No Internet from WIFI connection on Router from 2nd LAN subnet



  • Hi everyone,

    I have 3 physical interfaces on my pfsense box.

    WAN
    LAN = 10.1.10.0/24 , interface ip4v = 10.1.10.1/24
    DEVICES_LAN = 10.1.13.0/24, interface ipv4 = 10.1.13.1/24

    DEVICES_LAN just has an ASUS router with DHCP enabled connected to it (Connected to the non-WAN port on the router). This will just be for connecting cameras, smart devices, game consoles, etc.

    When I connect to the wifi from the router on DEVICES_LAN using my smartphone, it never gets internet. It will get the correct LAN IP in the 10.1.13.0/24 subnet.

    Below are the ASUS router details I configured and firewall/NAT rules. Do you guys see what the issue is? The only thing I can think of is maybe my DNS or default gateway is wrong but I just playing around with it to no success.

    Router LAN IP:

    094b9358-dde2-4004-b7a3-71b549f6624e-image.png

    Router DHCP Server:

    30d68279-e9af-4403-acc9-9bcb9bd7cce0-image.png

    PFSENSE FIREWALL:

    2ae3ed12-ccd6-47fc-8d82-f4c46f52f65e-image.png

    PFSENSE OUTBOUND NAT:

    8272691a-986b-438e-8141-e5a0e2fe3288-image.png

    Thank you for your help and let me know if you need any other information. I'll continue playing around and update if I find the fix.



  • hmm, I changed the DNS server to an eternal one 8.8.8.8 and internet is working! (I'm pretty sure I tried this before and it didn't work but maybe I changed another setting inbetween that time).

    Not sure if that is proper though.. Does this mean it is skipping over my security in the firewall like pfblockerng?



  • Assuming you're using the resolver, my guess is you need to add an ACL to allow queries from the 10.1.13.0/24 subnet. Also, you need to verify that the resolver is listening on the "DEVICES_LAN" interface.

    And yes... using 8.8.8.8 will send your client's queries to google which will bypass any security settings, filtering, DNSBL, etc being leveraged by the resolver.



  • @marvosa Thank you, I will try that. I am indeed using DNS resolver. I believe it is listening to all interfaces/networks right now.

    I'll report back on my results!



  • @marvosa That worked! I added the ACL for 10.1.13.0/24 and then I set the DNS server as 10.1.13.1 (the ip of my Device_LAN interface on pfsense. Thanks marvosa!



  • @marvosa Interesting, actually I don't think I needed the ACL. I deleted it and internet it still working. Maybe I just needed to change the DNS server to 10.1.13.1.


  • Netgate Administrator

    Yeah, I'm not sure why you set it to 10.1.10.1 initially? By default it would use the interface IP, 10.1.13.1 in this case.
    I'm not sure that last time I tested something like that but it expects queries to come from IPs in the same subnet.

    Is there any reason you're not using pfSense as the dhcp server for that subnet?

    Steve



  • @stephenw10 Hey Steve! I'm not sure why I did that either..lol.

    In regards to using pfSense as my DHCP for the subnet - no reason really, I thought i'd just set the ASUS router to be the DHCP server and separate it from my pfSense box. Would you say that is more or less secure? (or better or worse).

    I can change pfSense to my DHCP for that subnet, if you guys think its better/more secure. On my other subnet my windows server is the DHCP server for the 10.1.10.0/24 subnet.

    Thanks!



  • @techgeek055 said in No Internet from WIFI connection on Router from 2nd LAN subnet:

    I can change pfSense to my DHCP for that subnet, if you guys think its better/more secure. On my other subnet my windows server is the DHCP server for the 10.1.10.0/24 subnet.

    Personally, I like to manage all my scopes in one place. So, if you already have Windows Server providing DHCP on another subnet, I would disable DHCP/DNS on your ASUS, create a new scope on your Windows server and then enable DHCP relay on the "DEVICES_LAN" interface and point it at your windows server. This way your Windows Server will provide DHCP for both segments of the network and both scopes will be centrally managed.



  • @marvosa I would love to do that! Althought the last time I tried, I failed. I will give it another try with your pointers. Hopefully it goes well :(



  • @marvosa I added the DHCP relay on my 10.1.13.1 interface and pointed it to my 10.1.10.8 dhcp server, disabled dhcp server option on my asus router but wifi just hangs on "Obtaining IP Address..."

    Are there any other settings you can think of that I may need to configure?



