    I can't ping, trace or access my pfSense from half of my network.

    General pfSense Questions
    maxmouse:

      Hi everyone, I need some help here.
      I want to use more hosts in my network, so I'm moving from /24 to /23. So far so good, except for one thing: I can't ping, trace or access my pfSense from half of my network.

      Here's the thing: I have the LAN interface as 192.168.0.0/23, and every host with 192.168.0.x can ping, but the other half of the network, 192.168.1.x, can't.

      What am I missing? Any help would be great!

      PS.
      I suspect it's something dumb. I can tell you that all my services are working fine. All the hosts in .1.0 can ping and use the other servers in .0.0.

      dreamslacker:

        Do these hosts have static IPs configured?

        If so, you will need to update the subnet mask accordingly.

        If you're using a separate DHCP server for these machines, have you also updated the DHCP server's issued subnet settings as well?

        maxmouse:

          Thank you dreamslacker

          Do these hosts have static IPs configured?

          I have both, and same result with static and DHCP. With the change in the netmask, the DHCP range changed automatically, and all my leases are updated.

          If you're using a separate DHCP server for these machines, have you also updated the DHCP server's issued subnet settings as well?

          Noupe, my DHCP is my pfSense.

          Honestly, I'm lost here; this shouldn't be that hard.  :'(

          I already tried to change pfSense's IP, with the same result. Maybe some log could point me in the right direction.

          KOM:

            Can you provide some hard numbers just to verify what you have set?  What is your pfSense LAN IP and netmask/CIDR?  For the machines that have problems, what is their netmask set to specifically?

            maxmouse:

              Thanks KOM,
              Of course!

              What is your pfSense LAN IP and netmask/CIDR?

              192.168.0.1/23

              For the machines that have problems, what is their netmask set to specifically?

              I have a problem with any machine configured like:

              192.168.1.x/23

              For example, I have a mail server at 192.168.0.5/23 and a web server at 192.168.0.4/23, and they're working fine; I can access them from any host with 192.168.1.x/23 or 192.168.0.x/23.

              KOM:

                Hmm, I believe that should work and give you a range of 192.168.0.1-192.168.1.254.  The behaviour looks a lot like a subnet mismatch.

                Just for laughs, what happens if you take one of the systems on 192.168.1.x that doesn't talk properly and change its subnet from 255.255.254.0 to 255.255.0.0?  Can it talk now?

                divsys:

                  Just a guess on my part, but any chance you could have a (supposedly) smart switch in the mix that needs to be configured?  ???

                  maxmouse:

                    KOM

                    what happens if you take one of the systems on 192.168.1.x that doesn't talk properly and change its subnet from 255.255.254.0 to 255.255.0.0?  Can it talk now?

                    Noupe, doesn't work.

                    divsys

                    smart switch in the mix that needs to be configured?  ???

                    Well, I inherited three old smart switches, but they don't have any configuration, and I can access them from any 192.168.1.x host.

                    What I'm going to do is a hard/factory reset on each one, just in case, and I will let you know if something changes.

                    And just for the record, attached is a screenshot of the config.


                    MindfulCoyote:

                      @maxmouse:

                      Hi everyone, I need some help here.
                      I want use more host in my network, so I'm moving from /24 to /23, so far so good, except for one reason, I can't ping, trace or access my pfSense from half of my network. […] All the hosts in .1.0 can ping and use other servers in .0.0

                      Try rebooting before trying any further troubleshooting. It might be that pfSense hasn't updated the new netmask everywhere. (Diagnostics: Reboot)

                      If you still cannot ping pfSense at 192.168.0.1 from the 192.168.1.x/24 range, I would try looking at the logs to see if the firewall is blocking the packets. (Status: System logs: Firewall)

                      maxmouse:

                        Thank you Coyote,

                        Try rebooting before trying any further troubleshooting. It might be that pfSense hasn't updated the new netmask everywhere. (Diagnostics: Reboot)

                        I already did a fresh install to avoid misconfigurations.

                        I would try looking at the logs to see if the firewall is blocking the packets. (Status: System logs: Firewall)

                        The logs say what is expected: pass. :-\


                        MindfulCoyote:

                          @maxmouse:

                          The logs say what is expected: pass. :-\

                          Hmm. The default "Default allow LAN to any rule" rule should be silently passing that traffic. Could I trouble you to post the LAN firewall rules?

                          MindfulCoyote:

                            @maxmouse:

                            I already did a fresh install to avoid misconfigurations.

                            Not to be too repetitious, but I would recommend another reboot. Changing a netmask can really mess up a network. I would reboot the router, pick a test client and reboot it, then try again.

                            dreamslacker:

                              @maxmouse:

                              Well, I inherited three old smart switches, but they don't have any configuration, and I can access them from any 192.168.1.x host.

                              What I'm going to do is a hard/factory reset on each one, just in case, and I will let you know if something changes.

                              And just for the record, attached is a screenshot of the config.

                              Have you tried this:

                              1)  Verify that all the switches are configured for the correct subnet mask (where applicable).
                              2)  Power off the switches and all connected devices (except those that are critical - servers etc).
                              3)  Power on the switches first, then power on the machines.

                              Sometimes, switches don't update their look-up tables properly and a power cycle solves the issue.

                              maxmouse:

                                Hello again guys,
                                No luck, can't believe it, I'm running out of options.

                                but I would recommend another reboot

                                Coyote, after reboot no change.

                                1)  Verify that all the switches are configured for the correct subnet mask (where applicable).
                                2)  Power off the switches and all connected devices (except those that are critical - servers etc).
                                3)  Power on the switches first, then power on the machines.

                                dreamslacker
                                The switches are configured with the same netmask. I even did a hard/factory reset on each, and nothing! I tried your steps, same thing. I can even get to the switches' GUI from 192.168.1.x, so I don't know.

                                Kind of frustrating. I'll try to isolate the hardware in a test lab with a standard switch and only one machine to see what happens, but I can't do that now, because everybody is working right now and for now I don't have a backup.

                                maxmouse:

                                  Trying to find reasons:
                                  The only thing I can find in my mind is that my provider gave me a router from which my pfSense gets its IP via DHCP, and the range of that DHCP is 192.168.1.0/24. I only have a patch cord connected directly to the pfSense; it doesn't go to any switch, so that's why I don't think that's the problem, but at this point, I don't know.

                                  MindfulCoyote:

                                    @maxmouse:

                                    Trying to find reasons:
                                    The only thing I can find in my mind is that my provider gave me a router from which my pfSense gets its IP via DHCP, and the range of that DHCP is 192.168.1.0/24. I only have a patch cord connected directly to the pfSense; it doesn't go to any switch, so that's why I don't think that's the problem, but at this point, I don't know.

                                    Ah Maxmouse.  :) You didn't mention that before. ;)

                                    pfSense has a number of places where it will adopt the DHCP netmask if not explicitly configured differently. Could you provide more topology detail so we can help you better? I'm not sure where the ISP router fits in. Are you saying your network looks like this:

                                    Client                Switch    [LAN  pfSense  WAN          ]    ISP Router        Internet
                                    192.168.1.131/23 –>  No IP? --> [192.168.0.1/23  192.168.1.x/24] –> 192.168.1.x/24 -->

                                    (also, more screen shots are extremely helpful. Specifically all the interfaces and the LAN rules would really help me. It's ok to black out the first two octets (i.e. x.x.1.1/23) or generically change them if privacy is a concern.)

                                    maxmouse:

                                      I never thought that would be a problem.

                                      On the topic of my topology, you're right; what I've got is:

                                      Client                Switch    [LAN  pfSense  WAN          ]    ISP Router        Internet
                                      192.168.1.131/23 –>  192.168.0.41 --> [192.168.0.1/23  192.168.1.x/24] –> 192.168.1.1/24 -->

                                      Now, about the screenshots, let me work on them; you know how it is.

                                      heper:

                                        Your LAN and WAN have overlapping subnets. This CAN never work on any kind of router.

                                        MindfulCoyote:

                                          @maxmouse:

                                          Client                Switch    [LAN  pfSense  WAN          ]    ISP Router        Internet
                                          192.168.1.131/23 –>  192.168.0.41 --> [192.168.0.1/23  192.168.1.x/24] –> 192.168.1.1/24 -->

                                          OK, it appears that the primary issue here is the overlapping subnets created by expanding your netmask. I'm actually surprised this even works at all for the 192.168.1.x clients. It shouldn't. OK, one more question: do you have pfSense configured for bridging or routing? (If you aren't sure, take a look under Interfaces: (Assign): Bridges.)

                                          If not, here are my recommendations in order of preference:

                                          A. If possible, remove the ISP router from the network and connect pfSense directly in its place. (This won't work unless your provider's handoff is Ethernet and they allow direct connections.)

                                          B. If the router cannot be removed, ask the provider if they can configure their router for bridged mode so that your pfSense has a routable public IP on its WAN interface.

                                          C. If the router can't be removed and they refuse to change its configuration to bridged, then I highly recommend you renumber your internal network into a different subnet. Some options could be:
                                          192.168.2.0/23
                                          Your LAN IP would become 192.168.2.1/23 and your LAN hosts would be 192.168.2.2 through 192.168.3.254.

                                          or 10.0.2.0/23
                                          Your LAN IP would become 10.0.2.1/23 and your LAN hosts would be 10.0.2.2 through 10.0.3.254.

                                          Any of those three options should solve your current problem completely.

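Added example (not from the thread, and not pfSense code): a small standard-library Python model of the routing decision behind heper's and MindfulCoyote's diagnosis above. With the LAN at 192.168.0.1/23 and the WAN holding a 192.168.1.x/24 lease, pfSense's routing table contains both 192.168.0.0/23 (LAN) and 192.168.1.0/24 (WAN). Longest-prefix match sends any reply destined for a 192.168.1.x client out the WAN toward the ISP router, while replies to 192.168.0.x go out the LAN, which is exactly the half-working symptom in the first post. Hosts in 192.168.1.x still reach the 192.168.0.x servers because that traffic is switched at layer 2 and never passes through pfSense. The WAN host part (.200), the default route out WAN and the ISP-router replacement subnet (192.168.100.0/24) are assumptions; the thread only says the WAN gets a 192.168.1.x/24 lease. The script also checks the two renumbering candidates from option C against the ISP router's subnet.

```python
"""Model of the routing decision behind the overlapping-subnet failure.
Standard library only; the topology values come from the thread."""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed from the topology posted above. The WAN host part (.200) and the
# default route out WAN are assumptions; the post only says WAN holds a
# 192.168.1.x/24 DHCP lease from the ISP router.
INTERFACES = {
    "LAN": "192.168.0.1/23",
    "WAN": "192.168.1.200/24",
}


def connected_routes(interfaces, default_via="WAN"):
    """Routes a router installs from its own interface addresses (connected
    routes), plus a default route via the upstream interface."""
    routes = [(ip_interface(addr).network, name)
              for name, addr in interfaces.items()]
    routes.append((ip_network("0.0.0.0/0"), default_via))
    return routes


def egress_interface(dst, routes):
    """Longest-prefix match: of all routes containing dst, the most specific
    wins, so a connected /24 beats a connected /23 that also contains dst."""
    dst = ip_address(dst)
    matches = [(net, name) for net, name in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def overlapping_interfaces(interfaces):
    """Pairs of interfaces whose connected networks overlap; the router then
    cannot tell which side an address in the shared range lives on."""
    nets = {n: ip_interface(a).network for n, a in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def shadowed_lan_ranges(interfaces, lan="LAN"):
    """Sub-ranges of the LAN network captured by a more specific route on
    another interface; clients there never receive replies via the LAN."""
    lan_net = ip_interface(interfaces[lan]).network
    return [net for net, name in connected_routes(interfaces)
            if name != lan and net.subnet_of(lan_net)]


def renumbered_is_safe(interfaces, **changes):
    """True if changing the given interface addresses removes every overlap."""
    return not overlapping_interfaces({**interfaces, **changes})


if __name__ == "__main__":
    routes = connected_routes(INTERFACES)
    for client in ("192.168.0.41", "192.168.1.131"):
        print(f"reply to {client} leaves via {egress_interface(client, routes)}")
    print("overlapping interfaces:", overlapping_interfaces(INTERFACES))
    print("LAN ranges shadowed by other routes:", shadowed_lan_ranges(INTERFACES))
    # Candidate fixes from the thread: renumber the LAN, or change the ISP router.
    for new_lan in ("192.168.2.1/23", "10.0.2.1/23"):
        ok = renumbered_is_safe(INTERFACES, LAN=new_lan)
        print(new_lan, "is safe" if ok else "still overlaps WAN")
    # The fix the thread ended with: the ISP router's LAN moved off 192.168.1.0/24
    # (192.168.100.0/24 is an assumed value).
    print("ISP router on 192.168.100.0/24 resolves it:",
          renumbered_is_safe(INTERFACES, WAN="192.168.100.2/24"))
```

On a real pfSense box the same check is `netstat -rn` (or Diagnostics > Routes) on the firewall: if a connected route on WAN is a subnet of the LAN network, every LAN client inside that range is unreachable from the firewall no matter what the firewall rules say, which is why the firewall log showed "pass" for the original poster.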
                                          maxmouse:

                                            Finally!
                                            I want to thank you all for the help. As I said, "I suspect it's something dumb."
                                            The solution was to change the LAN configuration of my ISP's router; fortunately it wasn't hard to break its security, and now everything is working.

                                            Thank you all!

                                            heper:

                                              That's why we are here :-)
                                              pfSense has a very active community, and lots of them are network gurus.

                                              © 2021 Rubicon Communications, LLC | Privacy Policy