Having LAN issues related to a new switch

KOM

All I am saying is believe me when I tell you that inter-LAN comms go direct without hitting pfSense. Trust me. NOw about those clients?

HansSolo

@KOM

Windows

KOM

Windows firewall will automatically block traffic from a different subnet, but it should allow local traffic. As a test, disable the firewall on both clients and try your ping test again.

Perhaps your Wireguard was running its LAN interface in promiscuous mode and sucking up every packet it saw hitting its buffer.

marvosa

@HansSolo said in Having LAN issues related to a new switch:

So let's say I try to connect to 192.168.0.2 from 192.168.0.3.
I should see a log entry going at least to 192.168.0.2

Incorrect. Traffic will not hit the firewall unless the destination is outside of 192.168.0.0/24. If both PC's are in the same subnet, you can disconnect PFsense altogether and the two devices will still communicate because the switch is flooding the frame to all ports in the same broadcast domain and will forward the frame to the correct port one it learns the MAC address from the destination PC.

If you're having communication issues between two devices in the same subnet, you either have a windows firewall issue or a configuration issue within the software/protocol that you're trying to communicate with.

When you say you cannot communicate between PC's... what exactly are you trying to do?

HansSolo

@KOM

Never. I ALWAYS disabled Promiscuous mode.

But now I'm gonna go back and connect these two to that Firebox just to see.
I'm not sure HOW it logged that traffic. But it did.

KOM

Either the traffic was between different subnets, or the NIC was in promiscuous mode, or some other device was in promiscuous mode and relaying what it saw to the WG box. It has to be something special because tcp/ip works the same way everywhere. Local IPv4 clients find each other via ARP and talk direct.

HansSolo

@marvosa

Hello,

Just trying to get two PC's on a local network share.

KOM

Can you ping from one to the other? Have you disabled both firewalls and tried to ping?

I have to leave for a little bit. BBL.

johnpoz

@HansSolo said in Having LAN issues related to a new switch:

Just trying to get two PC's on a local network share.

As stated already this has ZERO to do with pfsense - ZERO... Other than it being your dhcp server I assume, when it come to device A talking to B that are both on the same network... The router/gateway (pfsense) has ZERO to do with that conversation - zero!!

chpalmer

IF = Then.

If destination address lies within your subnet Then client one goes direct to client two.

If destination address lies outside your subnet Then the client traffic is directed at the gateway address. If and only then.

JKnott

@HansSolo said in Having LAN issues related to a new switch:

Not only can I not communicate between these PC's

That has nothing to do with pfSense. Communication between devices on a local LAN do not pass through it.

akuma1x

@HansSolo
You typed in your original post that all IP addresses are set static. You should go and check all hosts to make sure you typed all the IP addresses in the same subnet and mask. Why don’t you let pfsense DHCP all your network addresses? Then, if you put the hosts on the same physical network, they can all talk to each other, if setup properly.

Jeff

HansSolo

@JKnott said in Having LAN issues related to a new switch:

@HansSolo said in Having LAN issues related to a new switch:

Not only can I not communicate between these PC's

That has nothing to do with pfSense. Communication between devices on a local LAN do not pass through it.

right. Like I said, I think I was losing my mind that evening ;-)
thx

HansSolo

@akuma1x said in Having LAN issues related to a new switch:

@HansSolo
You typed in your original post that all IP addresses are set static. You should go and check all hosts to make sure you typed all the IP addresses in the same subnet and mask. Why don’t you let pfsense DHCP all your network addresses? Then, if you put the hosts on the same physical network, they can all talk to each other, if setup properly.

Jeff

Jeff,
Good question.
LONG ago I set up two totally separate networks, OPT1 and OPT2 for various reasons. I never liked DHCP and never really needed it because my network doesn't have various users or devices coming and going. everything is static and I like the control that you hav with static IPs. That and I have some devices that I need to occasionally access remotely and they need to have static IP's.

akuma1x

You can still do that with DHCP and static reserved addresses in pfsense, really easy.

Jeff

johnpoz

Dhcp has zero to do with users coming and going..

Most of the time a device will always have the same IP even with dhcp, unless there are more devices than leases and you have device on and off all the time.

Once a device gets a IP via lease - he will continue to renew that IP.. He will even ask for it again when shut off.. The way the dhcpd works is even if that box has been off for really long time - he will still get that IP back because the dhcpd doesn't reuse that lease until he has ran out of other IPs and it has expired, etc..

And you can just always set a reservation for specific device mac address - no that device will always be that IP via dhcp.

The benefit of dhcp is now you can change all your devices to new IP range if so desired without having to actually touch them.. You could change the dns they point to, or the gateway or their domain they use for search suffix, the ntp server they point to, etc. etc.. All without actually having to go touch the physical device.

There is like zero reason not to use dhcp on your network.

HansSolo

@johnpoz said in Having LAN issues related to a new switch:

Dhcp has zero to do with users coming and going..

Most of the time a device will always have the same IP even with dhcp, unless there are more devices than leases and you have device on and off all the time.

Once a device gets a IP via lease - he will continue to renew that IP.. He will even ask for it again when shut off.. The way the dhcpd works is even if that box has been off for really long time - he will still get that IP back because the dhcpd doesn't reuse that lease until he has ran out of other IPs and it has expired, etc..

And you can just always set a reservation for specific device mac address - no that device will always be that IP via dhcp.

The benefit of dhcp is now you can change all your devices to new IP range if so desired without having to actually touch them.. You could change the dns they point to, or the gateway or their domain they use for search suffix, the ntp server they point to, etc. etc.. All without actually having to go touch the physical device.

There is like zero reason not to use dhcp on your network.

Thanks. So many differing opinions.......
why-is-dhcp-considered-insecure

Server Fault - When NOT to use DHCP

johnpoz

Just like any service it could be considered an attack vector... But for that to happen they have to be able to get on your network.. Is someone plugging in a device and running a dhcp starvation attack on your network... Ie using up all your dhcp leases so that clients can not get an IP? ;)

You need to understand the actual conversation at hand about "possible" risks of a service you are running on your network.. But for you take a blanket stand that service XYZ is insecure.. Without even understanding their conversation and homing in on the words insecure and dhcp is just nonsense..

None of those such concerns would come into play in some home setup with a 5 port switch like a DGS-1005G..

You know your car would be more secure (less likely to be stolen) if you drained all its gas when you parked it.. Do you do that?

HansSolo

@johnpoz

@johnpoz said in Having LAN issues related to a new switch:

None of those such concerns would come into play in some home setup with a 5 port switch like a DGS-1005G..

Bingo.
Which is why it's just easier for me to use Static IP's in this situation ;-)

If I have to go through the trouble to set up reservations, phooey. Just set them Static once and done.

How about we compare DHCP to the car KEYS? Would you leave those in your car?

edit: Why would I leave my car keys - they are always in my pocket... Leaving them in the car would be extra work. My point of the gas was that is an over the top step for little reward... Just like not running dhcp on your network..

You do understand that an attack that is on your network doesn't need to get an IP from dhcp to find out the IP range of the network... And its not rocket science to discover the gateway IP or the dns server, etc. just from being physically attached.. If your worried about such things then you run nac, and the device has to auth before it can do anything on the network, even get an dhcp address.

johnpoz

@HansSolo said in Having LAN issues related to a new switch:

Just set them Static once and done.

It takes 2 seconds to set up a reservation - way less time for you to setup a static that is for damn sure... Especially on non pc devices.. And as already stated - if you ever wont to change "anything" you now have to go touch each device.

Dude you do what you want - but lets be clear devices on the same network, pfsense has ZERO to do with their conversation.