2 LANs: ping from one to the other results in "Network is unreachable"
-
I have 2 LANs on two different physical interfaces and I cannot ping from one to the other. What did I miss?
I am working on a Netgate 4200.
I am using the following 3 interfaces (all enabled):
PORT1WAN DHCP, DHCP6, Block private, Block bogon
PORT2LAN IPv4 static 172.27.1.1/24, no upstream gateway
PORT3LAN IPv4 static 172.27.2.1/24, no upstream gateway
I have DHCP servers running on both networks.
Firewall / NAT / Outbound: Mode Automatic outbound NAT rule generation. No mappings, no automatic rules.
Firewall / Rules / PORT2LAN
...anti lockout rule...
Pass / IPv4 / Any / Any / Any
Pass / IPv4 / Any / PORT2LAN subnets / Any
Pass / IPv6 / Any / PORT2LAN subnets / Any
Pass / IPv4 / Any / Any / Any
Pass / IPv6 / Any / Any / Any
Firewall / Rules / PORT3LAN
Pass / IPv4+IPv6 / Any / PORT3LAN subnets / Any
Pass / IPv4 / Any / Any / Any
Pass / IPv6 / Any / Any / Any
Computer A is connected to PORT2 and has a 172.27.1.X address from DHCP
Computer B is connected to PORT3 and has a 172.27.2.X address from DHCP
Both are running Debian.
Diagnostics / Ping:
Source address:
Default: 0.0% packet loss to Computer A
Default: 0.0% packet loss to Computer B
PORT2LAN: 0.0% packet loss to Computer A
PORT2LAN: 100.0% packet loss to Computer B
PORT3LAN: 100.0% packet loss to Computer A
PORT3LAN: 0.0% packet loss to Computer B
Computer A can ping 172.27.1.1, but not 172.27.2.1 or computer B.
Computer B can ping 172.27.2.1, but not 172.27.1.1 or computer A
The error is: "ping: connect: Network is unreachable". -
Two other tidbits:
I have VLANs also on physical port of PORT3LAN
I have disabled all of the rules except the anti lockout rule and this one:
Pass / IPv4 / any / any / any -
@gld Network is unreachable
Are these Linux boxes you're using for computer A and B? That error points to no gateway set.
If the client was actually sending the traffic to pfSense, the error would just be a timeout if pfSense was sending it on and the box wasn't answering. That you can't ping either box from the pfSense IP in the other network also points to the client not knowing to send the answer back to pfSense (its gateway).
There is another thread going on where the user says client wasn't getting gateway from dhcp.
From that error I assume linux, what does the clients route table show?
user@UC:~$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.2.253   0.0.0.0         UG        0 0          0 ens3
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 ens3
-
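To illustrate johnpoz's point that "Network is unreachable" is a client-side routing failure (the kernel finds no route before any packet leaves the host) rather than a firewall timeout, here is an added Python example, not from the thread or from pfSense, that performs the kernel's longest-prefix route lookup over two constructed netstat -rn tables: one with a default route, and one like Computer A's with only its connected subnet.

```python
import ipaddress

# Constructed sample routing tables in the row layout `netstat -rn` prints on
# Debian. The first has a default route; the second matches the thread's
# symptom: only the directly connected subnet, no default gateway from DHCP.
WITH_GATEWAY = """\
0.0.0.0         192.168.2.253   0.0.0.0         UG        0 0          0 ens3
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 ens3
"""
NO_GATEWAY = """\
172.27.1.0      0.0.0.0         255.255.255.0   U         0 0          0 ens3
"""

def parse_routes(table):
    """Turn netstat -rn rows into (network, gateway_or_None, iface) tuples."""
    routes = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 8:          # skip header and blank lines
            continue
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "0.0.0.0" else gw, iface))
    return routes

def lookup(table, dst):
    """Longest-prefix match, the same decision the kernel makes when ping
    calls connect(). Raises OSError("Network is unreachable") when no route
    covers dst, which is why the client fails before any packet is sent."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in parse_routes(table) if addr in r[0]]
    if not candidates:
        raise OSError("Network is unreachable")
    net, gw, iface = max(candidates, key=lambda r: r[0].prefixlen)
    return gw, iface

def diagnose(table, dst):
    """Return the ping outcome for dst as a short string."""
    try:
        gw, iface = lookup(table, dst)
    except OSError as err:
        return f"ping: connect: {err}"
    if gw is None:
        return f"on-link via {iface} (no gateway needed)"
    return f"via gateway {gw} on {iface}"
```

With NO_GATEWAY, a destination in the other LAN reproduces the exact error from the original post, while the same destination with WITH_GATEWAY is sent to the default gateway and would at worst time out.
-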
@johnpoz Yes, both computers are linux.
I get, on computer A (PORT2LAN):
root@igor:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.27.1.0      0.0.0.0         255.255.255.0   U         0 0          0 ens3
I get a similar result on computer B (PORT3LAN) except with the destination being 172.27.2.0.
When I plug either computer into my live home network, netstat produces a result similar to yours.
FWIW, some additional info:
My DHCP configuration is:
ISC DHCP
Enabled
Custom Option 138 IP address 172.27.2.11
At one point I had switched to Kea DHCP, but then discovered it does not support custom options, which I will need for my access controller and access points.
The Netgate 4200 is running 24.03. On the first iteration of setting it up a few days ago, WAN was connected and working, and I performed a system update. At the moment WAN is not connected,
-
@gld Yeah, the other user had switched to Kea as well, but then switched back. But it seems that leaving it blank as default and pfSense handing out the interface as gateway wasn't working after this.
Try manually putting in the IP of pfsense interface in the dhcp server settings
because without a gateway - no your devices are not going anywhere other than their local network.
-
@johnpoz Resolved? But a bug?
On my system, under
Services / DHCP Server / <interface> : Other DHCP Options : Gateway
A blank value (the default) results in NO gateway assignment.
I must enter the IP address of the firewall interface for the DHCP clients to get a gateway assignment. If I do, DHCP clients get a gateway assignment and the issues of the original post are resolved. -
@johnpoz I didn't see your reply while composing mine.
Thanks for your help. Do I need to look into filing a bug report?
-
@gld Yeah, normally pfSense by default will hand out the interface the DHCP server is running on as the gateway, and you can leave it blank; you should kind of see the IP of the interface in the settings, just greyed out. But it seems that if you switch to Kea and then back, this fails.
Yeah, I would say it's some sort of bug with moving to Kea and then back? But I had moved to Kea when it first came out just to see, and it was working. But that was back with 23.09; maybe something in 24.03 is flaky... If it's still doing it when 24.11 drops I will check and see, and if not already there, put in a bug report.
But you're the 2nd person I have seen with the same sort of issue: no gateway, and had switched to Kea and then back.