Netgate Discussion Forum

    Added a 3rd LAN, but it can't connect to Internet. Others fine.

    Zaniac

      I built a pfSense machine from an old computer (ASUS H81I-Plus with I5-4690) by adding an Intel 4 port NIC.
      igb0 -> WAN ~~> cable Modem
      igb1 -> LAN ~~> Switch {desktop computers and printer}
      igb2 -> (opt1) WIFI (lan) ~~> POE Switch ~~> Wifi AP {tablets and phones}
      igb3 -> (opt2) not used initially.

      This has worked well for the past year, but I finally decided to add a house MONITORing network for cameras, NVR, and solar tracking. I recently set up the cameras and NVR in a temporary test configuration on the WIFI network first, to get them working. Once working I moved them to the MONITOR network (resetting/rebooting the system).
      igb3 -> (opt2) MONITOR ~~> POE Switch ~~> Cameras and NVR

      Unfortunately, I could not access that network from my computer on the LAN (yes, I have a rule to make sure I could). I could see that IP addresses had been issued (Status -> DHCP Leases). I finally plugged directly into the Switch and was able to see all the equipment. Pinging each address gave me good results except for the pfSense address (no response), and my computer showed NO INTERNET. Going back to the LAN network, I tried pinging the MONITOR network equipment, but got no response. Checking Status -> Interfaces showed all interfaces were UP. I was getting DHCP Leases, so I know that was correct. Services -> DNS Resolver showed "all interfaces" for both inbound and outbound. Firewall -> Rules -> Monitor shows an IPv4+6 Protocol ANY, Source ANY, Port ANY, Destination ANY, Port ANY rule (yes, it is wide open for testing). I compared every other place I could find between my WIFI and MONITOR networks and couldn't find any differences. I swapped Ethernet cables with a known good one, but it made no difference. I swapped the Interface Assignments and ports between WIFI and MONITOR, rebooted, but again it made no difference (WIFI still connected to the Internet and MONITOR did not connect). I even turned off pfBlockerNG and reset the states, but it didn't help.

      I set the ANY rule for MONITOR to Log. The network is sending plenty of requests that are Passed. Checking the traffic graphs shows lots of opt2(in) traffic, but almost no opt2(out) traffic. Clearly, something is stopping it.

      At this point I am out of ideas. I am sure I missed something really simple.
      Any ideas would be appreciated.

      bingo600 @Zaniac

        @zaniac

        You should solve the "can't ping/access the Monitor pfSense interface from a switch in the same VLAN" issue first.

        That issue is prob. causing the rest of the problems.

        Always debug as close to the problem as possible, and then work your way further out.

        Edit:
        If you really have a permit any any any on the Monitor LAN, then something is weird ... 😊

        What do the ARP entries say on the pfSense, and on the PC used for test?

        What switch is it, how is it set up, or is it a "dumb" PoE switch?

        /Bingo

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

        Zaniac @bingo600

          @bingo600
          I am not using any VLANs. Each port on the NIC is set to one network and that is connected to a small Switch to connect to the various items on the given network. (This is just how my network grew.) The switch on the MONITOR network is a UniFi Sw8-150w (all 8 ports are POE), but I am using it just like an unmanaged switch. I can't ping (using pfSense's ping tool) from any network to the equipment on the MONITOR network. However, I can use the Nmap tool with either Any or MONITOR Interface to see all the hosts (equipment) are up. I am using the Windows 10 command prompt to ping when I am directly connected to the Switch on the MONITOR network. Then I can ping the equipment, but not back to the pfSense interface.

          As for being weird, I very much agree. The connection from the equipment to pfSense seems to be fine, but the connection from pfSense to the equipment is very limited (just DHCP and Nmap work). As for the ARP Table, only the pfSense address is listed there, but the DHCP Leases show all the equipment.

          bingo600 @Zaniac

            @zaniac

            Have you checked the cable between the pfSense & the switch?
            DHCP indicates that it should work, but ...

            Do you have another switch you can try, just for debug ...
            Ping from PC towards pfSense ...

            You don't have a wrong netmask like /32 on the IF, do you?

            /Bingo

            If you find my answer useful - Please give the post a 👍 - "thumbs up"

            pfSense+ 23.05.1 (ZFS)

            QOTOM-Q355G4 Quad Lan.
            CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
            LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

            johnpoz (LAYER 8 Global Moderator) @bingo600

              @bingo600 said in Added a 3rd LAN, but it can't connect to Internet. Others fine.:

              You don't have a wrong netmask like /32 on the IF do you ?

              If he did there would be no way dhcp server would be working on pfsense.

              What are the rules on your interface? This wouldn't stop pfsense from pinging. But if pfsense has no arp entry for the ip, then it wouldn't be able to ping.

              If you're saying nmap is working - then there HAS to be an arp entry..

              From your device on this network.. Try and ping pfsense.. Then look in the arp table of that device.. You say Windows 10, so then just do an arp -a from the cmd line.. Do you see the mac for the pfsense monitor interface IP.. Does it match up?

              Do the same thing from pfsense.. Try and ping, look in the arp table.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

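The ARP cross-check johnpoz describes (ping the pfSense interface, then confirm the client's ARP table holds a resolved MAC that matches the pfSense interface) can be automated against the raw `arp -a` / `arp -an` output. This is an added example, not code from the thread or from pfSense; the ARP listings, the 192.168.30.0/24 addresses, the MACs and the interface name igb3 are all constructed.

```python
"""Check whether an ARP table holds a usable entry for a peer IP and whether
that MAC matches the one the peer reports (e.g. pfSense's ifconfig output)."""
import re

# Constructed sample: `arp -a` as printed by a Windows 10 PC on the MONITOR network.
WINDOWS_ARP = """\
Interface: 192.168.30.50 --- 0x9
  Internet Address      Physical Address      Type
  192.168.30.1          00-11-22-33-44-55     dynamic
  192.168.30.20         aa-bb-cc-dd-ee-01     dynamic
  192.168.30.255        ff-ff-ff-ff-ff-ff     static
"""

# Constructed sample: `arp -an` as printed on pfSense (FreeBSD), one entry unresolved.
PFSENSE_ARP = """\
? (192.168.30.20) at aa:bb:cc:dd:ee:01 on igb3 expires in 1196 seconds [ethernet]
? (192.168.30.21) at (incomplete) on igb3 expired [ethernet]
? (192.168.30.1) at 00:11:22:33:44:55 on igb3 permanent [ethernet]
"""

MAC_RE = re.compile(r'([0-9a-f]{2})[:-]' * 5 + r'([0-9a-f]{2})', re.I)
BSD_RE = re.compile(r'\?\s+\((\d+\.\d+\.\d+\.\d+)\)\s+at\s+(\S+)')
WIN_RE = re.compile(r'(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(dynamic|static)$', re.I)


def parse_arp(text):
    """Return {ip: mac} for both layouts. A value of None means the entry is
    present but unresolved ("(incomplete)"), i.e. no reply at layer 2."""
    table = {}
    for line in text.splitlines():
        m = BSD_RE.match(line.strip()) or WIN_RE.match(line.strip())
        if not m:
            continue  # header lines and anything that is not an ARP entry
        mac = MAC_RE.fullmatch(m.group(2))
        table[m.group(1)] = mac.group(0).replace('-', ':').lower() if mac else None
    return table


def check_peer(arp_text, peer_ip, expected_mac=None):
    """Classify the ARP state for peer_ip: 'ok', 'mismatch', 'incomplete' or 'missing'."""
    table = parse_arp(arp_text)
    if peer_ip not in table:
        return 'missing'        # never resolved: nothing reached pfSense at layer 2
    if table[peer_ip] is None:
        return 'incomplete'     # request sent, no reply: cable/switch/port problem
    if expected_mac and table[peer_ip] != expected_mac.replace('-', ':').lower():
        return 'mismatch'       # answered by a different MAC: duplicate IP or rogue device
    return 'ok'
```

Run `check_peer` on the client side with the pfSense interface IP and the MAC from pfSense's Status -> Interfaces page, and on the pfSense side with the client's IP; the two results together locate the fault on one direction of the link.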
              Zaniac

                @bingo600
                I tried two Ethernet cables between pfSense and Switch. Both work fine on a wifi router that I temp. installed onto the Switch.

                As for Ping, with PC on LAN, I can ping pfSense on the various interfaces (once I added rules). With PC on MONITOR, I can NOT ping pfSense on any interface. ANY Rule still in place on MONITOR network.

                I have /24 on the Interface for MONITOR.

                As for the Switch, I can swap, but not till tomorrow (when no one else is home).

                I did order a new NIC before I came up with a way to test current one. I will swap it "just because I can" when it arrives (tomorrow?).

                Thanks for the continued suggestions!

                johnpoz (LAYER 8 Global Moderator) @Zaniac

                  Show the rules.. I have seen more times than you would think, TCP rule and then why can I not ping..

                  Even if you have zero rules on the monitor interface you would still be able to see the mac in your arp table from client on the monitor network.

                  Or a rule forcing traffic out a gateway that can not get there.. Or a floating rule, etc. It's just simpler to take the 10 seconds it takes to post rules.. So everyone is sure exactly what they are..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  Zaniac @johnpoz

                    @johnpoz
                    I got it working!!!

                    I was going to swap the Switch, but I realized that at no point had I depowered the current switch.

                    I decided to do that and go a bit further. I depowered all the equipment and unplugged it. Deleted the network and all associated entries. Followed by a reboot and verified it was entirely gone. Then I just set it up as a new network (new name and ip address). And Voila, it works.

                    Thanks again for your suggestions.
                    Much appreciated.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.