  • A few things I can think of:

    • Verify that the DHCP relay is bound to the correct interface
    • Verify the LAN interface has firewall rules to allow communication to the DEVICES_LAN interface
    • Verify the new scope is active on your Windows Server

    After verifying the above, either reboot or do an ipconfig /release and ipconig /renew on all your clients or they will continue to contact the last DHCP server they previously connected to until 1/2 the lease expires.



  • Confirmed that:

    1. DHCP relay is on my Devices_LAN

    2. LAN Firewall is currently allowing everything
      bc69ba9a-3ca0-4de5-85a5-efe27c58ab4f-image.png

    3. 10.1.13.0 / 24 scope is active on the DHCP on windows server with below settings:
      f8a8ef6a-1dad-4e9e-8a33-f0743bd07fa4-image.png

    Still getting stuck on the "Obtaining IP address" stage" even after rebooting my smartphone.

    Im beginning to think my DHCP server on the windows server is broken some how....I may consider/try re-installing the DHCP role..



  • @techgeek055

    My apologies, one thing I made an assumption that you knew about and forgot to mention is, disabling those services on the ASUS is the manual way of turning your wireless router into an AP. After that, you have to move the patch cord that's currently plugged into the WAN port and move it to one of your LAN ports. ASUS on the other hand, has an AP mode, which disables the previously mentioned services automatically, however, you still have to move the patch cable into one of the LAN ports on the ASUS. Was this done?

    Also, notice that your LAN net/any rule does has no hits. The rules are parsed top-down so all of your traffic is being matched on the 2nd rule and being routed down the VPN, which I'm sure is also contributing to the issue. I would need to see the routing table, but you may need to add a LAN net/DEVICES_LAN rule that routes traffic using the routing table and place it above that 2nd rule. However, we need to make sure that dhcp traffic is making to PFsense first... hence moving the physical connections on the ASUS.



  • No worries, I appreciate your help to the fullest!

    My ASUS router was already plugged into one of the LAN ports. I have now switched the router to AP mode.

    I completely removed and re-installed my dhcp server but that didn't seem to fix anything :D

    I made new LAN rule like this:

    50f1d9f9-cde3-4a8e-9e53-5fd0e25a9b67-image.png



  • @techgeek055 Swap rules 2 and 3.



  • @marvosa My bad.

    I have it like this now but smartphone still stuck trying to obtain in ip address:

    b731f12c-b486-4e62-be33-77f5739e2b1f-image.png

    I noticed by DHCP server has the IP helper service not started. I don't think that is causing this issue by i'll try re-enabling it..

    6d66d435-fcf2-4578-aa26-d2cb31870612-image.png



  • @marvosa doesn't look like starting the IP helper fixed it either :/

    My DHCP server is connected to a switch, and the switch is connected to the 10.1.10.0 LAN interface on pfsense, don't think that makes a difference though..



  • Do you have a laptop you can troubleshoot with? I think we need a little more insight as to what's happening on the client.

    Also, can you post a network map so we have a little more insight as to your network design? Since I haven't heard anything about VLANs, my assumption is you have 3 NIC's in your PFsense box... 1 for WAN, 2 for LAN... and two different switches... one connected to each LAN interface. That's my assumption, but I'd like to get a more accurate picture from you.

    For grins and giggles, disable the windows firewall on your server and try a few clients. If things miraculously start working, you'll have to add some exceptions in the firewall or leave it disabled.



  • @techgeek055 After some research, it looks like what we need to do is go back into DHCP relay, hold ctrl and highlight the LAN interface so both LAN and DEVICES_LAN are highlighted and hit save.



  • @marvosa Sorry for the delay, had to go bed.

    I do have a laptop I can use.

    I can draw a network design shortly! I will post it here as soon as it's done. No VLANs are setup, I was trying to get VLANS up previously but failed (similar issues/ no dhcp ip) so I ditched VLANs for now.

    I disabled the firewall on the dhcp server yesterday to no success :( I didn't try getting an IP from a laptop though, just my smart phone. I can try that today.

    Okay, I will try highlighting both LAN interfaces in DHCP relay!


  • Netgate Administrator

    Been a while since I used dhcp relay but if that traffic is not passed by hidden system rules it will not be passed by the rules you have as the devices are not yet in 'LANnet' and are broadcasting. Check the firewall logs for blocked dhcp traffic when you try to obtain an IP.

