strange, can access device if dhcp allocated, but not when reserved
-
@Gertjan said in strange, can access device if dhcp allocated, but not when reserved:
Then it's a firewall issue on that device.
Raspbian does not come with a configured firewall.
the only difference being able to ping device and/or ssh onto device is changing how the ip is assigned.
1. dynamic dhcp out of pool
2. static assigned via dhcp reserve based on mac address.
-
@georgelza let's go over some basic information on how devices on the same network talk to each other.. This might clear up how pfsense has zero to do with devices on the same network, and why it makes no difference if IP is from pool or reservation..
device A 192.168.1.100/24
device B 192.168.1.200/24
device C 192.168.2.50/24
So device A wants to talk to B.. It says oh that .200 is on my /24 network - let me arp for what mac .200 has.. If it gets an answer from B that its mac is say abc..
then it sends its traffic to mac abc.. If it gets no answer then it can not send traffic - pfsense has zero to do with this.
If B wants to talk to A - same process.
If A wants to talk to C - oh that IP is not on my network.. I will send that traffic to my gateway (pfsense).. So if the mac of its gateway is not in its cache it will arp for its gateway IP, once it has the mac it will send the traffic for 192.168.2.50 to the mac of the gateway - lets say that is xyz - pfsense will see traffic to its mac (xyz) and say oh this traffic wants to go to 192.168.2.50 - i know how to get there and my firewall rules allow it.. And will send the traffic on.
In no scenario is pfsense involved in A talking to B - and A or B don't care how they got their ip - be it from some pool, or from some reservation or if the IP was set static on the device.. If the devices are on the same network pfsense is not involved, nor does it matter what IPs each device has as long as they are on the same network.. Is one of the clients getting the IP of some other device on your network? Ie a duplicate IP?
lets see the IPs your devices are getting when they can not talk to each other.. And lets see the arp table of these devices after you try and talk to the other device.
Here is me pinging device on my network.. See its mac, I can validate this is the mac of the device on that device.
If can not ping - does it get a mac? Is the mac correct? pfsense has nothing to do with this at all.
Here is mac of that 9.10 device
-
@johnpoz said in strange, can access device if dhcp allocated, but not when reserved:
@georgelza let's go over some basic information on how devices on the same network talk to each other.. This might clear up how pfsense has zero to do with devices on the same network, and why it makes no difference if IP is from pool or reservation..
device A 192.168.1.100/24
device B 192.168.1.200/24
device C 192.168.2.50/24
So device A wants to talk to B.. It says oh that .200 is on my /24 network - let me arp for what mac .200 has.. If it gets an answer from B that its mac is say abc..
then it sends its traffic to mac abc.. If it gets no answer then it can not send traffic - pfsense has zero to do with this.
If B wants to talk to A - same process.
If A wants to talk to C - oh that IP is not on my network.. I will send that traffic to my gateway (pfsense).. So if the mac of its gateway is not in its cache it will arp for its gateway IP, once it has the mac it will send the traffic for 192.168.2.50 to the mac of the gateway - lets say that is xyz - pfsense will see traffic to its mac (xyz) and say oh this traffic wants to go to 192.168.2.50 - i know how to get there and my firewall rules allow it.. And will send the traffic on.
And I do know the above, I said this is strange...
In no scenario is pfsense involved in A talking to B - and A or B don't care how they got their ip - be it from some pool, or from some reservation or if the IP was set static on the device.. If the devices are on the same network pfsense is not involved, nor does it matter what IPs each device has as long as they are on the same network.. Is one of the clients getting the IP of some other device on your network? Ie a duplicate IP?
lets see the IPs your devices are getting when they can not talk to each other.. And let's see the arp table of these devices after you try and talk to the other device.
when dynamic dhcp assigned on vlan20 (tinman ssid) it gets random 172.16.20.200+ up to 250, happens to be 172.16.20.206 in this case.
when i dhcp reserve it's based on mac address... => 172.16.20.83
my MBP sits on 172.16.20.29 for reference.
when dynamic assigned i can ssh to device and i can ping device, when assigned using dhcp reserve then i can't... even though the device has network/internet access so network wise it's correctly configured.
I simply came here as most guys here know network well... and might have had an idea/seen this before... not to worry...
had this on multiple raspberry pi devices, even reimaged 2 of them.
-
Do you have more than one reservation for said device? On your various VLANs?..
I have seen in the past where a device will grab the address from the wrong VLAN..
-
@georgelza if you know how this works - then troubleshoot what is going on.. If you know this, then you should know what you're saying makes no sense at all..
So lets see the details so we can figure out what is actually going on - because an ip from pool or reservation or static has zero to do with it. ZERO!
Maybe you have a duplicate IP issue? maybe you have a firewall issue where only specific IPs are allowed? But dhcp pool/reservation or static has zero to do with the problem.
Devices either have IPs that are on the same network - or they don't, doesn't matter how they got those IPs
-
Mmm, there must be something different about the lease it pulls with the static mapping. And what makes most sense is that it has the wrong subnet mask. That should be easy enough to see on the device itself though.
Otherwise I would be running packet captures wherever you can to see what is actually being sent.
-
@stephenw10 but you can not adjust the mask in a reservation. It would make no sense that is an option even.
-
Mmm, good point!
Still feels like a subnet mask issue somewhere though. Especially if the dynamic lease is still in the 2-128 range whilst statics are all >201.
-
@stephenw10 not out of the realm of possibilities - but working with limited info.
But without some details - what I am going to say generally is what the OP is saying is just not possible.. Unless he is reserving an IP for this device where this IP already exists on the network.. Or there is some firewall rule on device that only allows specific IPs.
But handing out .x or .y on a network be it next one in the pool, or reserved for client A isn't the problem
Now if user set the IP on the device directly - then yeah mask could be for sure a common problem that happens.
-
I mean it could be the device testing from has it set incorrectly. Just seeing IPs from two halves of the /24 like that (assuming it is) screams subnet mask to me.
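-
Added example, not part of any post in this thread: a small Python check of the forwarding decision described above (on-link means ARP for the target, off-link means ARP for the gateway) and of how a mismatched subnet mask changes it for the addresses mentioned. The function names, the gateway addresses 192.168.1.1 and 172.16.20.1, and the /25 mask are assumptions made for illustration.

```python
import ipaddress

def next_hop(src_iface: str, dst_ip: str, gateway: str) -> str:
    """Return the IP a sender must ARP for to deliver a packet to dst_ip."""
    iface = ipaddress.ip_interface(src_iface)
    dst = ipaddress.ip_address(dst_ip)
    if dst in iface.network:
        return str(dst)  # on-link: ARP for the destination, router not involved
    gw = ipaddress.ip_address(gateway)
    if gw not in iface.network:
        raise ValueError(f"gateway {gw} is not on-link for {iface}")
    return str(gw)       # off-link: ARP for the gateway and let it route

def check_pair(a_iface: str, b_iface: str, gateway: str) -> dict:
    """Evaluate both directions between two hosts and list anything odd."""
    a = ipaddress.ip_interface(a_iface)
    b = ipaddress.ip_interface(b_iface)
    a_to_b = next_hop(a_iface, str(b.ip), gateway)
    b_to_a = next_hop(b_iface, str(a.ip), gateway)
    findings = []
    if a.network != b.network:
        findings.append(f"mask mismatch: {a.network} vs {b.network}")
    if a_to_b != str(b.ip):
        findings.append(f"{a.ip} reaches {b.ip} via gateway {a_to_b}")
    if b_to_a != str(a.ip):
        findings.append(f"{b.ip} reaches {a.ip} via gateway {b_to_a}")
    return {"a_to_b": a_to_b, "b_to_a": b_to_a, "findings": findings}

if __name__ == "__main__":
    # Devices A, B and C from the explanation; gateway IP is assumed.
    print("A->B:", next_hop("192.168.1.100/24", "192.168.1.200", "192.168.1.1"))
    print("A->C:", next_hop("192.168.1.100/24", "192.168.2.50", "192.168.1.1"))
    # Thread addresses: MBP .29, reserved .83, pool lease .206.
    # Masks are constructed: /24 everywhere, then a hypothetical /25 on the MBP.
    cases = [
        ("172.16.20.29/24", "172.16.20.83/24"),
        ("172.16.20.29/24", "172.16.20.206/24"),
        ("172.16.20.29/25", "172.16.20.83/24"),
        ("172.16.20.29/25", "172.16.20.206/24"),
    ]
    for a, b in cases:
        result = check_pair(a, b, "172.16.20.1")
        print(a, "<->", b, result["findings"] or "both on-link")
```

Feed it the address and mask each device actually reports (for example from `ip addr` on the Pi) rather than what the DHCP server is expected to hand out.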