Netgate Discussion Forum

    Hosts on LAN can't connect to each other, but can reach Internet and pfsense.

    General pfSense Questions
    7 Posts 5 Posters 2.3k Views
    • seanmcb

      Hello,

      Setting up pfSense for the first time. The web interface works at 192.168.4.1. It correctly hands out 192.168.4.x IPs to one computer plugged in, and to one over wifi. Both these computers can visit the pfSense web UI and both can connect to the public Internet. However, neither can ping the other. Bonjour/zeroconf seems to work between machines though, because the macOS Finder shows their Samba shares, but I can't connect over Samba and can't even ping:

      $ ping 192.168.4.9
      PING 192.168.4.9 (192.168.4.9): 56 data bytes
      Request timeout for icmp_seq 0

      I'm not sure where I should be looking to debug this…  Any suggestions?  Thanks.

      • Derelict LAYER 8 Netgate

        Traffic on the same subnet isn't handled by the firewall at all.

        Assuming a /24 netmask, if 192.168.4.8 wants to communicate with 192.168.4.9 it ARPs for the MAC address and sends the traffic directly.

        If 192.168.4.8 wants to send traffic to something outside 192.168.4.0/24 it consults its routing table which generally consists only of the default gateway. It then ARPs for the MAC address of the next hop gateway and sends the traffic there to be routed as needed.

        How is your wifi provided?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • seanmcb

          Thanks for your reply and info. I've read up on ARP a bit, and tried 'arp -a -l' on my Mac, and see other IPs and MACs that I expect. The pfsense's Diagnostics>ARP Table looks right too.  To eliminate the difference of one Mac being plugged by ethernet and the other connected by Wifi, I also connected the first by Wifi too now, and also did 'sudo arp -d -a'.  Now 'arp -a -l' seems to fail to get a MAC address:

          $ arp -a -l
          Neighbor                Linklayer Address Expire(O) Expire(I)    Netif Refs Prbs
          pfsense.localdomain    2:3:45:AB:CD:EF    40s      38s            en2    1
          192.168.4.9            (incomplete)      (none)    (none)        en2

          My wifi is provided by my pfSense SG-2220 (https://store.pfsense.org/sg-2220), which is also the device doing DHCP.

          So my situation now seems to be: two Macs both connected by Wifi to an SG-2220 can each see the Internet and the pfSense, but arp on one Mac doesn't find the MAC address of the other Mac.

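          The forwarding decision Derelict describes (ARP for the destination itself when it is on-link, ARP for the gateway otherwise), applied to the `arp -a -l` table seanmcb posted, as an added example. This is editorial code, not code from the thread or from pfSense. The client address 192.168.4.8/24, the one-entry routing table, the name-to-address mapping for `pfsense.localdomain` and the ARP text are all constructed for the example (the MAC is the placeholder from the post). The routing part is general: it does longest-prefix match over any route list, not only the single default route the post mentions.

```python
# Added example (not from the thread or from pfSense): given a host's address,
# its routing table and the text of its `arp -a -l` output, work out what the
# host ARPs for and whether pfSense can even see the traffic. Data constructed.
import ipaddress

# Constructed `arp -a -l` output in the macOS column layout quoted in the
# thread; the MAC is the placeholder from the post, not a real adapter.
SAMPLE_ARP = """\
Neighbor                Linklayer Address Expire(O) Expire(I)    Netif Refs Prbs
pfsense.localdomain    2:3:45:AB:CD:EF    40s      38s            en2    1
192.168.4.9            (incomplete)      (none)    (none)        en2
"""

# Assumed client configuration: an address on the /24 and a routing table
# that, as on most clients, holds only the default route via pfSense.
LOCAL_IFACE = "192.168.4.8/24"
ROUTES = [("0.0.0.0/0", "192.168.4.1")]
# arp prints a name where reverse lookup succeeded; this mapping is an
# assumption standing in for that lookup.
HOSTS = {"pfsense.localdomain": "192.168.4.1"}

ABSENT = "absent"      # marker: no ARP entry at all for the next hop
INCOMPLETE = None      # marker: entry exists but no reply ever came back


def parse_arp_table(text, hosts=HOSTS):
    """Map neighbor address -> MAC string, or INCOMPLETE for '(incomplete)'."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] == "Neighbor":
            continue  # blank line or the column header
        neighbor, linklayer = fields[0], fields[1]
        try:
            addr = ipaddress.ip_address(hosts.get(neighbor, neighbor))
        except ValueError:
            continue  # a name we cannot map back to an address; skip it
        table[addr] = INCOMPLETE if linklayer == "(incomplete)" else linklayer
    return table


def next_hop(dst, local_iface=LOCAL_IFACE, routes=ROUTES):
    """Return (how, address): the address this host will ARP for.

    An on-link destination is ARPed for directly and the packet never touches
    the firewall. Anything else goes to the gateway of the longest matching
    route, so a more specific route beats the default."""
    iface = ipaddress.ip_interface(local_iface)
    dst = ipaddress.ip_address(dst)
    if dst in iface.network:
        return "direct", dst
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ipaddress.ip_address(gateway))
    if best is None:
        raise ValueError(f"no route to {dst}")
    return "via", best[1]


def diagnose(dst, arp_text=SAMPLE_ARP, local_iface=LOCAL_IFACE, routes=ROUTES):
    """Combine the forwarding decision with the ARP state of the next hop."""
    how, hop = next_hop(dst, local_iface, routes)
    mac = parse_arp_table(arp_text).get(hop, ABSENT)
    if how == "via":
        verdict = "routed through the gateway; pfSense rules and NAT apply"
    elif mac is ABSENT:
        verdict = "on-link, no ARP entry yet; send traffic and re-check"
    elif mac is INCOMPLETE:
        verdict = ("on-link but ARP unanswered: no layer-2 path between the "
                   "two hosts (client isolation, intra-BSS blocking, bridge "
                   "member filtering); LAN firewall rules are not in play")
    else:
        verdict = "on-link and ARP resolved; check the peer's own host firewall"
    return {"how": how, "next_hop": str(hop), "mac": mac,
            "firewall_in_path": how == "via", "verdict": verdict}


if __name__ == "__main__":
    for target in ("192.168.4.9", "192.168.4.1", "8.8.8.8"):
        print(target, diagnose(target))
```

          Run as-is it reports the posted situation: 192.168.4.9 is on-link with an unanswered ARP request, so nothing in the LAN rule set can be the cause, while 8.8.8.8 is handed to 192.168.4.1 (whose MAC did resolve) and is the only one of the three that pfSense filters. The same function accepts a longer route list, which is where a client with a static route or VPN would differ from the single-default-route case in the post.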
          • johnpoz LAYER 8 Global Moderator

            Wifi to wifi communication is what you're talking about? And this can be blocked with isolation. pfSense calls it:

            https://doc.pfsense.org/index.php/Wireless_Details

            Allow intra-BSS communication: Check this to allow wireless clients to contact each other

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • stephenw10 Netgate Administrator

              If your wifi is also being provided by the SG-2220 does it have a wireless interface directly? (mini-PCIe card and antennas in the case?)

              If so I assume you bridged the wifi and LAN interfaces in order to get them on the same subnet. In that situation you need firewall rules to allow traffic between the wifi and Ethernet segments.

              For both clients on wifi see what johnpoz wrote ^.

              Steve

              • jahonix

                @stephenw10:

                … assume you bridged the wifi and LAN interfaces ... you need firewall rules to allow traffic between the wifi and Ethernet segments

                …unless you use these "System Tunables":
                net.link.bridge.pfil_member Set to 0 to disable filtering on the incoming and outgoing member interfaces.
                net.link.bridge.pfil_bridge Set to 1 to enable filtering on the bridge interface

                BTW: does this mean that setting both to '0' will lead to no filtering at all?

                • Derelict LAYER 8 Netgate

                  I have never done that but I would think that would mean all rules on both the member interfaces and the bridge interface are ignored.


                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.