Netgate Discussion Forum

    Wireless clients receive dynamic IP from pfSense, but blocked from Internet

      fperloff

      In the setup described below, wired clients receive a dynamic IP address from the pfSense box and can reach the internet. Wireless clients receive a dynamic IP address from the pfSense box, but don't receive ping replies from the internet.

      I looked in the firewall log, but I only saw blocked UDP packets on the WAN interface. Are there other logs I should inspect?

      cable modem --> WAN NIC of pfSense --||-- LAN NIC of pfSense --> switch <-- LAN port of Netgear wireless router (WAN port of wireless router has nothing connected)

      pfSense:

      • old computer with two NICs
      • has active DHCP server

      wireless router:

      • has inactive DHCP server
      • has internal (LAN) address in same subnet as pfSense firewall
        johnpoz LAYER 8 Global Moderator

        You are sure they are getting IP from pfSense?? Can they ping the pfSense IP on the LAN? Do you see them in the pfSense DHCP lease table? Do you see their IP in the ARP table?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          fperloff

          Yes - there is only one DHCP server on the network, and it is the pfSense. I used a couple of tools on an Android client, and confirmed that the client has the pfSense as its Gateway and DNS server on the WiFi interface. The pfSense DHCP leases table shows an active lease for the client's WiFi interface MAC address. I see the client's IP in the ARP table. If I turn off the cellular interface, I can ping the pfSense LAN address.

          Ah - I just discovered that on WiFi, I can ping an Internet IP, but I can't ping the corresponding hostname. Looks like a problem with DNS. Hmm, why would a wireless client not be able to resolve a host on its WiFi interface, while a wired client does just fine? Why would the wireless interface fail to resolve a hostname, while the cellular interface is successful?

          Any ideas?

          Thanks!

            fperloff

            I resolved the problem by adding the IP addresses of my DNS servers to the Services / DHCP Server / LAN page, in the Servers / DNS Servers box.
            Evidently having the exact same DNS Server addresses in System / General Setup was not sufficient.

              Derelict LAYER 8 Netgate

              The General Setup DNS servers are for the firewall to resolve names.

              If you do not have any DNS servers defined in the DHCP server it will serve the interface address if DNS resolver or DNS forwarder are configured.

              If neither are configured it will serve the DNS servers defined in General Setup.

              This is not a guessing game. You should be able to look at the DNS servers that were given to the clients and whether they can or cannot resolve names. If they cannot you would investigate why they cannot.

              Leave blank to use the system default DNS servers: this interface's IP if DNS Forwarder or Resolver is enabled, otherwise the servers configured on the System / General Setup page.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.