Having LAN issues related to a new switch



  • Hi again,
    Today I believe I have lost my mind. Something so simple my pet poodle could probably figure it out is beyond me today.

    I have a little 6 port switch. DGS-1005G
    I have 2 PCs connected to the switch via Cat5 cables
    I have the LAN interface of the Pfsense box connected to the switch via a Cat5 cable

    All IPs are static (manually set) to the same network/mask.
    Let's say the IP address of the LAN Interface is 192.168.0.2
    Let's say IP address of PC 1 is 192.168.0.3
    Let's say IP address of PC 2 is 192.168.0.4
    Let's say the subnet is 255.255.255.0

    Not only can I not communicate between these PCs
    I cannot even get pfsense to show any ATTEMPTS to connect from either PC to the other in the logs.

    I CAN however connect to the Internet from either PC

    So, lemme have it...cause I know I've totally fallen off the ship but I'm blank.
    I should not drive today.....I might not remember that those red lights mean "Stop".
    Did I totally forget how a Switch works?
    Did I forget the Golden Rule of Networking?



  • I'm betting your PC firewalls are blocking things. Are your interfaces labeled public or private on their firewalls?



  • @chpalmer

    will check both. thx



  • Inter-LAN traffic does not hit the firewall at all, so this is not a pfSense issue. As chpalmer said, it could be client firewalls.



  • @KOM

    But LAN-Interface to any LAN Device & vice versa does. At least in MY setup it does.
    So I should still see it between LAN Interface and device even if not LAN Device to LAN Device.



  • I don't understand what you mean. All clients on the same network talk directly to each other. They only need to talk to pfSense if the traffic needs to be routed to a different network. Since your two clients are on the same LAN, they talk directly to each other via the switch. Their traffic is never even seen by the pfSense LAN interface at all.



  • @KOM

    Taken directly from the logs a few seconds ago.....

    May 14 19:03:01 LAN LAN allow (1557864558) 192.168.0.103:53837 192.168.0.2:3406 TCP:S

    As I said, traffic from LAN-Interface to any LAN-Device and vice-versa IS logged.
    So, I should at least see the PC going to the Interface.....but for these connections I do not.
    That's what's got me puzzled.

    So let's say I try to connect to 192.168.0.2 from 192.168.0.3.
    I should see a log entry going at least to 192.168.0.2



  • That means that the client was trying to open a connection (SYN) to pfSense LAN, for whatever reason. That doesn't show it using pfSense to talk to the other client.

    Look, this is basic networking. You asked for help. Why are you now arguing?

    What are these clients? Windows? Linux? Mac?...



  • @HansSolo said in Having LAN issues related to a new switch:

    So let's say I try to connect to 192.168.0.2 from 192.168.0.3.
    I should see a log entry going at least to 192.168.0.2

    No, you should not. Or at least not unless you've got a port-forward in place that NATs some external IP back into your LAN to the other client.



  • @KOM

    arguing?
    My my. Am I coming across that way? Sry. Your help is appreciated.

    I guess what's going on here is that the WG Fireboxes I came from ALWAYS logged this traffic.
    I'm used to seeing it.
    I guess it's just something else I have to adjust to.
    Annnnnd maybe I just realized why it might have......hmmmm

    But you're right....how can it log traffic that isn't going through it?



  • All I am saying is believe me when I tell you that inter-LAN comms go direct without hitting pfSense. Trust me. Now about those clients?



  • @KOM

    Windows



  • Windows firewall will automatically block traffic from a different subnet, but it should allow local traffic. As a test, disable the firewall on both clients and try your ping test again.

    Perhaps your Wireguard was running its LAN interface in promiscuous mode and sucking up every packet it saw hitting its buffer.



  • @HansSolo said in Having LAN issues related to a new switch:

    So let's say I try to connect to 192.168.0.2 from 192.168.0.3.
    I should see a log entry going at least to 192.168.0.2

    Incorrect. Traffic will not hit the firewall unless the destination is outside of 192.168.0.0/24. If both PCs are in the same subnet, you can disconnect pfSense altogether and the two devices will still communicate because the switch is flooding the frame to all ports in the same broadcast domain and will forward the frame to the correct port once it learns the MAC address from the destination PC.

    If you're having communication issues between two devices in the same subnet, you either have a Windows firewall issue or a configuration issue within the software/protocol that you're trying to communicate with.

    When you say you cannot communicate between PCs... what exactly are you trying to do?



  • @KOM

    Never. I ALWAYS disabled Promiscuous mode.

    But now I'm gonna go back and connect these two to that Firebox just to see.
    I'm not sure HOW it logged that traffic. But it did.



  • Either the traffic was between different subnets, or the NIC was in promiscuous mode, or some other device was in promiscuous mode and relaying what it saw to the WG box. It has to be something special because tcp/ip works the same way everywhere. Local IPv4 clients find each other via ARP and talk direct.



  • @marvosa

    Hello,

    Just trying to get two PCs on a local network share.



  • Can you ping from one to the other? Have you disabled both firewalls and tried to ping?

    I have to leave for a little bit. BBL.


  • LAYER 8 Global Moderator

    @HansSolo said in Having LAN issues related to a new switch:

    Just trying to get two PCs on a local network share.

    As stated already this has ZERO to do with pfsense - ZERO... Other than it being your dhcp server I assume, when it comes to device A talking to B that are both on the same network... The router/gateway (pfsense) has ZERO to do with that conversation - zero!!



  • IF = Then.

    If destination address lies within your subnet Then client one goes direct to client two.

    If destination address lies outside your subnet Then the client traffic is directed at the gateway address. If and only then.



  • @HansSolo said in Having LAN issues related to a new switch:

    Not only can I not communicate between these PC's

    That has nothing to do with pfSense. Communication between devices on a local LAN does not pass through it.



  • @HansSolo
    You typed in your original post that all IP addresses are set static. You should go and check all hosts to make sure you typed all the IP addresses in the same subnet and mask. Why don’t you let pfsense DHCP all your network addresses? Then, if you put the hosts on the same physical network, they can all talk to each other, if setup properly.

    Jeff
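    The two points above (a host sends on-link traffic direct after ARPing for the peer, and off-subnet traffic to the gateway; and every host's address and mask should be checked) as an added example. This is not code from the thread or from pfSense; the pfSense/PC1/PC2 addresses are the ones the original post gives, and the mistyped masks and the 203.0.113.10 Internet address are constructed.

```python
from ipaddress import IPv4Address, IPv4Interface


def next_hop(src_ip: str, mask: str, gateway: str, dst_ip: str) -> str:
    """Where a host with src_ip/mask sends a packet for dst_ip.
    'direct' means the host ARPs for the destination's MAC and the frame only
    crosses the switch; otherwise the frame is addressed to the gateway's MAC,
    so pfSense sees (and can log) it."""
    local_net = IPv4Interface(f"{src_ip}/{mask}").network
    return "direct" if IPv4Address(dst_ip) in local_net else gateway


def direct_both_ways(host_a: tuple, host_b: tuple) -> dict:
    """The mask check suggested above: each host is (ip, mask). Both hosts must
    consider the *other* on-link, or one direction goes to the gateway instead
    of being ARPed for (and only that direction shows up in pfSense's log)."""
    a_ip, a_mask = host_a
    b_ip, b_mask = host_b
    return {
        "a_to_b": next_hop(a_ip, a_mask, "gateway", b_ip) == "direct",
        "b_to_a": next_hop(b_ip, b_mask, "gateway", a_ip) == "direct",
    }


# The thread's layout: pfSense LAN .2, PC1 .3, PC2 .4, mask 255.255.255.0.
PFSENSE_LAN = "192.168.0.2"
MASK = "255.255.255.0"
PC1 = "192.168.0.3"
PC2 = "192.168.0.4"

if __name__ == "__main__":
    print("PC1 -> PC2     :", next_hop(PC1, MASK, PFSENSE_LAN, PC2))            # direct
    print("PC1 -> pfSense :", next_hop(PC1, MASK, PFSENSE_LAN, PFSENSE_LAN))    # direct (the SYN in the log)
    print("PC1 -> Internet:", next_hop(PC1, MASK, PFSENSE_LAN, "203.0.113.10")) # 192.168.0.2
    # Constructed typos: a /25 mask on one PC, then a wrong third octet.
    print(direct_both_ways((PC1, MASK), ("192.168.0.200", "255.255.255.128")))  # one way only
    print(direct_both_ways((PC1, MASK), ("192.168.10.4", MASK)))                # neither way
```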



  • @JKnott said in Having LAN issues related to a new switch:

    @HansSolo said in Having LAN issues related to a new switch:

    Not only can I not communicate between these PC's

    That has nothing to do with pfSense. Communication between devices on a local LAN does not pass through it.

    right. Like I said, I think I was losing my mind that evening ;-)
    thx



  • @akuma1x said in Having LAN issues related to a new switch:

    @HansSolo
    You typed in your original post that all IP addresses are set static. You should go and check all hosts to make sure you typed all the IP addresses in the same subnet and mask. Why don’t you let pfsense DHCP all your network addresses? Then, if you put the hosts on the same physical network, they can all talk to each other, if setup properly.

    Jeff

    Jeff,
    Good question.
    LONG ago I set up two totally separate networks, OPT1 and OPT2 for various reasons. I never liked DHCP and never really needed it because my network doesn't have various users or devices coming and going. Everything is static and I like the control that you have with static IPs. That and I have some devices that I need to occasionally access remotely and they need to have static IPs.



  • You can still do that with DHCP and static reserved addresses in pfsense, really easy.

    Jeff


  • LAYER 8 Global Moderator

    Dhcp has zero to do with users coming and going..

    Most of the time a device will always have the same IP even with dhcp, unless there are more devices than leases and you have device on and off all the time.

    Once a device gets an IP via lease - he will continue to renew that IP.. He will even ask for it again when shut off.. The way the dhcpd works is even if that box has been off for really long time - he will still get that IP back because the dhcpd doesn't reuse that lease until he has run out of other IPs and it has expired, etc..

    And you can just always set a reservation for specific device mac address - now that device will always be that IP via dhcp.

    The benefit of dhcp is now you can change all your devices to new IP range if so desired without having to actually touch them.. You could change the dns they point to, or the gateway or their domain they use for search suffix, the ntp server they point to, etc. etc.. All without actually having to go touch the physical device.

    There is like zero reason not to use dhcp on your network.



  • @johnpoz said in Having LAN issues related to a new switch:

    Dhcp has zero to do with users coming and going..

    Most of the time a device will always have the same IP even with dhcp, unless there are more devices than leases and you have device on and off all the time.

    Once a device gets an IP via lease - he will continue to renew that IP.. He will even ask for it again when shut off.. The way the dhcpd works is even if that box has been off for really long time - he will still get that IP back because the dhcpd doesn't reuse that lease until he has run out of other IPs and it has expired, etc..

    And you can just always set a reservation for specific device mac address - now that device will always be that IP via dhcp.

    The benefit of dhcp is now you can change all your devices to new IP range if so desired without having to actually touch them.. You could change the dns they point to, or the gateway or their domain they use for search suffix, the ntp server they point to, etc. etc.. All without actually having to go touch the physical device.

    There is like zero reason not to use dhcp on your network.

    Thanks. So many differing opinions.......
    why-is-dhcp-considered-insecure

    Server Fault - When NOT to use DHCP


  • LAYER 8 Global Moderator

    Just like any service it could be considered an attack vector... But for that to happen they have to be able to get on your network.. Is someone plugging in a device and running a dhcp starvation attack on your network... Ie using up all your dhcp leases so that clients can not get an IP? ;)

    You need to understand the actual conversation at hand about "possible" risks of a service you are running on your network.. But for you to take a blanket stand that service XYZ is insecure.. Without even understanding their conversation and homing in on the words insecure and dhcp is just nonsense..

    None of those such concerns would come into play in some home setup with a 5 port switch like a DGS-1005G..

    You know your car would be more secure (less likely to be stolen) if you drained all its gas when you parked it.. Do you do that?



  • @johnpoz

    @johnpoz said in Having LAN issues related to a new switch:

    None of those such concerns would come into play in some home setup with a 5 port switch like a DGS-1005G..

    Bingo.
    Which is why it's just easier for me to use Static IPs in this situation ;-)

    If I have to go through the trouble to set up reservations, phooey. Just set them Static once and done.

    How about we compare DHCP to the car KEYS? Would you leave those in your car?

    edit: Why would I leave my car keys - they are always in my pocket... Leaving them in the car would be extra work. My point of the gas was that is an over the top step for little reward... Just like not running dhcp on your network..

    You do understand that an attacker that is on your network doesn't need to get an IP from dhcp to find out the IP range of the network... And it's not rocket science to discover the gateway IP or the dns server, etc. just from being physically attached.. If you're worried about such things then you run nac, and the device has to auth before it can do anything on the network, even get a dhcp address.


  • LAYER 8 Global Moderator

    @HansSolo said in Having LAN issues related to a new switch:

    Just set them Static once and done.

    It takes 2 seconds to set up a reservation - way less time for you to setup a static that is for damn sure... Especially on non pc devices.. And as already stated - if you ever want to change "anything" you now have to go touch each device.

    Dude you do what you want - but let's be clear devices on the same network, pfsense has ZERO to do with their conversation.



  • @johnpoz

    Dude you do what you want - but let's be clear devices on the same network, pfsense has ZERO to do with their conversation.

    Got it. thanks
    As for the other points, your opinions are appreciated. It's just that I read opinions from other experts on StackExchange, ServerFault etc whose opinions may be different from yours.

    Don't get upset.


  • LAYER 8 Global Moderator

    I am not upset.. I understand the statements of sure dhcpd is an attack vector.. Not using it to reduce that attack vector comes with its own cost - is that cost worth the removal of that specific attack vector..

    Sorry but NO I am not going to only use static on my network to reduce the possibility of those attacks... Since they have no real possibility in the real world to be used on my network. And to be honest there are other easier ways to mitigate that specific sort of attack anyway - if that was the concern..

    All steps to "secure" something come with a cost, extra effort, loss of functionality or ease of use, etc. etc.. You need to weigh the actual "risk" of some attack vector with the cost of specific method of mitigation of said risk... Sorry but the risk of possible nefarious use of the dhcp protocol is not high enough to warrant not using it.

    If you only have 2 devices on your network and you don't want to use dhcp - sure have fun with that. But I have 40+ devices on my network... And then devices that come and go all the time that are outside my control... What, am I going to show my guest that wants to use my wifi how to setup static IP and dns on their phone?

    You try setting up a static on say a nest protect smoke alarm - it has no interface at all.. So how you going to do that? ;) Setting a static on my printer is running through click menus with arrow buttons and tiny lcd screen... To set numbers you have to click 1,2,3, etc.. Setting it via dhcp takes all of 2 seconds... It gets a lease - I see the lease on pfsense - click the static reservation button.. put in the IP there you go printer when it renews gets the new IP..

    Cost of mitigation of risk vs level of risk always come into play.



  • @johnpoz said in Having LAN issues related to a new switch:

    I am not upset.. I understand the statements of sure dhcpd is an attack vector.. Not using it to reduce that attack vector comes with its own cost - is that cost worth the removal of that specific attack vector..

    Sorry but NO I am not going to only use static on my network to reduce the possibility of those attacks... Since they have no real possibility in the real world to be used on my network. And to be honest there are other easier ways to mitigate that specific sort of attack anyway - if that was the concern..

    All steps to "secure" something come with a cost, extra effort, loss of functionality or ease of use, etc. etc.. You need to weigh the actual "risk" of some attack vector with the cost of specific method of mitigation of said risk... Sorry but the risk of possible nefarious use of the dhcp protocol is not high enough to warrant not using it.

    If you only have 2 devices on your network and you don't want to use dhcp - sure have fun with that. But I have 40+ devices on my network... And then devices that come and go all the time that are outside my control... What, am I going to show my guest that wants to use my wifi how to setup static IP and dns on their phone?

    You try setting up a static on say a nest protect smoke alarm - it has no interface at all.. So how you going to do that? ;) Setting a static on my printer is running through click menus with arrow buttons and tiny lcd screen... To set numbers you have to click 1,2,3, etc.. Setting it via dhcp takes all of 2 seconds... It gets a lease - I see the lease on pfsense - click the static reservation button.. put in the IP there you go printer when it renews gets the new IP..

    Mitigation of risk vs level of risk always come into play.

    I use Roost smoke alarms. They're on Wifi and work great. Cost a LOT less too ✌


  • LAYER 8 Global Moderator

    @HansSolo said in Having LAN issues related to a new switch:

    Roost smoke alarms

    Ok sure - great, how do you set those to use a static IP address.. Sure looks more painful than just setting a lease for it ;) if even possible..

    My point was not the make or model of the device, but that some devices do not support static even.. Or no simple easy way to do it.. Also once you put any static devices on your network... To make any sort of simple change to your network - you have to touch each device..

    Again cost of mitigation of risk.. Do you really think the "risk" of using dhcp on your network outweighs the benefits that it brings.. And the reason you don't run it is because of said "risk" ??

    I can change my whole network over to different space with a few clicks in the pfsense web gui.. I can point specific clients to different dns, or even different gateway or hand them ntp server all from simple gui of pfsense without having to touch any devices specific... Nor do the devices even need to be on or connected to the network - next time they do connect they will get the new info, etc..

    You don't run dhcp because you're worried some one is going to connect to your network - and then use that to attack you.. Really?



  • @johnpoz said in Having LAN issues related to a new switch:

    You don't run dhcp because you're worried some one is going to connect to your network - and then use that to attack you.. Really?

    No, that's not really why.

    Cool. I'm learning a lot here. Your posts are very helpful. Keep up the good work Jon 👍

    On the smoke detectors, I don't communicate back to them....they just send the alert over wifi.
    So they don't need static IP's. Just network access outbound.


  • LAYER 8 Global Moderator

    @HansSolo said in Having LAN issues related to a new switch:

    So they don't need static IP's. Just network access outbound.

    So you run dhcp for them..

    So you're at risk of dhcp attacks on this network.. ;) Since it's so insecure..

    I think there is lack of understanding of how dhcp works if you think a clients IP that is dhcp is going to be changing all the time.. Even if you don't set a reservation a client once it gets an IP will almost always keep that same IP..

    So let's say you are using a /24 on your local network the default 192.168.1/24.. Let's say you limit the scope from the full .2 to .254 range to say .100 to .200 so you have 100 addresses to work with in your pool..

    So client A connects and it gets .100, B comes on and gets .101... Let's say your lease is for 24 hours... So every 12 hours clients will ask hey can I renew this address .100 or .101 and the dhcp server will say sure it's yours for another 24 hours..

    Now let's say A gets turned off and 23 hours later C comes on the network - he will get .102, dhcpd is not going to hand out .100 to him because the lease to A is still active..

    Let's say it's 2 weeks later and A has been off this whole time, and now D comes online.. Does dhcpd give out .100?? No because he has plenty of never used IPs left in the pool so D gets .103..

    So until such time that all the IPs have been given out to .200 no previous IPs will be handed out to "new" clients..

    Now let's say dhcp has worked all the way through .200 handing out IPs.. And all the leases are used - now client ZZ connects and wants an IP.. Then sure it will look to its "expired" leases and say hey .100 expired long time ago.. he has not been back.. Here you can use .100

    Now if .100 comes back after that and says hey can I get .100 - no you can not.. Here is another IP in the pool I can give you..

    So even without setting reservations unless you have more clients than your scope, your dhcp clients will always get the IP they had from the first time they connected... Unless of course you clear the old leases out of the dhcpd, and or your client doesn't request his old IP back... But if the dhcpd still has his old expired lease there and even if the client doesn't request his old IP - the dhcpd should give him back his old IP since there is an old lease that had not been reused by some other client/mac.

    You set a reservation in dhcpd for a specific mac - more so to set an IP outside of the scope that you know for a FACT will be that specific client's IP on that network.. And also now allow you to call out different things for that specific client that is different than your normal scopes options.

    Even if you have more clients on your network than you have dhcp space for - they are always coming and going if you set the client to register his IP with your dns you don't have to worry if the clients IP is not static, you can always just query its name.

    Setting static so you can use port forwards or what not - I think comes from people that do not understand how the protocol works or basing their advice on what they see from their ISP public IP where that might change every day when they used to dial up into aol or something.

    Also setting a dhcp reservation removes the possibility of the dhcp server from handing out that IP to any other client that does not have the mac address.. Even if his pool is exhausted he will not hand out that IP to any other client.. So it's the same as setting a static on the device - yet all the flexibility of dhcp.



  • @HansSolo

    I just read that article about DHCP risk. It strikes me as more along the lines of what you'd hear from those anti-vaxxers. Do you understand how DHCP actually works? Since it initially uses broadcasts, the attacker would have to be on the local LAN and, as mentioned in the article, that means you already have a bigger problem without worrying about DHCP. In short, if there's a risk with DHCP, it's because your security has already failed, allowing the attacker in.



  • @johnpoz said in Having LAN issues related to a new switch:

    Setting static so you can use port forwards or what not - I think comes from people that do not understand...

    @johnpoz - Will you please clarify, in your post, setting static where? On the firewall (pfsense), or on the client/host?

    Jeff


  • LAYER 8 Global Moderator

    Setting static anywhere... Unless your ISP is doing something really wonky, even dhcp from your ISP would stay the same.. And even if that doesn't - that is the whole point of dynamic dns.

    My comment was made towards the OP comment that he has need to get to his devices, etc.. so he sets a "static" ip on them.. This is lack of understanding of how dhcp actually works is all.

    Unless you're connecting to some public network like at starbucks or something where there are hundreds or even 1000s of more devices using the network than what the dhcp scope is setup - unless your client actually relinquishes the lease or is offline for extended period.. Typically the client will maintain the same IP they have always gotten..

    In a home setup with a handful of devices and a /24 scope.. It's almost impossible that a dhcp client would get a different IP than the first one it gets when first joining the network.. Unless old leases are removed from the dhcpd, and or dhcp server changes, etc. etc..

    btw for clarity if I say set a static - I mean on the device, if done with dhcp then to me that is a "reservation" - this term static dhcp is an oxymoron...