    Steve



  • @marvosa I hope this is clear for y'all

    c4f97211-c84b-4792-8fdd-64a8595b34ce-image.png

    I also enabled DHCP relay on both LAN interfaces but no IP from wifi still.



  • @stephenw10 Hi Steve,

    On pfSense DHCP logs, I see "3 bad IP checksums seen in 5 packets"

    Jan 16 06:57:11 dhcrelay Listening on BPF/ix2/a0:36:9f:1a:4c:6c
    Jan 16 06:57:11 dhcrelay Sending on BPF/ix2/a0:36:9f:1a:4c:6c
    Jan 16 06:57:11 dhcrelay Listening on BPF/ix3/a0:36:9f:1a:4c:6e
    Jan 16 06:57:11 dhcrelay Sending on BPF/ix3/a0:36:9f:1a:4c:6e
    Jan 16 06:57:11 dhcrelay Sending on Socket/fallback
    Jan 16 06:58:13 dhcrelay 3 bad IP checksums seen in 5 packets
    Jan 16 06:58:51 dhcrelay 3 bad IP checksums seen in 5 packets
    Jan 16 06:59:30 dhcrelay 3 bad IP checksums seen in 5 packets
    Jan 16 07:00:09 dhcrelay 3 bad IP checksums seen in 5 packets
    Jan 16 07:00:46 dhcrelay 3 bad IP checksums seen in 5 packets
    Jan 16 07:01:24 dhcrelay 3 bad IP checksums seen in 5 packets
    Jan 16 07:27:07 dhcrelay 3 bad IP checksums seen in 5 packets

    I also tried connecting a laptop directly to the asus router and dhcp logs give same message as above.

    Not sure what that means! I'll try googling it.


  • Netgate Administrator

    Try disabling 'Hardware Checksum Offloading' in System > Advanced > Networking. You may need to reboot to apply that change.

    Nothing showing as blocked in the firewall log though?

    Steve



  • @stephenw10 Okay, i'll try that right now!

    Sorry, in my firewall logs I see:

    8a8c736c-3a52-4efb-a0ae-486f83d5a8c7-image.png


  • Netgate Administrator

    You might have to filter that for only udp destination port 67 on the devices LAN. That only shows 12s of logs so you could easily miss connection attempts otherwise.

    Steve



  • @stephenw10 I disabled "Hardware Checksum Offloading" and DHCP logs are no longer getting the "3 bad IP checksums seen in 5 packets" error. But no IP from DHCP still.



  • @stephenw10 I'm getting "No logs to display" or did I do the filter wrong? Not sure if/what I need to put in source and destination IP.

    4ba7457d-7cd1-4ca1-a52f-2992a9e6227b-image.png


  • Netgate Administrator

    That looks correct, you should see blocked dhcp traffic there if was being blocked.

    Check for port 67 states when the client is trying to connect in the state table. In Diag > States filter by :67, you will have to refresh that to see them.

    Steve



  • Okay!

    Please see below for Diag > States filtered by :67

    36bd3b27-b4a4-4fc3-b831-4a6cc27285f9-image.png

    10.1.10.8 is my DHCP server


  • Netgate Administrator

    Hmm, yet no state on DEVICES_LAN.... the client was definitely trying to connect at that point?



  • @stephenw10 Yeet! Sorry, I mis-understood.

    Nothing was trying to connect at that moment I did the filter.

    I re-did it when my phone was trying to connect to wifi:

    155616e0-6f2a-43d2-988f-59b3cdec7413-image.png



  • @stephenw10 Here is one of my laptop, directly connected to the asus router with ethernet:

    c2972635-cf7a-4202-be3c-c73d1ba976ba-image.png


  • Netgate Administrator

    Hmm, that looks correct in terms of open states. But nothing going back to the client. Anything logged on the server?

    Might have to pcap on LAN filtered by the server IP to see if the requests are actually going to it.

