pFsense cannot ping devices directly connected

zaphanathpaneah · Feb 27, 2024, 8:39 PM

Hello fellow networking enthusiast. I have a NEGATE 4100 and am using 5 out of the 6 ports. I recently say a message pop up that ISC DHCP is (Deprecated) and will nolonger be included in future updates. I thus was recommended to move to Kea DNS. So I did. Now I cannot ping several intefaces. The problem seem to be related to a bug "Bug #8120" reported on "https://redmine.pfsense.org/issues/8120". Not sure if this is moderated by Netgate or not. Anyway here is the problem. I set an interface to to 192.168.19.1 and another device connected to a port to 192.168.19.2. 32bit mask applied to both. I tried 24 to be safe. pFsense will not see the device. I moved to another port same difference. This cable previously worked. pFsense also sees the the device because it has a link light on. I tried DHCP or manual assignments, still no diceI know...I know...just set it to static and "forget about it". Reasonable option sure and so I did, and.... here goes the problem. static set and no ping, no...nothing. I cannot see my device. I should mention this is a desktop directly connected to the port via a "New" cat 6 cable that is 6 feet away. firewall rules set to wide open all ports. when i try to ping yahoo.com from pFsense using the 192.168.19.0 network, it works. just cant ping the other way down to the desktop. tried everything except hitting it with a hammer. Any suggestions?

johnpoz · Feb 27, 2024, 8:17 PM

@zaphanathpaneah said in pFsense cannot ping devices directly connected:

32bit mask applied to both.

Well that is not right... You would want a mask that includes both IPs your going to put on the same network. Say a /30 or /29 or just a simple to use /24

And its not "recommended" to move to kea - they are just letting you know that at some point, in the FUTURE isc will most likely be removed.. KEA is currently "PREVIEW" if you do pretty much anything other just hand out IPs your not going to want to move to kea at this time.. Read the blog and release notes on what features are not yet available in kea.

Dhcp will not even run or be available even if you have a /32 on pfsense interface - because there are no IPs to hand out via dhcp.

zaphanathpaneah · Feb 27, 2024, 8:22 PM

@johnpoz Thanks for the update. I left it at 32 since that was the default in pFsense. I used a subnet calculator and I only need 2 host and a network #. thats it. Anyway it is currently set to 24bit mask to be safe and still does not work. I moved back and saw no difference. Not sure its a DHCP problem to be honest. There is no reason for pFsense to require a static ip for DHCP. this is a bug that is crippling me at the moment.

johnpoz · Feb 27, 2024, 8:26 PM

@zaphanathpaneah What do you mean no reasoon to have a static to run a dhcp server... Yes a dhcp server requires to have static IP.. You don't run a dhcp client, ie get some IP from dhcp server - so it then can also be a dhcp server..

Setup your IP, give it a mask of 24.. Enable your dhcp server.. Connect your client - if it doesn't get an IP, then you have a connectivity problem.

zaphanathpaneah · Feb 27, 2024, 8:29 PM

@johnpoz Hi yes...I am sorry, I spoke incorrectly. The interface needs a static ip to exist on the network. but that does not explain why i cannot ping, however......i will swap out the cable and retest. process of elimination.

johnpoz · Feb 27, 2024, 8:30 PM

@zaphanathpaneah if your 2 devices both had /32 then no they wouldn't be able to ping each other..

zaphanathpaneah · Feb 27, 2024, 9:17 PM

@johnpoz Thank you. I did set to 24 bit mask. the cable works because i moved it to my other network via a switch and it works. i can ping out just fine. so the cable works, the interface works. pFsense sees it as up and it negotiates to 2.5gb. so it see power on the line and sees my device but just cant ping. i moved back to ICS DHCP. still....no dice.

Gertjan · Mar 1, 2024, 4:42 PM

@zaphanathpaneah

A 4100 ? I got one :

These are the defaults that work 'out of the box' :

The DHCP LAN (192.168.1.0/24) server settings :

These were the defaults.
These work.
If it doesn't : easy : go back the defaults ^^

zaphanathpaneah · Mar 1, 2024, 4:42 PM

@Gertjan Thank you. I got it working by running the setup wizard again. however I still think there is an issue but your suggestions do actually look logical and should work. Can you show a screen capture of rules for one of your ports (internal). I am trying to see if the issue is with my rules. They are simple and I want to be more explicit int heir function. for example I want to prevent traffic from one subnet moving to another. I have 4.

johnpoz · Mar 1, 2024, 4:48 PM

@zaphanathpaneah said in pFsense cannot ping devices directly connected:

for example I want to prevent traffic from one subnet moving to another. I have 4.

Here is a simple example of locked down rules.

Devices on this network can not talk to any of my other networks, because all of my other networks are rfc1918 space, and there is a rule that blocks that access.. While rules above it allow what I want.. Ping Pfsense IP, ask pfsense address on this network for dns, I also allow this network to talk to my pihole on another network for dns. I allow it to ask pfsense for ntp. But they can not talk to any other pfsense IP be it for dns or webgui or ssh or anything because of the specific this firewall reject rule. This also prevents them from access pfsense public wan IP for anything.. Because the last rule allows any any, that has not been block above it.

The rfc1918 alias contains all the rfc1918 space, so any of my current networks or future networks would all be in rfc1918 space... If I created a network outside rfc1918 space, then that any any rule at the bottom for internet access would end up allowing that traffic.