[pfSense] problems with setting 10.0.0.1/8 on LAN
Eugen Leitl
13 years ago
While trying to build VIPs and do 1:1 NAT I accidentally noticed
that setting LAN to 10.0.0.1/8 (instead of 10.0.0.1/24)
will make the system unresponsive (this is 2.1-DEVELOPMENT (i386)
built on Fri Oct 21 12:51:56 EDT 2011). I also have other hosts
on the 10.0.0.0/24 network -- not sure what mixed network masks
on the same LAN do. I was not able to ping the WAN interface
at all.

I reset the LAN back to 10.0.0.1/24 via an IPMI session, at
which point the system sprang back.

I'll try doing the same with a /16 mask, let's see what that
does.
--
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Eugen Leitl
13 years ago
...
Behavior is the same with /16, ping gets me "Destination Host Unreachable",
while the pfSense itself has no issue reaching anything outside.

As soon as I reset the LAN back to 10.0.0.1/24 everything
from the outside instantly works again. Weird.
Ugo Bellavance
13 years ago
...
Are you sure you don't have a subnet overlapping on another interface?
Eugen Leitl
13 years ago
Post by Ugo Bellavance
Post by Eugen Leitl
Behavior is the same with /16, ping gets me "Destination Host Unreachable",
while the pfSense itself has no issue reaching anything outside.
As soon as I reset the LAN back to 10.0.0.1/24 everything
from the outside instantly works again. Weird.
Are you sure you don't have a subnet overlapping on another interface?
Not on the firewall. The other hosts do have the second NICs on the
10.0.0.0/24 network. As far as I know mixing different netmasks on
NICs on the same switch shouldn't result in complete unreachability.

I think I'll do some experimenting by isolating hosts on a
different, unreachable VLAN. This only works because the hosts
are in very limited production, so some downtime is tolerable.
Nathan Eisenberg
13 years ago
Post by Eugen Leitl
Not on the firewall. The other hosts do have the second NICs on the
10.0.0.0/24 network. As far as I know mixing different netmasks on
NICs on the same switch shouldn't result in complete unreachability.
I think I'll do some experimenting by isolating hosts on a
different, unreachable VLAN. This only works because the hosts
are in very limited production, so some downtime is tolerable.
The only item I can think of - and it's been a while since I played with this, so forgive me if I'm off my rocker - is that the broadcast address (used for ARPs to resolve IPs to MAC addresses) is defined by the subnet mask. Don't know if that's potentially involved here, but thought I'd offer it up.
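Two checks come up in this thread: Ugo's question about a subnet overlapping on another interface, and Eugen's question about what mixed netmasks on one LAN segment do (together with Nathan's point that the broadcast address is derived from the mask). The script below is an added example, not code from the thread or from pfSense; it uses only the Python standard library. The interface addresses in it are constructed to match the thread's 10.0.0.1/8 vs 10.0.0.1/24 case; the WAN and OPT1 addresses are hypothetical and not taken from anyone's real configuration.

```python
"""Added example: overlap check and mixed-mask report for a small router.

Given a dict of interface -> 'address/prefix', it reports which connected
subnets overlap, which interface a destination would be sent out of by
longest-prefix match over the connected routes, and how a /8 router and
a /24 host on the same segment see each other. Standard library only.
"""
from ipaddress import ip_address, ip_interface
from itertools import combinations


def find_overlaps(interfaces):
    """Return sorted (name_a, name_b) pairs whose connected subnets overlap.

    Overlapping connected routes mean two interfaces claim the same
    destinations; only the longer prefix wins, and everything else in the
    wider block is sent out the wider interface.
    """
    nets = {name: ip_interface(addr).network for name, addr in interfaces.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def route_lookup(interfaces, dst):
    """Longest-prefix match over connected routes only (no default route).

    Returns the interface name `dst` would leave through, or None if no
    connected subnet contains it.
    """
    d = ip_address(dst)
    best = None
    for name, addr in interfaces.items():
        net = ip_interface(addr).network
        if d in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


def mixed_mask_report(router, host):
    """Compare a router and a host on one L2 segment using different masks.

    Each side decides 'on-link' (ARP directly) from its own mask, so the
    decision can be asymmetric in general; the IP broadcast address is
    likewise derived from each side's own mask.
    """
    r, h = ip_interface(router), ip_interface(host)
    return {
        "router_network": str(r.network),
        "router_broadcast": str(r.network.broadcast_address),
        "host_network": str(h.network),
        "host_broadcast": str(h.network.broadcast_address),
        "router_sees_host_onlink": h.ip in r.network,
        "host_sees_router_onlink": r.ip in h.network,
        "same_broadcast": r.network.broadcast_address == h.network.broadcast_address,
    }


# Constructed sample configs (hypothetical WAN/OPT1 addresses). The only
# difference is the LAN prefix length from the thread: /8 versus /24.
SAMPLE_WIDE = {"lan": "10.0.0.1/8", "wan": "10.20.30.2/24", "opt1": "192.168.5.1/24"}
SAMPLE_NARROW = {"lan": "10.0.0.1/24", "wan": "10.20.30.2/24", "opt1": "192.168.5.1/24"}


if __name__ == "__main__":
    for label, cfg in (("LAN /8", SAMPLE_WIDE), ("LAN /24", SAMPLE_NARROW)):
        print(f"{label}: overlaps = {find_overlaps(cfg)}")
        for dst in ("10.20.30.9", "10.99.1.1"):
            print(f"  {dst} -> {route_lookup(cfg, dst)}")
    for k, v in mixed_mask_report("10.0.0.1/8", "10.0.0.5/24").items():
        print(f"{k}: {v}")
```

With the constructed WAN address inside 10.0.0.0/8, the /8 LAN overlaps WAN; 10.20.30.9 still leaves via WAN (longer prefix), but any other 10.x address, including one that used to be routed upstream, is now treated as directly connected on LAN. For the 10.0.0.1/8 router and a 10.0.0.5/24 host, both sides consider each other on-link, so unicast ARP resolution works in both directions; what differs is the IP broadcast address (10.255.255.255 versus 10.0.0.255), which affects directed broadcasts but not ARP itself, since ARP requests go to the Ethernet broadcast MAC.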