Can't get additional interface to work

brannenj · Jan 15, 2017, 8:21 PM

I don't need that interface to be accessible from the 192.168.1.XXX network. I understand what you're saying about the ping, but it still doesn't explain why the cameras, which have no connection to 192.168.1.0/24 can't get on. So setting up a rule to make sure that traffic passes from 192.168.1.0/24 through to 10.10.10.100 isn't something I really want to put in place, and it doesn't help me troubleshoot my core issue.

Unfortunately, the cameras don't have a diagnostic feature to ping an IP. At first I thought it was just that my NTP setup was hosed, but I don't think that's the case. In any event, here's the LAN rule for 192.168.1.0/24:

brannenj · Jan 15, 2017, 8:24 PM

@Derelict:

Try to ping 10.10.10.1 from the LAN side then go to Status > System Logs, Firewall and filter on destination 10.10.10.1

Anything show up there?

Click the red x if you see blocks. That will tell you which rule blocked it.

Nope, nothing to do with that ping request, anyway….

Derelict · Jan 15, 2017, 8:40 PM

Do the cameras have a default gateway set? Is it the pfSense interface?

Does a laptop on 10.10.10.0/24 get a DHCP address? Can it ping 10.10.10.100? Get out to the internet? Can it ping 10.10.10.101? Access that server?

Did you (or someone else) turn on manual outbound NAT? If so did you add outbound NAT for source 10.10.10.0/24? (This will have zero to do with pinging 10.10.10.100 from that subnet)

Your problem is virtually 100% not pfSense with those rules in place on those interface. Unless there are some cockamamie rules on the Floating tab or a captive portal you haven't said anything about or IPsec traffic selectors that match or something else that might suck up the traffic)

brannenj · Jan 15, 2017, 8:54 PM

@Derelict:

Do the cameras have a default gateway set? Is it the pfSense interface?

Yes, it is the 10.10.10.100 interface.

Does a laptop on 10.10.10.0/24 get a DHCP address? Can it ping 10.10.10.100? Get out to the internet? Can it ping 10.10.10.101? Access that server?

DHCP isn't running on that interface, but I'll assign a laptop a free static address and try that in a bit.

Did you (or someone else) turn on manual outbound NAT? If so did you add outbound NAT for source 10.10.10.0/24? (This will have zero to do with pinging 10.10.10.100 from that subnet)

Negative.

Your problem is virtually 100% not pfSense with those rules in place on those interface. Unless there are some cockamamie rules on the Floating tab or a captive portal you haven't said anything about or IPsec traffic selectors that match or something else that might suck up the traffic)

Shouldn't be any of that crazy mess going on. Most of what I use the firewall for is controlling access my kids' devices have at bed time and such.

Derelict · Jan 15, 2017, 9:12 PM

Beginning to suspect johnpoz was right and your VLAN 2 is not set up correctly at all.

@johnpoz:

Wrong setup on your switch would be first guess.

brannenj · Jan 15, 2017, 9:28 PM

@Derelict:

Beginning to suspect johnpoz was right and your VLAN 2 is not set up correctly at all.

@johnpoz:

Wrong setup on your switch would be first guess.

It's just a simple port based VLAN. That was honestly my first thought….that I had bungled that and plugged the 10.10.10.100 patch cable into the other side of the switch, so that it was segregated. It's a 24 port switch, half of which are PoE for the cameras. So I have ports 1-12 for the security network, and ports 13-24 for the regular LAN. I have verified that pfSense is connected to the correct group of ports.

I connected a laptop with a statically assigned IP address of 10.10.10.9, mask of 255.255.255.0, and gateway of 10.10.10.100 (the interface in question). Same result. I can ping cameras, I can ping the server at 10.10.10.101, but I can't hit the pfSense interface at 10.10.10.100. I can't ping 8.8.8.8 either, but that's not a surprise since I can't get to the firewall either....

brannenj · Jan 15, 2017, 10:26 PM

When I have a chance, I think I will enable DHCP on that interface, and then plug a laptop directly into the patch cable and see what happens.

Derelict · Jan 15, 2017, 11:36 PM

If you cannot ping 10.10.10.100 from a PC on that network on, say, 10.10.10.150/24, DHCP will not work either.

This isn't a guessing game. If that doesn't work, your switching (layer 2) is hosed.

brannenj · Jan 15, 2017, 11:44 PM

@Derelict:

If you cannot ping 10.10.10.100 from a PC on that network on, say, 10.10.10.150/24, DHCP will not work either.

This isn't a guessing game. If that doesn't work, your switching (layer 2) is hosed.

That's why I'm going to just connect directly to the NIC with a patch cable, and take the switch out of the equation.

If it does, then the next question is to why switching works fine on that switch between cameras and the server, and pfSense seems to be the odd man out.

brannenj · Jan 16, 2017, 12:10 AM

And it looks live I've stumbled upon the problem, just trying enable DHCP.

For some reason, the interface address was set to 10.10.10.100**/32**. I only realized that when I went to enable DHCP, and the available range was as the attached picture. No idea why it was set this way. Changing the IP address to 10.10.10.100/24 allowed the DHCP range to open up, and now I can ping the interface.

![IP address.JPG](/public/imported_attachments/1/IP address.JPG)
![IP address.JPG_thumb](/public/imported_attachments/1/IP address.JPG_thumb)

Derelict · Jan 16, 2017, 12:20 AM

That'll do it. good deal.

brannenj · Jan 16, 2017, 9:53 PM

I figured it was probably something stupid…fat fingering the mask was a sure way to get there.

Thanks for all of your help!