    Steve



  • :(

    Here is packet capture that I did on pfSense when my phone was trying to connect to wifi:

    bdef9930-e384-400f-9bef-07f2832ae5cb-image.png

    09:29:42.457022 IP (tos 0x0, ttl 64, id 43572, offset 0, flags [none], proto UDP (17), length 328)
    10.1.10.1.67 > 10.1.10.8.67: [udp sum ok] BOOTP/DHCP, Request from fe:3d:88:34:f1:48, length 300, hops 1, xid 0x14fd712, secs 5, Flags [none] (0x0000)
    Gateway-IP 10.1.13.1
    Client-Ethernet-Address fe:3d:88:34:f1:48
    Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: Discover
    Client-ID Option 61, length 7: ether fe:3d:88:34:f1:48
    MSZ Option 57, length 2: 1500
    Vendor-Class Option 60, length 15: "android-dhcp-10"
    Parameter-Request Option 55, length 10:
    Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
    MTU, BR, Lease-Time, RN
    RB, Vendor-Option
    Agent-Information Option 82, length 5:
    Circuit-ID SubOption 1, length 3: ix2
    09:29:47.474145 IP (tos 0x0, ttl 64, id 11403, offset 0, flags [none], proto UDP (17), length 328)
    10.1.10.1.67 > 10.1.10.8.67: [udp sum ok] BOOTP/DHCP, Request from fe:3d:88:34:f1:48, length 300, hops 1, xid 0x14fd712, secs 10, Flags [none] (0x0000)
    Gateway-IP 10.1.13.1
    Client-Ethernet-Address fe:3d:88:34:f1:48
    Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: Discover
    Client-ID Option 61, length 7: ether fe:3d:88:34:f1:48
    MSZ Option 57, length 2: 1500
    Vendor-Class Option 60, length 15: "android-dhcp-10"
    Parameter-Request Option 55, length 10:
    Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
    MTU, BR, Lease-Time, RN
    RB, Vendor-Option
    Agent-Information Option 82, length 5:
    Circuit-ID SubOption 1, length 3: ix2
    09:29:47.635729 IP (tos 0x0, ttl 128, id 5587, offset 0, flags [none], proto UDP (17), length 82)
    10.1.10.8.58751 > 10.1.10.1.53: [udp sum ok] 55300+ [1au] A? eus-oi-ods-b.cloudapp.net. ar: . OPT UDPsize=4000 (54)
    09:29:47.650479 IP (tos 0x0, ttl 64, id 4119, offset 0, flags [none], proto UDP (17), length 98)
    10.1.10.1.53 > 10.1.10.8.58751: [udp sum ok] 55300 q: A? eus-oi-ods-b.cloudapp.net. 1/0/1 eus-oi-ods-b.cloudapp.net. A 40.79.154.85 ar: . OPT UDPsize=4096 (70)
    09:29:55.696010 IP (tos 0x0, ttl 64, id 26722, offset 0, flags [none], proto UDP (17), length 328)
    10.1.10.1.67 > 10.1.10.8.67: [udp sum ok] BOOTP/DHCP, Request from fe:3d:88:34:f1:48, length 300, hops 1, xid 0x14fd712, secs 18, Flags [none] (0x0000)
    Gateway-IP 10.1.13.1
    Client-Ethernet-Address fe:3d:88:34:f1:48
    Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: Discover
    Client-ID Option 61, length 7: ether fe:3d:88:34:f1:48
    MSZ Option 57, length 2: 1500
    Vendor-Class Option 60, length 15: "android-dhcp-10"
    Parameter-Request Option 55, length 10:
    Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
    MTU, BR, Lease-Time, RN
    RB, Vendor-Option
    Agent-Information Option 82, length 5:
    Circuit-ID SubOption 1, length 3: ix2
    09:30:12.750834 IP (tos 0x0, ttl 64, id 41397, offset 0, flags [none], proto UDP (17), length 328)
    10.1.10.1.67 > 10.1.10.8.67: [udp sum ok] BOOTP/DHCP, Request from fe:3d:88:34:f1:48, length 300, hops 1, xid 0x14fd712, secs 35, Flags [none] (0x0000)
    Gateway-IP 10.1.13.1
    Client-Ethernet-Address fe:3d:88:34:f1:48
    Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: Discover
    Client-ID Option 61, length 7: ether fe:3d:88:34:f1:48
    MSZ Option 57, length 2: 1500
    Vendor-Class Option 60, length 15: "android-dhcp-10"
    Parameter-Request Option 55, length 10:
    Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
    MTU, BR, Lease-Time, RN
    RB, Vendor-Option
    Agent-Information Option 82, length 5:
    Circuit-ID SubOption 1, length 3: ix2
    09:30:16.207646 IP (tos 0x0, ttl 64, id 38410, offset 0, flags [none], proto UDP (17), length 328)
    10.1.10.1.67 > 10.1.10.8.67: [udp sum ok] BOOTP/DHCP, Request from fe:3d:88:34:f1:48, length 300, hops 1, xid 0xa26f2a53, Flags [none] (0x0000)
