Static IP issues
-
After the help I got from here a while ago and having my network cabling ran, I've managed to get my basic system set up but I'm having some trouble with static IP's. I'm sure its me being an idiot but I could do with some help.
I have my pfSense router connected to 3 unifi switches and 3 unifi access points with the default network (LAN) intended to be my management network and 3 VLANS set up for Home, Guest and IOT. Currently it only has a basic set up but as I get each kink worked out I'll hopefully tweak it and make it better, including better firewall rules.
My current issue is with static IP's.
Ive tried multiple devices connecting to each of the networks (LAN and VLAN) and each device can successfully obtain an IP from the DHCP pool and can connect to the internet. Further to this, I can then view the DHCP leases and set a static IP on the router which Ive done for some IOT devices where you can't manually set an IP and on my work issued devices where I cant mess around with the settings.
The problem is for my personal devices (iPhone, Laptop on win 7 and Desktop on win10) where I can set a static IP on the client side. Every time I do this I lose internet connectivity. I suspect its me not putting in the correct options for gateway and DNS but I could be wrong -
@Polar_Bear88 said in Static IP issues:
The problem is ofr my personal devices (iPhonem, Laptop on win 7 and Desktop on win10) where I can set a static IP on the client side. Everytime I do this I lose internet connectivity. I suspect its me not putting in the correct options for gateway and DNS but I could be wrong
With static config, you have to consider several variables
- Address & subnet mask
- Default route
- DNS server.
Can you ping other devices on the network? If not, check the configured address.
Can you ping something like 8.8.8.8? If not, check the default route
Can you ping via host name, such as google.com? If not, check the DNS address.Another question, if you want a static address, why not use static mapped DHCP? This will solve your problems, assuming DHCP is working properly.
-
I've given up for the night as Ive been at it for 8 hours but will do these tests when I next have time to play with it.
IP address is correct. Its selected from within the correct VLAN and isn't being used by any other device.
Subnet mask is correct. All VLAN's are /24 so subnet mask is 255.255.255.0.When forced to enter a DNS I was using 8.8.8.8 and 8.8.4.4.
If Im just wanting to use my pfSense router as the DNS server, what IP address should I be using? Also what gateway address should I be using, Ive tried everything I can think of and leaving it blank
-
@Polar_Bear88 said in Static IP issues:
If Im just wanting to use my pfSense router as the DNS server, what IP address should I be using?
The interface/network IP for that interface/VLAN. If you have 192.168.50.1 as your pfSense LAN and 172.16.53.1 for the VLAN and the IP address that needs to call the DNS is on 172.16.53.x it will be 172.16.53.1
-
@Polar_Bear88 said in Static IP issues:
If Im just wanting to use my pfSense router as the DNS server, what IP address should I be using? Also what gateway address should I be using, Ive tried everything I can think of and leaving it blank
If you don't know those, it's no wonder you're struggling. Those would be whatever address is on that VLAN on pfSense. This is why you're probably better off with static mapped DHCP. DHCP will provide those addresses automagically.
-
@rcoleman-netgate That's what I thought but when it didn't work it made me wonder if I was mistaken and it should of been the address on the LAN instead of the VLAN.
Its also entirely possible that after s many hours of looking at the screen I was mistyping etc. In a few days when I have a chance to play with it again, Ill test and see what happens with the following:
Client device on VLAN Guest
Static IP 10.100.4.10
Subnet mask 255.255.255.0
DNS 10.100.4.1
Gateway 10.100.4.1 -
@Polar_Bear88 OK, good, now what are the rules on the Firewall for VLAN Guest?
-
@JKnott If I don't make things gradually harder on myself I wont learn, that's why I find some of the youtube videos less helpful than others. The ones that tell you what to do but not why you're ding it is great for getting it up and running but not for learning which helps you customize it to your own needs later on.
-
@rcoleman-netgate at the minute I just have 1 basic rule on each of my vlans to allow connections on any protocol to any destination.
I figured I was better using this until I have everything up and running so I then have a good basis to work from when I change a rule and something breaks
-
@Polar_Bear88 That is.
Now I'd ping from the guest network to the Guest Interface IP (10.100.4.1) and see if it responds. If it doesn't then start a packet capture on that interface looking for the traffic (filter to icmp only so you can limit the amount of garbage collected) and if it is coming in and not going back out it's something on your system. If it is not coming in at all then it is something on your network.
-
@rcoleman-netgate Thank you. Ill report back once Ive done all the above steps
-
Here are my guest WiFi/VLAN rules. Guests can only access the Internet and ping the interface.
-
Ryan
Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
Requesting firmware for your Netgate device? https://go.netgate.com
Switching: Mikrotik, Netgear, Extreme
Wireless: Aruba, Ubiquiti -
If you are rejecting all RFC1918 requests then you cannot have an RFC1918 be the DNS or you have to give it a rule to pass to (this firewall) DNS traffic.
Ryan
Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
Requesting firmware for your Netgate device? https://go.netgate.com
Switching: Mikrotik, Netgear, Extreme
Wireless: Aruba, Ubiquiti -
@rcoleman-netgate said in Static IP issues:
@JKnott And Guests are always going to be on Static IPs?
No, guests are DHCP on IPv4 and SLAAC on IPv6.
What were the results of the ping?
????
As I mentioned, guests can ping the VLAN interface and nothing else on my network. Pings to the Internet are not blocked.
-
@rcoleman-netgate said in Static IP issues:
If you are rejecting all RFC1918 requests then you cannot have an RFC1918 be the DNS or you have to give it a rule to pass to (this firewall) DNS traffic.
I use DHCP to send guests to Google's DNS on IPv4, not mine. I also use RDNSS to provide Googles IPv6 DNS addresses. While guests have full access to the Internet, they can't do anything on mine, other than ping the guest interface.
-
@JKnott said in Static IP issues:
????
As I mentioned, guests can ping the VLAN interface and nothing else on my network. Pings to the Internet are not blocked.
Confused user posts.
-
Finally got a chance to play around a little more and its working as it should so all I can assume is that Im an idiot and after looking at the screen so long the other day I was misstyping and couldnt see it.
4 devices all set with their static IP's on the Home VLAN.
They can ping between each other, can ping 8.8.8.8 and can ping www.google.comNext time I get a chance to play around, I'll start trying t set up some better (more secure) firewall rules and other general security tweaks.
