Can't See or Ping Local LAN Clients

  • I am trying to connect my tablet to my PC wirelessly and cannot get the two to talk.

    I am able to reach the Internet on both and see the router.

    From the tablet I can do a discovery, and all it sees is the pfSense (wired), the tablet (wireless) and my TV (wired). That's all I can see.

    I'm going to try plugging in my laptop to see if it sees it then.

    If you need configuration info from pfSense let me know and I'll post it.

  • You have network discovery enabled for your PC?

  • I'll assume you're using Windows. If you connect to a "new network" and you tell it "public", or in some cases it will assume a network is public, Windows will assume local clients are hostile and will block pings and multicasts.

    I had this issue when I attempted to VPN to my PFSense box, only to find out my wife could not ping my computer and SMB was not working. Turned out Windows assumed the network was public and was blocking everything. Once I found out how to change that setting, SMB and ping started working.

  • But from an Android tablet, pfSense is not letting wireless items talk to each other.

  • Go to Interfaces –> WLAN
    Enable the option "Allow intra-BSS communication"

    Some discovery services need this. I can recall a problem with Chromecast devices for example, unless this is checked they wouldn't work.

    Best regards!

  • That is enabled.

  • Rebel Alliance Global Moderator

    You mention router - are you talking about pfsense as your router, or do you have some other router?

    I don't even see where you say that pfsense is providing your wireless, other than when asked if intra-BSS is on you say it is, so I assume pfsense has a wireless card in it.  You have no other wireless routers running wireless that your devices are connected to?

    Can you draw up your network, on a napkin if that is all you have and take a picture of it with your phone if need be to post it.

  • Well here is the Layout

    Internet <> Cable Modem <> WAN (DC0) <> Pfsense <> [Bridge {LAN (Bridge) <> OPT1 (DC1)}] <> WIFI (RAL0)

  • Rebel Alliance Global Moderator

    "[Bridge {LAN (Bridge) <> OPT1 (DC1)}]"

    So your bridge has 1 interface in it?  DC1 - if it was a bridge between your wireless and your wired it would have both interfaces in..  What is the point of a bridge with 1 interface?

  • That's what everybody told me to do. I will post a picture of the setup.

  • Rebel Alliance Global Moderator

    Show your bridge setup please - I would think that should show both interfaces.

    See how I added a test bridge; see how it has 2 interfaces in it.

  • Here it is.

  • Rebel Alliance Global Moderator

    Ok what IPs do you have setup on these interfaces, and the bridge interface - and what firewall rules do you have setup?

  • Netgate

    "Ok what IPs do you have setup on these interfaces, and the bridge interface - and what firewall rules do you have setup?"

    I think that needs to be flipped around a little…

    Ok what IP do you have setup on BRIDGE0 (WIFI and OPT2 should have none), and what firewall rules do you have setup on BRIDGE0, WIFI, and OPT2?

  • Rebel Alliance Global Moderator

    I agree they should have none - which should be his answer..

  • wifi and opt 2 have no IP.

    As for rules they will be below in pictures.

    In the LAN rules don't mind the Andy stuff.

    ![Lan Rules.JPG](/public/imported_attachments/1/Lan Rules.JPG)
    ![Opt 2.JPG](/public/imported_attachments/1/Opt 2.JPG)
    ![Wifi Rules.JPG](/public/imported_attachments/1/Wifi Rules.JPG)

  • Rebel Alliance Global Moderator

    What does Andy IP resolve to - I am curious to what you think those rules will accomplish?  With that one rule's source IP being Andy IP, if that is a local IP you could be blocking all kinds of stuff outbound from LAN, like normal web traffic.  Source ports could be pretty much anything above 1024 with normal traffic.

  • Netgate

    Just so I'm clear, LAN is assigned to BRIDGE0 right?

  • Andy's ip covers his wired and wireless IP 192.168.103,
    Well, he was using BitTorrent and I told him not to and he still did it.  It blocks the ports for BitTorrent and opens up the others for web surfing and things.

    Yes, LAN is the BRIDGE0 and all my IPs are static to keep track of who is on.

  • Netgate

    Sorry - now I see your interface assignment screen cap in post #9.


    "Andy's ip covers his wired and wireless IP 192.168.103,"

    Why two different subnets?  The point of bridging the two (OPT2/WIFI) is to get them on the same subnet/broadcast domain.

  • My mistake, it's wired and wireless, sorry.

  • Netgate

    Then it should be working.  Check the software firewalls/LAN modes (public,work,etc) on the devices that can't talk to each other.  Are they getting ARP for each other?

  • Rebel Alliance Global Moderator

    "It blocks the ports for Bittorrent and opens up the others for web surfing and things."

    No it doesn't!! So one rule reads that if the source port is 5k to 65k, block.

    Well how do you know firefox is not going to use port 7212 to go to ??  You do understand that applications will use a random port above 1024 as their source port..  See example attachment of my firefox connection currently – see the local ports in the 30k range.  Your rule would block that from happening.

    And you blocking him from going to anything with 5k to 65k as dest is going to break way more than just bittorrent ;)  Which is fine, blocking outbound traffic to non-standard ports is standard practice..  But blocking source ports is going to be a problem!!  I would think he would be complaining all the time that he cannot get to websites.. Maybe a reboot would fix it so he starts using ports just above 1024, but as applications start going through the ports and get to above 5k they are going to stop working for new connections to websites even on 80 or 443.

    Let's clarify what the problem is -- so wireless clients cannot talk to other wireless clients.  So if you ping a wireless client from another wireless client by IP, do you see the MAC in your arp table on the client pinging it?

    So for example if I ping, you can see its mac in my arp table on the client


    Pinging with 32 bytes of data:
    Reply from bytes=32 time=1ms TTL=128
    Reply from bytes=32 time<1ms TTL=128

    C:>arp -a

    Interface: --- 0xc
      Internet Address      Physical Address      Type
                            00-0c-29-c8-f2-dc     dynamic
                            00-0c-29-dd-02-ba     dynamic
                            00-0c-29-55-4f-95     dynamic
                            b8-27-eb-1c-6e-09     dynamic
                            00-1f-29-54-17-14     dynamic
                            00-0c-29-73-eb-07     dynamic

    Even if it doesn't answer you should see the MAC – do you??

    I personally never understand why anyone would set up pfsense like this - if you want wireless on your LAN network - then use an AP..  Pfsense wireless support is, let's call it, limited at best; you're going to get way better performance, way more coverage and way more control using any wifi router you have lying around the house as just an AP, or going with a real AP - something like unifi for example with a wireless controller in software.

    To be honest, if it were me, I would yank all the wifi out of pfsense altogether other than say some support for a wifi connection to be used as a link.

    if you have this set
    "Enable the option "Allow intra-BSS communication""

    And wifi clients cannot talk to each other, then yes there is a problem - whether the devices see the other device's MAC is a start to figuring out what is wrong.

  • No MAC.

    I am trying to ping my Android phone from my PC and pinging from phone to PC, and I can't see the IP or MAC.

    Also with blocking, I have to block anything I can because I don't want him here; he doesn't want to get a job and is just leeching, but I need to leave it a way so he can find a job.

    And if you have been reading through the postings, you would see that "Enable the option "Allow intra-BSS communication"" has already been asked and the answer is yes.

    With the wifi router option, I would, but I found a Realtek wireless card for $10 and thought I could use it as an AP in pfSense, instead of spending $60 on a separate repeater or an AP.

  • Rebel Alliance Global Moderator

    Well, clearly it's working as an AP - you have connectivity to the internet from the clients, do you not? ;)

    Dude, you can buy a wireless router for $20

    There are like 20 something to choose from.  from like 12$ to 25$

    That's fine if you want to limit him to say 80/443 - but the way you're doing it is not correct and will cause problems with normal web sites once his source ports are over 5k, which will happen once the machine has been on for any length of time.

    I do understand your "Enable the option "Allow intra-BSS communication"" which is why I mentioned it.  If you cannot see the MAC of the box you're trying to ping then no, you're never going to be able to talk to it.  Which would have nothing to do with firewall rules, etc.

    So does the phone ping your pc?  Or both ways fail with no mac?

    Wireless to wired is not the intra-BSS setting; that would be wireless to wireless.

    My suggestion - for an easy fix buy an AP and don't try and bridge - just plug the AP into a LAN switch and you're good to go.
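Added example (not part of the original thread, and not pfSense code): a small first-match rule evaluator comparing the source-port block of 5k to 65k discussed in the posts above with a destination-port allow-list for 80/443. The rule sets are constructed for illustration, and the ephemeral port ranges are the current Windows and Linux defaults, which are assumptions the thread does not state.

```python
from dataclasses import dataclass

ALL_PORTS = range(0, 65536)

# Default client-side (ephemeral) source port ranges; OS defaults, not from the thread.
EPHEMERAL = {
    "windows": range(49152, 65536),  # Windows Vista and later
    "linux": range(32768, 61000),    # net.ipv4.ip_local_port_range default
}

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src_ports: range = ALL_PORTS
    dst_ports: range = ALL_PORTS

    def matches(self, sport: int, dport: int) -> bool:
        return sport in self.src_ports and dport in self.dst_ports

def evaluate(rules, sport, dport):
    """Top-down, first matching rule wins; nothing matching means blocked."""
    for rule in rules:
        if rule.matches(sport, dport):
            return rule.action
    return "block"

def web_pass_rate(rules, os_name, dport=443):
    """Fraction of the OS's possible source ports that can still reach dport."""
    ports = EPHEMERAL[os_name]
    passed = sum(evaluate(rules, sp, dport) == "pass" for sp in ports)
    return passed / len(ports)

# Constructed: block on SOURCE port 5000-65535, then allow the rest.
SOURCE_PORT_BLOCK = [Rule("block", src_ports=range(5000, 65536)), Rule("pass")]

# Constructed: allow only DESTINATION ports 80 and 443, block everything else.
DEST_ALLOWLIST = [
    Rule("pass", dst_ports=range(80, 81)),
    Rule("pass", dst_ports=range(443, 444)),
    Rule("block"),
]

if __name__ == "__main__":
    for name, rules in (("source-port block", SOURCE_PORT_BLOCK),
                        ("dest allow-list", DEST_ALLOWLIST)):
        for os_name in EPHEMERAL:
            rate = web_pass_rate(rules, os_name)
            print(f"{name:18} {os_name:8} HTTPS pass rate: {rate:.0%}")
```

A real policy limited to 80/443 would also need a pass rule for DNS, which this sketch leaves out.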