Netgate Discussion Forum

    Can't ping one device unless on same subnet…

    General pfSense Questions
    25 Posts 4 Posters 2.4k Views
    burnsl

      WHAT in the WORLD is going ON here?!!!

      PFsense 2.3.x

      2 networks:

      192.168.1.0
      192.168.2.0

      Firewall rules allow any 192.168.x.x device to ping any other on any other 192.168.x.x net.
      (Allow from * to *)

      PC on .1
      PC on .2
      Access Point (AP) on .2

      .1 PC cannot ping AP on .2
      .1 PC can ping PC on .2 (or any other device on .2 EXCEPT the AP)

      .2 PC can ping access point on .2
      .2 PC can ping PC on .1 (or any other device on .1)

      See image for visual.

      [Image: Drawing1.png]

        Derelict LAYER 8 Netgate

        Is there a default gateway setting in the AP that sends all not-local-subnet traffic to the firewall for routing?

        My guess is you are trying to repurpose a consumer router as an AP and it doesn't have the concept of a default gateway on the inside interface.

        Can you ping 192.168.2.2 from pfSense (Diagnostics > Ping)

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          burnsl

          @Derelict:

          Is there a default gateway setting in the AP that sends all not-local-subnet traffic to the firewall for routing?

          Yes.

          That is configured right, gateway is set to 192.168.2.1

          @Derelict:

          My guess is you are trying to repurpose a consumer router as an AP and it doesn't have the concept of a default gateway on the inside interface.

          Oh GOD no!

          This is a dedicated Netgear AP (WNDAP360) - from their enterprise line

          @Derelict:

          Can you ping 192.168.2.2 from pfSense (Diagnostics > Ping)

          Yes.

          …When pinging from the .2 interface.

          HOWEVER…

          When pinging from the .1 interface - NO
          In fact, pinging anything in 192.168.2.2 from the .1 interface ALSO does not work

            Derelict LAYER 8 Netgate

            Maybe something on the AP that is blocking admin traffic from remote subnets?


              burnsl

              @Derelict:

              Maybe something on the AP that is blocking admin traffic from remote subnets?

              The AP was able to be pinged a year ago and I could always get to the admin login page at its address, but now I get nothing from that address.

              Scanning that address space from .1 I see everything and all ports that are open on devices except the address of the AP.

                Derelict LAYER 8 Netgate

                Pretty much not going to be something on the firewall but something on the AP.

                Packet capture on the 192.168.2.X interface filtering on the AP IP address.

                Ping it from something that it doesn't respond to.

                Stop the capture and post the results here.

                But all that will prove is the above is true. Not the firewall.


                  Gertjan

                  Btw, I have exactly your setup: all my company stuff on LAN, and a guest Wifi on OPT1: 192.168.2.0/24
                  I'm very able to PING any of my 4 APs (on OPT1: 192.168.2.2 192.168.2.3 192.168.2.4 etc) from a device (PC) on LAN (example: a PC 192.168.1.3).

                  Just one question: you didn't hook up your AP using its "WAN" port, did you?

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                    johnpoz LAYER 8 Global Moderator

                    An AP wouldn't have a "wan" port - because an AP doesn't route.. So there would not be any distinction between a wan and a lan..

                    The AP In question
                    https://www.netgear.com/business/products/wireless/business-wireless/wndap360.aspx#tab-techspecs

                    Only has 1 network interface - while it does have a rj45 console port.. It wouldn't work at all for clients if his network was plugged into this port.

                    From a quick look at the manual - I don't see any sort of security where you could enable/block remote access from different networks.  The symptoms point to the gateway of the AP being wrong..  Or maybe some possible VLAN misconfig: is this 192.168.2 network a VLAN, or is it just a normal untagged network?

                    What are your rules on your 192.168.1.0/24 interface in pfsense?  Can you please post them up (screenshot is best)

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      burnsl

                      @Gertjan:

                      Btw, I have exactly your setup: all my company stuff on LAN, and a guest Wifi on OPT1: 192.168.2.0/24
                      I'm very able to PING any of my 4 APs (on OPT1: 192.168.2.2 192.168.2.3 192.168.2.4 etc) from a device (PC) on LAN (example: a PC 192.168.1.3).

                      Just one question: you didn't hook up your AP using its "WAN" port, did you?

                      NOPE

                        burnsl

                        @johnpoz:

                        An AP wouldn't have a "wan" port - because an AP doesn't route.. So there would not be any distinction between a wan and a lan..

                        The AP In question
                        https://www.netgear.com/business/products/wireless/business-wireless/wndap360.aspx#tab-techspecs

                        Only has 1 network interface - while it does have a rj45 console port.. It wouldn't work at all for clients if his network was plugged into this port.

                        From a quick look at the manual - I don't see any sort of security where you could enable/block remote access from different networks.  The symptoms point to the gateway of the AP being wrong..  Or maybe some possible VLAN misconfig: is this 192.168.2 network a VLAN, or is it just a normal untagged network?

                        What are your rules on your 192.168.1.0/24 interface in pfsense?  Can you please post them up (screenshot is best)

                        No VLAN is in use.

                        AP gateway is 192.168.2.1 (as it should be - as is the gateway for all other .2 devices that are pingable)

                        [Images: u1.png, u2.png]

                          Derelict LAYER 8 Netgate

                          Look.

                          You can blame pfSense and disregard our advice all day long but it is not going to solve your problem.

                          Like I said, pcap it and post that here.

                          If pfSense is sending ICMP to 192.168.2.2 on the correct MAC address and receiving nothing in reply, there is nothing more for it to do and no setting there will fix that.

                          And you should seriously consider upgrading to something current.


                            johnpoz LAYER 8 Global Moderator

                            Yes I would agree with Derelict here: do a simple capture on pfsense to see if the pings are being sent to your AP and to the correct mac of the AP.  As he says, if you're not getting a reply that would have nothing to do with pfsense.

                            From looking at the manual of the AP, it seems it can do packet captures as well - if so you can validate whether it is seeing the ping or not..

                            Your first 2 LAN rules on the 192.168.1 interface seem pointless.  How would the 192.168.2 network ever be a source into the lan interface?  And what exactly is the 2nd rule supposed to do, since it is an allow and then right under that you have an allow any any rule.  So that would be of no use - unless you wanted to log this traffic, which you don't seem to have marked on the rule.

                            Also yeah what version of pfsense are you running - that gui for sure is not current version.


                              burnsl

                              @johnpoz:

                              Also yeah what version of pfsense are you running - that gui for sure is not current version.

                              Agreed we have fallen back to the previous version in our lab to test this as we cannot keep poking at production.

                              I assure you the behavior and configuration is identical though.

                                burnsl

                                Also, don't overlook that one point I made earlier about the diagnostic ping…

                                Quote from: Derelict on Today at 01:31:12 am

                                Can you ping 192.168.2.2 from pfSense (Diagnostics > Ping)

                                Yes.

                                ...When pinging from the .2 interface.

                                HOWEVER...

                                When pinging from the .1 interface - NO
                                In fact, pinging anything in 192.168.2.2 from the .1 interface ALSO does not work

                                  Derelict LAYER 8 Netgate

                                  Please stop abbreviating. Use full IP addresses and netmasks.

                                  So, pcap for ICMP to 192.168.2.2 on the 192.168.2.0/24 interface while pinging from 192.168.1.1.

                                  Post that.

                                  This is dead-simple stuff. It all works.

                                  Do you have a gateway set on the pfSense interface for 192.168.2.0/24? If you do, remove it.


                                    johnpoz LAYER 8 Global Moderator
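                                    Derelict's procedure in the two posts above (capture on the 192.168.2.0/24 interface filtered on the AP address while pinging from the 192.168.1.0/24 side, then check whether the echo requests go out on the wire to the AP's MAC and whether anything comes back) is the whole decision tree, so here it is as a script. This is an added example, not anything posted in the thread: it reads tcpdump-style text of the kind `tcpdump -e -n -r capture.pcap host 192.168.2.2` prints for a saved pfSense capture, and returns a verdict. The sample capture lines, both MAC addresses and the 192.168.1.50 client address are constructed; only 192.168.2.1 and 192.168.2.2 come from the thread.

```python
"""Triage a one-way ping from a pfSense packet capture (added example).

Parses tcpdump -e -n text from a capture taken on the target's segment while the
target is pinged from another subnet, and decides whether the firewall put the echo
requests on the wire with the right destination MAC and whether anything came back.
"""
import re
from collections import Counter

# tcpdump -e -n line for ICMP, e.g.
# 10:31:02.104512 00:0d:b9:4a:11:22 > 6c:b0:ce:12:34:56, ethertype IPv4 (0x0800), length 98:
#   192.168.1.50 > 192.168.2.2: ICMP echo request, id 2201, seq 1, length 64
_ICMP = re.compile(
    r"^\S+\s+(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4.*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+) > (?P<dip>\d+\.\d+\.\d+\.\d+): ICMP echo (?P<kind>request|reply)",
    re.IGNORECASE,
)
# ARP reply from the target; tcpdump omits the leading "ARP, " when -e is given, so match the tail only.
_ARP_REPLY = re.compile(r"Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})", re.IGNORECASE)


def triage(lines, target_ip):
    """Return a dict with a verdict code, request/reply counts, destination MACs and the ARP-learned MAC."""
    requests = Counter()  # destination MAC -> number of echo requests addressed to target_ip
    replies = 0
    arp_mac = None        # MAC the target itself announced in an ARP reply
    for line in lines:
        m = _ARP_REPLY.search(line)
        if m and m.group("ip") == target_ip:
            arp_mac = m.group("mac").lower()
            continue
        m = _ICMP.match(line)
        if not m:
            continue
        kind = m.group("kind").lower()
        if kind == "request" and m.group("dip") == target_ip:
            requests[m.group("dmac").lower()] += 1
        elif kind == "reply" and m.group("sip") == target_ip:
            replies += 1

    sent = sum(requests.values())
    if sent == 0:
        code, why = "NOT_FORWARDED", ("no echo request to the target left this interface: check the rules on the "
                                     "ingress interface and routing (no gateway set on LAN-side interfaces)")
    elif replies:
        code, why = "TARGET_ANSWERS", "requests and replies both seen: pfSense forwards fine, look at the return path or the client"
    elif arp_mac and any(mac != arp_mac for mac in requests):
        code, why = "STALE_ARP", "requests went to a MAC other than the one the target announced: stale or wrong ARP entry"
    else:
        code, why = "TARGET_SILENT", ("requests reached the wire with the target's MAC and nothing came back: "
                                     "the target (or an ACL/gateway setting on it) drops them, not the firewall")
    return {"code": code, "requests": sent, "replies": replies, "dst_macs": dict(requests), "arp_mac": arp_mac, "why": why}


# Constructed sample captures. MACs and the 192.168.1.50 client are made up for the example.
PFSENSE_MAC = "00:0d:b9:4a:11:22"
AP_MAC = "6c:b0:ce:12:34:56"
OTHER_MAC = "00:11:22:33:44:55"

def _req(seq, dmac):
    return (f"10:31:0{seq}.104512 {PFSENSE_MAC} > {dmac}, ethertype IPv4 (0x0800), length 98: "
            f"192.168.1.50 > 192.168.2.2: ICMP echo request, id 2201, seq {seq}, length 64")

ARP_EXCHANGE = [
    f"10:31:02.100001 {PFSENSE_MAC} > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.2.2 tell 192.168.2.1, length 28",
    f"10:31:02.100412 {AP_MAC} > {PFSENSE_MAC}, ethertype ARP (0x0806), length 60: Reply 192.168.2.2 is-at {AP_MAC}, length 46",
]
CAPTURE_SILENT_AP = ARP_EXCHANGE + [_req(1, AP_MAC), _req(2, AP_MAC), _req(3, AP_MAC)]
CAPTURE_WORKING = ARP_EXCHANGE + [_req(1, AP_MAC),
    f"10:31:02.105001 {AP_MAC} > {PFSENSE_MAC}, ethertype IPv4 (0x0800), length 98: 192.168.2.2 > 192.168.1.50: ICMP echo reply, id 2201, seq 1, length 64"]
CAPTURE_STALE_ARP = ARP_EXCHANGE + [_req(1, OTHER_MAC), _req(2, OTHER_MAC)]
CAPTURE_NOTHING_SENT = [  # only unrelated traffic on the segment
    f"10:31:02.200000 {AP_MAC} > {PFSENSE_MAC}, ethertype IPv4 (0x0800), length 60: 192.168.2.2.53212 > 192.168.2.1.53: 41234+ A? pool.ntp.org. (30)",
]

if __name__ == "__main__":
    for name, cap in [("silent AP", CAPTURE_SILENT_AP), ("working", CAPTURE_WORKING),
                      ("stale ARP", CAPTURE_STALE_ARP), ("nothing sent", CAPTURE_NOTHING_SENT)]:
        r = triage(cap, "192.168.2.2")
        print(f"{name:13s} {r['code']:15s} sent={r['requests']} replies={r['replies']}  {r['why']}")
```

                                    The capture that matters for the thread is the "silent AP" shape: requests leave the 192.168.2.0/24 interface addressed to the MAC the AP itself announced in ARP, and nothing comes back, which is exactly the case where no pfSense setting can change the outcome. The same script run over a capture taken on the AP (the manual is said to support captures there) tells you whether the AP even received the requests.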

                                    "Do you have a gateway set on the pfSense interface for 192.168.2.0/24? If you do, remove it."

                                    You should not have gateways set on any lan interface 192.168.1 or 192.168.2

                                    And I agree also: please use full addresses, or at least the last two octets..  When you say .2, what do you mean: the IP address of the AP, or the IP of the pfsense 192.168.2 interface, which is what, 192.168.2.1?


                                      burnsl

                                      @johnpoz:

                                      "Do you have a gateway set on the pfSense interface for 192.168.2.0/24? If you do, remove it."

                                      You should not have gateways set on any lan interface 192.168.1 or 192.168.2

                                      And I agree also: please use full addresses, or at least the last two octets..  When you say .2, what do you mean: the IP address of the AP, or the IP of the pfsense 192.168.2 interface, which is what, 192.168.2.1?

                                      There are no default gateways specified on any of the LAN interfaces.
                                      (We build these units for clients and have used them for years.)

                                      Also, the addresses for all of these devices are clearly outlined earlier in this thread in fact, I have provided a Visio diagram that fully documents it.

                                      So, when I refer to .1 and .2 networks I am referring to the networks we established earlier in this thread.

                                        Derelict LAYER 8 Netgate

                                        Yet you still provide no information.

                                        I think I'm done here.


                                          burnsl

                                          @Derelict:

                                          Yet you still provide no information.

                                          I think I'm done here.

                                          I have provided EXCELLENT information in the FIRST POST, and subsequently every time I have been asked.

                                          It's OBVIOUS from your request that you haven't read this thread.

                                          There is nothing I haven't provided.
                                          However, you are quite rude, and I agree… it's best that you go.

                                            burnsl

                                            @johnpoz:

                                            Yes I would agree with Derelict here: do a simple capture on pfsense to see if the pings are being sent to your AP and to the correct mac of the AP.  As he says, if you're not getting a reply that would have nothing to do with pfsense.

                                            From looking at the manual of the AP, it seems it can do packet captures as well - if so you can validate whether it is seeing the ping or not..

                                            I'm working on getting the packet captures.

                                            @johnpoz:

                                            Your first 2 LAN rules on the 192.168.1 interface seem pointless.  How would the 192.168.2 network ever be a source into the lan interface?

                                            We have those two rules to allow iPads to watch training videos from a video server.

                                            The second is for IP cameras on the .2 interface that have to reach a surveillance server on the .1 network.

                                            The last rule is the default LAN allow rule that allows access from .1 to any of the other networks on the box including the Internet.

                                            @johnpoz:

                                            And what exactly is the 2nd rule supposed to do, since it is an allow and then right under that you have an allow any any rule.  So that would be of no use - unless you wanted to log this traffic, which you don't seem to have marked on the rule.

                                            Okay, with regard to the order of the allow any rule, I would assume that the rules are ordered that way because the rule logic goes "top down", yes?

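                                            The rule-ordering question just above, and johnpoz's earlier point that the first two LAN rules can never match, both come down to how pfSense evaluates an interface's rule tab: the rules apply to traffic entering that interface, top-down, first match wins, with an implicit block after the last rule. The following is an added example, not the poster's actual ruleset: it reconstructs the three LAN rules as described in the thread (the video server and surveillance server addresses, 192.168.1.20 and 192.168.1.30, are assumptions, since the screenshots are not on the page) and lints them the way a reviewer would, flagging a rule whose source can never arrive on that interface and a pass rule that a broader pass rule below it already covers.

```python
"""Model pfSense interface-tab rule evaluation and lint a LAN ruleset (added example).

pfSense applies the rules on an interface tab to traffic *entering* that interface,
top-down, first match wins, and blocks anything that matched no rule.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    log: bool = False
    descr: str = ""


def evaluate(rules, src_ip, dst_ip):
    """Return (index, action) of the first matching rule, or (None, 'block') for the implicit default deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for i, r in enumerate(rules):
        if s in r.src and d in r.dst:
            return i, r.action
    return None, "block"


def lint(iface_net, rules):
    """Flag rules that can never match on this interface, and rules a later broader rule already covers."""
    net = ip_network(iface_net)
    findings = []
    for i, r in enumerate(rules):
        # Rules are matched on the interface the traffic arrives on. Barring spoofing or a router
        # behind this interface, sources on other subnets never enter here, so the rule is dead.
        if r.src != ANY and not r.src.overlaps(net):
            findings.append((i, f"unreachable: {r.src} is never a source entering the {net} interface"))
        # A specific pass above a broader pass does nothing unless it logs, provided no rule with the
        # opposite action sits between them and overlaps this traffic (removing it would then change behaviour).
        if not r.log:
            for j in range(i + 1, len(rules)):
                later = rules[j]
                if later.action != r.action:
                    if r.src.overlaps(later.src) and r.dst.overlaps(later.dst):
                        break
                    continue
                if r.src.subnet_of(later.src) and r.dst.subnet_of(later.dst):
                    findings.append((i, f"redundant: rule {j} ({later.descr}) with the same action already covers it"))
                    break
    return findings


# Rules as described for the 192.168.1.0/24 (LAN) tab. Server addresses are assumptions.
LAN_RULES = [
    Rule("pass", ip_network("192.168.2.0/24"), ip_network("192.168.1.20/32"), descr="iPads to video server"),
    Rule("pass", ip_network("192.168.2.0/24"), ip_network("192.168.1.30/32"), descr="cameras to surveillance server"),
    Rule("pass", ANY, ANY, descr="default LAN allow"),
]

if __name__ == "__main__":
    for i, msg in lint("192.168.1.0/24", LAN_RULES):
        print(f"rule {i} ({LAN_RULES[i].descr}): {msg}")
    # A LAN PC pinging the AP is passed by the any/any rule, index 2:
    print(evaluate(LAN_RULES, "192.168.1.50", "192.168.2.2"))
```

                                            The two camera/iPad rules belong on the 192.168.2.0/24 interface tab, where that traffic actually enters; on the LAN tab they never see a packet. None of this explains the AP not answering, which is the point the thread keeps returning to: the LAN PC's ping is passed by the any/any rule regardless.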
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.