Some LAN IPs not working



  • Hi,

    I have a new pfSense install. Single WAN IP, firewall and 192.168.0.0/16 subnet, DHCP server 192.168.0.100-192.168.14.253, OpenVPN and LDAP. Everything finally working except several Windows clients on the LAN subnet will not communicate with other Windows machines ONLY within the DHCP scope. About 30 of 40 are working perfectly fine with nothing to indicate a problem. On the others I can browse the web, ping the gateway and communicate with our servers on another subnet without issue, but absolutely nothing to the other LAN machines (i.e. RDP, ICMP, etc.).

    Been troubleshooting the Windows side all morning: reboots, static IPs, etc.

    Does anyone have a hint as to where this problem would be? I've fixed Windows boxes since 3.1. Would appreciate any insight as to whether this could be a pfSense issue or if I should stick to the Windows troubleshooting.


  • LAYER 8 Global Moderator

    Dude, what are we supposed to work with here? For starters I have to ask why a /16 in the first place - how many hosts do you have on this segment? Maybe your LAN is just so full of broadcasts that other stuff is not working ;)

    So are these boxes on 1 switch? With a /16 I have to assume you have lots of switches and lots of hosts - which ones do not work, are they all on the same closet switch? Can we see a drawing of this network? You prob have a loop in it somewhere if some stuff doesn't work and others do. Or maybe an uplink died somewhere?

    So you can not ping the pfSense LAN IP? 192.168.0.1 I guess? Can you arp for it - do you see its MAC in the arp table of the machine that is not working? If you can not arp - then follow layer 1, you prob have an issue there.

    Love to help you - but you have given us absolutely nothing to work with here.



  • Appreciate the response, I will look at ARP and the switching. I apologize for the lack of info as well. I am taking over a medium-size network with, yes, lots of switches and LAN devices. (You should see our iPad collection :))



  • Well, to start there are 3 main switches and from what I can see everything is plugged in willy-nilly. As I stated, I'm taking over this network and trying to make heads or tails of what is happening. Starting with rebuilding the router, which was sitting on a very old Dell with puffed capacitors.

    DHCP leases and ARP tables are all correct (MACs match, DHCP and DNS). The few machines with this issue can see pfSense, get to the internet and the servers that do not land in the DHCP scope.

    Again I apologize for the lack of information. What can I post to help you get a better idea of where the problem may be?

    DHCP server is configured with all defaults. A simple range 192.168.0.100-192.168.14.253 (again this will be corrected eventually, just getting started :))
    Firewall is basic, a couple of NAT rules is it. Really nothing unusual or fancy.


  • LAYER 8 Global Moderator

    Well, first thing I would do if you have taken it over is address the /16 - I can not believe you have 65k hosts or anywhere close to that on the same segment. So I would clear that up first thing and correctly address your network space with appropriately sized segments.

    Also - if you do not have a very detailed drawing - this is paramount! You need to be able to see what you're working with, and need to be able to show others when you have questions or when working with your teammates on how best to address something, be it expansion, redesign, etc. etc.


  • LAYER 8 Global Moderator

    "The few machines with this issue can see pfSense, get to the internet and the servers that do not land in the DHCP scope."

    What is the issue then? If they can get to the internet and talk to servers on the /16 - do you have another network segment? What can these machines not do?? Talk to other machines on the /16?? If they can not talk to other machines - can these other machines talk to pfSense?

    You need to be looking on a machine that is having issues..

    Do they see each other's MAC addresses? Nobody is talking to anybody on the same segment without a MAC address that is correct.

    So all the machines can talk to pfSense and use the internet? You're saying that machine 192.168.1.14 can not talk to 192.168.3.72??

    Let's be clear here: if you're talking about machines talking to each other that are on the same network segment, i.e. your 192.168.0.0/16, then pfSense has NOTHING to do with your issue in the slightest.. pfSense has nothing to do with machines talking to each other on the same segment - they are not going to even talk to pfSense in the process.. Unless pfSense has bridged interfaces or something?? And some of these machines are on different sides of the bridge. Or on a different segment that pfSense routes.

    Let's get into some specifics - exact IPs that can not talk to each other - post up their ipconfig /all and their corresponding arp tables after you try to ping each other.

    And then some sort of drawing of how these machines are connected via layer 1. Are they on the same switch? Different ones - how are the switches connected?


  • Netgate Administrator

    All on one subnet? Even so do you need a /16 rather than say a /20?

    Anything in the firewall logs?

    Steve



  • Thanks for the responses everyone.

    Nothing in the firewall log.

    We use RDP within the office and VPN users RDP to their desktops. Unfortunately this issue landed on my one full-time remote user and a couple of people that remote from laptops around the office to their workstations. When troubleshooting I can reproduce from mine and other locations for these to verify it isn't an issue with the firewall etc.


  • Netgate Administrator

    Traffic between machines in the same subnet shouldn't be going through the firewall at all. I'd be looking for some problem with the network. Switch run out of memory, got a bad route? Anything using jumbo frames?

    Steve
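Both the moderator's point (same-segment hosts ARP for each other directly and never involve pfSense) and Steve's (so the firewall log can't show the problem) rest on each Windows host's own subnet mask deciding whether a peer is "on-link". The following script is an added illustration, not code from the thread or from pfSense: it models two hosts in the thread's 192.168.0.0/16 segment with constructed `ipconfig` values and constructed `arp -a` output, and works out where each host would send a packet for the other and whether it already holds an ARP entry for that next hop. Host B is deliberately given a wrong /24 mask as a hypothetical; nothing in the thread says that was the poster's actual misconfiguration.

```python
import ipaddress
import re

# Constructed sample data (not from the thread): what `ipconfig /all` might
# report on two hosts in the 192.168.0.0/16 segment. Host B carries a
# hypothetical wrong /24 mask to show the effect of mismatched settings.
HOSTS = {
    "A": {"ip": "192.168.1.14", "mask": "255.255.0.0", "gateway": "192.168.0.1"},
    "B": {"ip": "192.168.3.72", "mask": "255.255.255.0", "gateway": "192.168.0.1"},
}

# Constructed `arp -a` output as seen on each host after pinging the other.
ARP_A = """\
Interface: 192.168.1.14 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.3.72          aa-bb-cc-dd-ee-01     dynamic
"""
ARP_B = """\
Interface: 192.168.3.72 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
"""

# One Windows arp -a entry: IPv4 address, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp(text):
    """Return {ip: mac} parsed from Windows `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def on_link(src, dst_ip):
    """True if host `src` considers dst_ip part of its own segment.

    Only the local mask matters: an on-link peer is ARPed for directly and
    the packet never touches the gateway; an off-link peer is handed to the
    default gateway instead, so the host ARPs for the gateway.
    """
    net = ipaddress.ip_interface(f"{src['ip']}/{src['mask']}").network
    return ipaddress.ip_address(dst_ip) in net


def next_hop(src, dst_ip):
    """Address the host will ARP for when sending to dst_ip."""
    return dst_ip if on_link(src, dst_ip) else src["gateway"]


def diagnose(src_name, dst_name, arp_text):
    """Summarise how src would reach dst and whether layer 2 is resolved."""
    src, dst = HOSTS[src_name], HOSTS[dst_name]
    hop = next_hop(src, dst["ip"])
    arp = parse_arp(arp_text)
    return {
        "on_link": hop == dst["ip"],
        "next_hop": hop,
        "has_arp_for_next_hop": hop in arp,
    }


if __name__ == "__main__":
    for src, dst, arp in (("A", "B", ARP_A), ("B", "A", ARP_B)):
        print(src, "->", dst, diagnose(src, dst, arp))
```

With the constructed data, A treats B as on-link and already has B's MAC, while B (with the hypothetical /24 mask) treats A as off-link and sends its replies to 192.168.0.1. That asymmetry is exactly the kind of thing the requested `ipconfig /all` plus `arp -a` pair exposes, and it explains why such a host can still ping the gateway and reach the internet while failing to reach a neighbour. On a real host, replace the constructed strings with the output of those two commands.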



  • I think I tracked it to a DNS slave that wasn't updated after the change. I will update this if it is resolved. Thanks everyone for the ideas.



  • Switch restart and applying the correct IP settings fixed it.  Thanks people.

