pfSense keeps blocking access from one subnet to another most of the time (but not always)
-
@throttlenerd said in pfSense keeps blocking access from one subnet to another most of the time (but not always):
seems like I can't get an arp table of my OPT1 NAS "when not working",
Can you not use some device on this OPT1 you can access locally? You just need one device to look at the MAC table, or just look on pfSense: what does it see? If you cannot find the MAC it cannot ping anything.
-
Can you not use some device on this OPT1 you can access locally? You just need one device to look at the MAC table, or just look on pfSense: what does it see? If you cannot find the MAC it cannot ping anything.
Ehmmm, I can't understand ) Yes, I can unplug anything for the sake of the experiment -- do I need to plug the OPT1 NAS directly into pfSense's OPT1 interface, bypassing switches and stuff? It's totally doable but maybe I understood it wrong. Right now I'm on Wi-Fi (LAN) and can reach OPT1, like when I plug into OPT1 by wire pfSense gives me some hours of LAN to OPT1 access. Then I will receive an email from my second NAS (on LAN) that it has lost connection to the UPS (actually meaning it has lost connection to the OPT1 NAS, which also acts as a UPS server).
Regarding the ARP table -- I can see every active device when arping from pfSense and only active OPT1 devices when arping from the OPT1 NAS. Arping from the LAN NAS results in a list of LAN devices. I think there's nothing strange here but I'm no expert )
-
@throttlenerd said in pfSense keeps blocking access from one subnet to another most of the time (but not always):
Regarding ARP table -
Well, if pfSense can see the MAC, and you ping it and it doesn't answer - that is not a pfSense problem..
@throttlenerd said in pfSense keeps blocking access from one subnet to another most of the time (but not always):
If I go to Diagnostics > Ping -- even pfSense can't ping both OPT1
So while you're pinging some IP on your OPT network from pfSense - do a sniff: do you see pfSense send the ping, do you not get a response? Then it's not a pfSense problem; the thing you're pinging, with the correct MAC address in the pfSense ARP table, doesn't answer..
-
Dear @johnpoz, I waited until the problem was active again (OPT1 unpingable), went into pfSense > Diagnostics > ARP Table. I'm (laptop) on Wi-Fi (LAN). Only the OPT1 NAS was turned on; arp saw its IP but said "(incomplete)" instead of a MAC address. And it sees its own IP (10.0.74.1) with a MAC address. Then I turned on the TrueNAS box and the iMac, both on OPT1. Refreshed the page -- it showed their IPs but no MAC addresses -- (incomplete). Then I refreshed the page and the new entries (TrueNAS and iMac) disappeared. Refreshed -- Syno NAS disappeared. Refreshed -- Syno NAS appeared with no MAC address. Then Syno NAS disappeared again. Then I disconnected from Wi-Fi, connected to OPT1 by wire -- of course the ARP table now shows every OPT1 device with their MAC addresses. Then I unplugged the OPT1 cable, went on Wi-Fi -- "access from LAN to OPT1 is granted for now" -- I can ping any device, pfSense's ARP shows every device with MACs ))
-
@throttlenerd and what exactly is opt1 connected to.. You're not going to be able to talk to anything with the MAC incomplete.. that normally means you arped for it, but got no MAC back..
They are never going to work if you don't see the MAC; pfSense won't even send the traffic on, or even send a ping from its own IP, if there is no MAC to send to.
Is the switch on the pfSense opt1 interface going down, into sleep or something, and not passing on traffic until you connect to it with another device.. What is the make and model of this switch? Do you maybe have green ethernet enabled on it? Or some kind of power saving feature?
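The symptom johnpoz describes above ("(incomplete)" in the ARP table means pfSense sent an ARP request and nothing answered, so no firewall rule is involved and no packet can even leave the interface) is easy to check mechanically rather than by refreshing the Diagnostics page by hand. The script below is an added example for this thread, not code from any post or from pfSense: it parses FreeBSD-style `arp -an` output (the same data the pfSense ARP Table page shows) and, per interface, reports whether neighbours resolve, leaving out the firewall's own "permanent" entry so that an interface whose only resolved entry is itself is still flagged. The sample output embedded in it is constructed; the interface names and addresses are made up.

```python
"""Classify FreeBSD-style `arp -an` entries and flag interfaces where every
neighbour is stuck at "(incomplete)", which points at layer 2 (switch, cable,
link) rather than at firewall rules.

Added example for this forum thread, not part of any post. SAMPLE_ARP_OUTPUT
is a constructed sample; interface names and addresses are made up. On a real
pfSense box you would pipe the output of `arp -an` into this script instead.
"""
import re
import sys

# One `arp -an` line on FreeBSD looks like one of these (constructed examples):
#   ? (10.0.74.1) at 00:11:22:33:44:55 on em1 permanent [ethernet]
#   ? (10.0.74.20) at (incomplete) on em1 expired [ethernet]
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>\(incomplete\)|(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"on (?P<iface>\S+)(?P<rest>.*)$"
)

SAMPLE_ARP_OUTPUT = """\
? (10.0.74.1) at 00:11:22:33:44:55 on em1 permanent [ethernet]
? (10.0.74.20) at (incomplete) on em1 expired [ethernet]
? (10.0.74.21) at (incomplete) on em1 expired [ethernet]
? (192.168.1.1) at 00:11:22:33:44:66 on em0 permanent [ethernet]
? (192.168.1.50) at aa:bb:cc:dd:ee:01 on em0 expires in 1150 seconds [ethernet]
"""


def parse_arp(text):
    """Turn `arp -an` text into a list of dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "iface": m["iface"],
            # None means the kernel asked for the MAC and got no reply.
            "mac": None if m["mac"] == "(incomplete)" else m["mac"],
            # "permanent" marks the firewall's own address on that interface.
            "permanent": "permanent" in m["rest"],
        })
    return entries


def incomplete_by_interface(entries):
    """Map interface -> list of IPs with no resolved MAC (the unreachable ones)."""
    out = {}
    for e in entries:
        if e["mac"] is None:
            out.setdefault(e["iface"], []).append(e["ip"])
    return out


def diagnose(entries):
    """Per interface: OK (all neighbours resolved), PARTIAL (some resolved),
    LAYER2_SUSPECT (neighbours seen but none resolved), NO_NEIGHBOURS (only
    the firewall's own entry). The firewall's own permanent entry never counts
    as a resolved neighbour, since it always has a MAC."""
    stats = {}
    for e in entries:
        s = stats.setdefault(e["iface"], {"resolved": 0, "incomplete": 0})
        if e["permanent"]:
            continue
        s["resolved" if e["mac"] else "incomplete"] += 1
    verdicts = {}
    for iface, s in stats.items():
        if s["resolved"] == 0 and s["incomplete"] == 0:
            verdicts[iface] = "NO_NEIGHBOURS"
        elif s["incomplete"] == 0:
            verdicts[iface] = "OK"
        elif s["resolved"] == 0:
            verdicts[iface] = "LAYER2_SUSPECT"
        else:
            verdicts[iface] = "PARTIAL"
    return verdicts


if __name__ == "__main__":
    # Read real `arp -an` output from a pipe; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ARP_OUTPUT
    parsed = parse_arp(text)
    for iface, verdict in sorted(diagnose(parsed).items()):
        print(f"{iface}: {verdict}")
    for iface, ips in sorted(incomplete_by_interface(parsed).items()):
        print(f"  {iface} incomplete: {', '.join(ips)}")
```

Run it as `arp -an | python3 arp_check.py` from a shell on the firewall, or repeatedly from cron during the "not working" window, and the log of verdicts over time shows whether the OPT1 interface flips between OK and LAYER2_SUSPECT, which is exactly the intermittent switch behaviour discussed here.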
-
@johnpoz Hmmm, sleep mode! Sounds interesting! The switch is a Cisco SG100D-05 V2 but it's unmanaged and there are no settings to be changed other than on/off. What if the NIC puts the OPT1 interface to sleep? But that would be stupid.. The NIC is an HP NC360T.. I'll plug the NAS directly into OPT1 now and leave the switch on but unplugged from the network to see if it changes its status LED in a day or so. Thank you!
-
@throttlenerd that switch is, what, EOS like 2015, and end of support back in 2020.. I would prob just pick up a new switch, I mean a 5 port gig unmanaged is like 20 bucks..
Shoot I see a tplink 5 port gig smart switch for 22 bucks..
-
@johnpoz Just replaced the Cisco with a TP-Link of the same kind (5-port gigabit unmanaged), let us see if it is the cause )) This TP is not new either but I never had any issues with it ) Will let you know, thanks!!
-
@johnpoz Ehmmm! So far so good! Seems like it was the Cisco switch, replaced with TP-Link and everything works fine for now ) Thank you man!!
-
@throttlenerd electronics don't last forever, and I have seen switches - especially the cheap $20 variety - fail in odd ways..