No proper DHCP on LAN without WAN?
-
Changed to 2.5.2, I find it to be pretty okay, and working well. Except, I lost some time after the fresh install by DHCP on LAN not offering proper parameters. That is, the clients get the IP LAN address, but can't even ping, nmap says 'all closed' and netstat -rn shows all gateways on 0.0.0.0. Tore out some hair, until I found that once WAN is configured, everything works smoothly. After a manual renewal of the DHCP lease.
Is this done on purpose? To me, it'd be a bad feature, because I get an IP for a client, but can't use the webGUI nor ssh to find out about the state of affairs on the box, especially not being able to help with the WAN connection.
As of now, 2.5.2, fresh install, 2 NICs.
Thanks for any insight,
Uwe
-
Sure, I understand your concerns. But that would rather have been a video clip, at install:
WAN: dhcp4
LAN: 192.168.1.200/24
Range: 192.168.1.101 - 192.168.1.199
DHCP activated
no v6.
Display: "webconfig blabla under http:192.168.1.200"
Client (kubuntu) WiFi deactivated, and reactivated, shows gateway 192.168.1.200, IP 192.168.1.101
But netstat shows no gateway, ifconfig shows 192.168.1.101, nmap shows up, but all ports closed, ping shows no reply. Made me almost crazy, repeated everything, including install. Same.
Then I bothered on the local interface of the pfsense box to bring up WAN (dhcp4), and then at disconnect-reconnect of the client everything worked. I have so far not continued with the exploration, like disconnecting WAN, subsequently dis- and reconnecting the client, or whatnot.
It seemed more appropriate to ask if this was to be expected or even intentional. I for one couldn't imagine any security consideration; but I can't think of everything myself! ;-) So please find the DHCP as screenshot, unaltered settings since that install.
-
So here's the screenshot: lease obtained from that box. By now with IP allocated to MAC on that box, therefore the .91. This shows from where the lease is obtained (release and renew before this screenshot). The rest comes okay in the WiFi-applet; visible to the right. Including NS and gateway. Alas, that same gateway is closed (see center part of screenshot).
That drove me almost crazy. So I made another effort on another, though similar box, to exclude individual hardware failure. Slightly different, and yet remarkable: With some fiddling with no WAN configuration, I could get a proper DHCP lease this time, ping, nmap, netstat being totally correct. Of course, including proper ping to the gateway (likewise 192.168.1.200 - that's just been my standard gateway for the last 20+ years). No WAN, therefore no ping to 8.8.8.8. Obvious. Then I just configured the WAN interface (connecting using DHCP4).
What would I expect? To be able to ping 8.8.8.8. No? No! - And now the crazy part also happening: No more ping to the gateway, 192.168.1.200!! By bringing up the WAN interface. So I took down the client (dhcp release, 'disconnect') and dhcp renew. Same parameters in the applet, of course, but then I could ping 192.168.1.200 and 8.8.8.8. Of course, same parameters shown on the applet.
Maybe that's only me; but I'd lost a bet, that when I can ping a gateway box not connected to WAN, I'd be able to ping that same box once it is configured with a WAN address?
Here for one reason or another, this seems not to be the case.
Different, on this different box, but the same: WAN configuration changes the connectivity to the gateway.
Next you'll want to see my firewall rules. Nothing done yet here; will happen later only. Nevertheless, here is the only configuration; the one auto-generated.
WAN 127.0.0.0/8 ::1/128 192.168.1.0/24 * * 500 WAN address * Auto created rule for ISAKMP
WAN 127.0.0.0/8 ::1/128 192.168.1.0/24 * * * WAN address * Auto created rule
-
Nothing new on this topic? (Maybe you consider me to be a troll? I'm not ...:)
Tried that box on my lab table. That is, connected only to power, monitor and keyboard. Added another (wired) interface, and a client. Configured that OPT1, including IP and DHCP. Used some IP that I dislike and never use to prevent stuck situations. That is 192.168.2.1/24 and the DHCP range to 192.168.2.101 - 199.
Client (lenovo ThinkPad) connected through cable and obtained an IP: 192.168.2.101 (what else!?). DNS was also given as 192.168.2.1. And, again, without WAN connection no ping, no nmap (up, all closed), no proper netstat -rn on 192.168.2.1:
169.254.0.0 0.0.0.0 255.255.0.0 0 0 0
192.168.2.0 0.0.0.0 255.255.255.0 0 0 0
Looking forward to some explanation, if only for sheer curiosity,
Uwe
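The routing tables pasted in this thread are the whole evidence for "lease without a gateway", so a small parser that reads `netstat -rn` output and says plainly whether a default route exists, and whether its gateway sits on a connected subnet, is a handy triage step. This is an added example written for this thread, not pfSense code or anything the poster ran; the two sample tables below are constructed from the rows quoted above (interface names enp0s25/wlp6s0 are assumed).

```python
"""Diagnose a client's `netstat -rn` output (Linux format) for a missing
or unreachable default gateway. Example code added for this thread."""
import ipaddress

# Constructed sample: the table reported from the client on OPT1 --
# only link-local and the connected /24, no default route at all.
NO_GATEWAY = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 enp0s25
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 enp0s25
"""

# Constructed sample: the same client after a lease renewal once WAN was up,
# now carrying a default route via the pfSense LAN address.
WITH_GATEWAY = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.200   0.0.0.0         UG        0 0          0 wlp6s0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 wlp6s0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp6s0
"""


def parse_routes(text):
    """Return (network, gateway, flags, iface) tuples for each data row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Banner and header rows do not start with a dotted quad; skip them.
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue
        dest, gw, mask, flags, iface = fields[0], fields[1], fields[2], fields[3], fields[-1]
        # netstat prints Genmask as a dotted mask; ip_network accepts "addr/mask".
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, ipaddress.ip_address(gw), flags, iface))
    return routes


def default_gateway(routes):
    """Gateway of the 0.0.0.0/0 route, or None if the lease carried no router option."""
    for net, gw, flags, _ in routes:
        if net.prefixlen == 0 and "G" in flags:
            return gw
    return None


def diagnose(text):
    """One-line verdict of the kind you want before blaming the DHCP server."""
    routes = parse_routes(text)
    gw = default_gateway(routes)
    if gw is None:
        return "no default route: the DHCP lease did not include a router option"
    # Directly connected networks are the non-default routes without the G flag.
    connected = [net for net, _, flags, _ in routes if "G" not in flags and net.prefixlen > 0]
    if any(gw in net for net in connected):
        return f"default gateway {gw} is on a connected subnet"
    return f"default gateway {gw} is NOT on any connected subnet"


if __name__ == "__main__":
    print(diagnose(NO_GATEWAY))
    print(diagnose(WITH_GATEWAY))
```

Feed it the output of `netstat -rn` (or `route -n`) from the affected client; the first verdict distinguishes "server handed out no router option" from "router option present but unusable", which are two different problems to chase on the pfSense side.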
-
The local subnet 192.168.1.x doesn't need a gateway to talk to others in that same subnet, hence the 0.0.0.0 gateway.
You mention wireless, is the computer wired also? I've seen that, and the computer can sometimes end up talking to the wrong network.
Can't say I've ever tried to configure a pfSense without WAN as usually the first thing is to upgrade it. I would definitely expect to talk to the LAN IP though.
-
Thanks a bunch - at least to make me feel that I'm not talking to a wall. ;-)
(Having been in networking for >20 years as sysadmin, I am well aware that) There is no gateway necessary. That's exactly what a gateway is for: connecting to other networks. (Just to answer your question:) In this case it was only one single wired interface: said one.
The gateway actually is added (netstat -rn), once WAN goes up. But then, of course, my users (and I myself) will have to renew the lease, because in that first lease no gateway was dished out. I consider this a bore, but a minor one.
What bugs me much more, and I had that some days ago, sitting somewhere in the LAN, without connectivity to the gateway, I can't resolve any WAN connectivity problem. I needed to go to that box, plug a monitor, plug a keyboard, in order to see locally on that pfsense-box what was wrong with the WAN connection. It may be only me, but I'd expect a DHCP to dish out the gateway address (that it is aware of, itself!) in all situations; with or without an IP-configured WAN. Plus, permit a connection webconfigurator / ssh.
-
@digard said in No proper DHCP on LAN without WAN?:
without an IP-configured WAN. Plus, permit a connection webconfigurator / ssh.
Not exactly sure what you were doing - but this for sure works..
Seems like you had pfsense with only 1 interface configured.. Which pfsense would do odd stuff with for sure. And if this interface was set to dhcp, not sure how you could have expected to connect to it at all without it having an IP..
But I have setup many a pfsense without a working wan... But the interface was configured, just no connection, and lan setup with static IP and dhcp running - handing out IP and connecting to it via web and ssh..
-
@johnpoz
Two interfaces.
One (WAN) set to dhcp4, up but not configured.
One (LAN) set to 192.168.1.200/24, DHCP activated; 192.168.1.101- 199.
Client connected through cable to LAN. Client obtains IP, (192.168.1.101; as to be expected), but cannot connect to 192.168.1.200.
I find it difficult to understand why this ought not to be working.
I trust you that your configuration works. Mine also does, once WAN has link status and is connected.
Tell me why DHCP dishes out no gateway as long as it is without WAN connection (see above), but adds the usual
0.0.0.0 192.168.1.200 0.0.0.0 UG 0 0 0 wlp6s0
only when WAN is connected, as third line to the two as above.
You might want to think about why a box with one single configured interface is supposed to do odd stuff. I have been working with all sorts of firewalls, gateways, OSes. So far, I didn't encounter a single one that would 'sure do odd stuff' with one interface configured? This is 2.5.2. And I could do a quite boring video taping a fresh install from USB and initial configuration and I take bets that this can be reproduced (I actually did half a dozen times; from scratch!).
I do NOT say this will happen for any other user or hardware. But here it does, and I am keen to know why.
-
why DHCP dishes out no gateway as long as it is without WAN connection
Never seen such a thing.. Pfsense out of the box, will hand out its own IP on the interface you're running dhcp on.. Unless you have set it up otherwise..
"The default is to use the IP on this interface of the firewall as the gateway. Specify an alternate gateway here if this is not the correct gateway for the network. Type "none" for no gateway assignment."
As to why it can do odd stuff with only 1 interface configured - it puts the default anti-lockout on this interface so you can get to it. How can it hand out dhcp on an interface set for dhcp, etc. So without full details of what you did in what order.. I am just saying that bringing up pfsense with only 1 interface, and then enabling another interface can cause some issues, as it flips the anti-lockout rules and where you're actually connected from..
Also - pfsense without dns, the web interface can be slow to respond - maybe took this as not working?
All I can say is in the prob 100's of pfsense I have setup - have never seen what you're saying is happening.. If there is a lan, and you set its IP and turn on dhcp, it will hand out IPs with the gateway set as its IP on that interface. Unless you edit dhcp to hand out something else.