Ping issue to wireless devices in same VLAN

Hi all

Hope everyone is well. Hitting my head on the table at the moment. Not sure if this issue I'm facing is due to a mis-config, or some undocumented behavior with the consumer smart switches I'm using (GS105E & TL-SG108PE).

Would be grateful if I could get another pair of eyes over the setup and config.

Like many I’ve attempted to move my flat home network into a VLAN setup. And to be honest, using the two consumer switches was a bit of a mission. Though so far, it's working, except for the ping issue.

Network layout:

All VLANs are setup under 802.1Q in the switches, port-based VLAN is disabled.

Devices in VLAN11 can access everything, WAN and devices in VLAN8.

Devices in VLAN8 can access WAN, blocked from VLAN11.

PC1 and PC2 are under VLAN11, both have IPs provided by the DHCP server in VLAN11 (within pfsense). Can access WAN without a hitch. Can ping all devices in VLAN8 without issue.

PC1 and PC2, have no problem pinging any LAN devices.

For those who are wondering why VLAN1 is the management VLAN. Mainly because the switches seem to refuse to get an IP from any other VLAN except for VLAN1. I feel maybe there is a bug with the switches or something I'm not understanding with the configs.

========== ISSUE ===============

PC1 and PC2 can't ping the wireless printer under SW2.AP2.VLAN11, unless the printer is freshly booted while the PCs are on. Ping error below.

Reply from PC-IP: Destination host unreachable

Similar issue occurs with the mobile. Both PCs are unable to ping the mobile unless the mobile pings the PCs first. Once the mobile initiates the pings to the PCs, thereafter, the PCs would be able to ping the mobile device.

Same issue occurs if the network adapter is disabled and then re-enabled on the PCs. Both PCs would lose the ability to ping the wireless devices under VLAN11, but still ok with devices in VLAN8.

Checking the ARP table. Once the network adapter is disabled and re-enabled, most of the entries in the ARP table disappear. Some entries do come back, but the wireless devices’ ARP entries do not appear unless they are rebooted or a ping is initiated by the wireless device.

=============================

Any thoughts or pointers are greatly appreciated :pray: :pray:
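Added example (not posted by anyone in this thread): a small Python script that parses the local neighbour cache and reports which expected same-VLAN hosts have no usable ARP entry, which is the symptom described above. It reads Windows `arp -a` output and, going a bit beyond the post, Linux `ip neigh show` output as well. All IPs, MACs and the "expected hosts" list are constructed sample values.

```python
"""Report expected same-VLAN neighbours that have no complete ARP entry.

Supports Windows `arp -a` and Linux `ip neigh show` formats. The sample
tables and the expected-host list below are constructed, not real data.
"""
import re

# Windows `arp -a` entry:  "  192.168.11.1   00-11-22-33-44-01   dynamic"
WIN_ENTRY = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)
# Linux `ip neigh` entry:  "192.168.11.50 dev eth0 lladdr 00:.. REACHABLE" or "... FAILED"
LINUX_ENTRY = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+(?:\s+lladdr\s+(\S+))?\s+(\w+)\s*$"
)
# Linux neighbour states that mean no MAC has been learned for the IP.
UNUSABLE_STATES = {"FAILED", "INCOMPLETE"}


def parse_arp_table(text):
    """Return {ip: (mac_or_None, state)} parsed from either tool's output."""
    entries = {}
    for line in text.splitlines():
        m = WIN_ENTRY.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries[ip] = (mac.lower().replace("-", ":"), kind.lower())
            continue
        m = LINUX_ENTRY.match(line)
        if m:
            ip, mac, state = m.groups()
            entries[ip] = (mac.lower() if mac else None, state.upper())
    return entries


def unresolved_neighbors(entries, expected):
    """Return the expected IPs whose ARP entry is absent or unusable.

    Unusable means: no MAC learned (Linux FAILED/INCOMPLETE), or a MAC that
    cannot identify a host (all-zero or broadcast).
    """
    bad = []
    for ip in expected:
        entry = entries.get(ip)
        if entry is None:
            bad.append(ip)
            continue
        mac, state = entry
        if mac is None or state in UNUSABLE_STATES:
            bad.append(ip)
        elif mac in ("00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"):
            bad.append(ip)
    return bad


# Constructed `arp -a` output from a wired PC on VLAN 11 after its adapter
# was re-enabled: the gateway and the other wired PC came back, the two
# wireless hosts did not.
SAMPLE_WINDOWS = """\
Interface: 192.168.11.20 --- 0xc
  Internet Address      Physical Address      Type
  192.168.11.1          00-11-22-33-44-01     dynamic
  192.168.11.21         00-11-22-33-44-21     dynamic
  192.168.11.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed `ip neigh show` output with one failed resolution.
SAMPLE_LINUX = """\
192.168.11.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.11.21 dev eth0 lladdr 00:11:22:33:44:21 STALE
192.168.11.50 dev eth0 FAILED
"""

# Hosts that should all answer ARP on VLAN 11: gateway, wired PC, printer, phone.
EXPECTED_VLAN11 = ["192.168.11.1", "192.168.11.21", "192.168.11.50", "192.168.11.51"]


def report(text, expected):
    """Print and return the expected hosts this machine cannot resolve."""
    missing = unresolved_neighbors(parse_arp_table(text), expected)
    for ip in missing:
        print(f"{ip}: no usable ARP entry (host never answered an ARP request?)")
    return missing


if __name__ == "__main__":
    report(SAMPLE_WINDOWS, EXPECTED_VLAN11)
```

Run it right after disabling and re-enabling the adapter and again after one of the wireless devices has pinged the PC; if the wireless IPs only move out of the "missing" list in the second run, the PC's ARP requests are not reaching (or not being answered by) the wireless side, which narrows the problem to the wired-to-wireless broadcast path rather than to IP routing.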

Are these PCs connected via Wi-Fi? If yes, I’d guess that client isolation is enabled on the SSID the PCs are connected to…

Thanks bb77. However both PCs are on physical LAN.

Client isolation has been disabled due to my requirements. I did check this earlier thinking it may have been enabled and playing up. However, ping will work both ways…only if it's initiated by the wireless devices. Pinging between wireless devices has been trouble free so far.

On these Netgear switches there are vlans (1-4) that are pre-assigned for VOIP etc. I start my vlans from 10 and higher. Can’t say if this is the cause of your issue though.

I’ve never got to the bottom of this but sometimes with my Netgear switches, I can’t change the port's vlan assignment without doing a complete reset.

Thanks neogrid. Interesting…I might try a few more VLAN ranges to see what's going on there. I had originally wanted to use VLAN 90 as the mgmt VLAN, but it just refuses to work. And I also did notice that some VLAN settings do not appear to kick in until I pull the power plug and re-plug. Using the reboot button in the GUI doesn't always seem to work, you see the setting but not the result…

To all.
I want to clarify something simple. Perhaps I have misunderstood. If I wanted to set one of the switch ports to a particular VLAN (the mgmt VLAN, for mgmt purposes), it would simply be changing the PVID of that particular port, right?

For example, if I wanted Port 1 to be in mgmt VLAN 90, I would set PVID for Port 1 to 90, is this correct? Of course this is assuming pfSense has been set up with the necessary VLAN and DHCP service.

I’m not sure that your question makes sense, though perhaps it might be me. At least for what I do, the switch has to be on the management vlan, for Netgear switches I assign them an IP address on the management vlan first, then assign a port on that management vlan, then I set management vlan to say vlan_10 in the switch configuration. If something messes up, I can plug into the vlan_10 port and still access the switch directly.

Otherwise you don’t actually need a port on the management vlan to access the switch, you can do it from elsewhere on your network depending on your rules.

With Netgear switches, it’s best to sort out your config first, set it, then not touch it :wink:

Actually I see your question again, that is the correct way to assign a vlan to a port, you also have to remember to take it off vlan 01.
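Added example (not from either poster): a small Python model of how an 802.1Q switch classifies a frame on ingress (PVID for untagged frames, the tag's VID for tagged ones) and tags or untags it on egress. It is written to show why setting the PVID alone is not the whole job: the constructed switch below has port p1 moved to VLAN 90 by PVID, and the model shows what still reaches p1 when the port is left as an untagged member of VLAN 1 versus when it is removed, as suggested above. Port names, VLAN IDs and the trunk layout are assumptions; ingress filtering (dropping tagged frames for VLANs the port is not a member of) is assumed to be on.

```python
"""Toy 802.1Q forwarding model: PVID on ingress, tag/untag on egress.

Added illustration, not vendor code. Ports, VLAN IDs and topology are
constructed; ingress filtering is assumed enabled.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    pvid: int                        # VLAN assigned to untagged frames arriving here
    tagged: set = field(default_factory=set)    # VLANs sent out with an 802.1Q tag
    untagged: set = field(default_factory=set)  # VLANs sent out without a tag

    def member_of(self, vid):
        return vid in self.tagged or vid in self.untagged


def classify_ingress(port, tag):
    """VLAN a frame is assigned on arrival, or None if the switch drops it."""
    if tag is None:
        return port.pvid                     # untagged frame takes the PVID
    return tag if port.member_of(tag) else None   # ingress filtering


def forward(ports, ingress, tag):
    """Flood a frame arriving on `ingress` with 802.1Q tag `tag` (None = untagged).

    Returns {egress_port: tag_on_wire} for every port that would transmit it;
    tag_on_wire is None when the port sends that VLAN untagged.
    """
    vid = classify_ingress(ports[ingress], tag)
    if vid is None:
        return {}
    out = {}
    for name, port in ports.items():
        if name == ingress or not port.member_of(vid):
            continue
        out[name] = vid if vid in port.tagged else None
    return out


def build_switch(remove_p1_from_vlan1):
    """Constructed 4-port switch: p1 intended as a mgmt-only port on VLAN 90."""
    p1_untagged = {90} if remove_p1_from_vlan1 else {1, 90}
    return {
        "p1": Port(pvid=90, untagged=p1_untagged),               # mgmt port (PVID 90)
        "p2": Port(pvid=11, untagged={11}),                      # wired PC on VLAN 11
        "p3": Port(pvid=8, untagged={8}),                        # IoT device on VLAN 8
        "p5": Port(pvid=1, untagged={1}, tagged={8, 11, 90}),    # trunk to pfSense
    }


def vlan1_leaks_to_mgmt_port(ports):
    """True if an untagged (VLAN 1) frame from the trunk is delivered on p1."""
    return "p1" in forward(ports, "p5", None)


if __name__ == "__main__":
    for fixed in (False, True):
        sw = build_switch(fixed)
        print("p1 removed from VLAN 1:", fixed)
        print("  untagged frame from p1 ->", forward(sw, "p1", None))   # {'p5': 90}
        print("  VLAN 1 frame from trunk ->", forward(sw, "p5", None))
        print("  VLAN 11 frame from trunk ->", forward(sw, "p5", 11))   # {'p2': None}
        print("  p2 sending a VLAN 90 tag ->", forward(sw, "p2", 90))   # {} (filtered)
```

Both configurations get p1's own traffic onto VLAN 90 (it leaves the trunk tagged 90), which is why the PVID change alone looks like it worked. The difference is in the other direction: while p1 is still an untagged member of VLAN 1, every untagged frame from the trunk, including VLAN 1 management traffic, is also delivered on p1, so the port is not really isolated to VLAN 90 until the VLAN 1 membership is removed.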

At this stage I can't help but agree :laughing:

@neogrid Thank you for feedback. It's good to know that I wasn't too off track. With the inconsistent behavior I started questioning myself… You make a good point re using static ip, I think I need to go down that track. Thank you @neogrid !

LOL I had major issues with Netgear switches when I first played around with pfSense, additionally I’d say, the Netgear Pro switches play nicer than the Plus versions.

The other thing that comes to mind is that sometimes I have found when I need to configure a switch, it’s best to disconnect it from the network, configure it with just a laptop then connect it back to the network. Don’t ask me why.

Noted :pray:

Exactly what I was thinking!! Something I was actively avoiding but I can't help but think…maybe…just maybe this would resolve all the quirks I'm experiencing.

Once I get some free time in the next day or two, I’ll give this a go and post an update :+1:

Hi all

Thought I’d drop an update and list out what I’ve tried and what I ended up doing. Perhaps it might give others some ideas for their problem down the track.

  • Updated the switch firmware
  • Reset all switches back to factory
  • Static IP set and reconfigured while disconnected from the main network

Result was…same issue. LAN devices cannot ping same-vlan-wireless devices unless they are pinged first.

I suspect my SW2 configuration contained some improper config due to my misunderstanding of VLAN packets in motion. But, like many things in IT…we’ll find out one day!

What I ended up doing? Created a new VLAN for the home wireless devices, VLAN12. Essentially home LAN devices are on one VLAN, while the home wireless devices are on another VLAN. If anything, this approach may be more ideal as it provides some additional flexibility to control the home wireless devices in the future, as compared to having them all in one network.

Reconfigured network layout.

Anyways, big thanks to neogrid for the suggestions and tips :pray:

Just some things that I do on my network after many trials and errors: my LAN is only used for testing / fixing, vlans are segregated for devices or services I run; with the LAN I just use it for fixing pfSense, if I balls something up I can just plug into the router and fix it.

If you don’t already have a vlan capable or multi SSID AP, that will be handy when you next upgrade. I’ve got a TP-Link EAP 245 which has a 2nd NIC port, which can be handy too.

My vlan numbering is in the tens which align to the subnets, that way it’s a bit easier to remember what’s what.

I use a management vlan and stick all the networking equipment on it, not sure if it’s really necessary but I do it at home.

Once you add external cameras you might want to consider using FreeRADIUS to secure your network, super unlikely someone will connect their laptop to that external cable but worth knowing how to protect against it.

Pretty sure you’ll work all these things out as you go along !

Thank you neogrid!

Those are some great tips and insight!

Using LAN for testing and fixing approach. That is a genius idea! Looks like I’ll be reshuffling the network soon!

Re the AP. Believe it or not, I started this whole VLAN migration because I had discovered my years-old TPLink AP could support VLANs with multi-SSIDs. Originally I had two APs covering two different areas, one for home, another for IoTs in the garage. Though as the IoT crept into the house, I needed the IoT SSID to follow. What a joy when I discovered I could do VLANs on the AP. Little did I know the amount of head banging that would follow :triumph:

Yeah the mgmt VLAN. I do agree, it may not be necessary at home but it is a good security practice. I do feel that if we follow these practices at home, then if it is ever needed in a work environment, it will be second nature. I will re-attempt this once I'm ready for another period of head banging :+1:

Thank you for the FreeRADIUS info. I had no idea there was an open source version of RADIUS! For some reason I had always thought it was built into Windows servers and was proprietary. Something new to poke around!

Once again, big thank you neogrid :pray: :pray: