP/wifi router.]
Existing interface is my pfSense LAN. There are no connectivity problems for any devices that I've noticed other than the problem below.

The issue is: I CAN ping between CLIENTS on each respective network; e.g., pc (LAN) to phone (AP), phone (AP) to pc (LAN). I can access the AP from the phone.
However I cannot ping the AP from a pc on the LAN. I have tried a static IP, multi-homed setup [Windows], no dice.

From the pfSense Diagnostics / ping:
-I CANNOT ping the AP - from LAN interface to AP IP.
-I CAN ping a phone on the AP wifi network - from LAN interface to phone IP.
*These are consistent with my results on a PC (LAN).

-It's not/should not be a 'firewall' issue on the AP. The firewall is off, there is only the wire to a LAN port; again ICMP traffic works from pc to a phone on the AP.
-I have the default allow ANY from the LAN. Again, can ping client on AP so it's not / should not be rule related; again ICMP traffic works from pc to a phone on the AP.
-I CAN ping the AP when the pc joins the AP/wifi network.
-I have no manually set routes on either device. My gateways & DHCP servers for each client are the respective pfSense interface's IP; anything can ping them.
-I also attempted to set up a bridge, but had the same result. No more bridge, no gateway groups, no VLANs; no managed switches involved.
-Yes… I could plug the AP into a switch on my LAN ...but WHAT FUN WOULD THAT BE??! Too easy! ;)

I'd like this to work for administrative functionality and not have to use a client on the AP/wifi to manage the AP. [Not that there'd be much/anything to do really.] That said, it's the only problem and I can live with it. But dang… I'm puzzled and ANNOYED, hehe. Oh, and there are two options to permit / deny ping on the AP/wifi itself, and neither are checked. Help me restore my sanity. ;)

Nullity

Is your AP still acting as a router and therefore causing double-NAT problems?

Run a packet capture.

Share your network topology.

Please correct any obvious misinformation in my posts.
-Not a professional; an arrogant ignoramus.

alottapuddin

Topology attached. [updated post & image]

AP isn't routing/NATing traffic; WAN port is unused. I did have the AP attached to the unmanaged switch at one point and could ping & access it [http] just fine.

I ran a packet capture. I think ping traffic simply is only a response of yes/no from the client, huh? …regardless of the level of detail or promiscuous?
When I tried capture with HTTP, it just looks like the PC is trying alternate outbound ports to the same target IP (AP) & port (80).
A tracert to the phone goes: pfSense, phone. There is no AP in there. Normal I guess.

[Image: Untitled.jpg]

johnpoz (LAYER 8 Global Moderator)

Is there some reason to hide RFC 1918 space - or are you running public IPs?

What are your rules on your interfaces?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

alottapuddin

No public IPs. No fancy rules, just allow outbound ALL from the internal subnets. I do have block bogon set on all interfaces.

EDIT/Update: I did add LAN <-> AP subnet any/all IPv4 for the AP interface/subnet, but that didn't affect being able to ping or bring up the HTTP AP web page from the LAN. *I don't think that rule was required to be able to ping the phone on the AP subnet.

I went ahead and moved the AP back to the LAN subnet for testing -> unmanaged switch, and HTTP + ICMP work fine.

I'd like to get it back on the other subnet/interface though for long term.

johnpoz (LAYER 8 Global Moderator)

"I do have block bogon set on all interfaces."

For what possible reason - how could there be bogons in your own local networks?

Why are you hiding your RFC 1918 space - it just makes it harder to understand your network. What are the rules on the interface connected to your AP network? Is this a tagged or untagged VLAN on your switch?

alottapuddin

I think block bogon was set by default?

Updated image with private IP info. No VLANs.

I set up a LAN (source) -> AP (dest) any/all IPv4 rule for the AP interface/subnet, but that doesn't affect being able to ping the AP or bring up the HTTP AP web page (from the LAN).

*This rule doesn't seem to be required to be able to ping the phone on the AP subnet? Traffic is permitted between these subnets by default?

The only rules right now are allow any/all from each subnet to any/all.

[Image: topologyb_Feb2017.jpg]

johnpoz (LAYER 8 Global Moderator)

"I think block bogon was set by default?"

Only on your WAN interfaces… Did you happen to set some gateway on an interface on your local side so pfSense thought it was a WAN connection?

Does your AP have the ability to have a GW set? It needs to point to pfSense as its gateway, 10.8.3.1.

alottapuddin

"Does your AP have the ability to have a GW set… It needs to point to pfSense as its gateway 10.8.3.1"

-It does not. A GW can only be set for the WAN (unused). It does allow static routes to be set; IDK if that'd help?
  *Does not seem to be any trouble for devices on the AP subnet to ping my PC, for example, on a different subnet.

"Did you happen to set some gateway on an interface on your local side so pfSense thought it was a WAN connection?"

-Possibly? Do you mean... maybe confused it with a legit public IP, which I used for a LAN IP?

EDIT: I'm not using a crossover cable for anything; pfSense to unmanaged switch or pfSense to the AP. Other traffic seems to be fine, but could this be a problem?

johnpoz (LAYER 8 Global Moderator)

What are you using for an AP? Third-party firmware might let you set a gateway, or let you set a route to your LAN network. The other option would be to source NAT, so traffic from the LAN looks like the pfSense IP in the AP net and the AP can answer.

Best option: get a real AP ;)

alottapuddin

I might put it on the LAN again or get a real AP like you said if accessing it from the LAN becomes annoying. It's just a test setup really, not critical. Also the router/"AP" is pretty outdated, so not worth a lot of trouble. Just wanted to get some input to see if I was missing anything. Thanks!

Here's a thread with a similar issue. OP doesn't say if it's a router as AP or a real AP:
https://forum.pfsense.org/index.php?topic=46408.0

johnpoz (LAYER 8 Global Moderator)

Dude, without a gateway on the device there is no way to talk to it from another network.

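The point johnpoz makes in his last two posts (the AP needs a gateway or a route back to the LAN, or pfSense has to source-NAT the traffic) is a plain routing-table lookup on the AP for the reply packet, not a firewall question. The simulation below is an added example, not code from the thread or from pfSense: it models a host's next-hop decision and runs the thread's three pings against the AP with no gateway, with a default gateway, with a static route, and behind an outbound NAT rule. The only address taken from the thread is pfSense's AP-side 10.8.3.1; the LAN subnet 10.8.1.0/24, the PC, AP and phone addresses are assumptions for illustration.

```python
"""Why a gateway-less AP cannot answer a host on another subnet.

Added example for this thread, not pfSense code: it models the AP's route
lookup for the *reply* packet. pfSense's AP-side address 10.8.3.1 is from
the thread; every other address below is an assumption for illustration.
"""
import ipaddress

PFSENSE_AP_SIDE = "10.8.3.1"   # from the thread (johnpoz)
LAN_PC = "10.8.1.10"           # assumed LAN client
AP_ADDR = "10.8.3.2"           # assumed static address of the old wifi router used as AP
PHONE = "10.8.3.50"            # assumed DHCP lease on the AP subnet


class Host:
    """Minimal IPv4 host: one interface, optional default gateway, static routes."""

    def __init__(self, name, addr, prefixlen=24, gateway=None, static_routes=()):
        self.name = name
        self.iface = ipaddress.ip_interface(f"{addr}/{prefixlen}")
        self.gateway = ipaddress.ip_address(gateway) if gateway else None
        self.static_routes = [
            (ipaddress.ip_network(net), ipaddress.ip_address(gw))
            for net, gw in static_routes
        ]

    def next_hop(self, dst):
        """Longest-prefix match: connected subnet, static routes, then default.

        Returns the address the frame is handed to, or None when no route
        exists (the host's stack reports "network unreachable" and drops it).
        """
        dst = ipaddress.ip_address(dst)
        if dst in self.iface.network:
            return dst                      # on-link: ARP and send directly
        best = None
        for net, gw in self.static_routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        if best is not None:
            return best[1]
        return self.gateway                 # None when no default route is set


def can_reply(host, src):
    """Can `host` route an echo reply (or SYN-ACK) back to `src`?

    The request itself always arrives: pfSense forwards it and the AP accepts
    any packet addressed to its own IP. The failure is only on the return path,
    which is why pfSense's own Diagnostics ping from the LAN side fails too.
    """
    return host.next_hop(src) is not None


def ping_results(ap_gateway=None, ap_static_routes=(), source_nat=False):
    """Reproduce the thread's pings for one AP configuration.

    source_nat=True models an outbound NAT rule on pfSense's AP interface that
    rewrites LAN sources to 10.8.3.1, so the AP sees an on-link peer and never
    needs a route.
    """
    ap = Host("ap", AP_ADDR, gateway=ap_gateway, static_routes=ap_static_routes)
    phone = Host("phone", PHONE, gateway=PFSENSE_AP_SIDE)  # DHCP handed out the gateway
    lan_src = PFSENSE_AP_SIDE if source_nat else LAN_PC
    return {
        "lan_pc -> phone": can_reply(phone, lan_src),
        "lan_pc -> ap": can_reply(ap, lan_src),
        "phone -> ap": can_reply(ap, PHONE),  # same subnet: always works
    }


CONFIGS = {
    "AP as in the thread (no gateway)": {},
    "AP with default gateway 10.8.3.1": {"ap_gateway": PFSENSE_AP_SIDE},
    "AP with static route to LAN via 10.8.3.1": {
        "ap_static_routes": [("10.8.1.0/24", PFSENSE_AP_SIDE)],
    },
    "pfSense outbound NAT on the AP interface": {"source_nat": True},
}

if __name__ == "__main__":
    for label, kwargs in CONFIGS.items():
        print(label)
        for path, ok in ping_results(**kwargs).items():
            print(f"  {path:16} {'reply' if ok else 'NO REPLY (no route)'}")
```

Running it shows the asymmetry from the first post: the LAN PC reaches the phone, because DHCP gave the phone 10.8.3.1 as its gateway, but not the AP, which has no route at all for the reply and silently drops it; any of the three fixes makes the reply routable. A packet capture on pfSense's AP-side interface confirms the same thing without the model: echo requests to the AP leave the interface and no echo replies come back. Of the fixes, the static route (what the thread ends up using) or a proper gateway is preferable to source NAT, since NAT hides the real client address from the AP's logs and from its remote-management allow list.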
alottapuddin

Hehe. I popped in a static route on the wifi router/AP and now can hit the web page and ping from the LAN, but it says:

"You have no authority to access this device!" Doesn't allow alt-networks access to the web config page.

So I thought, hmm… maybe if I add my pc IP to the remote management access (one IP only, boo!) ...and yep, I can reach it now.

This wouldn't be a good option if any other computer needed to get to it though. Back to the LAN or real AP again if this isn't satisfactory.

Thanks again.

johnpoz (LAYER 8 Global Moderator)

You should be able to add your whole LAN net to allow remote admin, but why?

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.