Netgate Discussion Forum
    Routing between interfaces/VLANs

    Firewalling
    28 Posts 5 Posters 2.5k Views
    • techvic

      @johnpoz said in Routing between interfaces/VLANs:

      And again - are you seeing the same sort of problem from your 150.39 device?

      no, indeed on the Windows VM (192.168.150.39) everything works as it should. So there I can ping 192.168.3.1 and can access other hosts on the 192.168.3.0/24 net.

      So for testing I connected a physical windows machine to the Wifi on 192.168.150.0/24, where I see the same issue as on the Mac yesterday (nothing to see on the packet capture at all). The machine gets a DHCP lease (192.168.150.21) and has access to the internet, but can't reach any host on 192.168.3.0/24.

      Then I connected this machine by cable to the switch to a port with VLAN 3 untagged and PVID 3. There everything works.

      So the culprit must be somewhere around the wireless system (TP-Link EAP managed Wifi). How is it possible that accessing the Internet works normally but anything to another net is not passing the Wifi system? Here's a packet capture of opening google.com on the client through Wifi:

      17:31:54.819122 IP 143.204.101.25.443 > 192.168.150.21.52711: tcp 411
      17:31:54.824123 IP 188.172.219.132.5938 > 192.168.150.21.52647: tcp 24
      17:31:54.853304 IP 192.168.150.21.52712 > 143.204.101.114.443: tcp 0
      17:31:54.854656 IP 192.168.150.21.56643 > 192.168.150.1.53: UDP, length 46
      17:31:54.854834 IP 192.168.150.1.53 > 192.168.150.21.56643: UDP, length 110
      17:31:54.861782 IP 192.168.150.21.57307 > 192.168.150.1.53: UDP, length 46
      17:31:54.876373 IP 143.204.101.114.443 > 192.168.150.21.52712: tcp 0
      17:31:54.879854 IP 192.168.150.21.52712 > 143.204.101.114.443: tcp 0
      17:31:54.879907 IP 192.168.150.1.53 > 192.168.150.21.57307: UDP, length 127
      

      Sure I'm aware this is nothing related to pfSense anymore, but any ideas would be appreciated.

      • johnpoz (LAYER 8 Global Moderator)

        @techvic said in Routing between interfaces/VLANs:

        that accessing Internet works normal but anything to another net is not passing the Wifi system? here's a packet capture of opening google.com on the client thru Wifi:

        Because!! 143.204.25.443 is NOT on a 192.168/16 network - so it would actually send this traffic to the gateway..

        When you say wireless.. You sure the client is actually getting its lease from pfSense? And not your wireless doing NAT with 192.168.150 on both sides?

        So sniff on pfSense and ping the pfSense IP 192.168.150.1 from this client. Do you see this traffic in your packet capture? In the sniff check the MAC address, validate it's your actual client's MAC address, and not the MAC address of your wireless device.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • techvic
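As an added example (not from this thread, and not a Netgate or TP-Link tool): the two checks johnpoz asks for can be made mechanical by parsing the output of `tcpdump -e -n icmp` run on the pfSense GASTLAN interface while the client pings 192.168.150.1. The script looks for echo requests to the gateway, reports whether none arrive (what client isolation produces), whether they carry a source MAC other than the client's (the AP proxying or bridging oddly), or whether the source IP itself has been rewritten (the AP doing NAT). The sample captures and all MAC addresses, and the AP address 192.168.150.2, are constructed for the example.

```python
import re

# tcpdump -e -n prints link-level headers, e.g. (format from tcpdump's output):
#   <time> <src_mac> > <dst_mac>, ethertype IPv4 (0x0800), length N: <src_ip> > <dst_ip>: ICMP echo request, id I, seq S, length L
FRAME_RE = re.compile(
    r"^\S+\s+(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+>\s+(?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),"
    r".*?:\s+(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\s+>\s+(?P<dip>\d{1,3}(?:\.\d{1,3}){3}):"
    r"\s+ICMP\s+(?P<kind>echo request|echo reply)",
    re.IGNORECASE,
)


def parse_echo_frames(capture: str) -> list[dict]:
    """Return every ICMP echo frame of a `tcpdump -e -n` capture as a dict (lower-cased fields)."""
    frames = []
    for line in capture.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append({k: v.lower() for k, v in m.groupdict().items()})
    return frames


def diagnose(capture: str, client_ip: str, client_mac: str, gateway_ip: str) -> str:
    """Classify what pfSense sees while the client pings the gateway.

    'no-echo-seen'            nothing reaches pfSense: AP-side filtering such as client isolation
    'client-direct'           echo requests arrive with the client's own IP and MAC
    'mac-mismatch:<macs>'     client IP arrives, but another device's MAC is the source
    'translated-source:<..>'  requests arrive from a different IP: the AP rewrote the source (NAT)
    """
    echoes = [f for f in parse_echo_frames(capture)
              if f["kind"] == "echo request" and f["dip"] == gateway_ip]
    if not echoes:
        return "no-echo-seen"
    from_client = [f for f in echoes if f["sip"] == client_ip]
    if from_client:
        foreign = sorted({f["smac"] for f in from_client if f["smac"] != client_mac.lower()})
        return "mac-mismatch:" + ",".join(foreign) if foreign else "client-direct"
    # Echo requests to the gateway, but none from the client's address: something in
    # between rewrote the source, which is the NAT case johnpoz suspects.
    return "translated-source:" + ",".join(sorted({f"{f['sip']}/{f['smac']}" for f in echoes}))


# Constructed sample data; the MAC addresses and the AP IP are assumptions for the example.
CLIENT_MAC = "a4:5e:60:11:22:33"   # assumed MAC of the Wi-Fi client 192.168.150.21
PFSENSE_MAC = "00:08:a2:aa:bb:cc"  # assumed MAC of pfSense on the GASTLAN interface
AP_MAC = "b0:be:76:dd:ee:ff"       # assumed MAC of the TP-Link EAP
VM_MAC = "52:54:00:12:34:56"       # assumed MAC of the Windows VM 192.168.150.39

CAPTURE_DIRECT = f"""\
17:40:01.100000 {CLIENT_MAC} > {PFSENSE_MAC}, ethertype IPv4 (0x0800), length 98: 192.168.150.21 > 192.168.150.1: ICMP echo request, id 4711, seq 1, length 64
17:40:01.100200 {PFSENSE_MAC} > {CLIENT_MAC}, ethertype IPv4 (0x0800), length 98: 192.168.150.1 > 192.168.150.21: ICMP echo reply, id 4711, seq 1, length 64
"""

CAPTURE_PROXIED = f"""\
17:41:01.100000 {AP_MAC} > {PFSENSE_MAC}, ethertype IPv4 (0x0800), length 98: 192.168.150.21 > 192.168.150.1: ICMP echo request, id 4712, seq 1, length 64
"""

CAPTURE_NATED = f"""\
17:42:01.100000 {AP_MAC} > {PFSENSE_MAC}, ethertype IPv4 (0x0800), length 98: 192.168.150.2 > 192.168.150.1: ICMP echo request, id 4713, seq 1, length 64
"""

# Client isolation on: only the VM's ping to the other VLAN shows up, nothing from .21 at all.
CAPTURE_ISOLATED = f"""\
17:43:01.100000 {VM_MAC} > {PFSENSE_MAC}, ethertype IPv4 (0x0800), length 98: 192.168.150.39 > 192.168.3.1: ICMP echo request, id 4714, seq 1, length 64
"""

if __name__ == "__main__":
    for name, cap in [("direct", CAPTURE_DIRECT), ("proxied", CAPTURE_PROXIED),
                      ("nated", CAPTURE_NATED), ("isolated", CAPTURE_ISOLATED)]:
        print(f"{name:9s} -> {diagnose(cap, '192.168.150.21', CLIENT_MAC, '192.168.150.1')}")
```

On the firewall itself the capture would be taken with something like `tcpdump -n -e -i <GASTLAN interface> icmp and host 192.168.150.21` (the interface name is whatever the GASTLAN VLAN is assigned to); the same frames can also be read from the GUI packet capture with the link-layer option enabled. With client isolation active, as it turned out to be in this thread, the script reports `no-echo-seen`, which is exactly the "nothing to see on the packet capture at all" symptom from the earlier post.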

          I found the culprit: because this GASTLAN is a net for guests, "client isolation" was enabled in the Wifi settings. Due to that, it blocked any traffic not bound for the Internet. I wasn't even able to ping the gateway 192.168.150.1.

          Thank you very much for your patience and for not giving up on finding the solution till the end. That's very rare nowadays.

          • johnpoz (LAYER 8 Global Moderator)

            But WTF was arping 3.1??? That makes no sense at all.

            Not sure how you're doing your wifi - but why would it be set to a guest, when it's a specific vlan already.. Which you control at pfsense..


            • techvic

              @johnpoz said in Routing between interfaces/VLANs:

              Not sure how you're doing your wifi - but why would it be set to a guest, when it's a specific vlan already.. Which you control at pfsense..

              That's why I disabled that feature now > not needed.

              @johnpoz said in Routing between interfaces/VLANs:

              But WTF was arping 3.1??? That makes no sense at all.

              It's TP-Link, China quality, wouldn't surprise me if it's just a bug (wouldn't be the first one). Or is it a hidden spy feature? 👀

              • johnpoz (LAYER 8 Global Moderator)

                What IP is on the tplink device - maybe its mask is wrong?

                • JeGr (LAYER 8 Moderator) @johnpoz

                  @johnpoz said in Routing between interfaces/VLANs:

                  What IP is on the tplink device - maybe its mask is wrong?

                  Or the VLAN isolation isn't thorough and is leaking through. I seem to remember something like that from the smallest TP-Link switches a few years ago...

                  Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                  If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                  • JKnott @JeGr

                    @JeGr said in Routing between interfaces/VLANs:

                    Or the VLAN isolation isn't thorough and is leaking through. I seem to remember something like that from the smallest TP-Link switches a few years ago...

                    And also TP-Link access points. I have one here and can't configure a 2nd SSID because of leaks between VLAN and native.

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.