Netgate Discussion Forum

    /22 network Issue

    Firewalling
    • bha.rarieta

      We have the following:

      10.8.12.0/22 set up, along with DHCP enabled for the range of 10.8.12.2 - 10.8.15.254, with a gateway of 10.8.12.1 for all clients assigned an address within that range.

      We are having an issue where any clients receiving an address above the 10.8.12.x range (i.e. 10.8.13.x - 10.8.15.x) are not able to communicate with anything inside that range or outside. All the clients receiving a 10.8.12.x address work no problem.

      I'm not quite sure where to look from here.

      • johnpoz LAYER 8 Global Moderator @bha.rarieta

        @bha-rarieta Well, something on 10.8.12/22 trying to talk to anything else on the 10.8.12/22 network wouldn't even talk to pfSense. So if, say, 10.8.12.99 cannot talk to 10.8.12.100, then you've got something going on with the clients or their connection.

        Can the devices ping the pfSense IP on this /22 network?

        What firewall rules do you have on this interface? Do you have any rules in the floating tab?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • bha.rarieta @johnpoz

          @johnpoz

          All clients on the 10.8.12.1 - 10.8.12.254 have no issues. It's the clients assigned addresses on the higher side of the /22 (10.8.13.1 - 10.8.13.254, 10.8.14.1 - 10.8.14.254 and 10.8.15.1 - 10.8.15.254) that are completely isolated. The weird thing is that they are assigned an address, but that's it. That's pretty confusing to me if they are assigned an IP from pfSense.

          There are no rules in the floating tab.

          I do have manual outbound NAT rules set, but set that after all my subnets were set up and switched from auto to manual.

          • johnpoz LAYER 8 Global Moderator @bha.rarieta

            @bha-rarieta you changed to this /22 from, say, a /24 before - or have you always used /22? Possibly clients didn't get the new mask from DHCP, and are still on, say, 10.8.12.0/24?

            As to the manual outbound NAT - why would you not just use auto, and if you need some special sort of outbound NATs then just use hybrid. Other than stupid VPN guides telling you to, I can't think of any sort of reason why I would use full manual outbound NAT.

            But again, pfSense could be turned off and would have zero effect on devices on the same network talking to each other.

            You don't have a bridge set up on pfSense, do you? Where clients on the same network could be on different sides of the bridge?

            If you have client 10.8.12.x/22 that cannot talk to 10.8.13.y/22, it's not a pfSense thing.

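One way to run the check raised in the reply above, whether some clients are still on a narrower mask than the /22. This is an added example, not part of the original posts; the client names and addresses are constructed, and one client is assumed to hold a stale /24.

```python
import ipaddress

# Constructed sample: address/mask as each client reports it
# (e.g. from ipconfig or ip addr). Not data from the thread.
GATEWAY = ipaddress.ip_address("10.8.12.1")
CLIENTS = {
    "pc-a": "10.8.12.99/24",   # hypothetical client still on an old /24 mask
    "pc-b": "10.8.12.100/22",
    "pc-c": "10.8.13.50/22",
    "pc-d": "10.8.15.200/22",
}

def next_hop(src_iface, dst):
    """Where src sends a packet for dst: straight to dst (ARP on the
    wire) if dst is inside src's own subnet, otherwise to the gateway."""
    if dst in src_iface.network:
        return dst
    return GATEWAY if GATEWAY in src_iface.network else None

def stale_masks(clients, expected="10.8.12.0/22"):
    """Names of clients whose configured network is not the expected one."""
    want = ipaddress.ip_network(expected)
    return sorted(n for n, c in clients.items()
                  if ipaddress.ip_interface(c).network != want)

def asymmetric_pairs(clients):
    """Pairs where one side delivers on-link but the other replies via
    the gateway, the symptom a mask mismatch produces."""
    ifs = {n: ipaddress.ip_interface(c) for n, c in clients.items()}
    names = sorted(ifs)
    out = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_direct = next_hop(ifs[a], ifs[b].ip) == ifs[b].ip
            b_direct = next_hop(ifs[b], ifs[a].ip) == ifs[a].ip
            if a_direct != b_direct:
                out.append((a, b))
    return out

if __name__ == "__main__":
    print("stale masks:", stale_masks(CLIENTS))
    for a, b in asymmetric_pairs(CLIENTS):
        print(f"{a} <-> {b}: one side uses the gateway, the other does not")
```

With the sample data, only the /24 client is flagged, and it is asymmetric only towards the 10.8.13.x and 10.8.15.x hosts, while traffic inside 10.8.12.x stays symmetric.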
            • bha.rarieta @johnpoz

              @johnpoz I don't remember if I had changed it from a /24 to a /22 when I originally set up the network. I want to say "I don't think so".

              The clients that pick up IP addresses in the 10.8.13.x and above get the correct subnet mask and they are assigned addresses from pfSense's DHCP server, so to me that's confusing why nothing else is working for them. I want to keep pointing my finger at something at pfSense. I'm going to do a rebuild on a machine and test before I back up the config and rebuild that FW.

              I have other locations set up "Cookie Cutter", only with the 2nd octet different (10.5.0.0/20, 10.6.0.0/20 ... etc.). The last range is 10.8.12.1 - 10.8.15.254 (10.8.12.0/22).

              I use manual outbound NAT for our VoIP setup and want static port mapping. Normally I would use auto.