    Gateway-IP 10.1.13.1
    Client-Ethernet-Address fe:3d:88:34:f1:48
    Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: Discover
    Client-ID Option 61, length 7: ether fe:3d:88:34:f1:48
    MSZ Option 57, length 2: 1500
    Vendor-Class Option 60, length 15: "android-dhcp-10"
    Parameter-Request Option 55, length 10:
    Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
    MTU, BR, Lease-Time, RN
    RB, Vendor-Option
    Agent-Information Option 82, length 5:
    Circuit-ID SubOption 1, length 3: ix2
    09:30:21.213556 IP (tos 0x0, ttl 64, id 60954, offset 0, flags [none], proto UDP (17), length 328)
    10.1.10.1.67 > 10.1.10.8.67: [udp sum ok] BOOTP/DHCP, Request from fe:3d:88:34:f1:48, length 300, hops 1, xid 0xa26f2a53, secs 5, Flags [none] (0x0000)
    Gateway-IP 10.1.13.1
    Client-Ethernet-Address fe:3d:88:34:f1:48
    Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: Discover
    Client-ID Option 61, length 7: ether fe:3d:88:34:f1:48
    MSZ Option 57, length 2: 1500
    Vendor-Class Option 60, length 15: "android-dhcp-10"
    Parameter-Request Option 55, length 10:
    Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
    MTU, BR, Lease-Time, RN
    RB, Vendor-Option
    Agent-Information Option 82, length 5:
    Circuit-ID SubOption 1, length 3: ix2
    09:30:25.183289 IP (tos 0x0, ttl 64, id 56349, offset 0, flags [none], proto UDP (17), length 328)
    10.1.10.1.67 > 10.1.10.8.67: [udp sum ok] BOOTP/DHCP, Request from fe:3d:88:34:f1:48, length 300, hops 1, xid 0xa26f2a53, secs 8, Flags [none] (0x0000)
    Gateway-IP 10.1.13.1
    Client-Ethernet-Address fe:3d:88:34:f1:48
    Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: Discover
    Client-ID Option 61, length 7: ether fe:3d:88:34:f1:48
    MSZ Option 57, length 2: 1500
    Vendor-Class Option 60, length 15: "android-dhcp-10"
    Parameter-Request Option 55, length 10:
    Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
    MTU, BR, Lease-Time, RN
    RB, Vendor-Option
    Agent-Information Option 82, length 5:
    Circuit-ID SubOption 1, length 3: ix2
    09:30:32.659175 IP (tos 0x0, ttl 64, id 38685, offset 0, flags [none], proto UDP (17), length 328)
    10.1.10.1.67 > 10.1.10.8.67: [udp sum ok] BOOTP/DHCP, Request from fe:3d:88:34:f1:48, length 300, hops 1, xid 0xa26f2a53, secs 16, Flags [none] (0x0000)
    Gateway-IP 10.1.13.1
    Client-Ethernet-Address fe:3d:88:34:f1:48
    Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: Discover
    Client-ID Option 61, length 7: ether fe:3d:88:34:f1:48
    MSZ Option 57, length 2: 1500
    Vendor-Class Option 60, length 15: "android-dhcp-10"
    Parameter-Request Option 55, length 10:
    Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
    MTU, BR, Lease-Time, RN
    RB, Vendor-Option
    Agent-Information Option 82, length 5:
    Circuit-ID SubOption 1, length 3: ix2


  • Netgate Administrator

    Ok so no replies from the DHCP server back to the client. Either the server is not able to respond or it's refusing to respond.

    Steve



  • @stephenw10 Interesting, not sure what the issue is but I guess i'll have to do some digging..

    Thank you for your help! I will update when/if I find anything.



  • @techgeek055 Wow, I found the issue. I removed my default gateway on the NIC interface on my Windows DHCP server a while back. I did this so that it had no internet connection for security.

    Once I added the default gateway back to point to my pfsense box , I am getting IP from DHCP on my other subnet.

    Do you know what would be the "proper" way of taking the server off the internet while not breaking DHCP for other subnets?


  • Netgate Administrator

    Ah, nice. So it had no route back to 10.1.13.0/24.

    You should be able to just add that as a permanent route on the Windows server rather than adding a default route.
    So add 10.1.13.0/24 via 10.1.10.1.
    It will still have no default route so no way to reach external IPs.

    Or you could just block that traffic in pfSense.

    Steve


Log in to reply