
Some wireless clients periodically report no internet access


Question

The Dark Knight

I'm having a very weird and annoying problem with my network all of a sudden. This is my network setup:

  • pfSense running in Hyper-V
  • 2 dedicated NICs - one for WAN and one for LAN
  • 4 Wireless APs - all configured with static addresses and have DHCP disabled so that all wireless clients get their addresses from pfSense instead of the APs

So the problem is, many of my wireless devices, particularly phones, start reporting no internet access at least once a day. Other wireless devices like laptops, Fire TV Sticks, and all wired devices work perfectly fine. Phones are connected to WiFi, but are actually using the LTE connection. Checking the IP address confirms this. However, if I turn off LTE, the phone again has internet from my home connection, although Android continues to report no internet access! Rebooting the phone doesn't help. Rebooting pfSense makes the problem go away immediately!

Static IPs for all devices are configured in pfSense itself, except for the Wireless APs. Everything was working perfectly fine for a few months, this problem only started about a week back. pfSense is on the latest version with the recent security updates applied via Shell.

The Dark Knight

By the way, my original problem has now gone away completely. Turns out I was having that issue because I changed something somewhere. No idea what though! A fresh setup of pfSense, and all is well again! :)

Link to post
Share on other sites
  • 0
+BudMan

Where are those rules?

You have an any any rule? at the top - any other rules below that mean nothing. And rules are placed on the interface where traffic would enter pfSense. If you want to allow lan to your pihole vlan then the rule would be on your lan interface, not your pihole interface.

Yes, your port forward would be on your lan interface and sure !lan address still works.

Rules are evaluated on the interface where traffic enters pfSense from the network the interface is attached to. First rule to trigger wins, no other rules are evaluated.

The Dark Knight

I created these rules on the new Pi-hole interface. Yes, I did make the any to any rule but that was meant to be temporary. Unless that is the only rule required? I created the other rules thinking it could be locked down for specific movement of traffic. Wanted you to vet them before I enabled! I already have a LAN to any rule (the default one). And yes, do know that rules are evaluated from the top. :)

Cool, so will change the NAT Redirect rule accordingly!

Thanks BudMan for all your help! :happy::beer:

+BudMan

Well, if that is on your pihole interface then the dest pihole net is never ever going to be used, since the interface would never see such traffic.

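The evaluation model discussed in the posts above (rules apply on the interface where traffic enters, and the first match wins) can be checked mechanically. This is an added example, not part of the thread and not pfSense code; the subnets, rule names and the `evaluate` and `audit` helpers are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

net = ipaddress.ip_network
ANY = net("0.0.0.0/0")
# Constructed subnets and rule names; none of these values come from the thread.
IFACES = {"LAN": net("192.168.1.0/24"), "PIHOLE": net("192.168.50.0/24")}

@dataclass
class Rule:
    name: str
    action: str                    # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int = 0                  # 0 means any port

RULES = {  # ordered top to bottom, keyed by the interface the packet enters on
    "PIHOLE": [
        Rule("allow any to any", "pass", ANY, ANY),
        Rule("block pihole to LAN DNS", "block", IFACES["PIHOLE"], IFACES["LAN"], 53),
        Rule("LAN to pihole DNS", "pass", IFACES["LAN"], IFACES["PIHOLE"], 53),
    ],
    "LAN": [
        Rule("LAN to pihole DNS", "pass", IFACES["LAN"], IFACES["PIHOLE"], 53),
        Rule("default LAN to any", "pass", IFACES["LAN"], ANY),
    ],
}

def evaluate(iface, src, dst, port, rules=RULES):
    """First matching rule on the ingress interface decides; otherwise default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules[iface]:
        if s in r.src and d in r.dst and r.port in (0, port):
            return r.action, r.name
    return "block", "default deny"

def audit(rules=RULES):
    """List rules that will not trigger in practice, with the reason."""
    findings = []
    for iface, ordered in rules.items():
        for i, r in enumerate(ordered):
            # Hosts in one subnet talk directly; only packets to the firewall's
            # own address in that subnet would ever reach such a rule.
            if r.dst.subnet_of(IFACES[iface]):
                findings.append((iface, r.name, "dst is this interface's own subnet"))
                continue
            for e in ordered[:i]:
                if r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst) and e.port in (0, r.port):
                    findings.append((iface, r.name, f"shadowed by '{e.name}'"))
                    break
    return findings
```

Running `audit()` on the constructed rule set flags the block rule under the any-to-any rule and the LAN-to-pihole rule placed on the PIHOLE interface, while the same LAN-to-pihole rule on the LAN interface is the one that actually matches.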
The Dark Knight

Oh ok. So I'll delete them and only keep one Allow to Any rule on the interface then. And of course the NAT Redirect rule.

+BudMan

Well, you can for sure lock it down if you don't want the pihole vlan to create traffic to your lan - but since it's really just a vlan to allow for the redirections of the dns I wouldn't think there are any security concerns.

The Dark Knight

Cool, thanks! 🙂
