Some clients in a subnet cannot connect/ping other subnets



  • Hello all. Here's a simplified version of my setup: http://i.imgur.com/IuAgURv.png

    Basically, the Hikvision camera (10.1.0.52) and the DD-WRT router (10.1.0.2) cannot ping the gateway (10.0.0.1) or clients (10.0.0.2 -> etc) in the VLAN10 subnet. However PC1 (10.1.0.3) and the IPROBOT3 (10.1.0.51) can make connection/ping to the VLAN10 subnet (ping, access camera http server from client in VLAN10, access SMB folders).

    I cannot figure out this issue, I installed wireshark in client 10.0.0.2 and it seems like it doesn't receive any ping packet from 10.1.0.52 (ping by telnet from camera).

    As for firewall rules, both LAN1 and LAN2 interfaces are set to allow each other any traffic temporarily.



  • Any chance there's a firewall in the Hikvision camera blocking traffic outside it's subnet?



  • Hi  ;)

    All I've got is the NAT page, but it's all greyed out: http://i.imgur.com/9rP3ETA.png

    I can telnet into it though, however I don't know much about linux commands.



  • If you can telnet in, can you try a ping from the telnet command line?

    From that point (telnet) what points of your network can you reach -

    10.1.0.2 DDWRT
    10.1.0.1 pfSense VLAN20 Gateway
    10.0.0.1 pfsense VLAN10 Gateway
    10.0.0.2 VLAN10 PC (make sure windows firewall is turned off for testing)
    10.0.0.50 VLAN switch

    From your previous reply I take it the same exercise done from 10.1.0.3 was all successful?

    Is there anyway you could replace the DDWRT unit with a simple switch for testing purposes?



  • Hello, since the client behind the DD-WRT router worked, I figured it was not a problem, but I switched it (no pun intended) with a dumb switch and the issue remained.

    Yeah, I can ping with telnet, like indicated in the first post; it can ping its gateway and any clients in the subnet, but not the gateway of the other subnet (10.0.0.1) or the clients in it (10.0.0.***).

    10.1.0.2 DDWRT (reachable)
    10.1.0.1 pfSense VLAN20 Gateway (reachable)
    10.0.0.1 pfsense VLAN10 Gateway (unreachable)
    10.0.0.2 VLAN10 PC (make sure windows firewall is turned off for testing) (unreachable, Windows firewall is deactivated)
    10.0.0.50 VLAN switch (unreachable)
    10.1.0.3 (reachable from both directions)

    I can't ping back either from the TP-Link switch, but can ping back with pfsense (though I don't know what gateway it's using).

    I figured it's a problem with pfSense blocking the connection since it all stop after it, but that wouldn't explain why 10.1.0.3 client can reach the other subnet.

    My relevant firewall rules are:

    LAN1 interface: Allow ANY protocol ANY source LAN2 destination
    LAN2 interface: Allow ANY protocol ANY source LAN1 destination



  • OK great we have a list to work from.

    So I take it if you try and ping all those addresses from 10.1.0.3, they are all reachable?

    How about 10.1.0.3 to 10.1.0.52?

    Here's another thought, is it reasonable to try and move 10.0.0.2 to VLAN20 and make sure it gets 10.1.0.52?  If you re-run the same list of ping addresses again it would be interesting to see if anything changes.  At least it could rule out any blocking in the camera.

    As a small side note, have you rebooted the TP-Link switch? Sometimes moving cables around on a live switch can cause odd issues with remembered MAC addresses, simple test and worth a try.

    This is an odd one….. :o



  • Hello divsys, I'm pretty sure all the clients in the subnet can communicate with each other, 10.1.0.3 (PC) can communicate with 10.1.0.52 (Hikvision camera) because I used the PC to access the camera webgui. Once the DD-WRT router and Hikvision camera leaves the subnet, external communication is dropped.

    Had also rebooted camera, pfSense, TP-Link switch, DD-WRT router (more like a switch with AP now) multiple times to rule that out. Thanks for the assist btw.



  • I also forgot to add I have a multi-wan setup, I'm using policy based routing so LAN uses default gateway and LAN2 uses WAN2 when it goes out in the internet. But that wouldn't explain why some clients are reachable in the other subnet.

    Here are the firewall rules:
    http://i.imgur.com/WTfLDHk.png

    I'm not very good with pfSense, I know pfSense receives the ping packets, but I want to know if it's blocking it, I tried going to system logs and filter with camera IP and it comes up empty. Also I was checking the states and I saw this:

    icmp 10.1.0.52:39968 <- 10.0.0.50 0:0
    icmp 10.0.0.50:39968 -> 10.1.0.52 0:0

    What does 0:0 mean? I tried googling it, lot of results came up and I couldn't narrow it down.



  • Ahh, well the dual WAN thing makes a biiiig difference.  According to your rules there are two routes between LAN and LAN2.  Under your LAN2 rule you have routed traffic from LAN2 to LAN through a different gateway than traffic into LAN2 from LAN.  At minimum you're going to get some pings going halfway through one route and trying to return through another - that won't work.

    Try to limit your setup to one gateway first, then add the second WAN and get it operational.



  • As per your suggestion, yesterday I disabled the policy routing rule in firewall and was able to ping from 10.0.0.50 (TP-Link switch) to 10.1.0.52 (Hikvision camera), but I don't know what happened after and it doesn't ping anymore.  ??? I had been very busy, but I will mess around later on today.



  • Glad you were able to get it to work at least once (don't you hate it when that happens)  :P

    My only suggestion is to try and start with simple scenarios (take things apart to simplify if necessary) and then add complexity till it breaks  ;)

    Good luuck and let us know how it works out.