on 11-09-2021 09:34 AM
I have a network monitor connected by wifi to my network. It pings different IP addresses on my LAN - some connected by ethernet, some via wifi.
So, e.g., I have a device at 192.168.1.34 which is not responding to pings from the WiFi device.
It also fails to respond to pings from my android tablet, again via wifi.
I change the fixed IP in the router to 192.168.1.28
and before the change propagates the ping works!
But after it propagates - it fails.
However I CAN ping it from my PC via ethernet.
Is there a setting in the router that would prevent a wifi device pinging another - but let it be pinged from the ethernet?
14-09-2021 10:38 AM - edited 14-09-2021 10:41 AM
Sorry, before I had filtered out everything except ICMP. Looking at the ARP & ICMP, the device whose MAC address is 24:fd:52:f3:80:c0 seems to be getting all of the ARP wrong. It is sending out the initial three ARP requests for .34, these should always be broadcast frames & hence the destination MAC address should be ff:ff:ff:ff:ff:ff, however, this is a unicast frame going to 7c:9e:bd:3a:04:7c???
Then another MAC address 24:0a:c4:60:05:78 sends a gratuitous ARP broadcast out. After that 24:fd:52:f3:80:c0 starts to get its act together & starts sending out ARP requests correctly as a broadcast.
However, where is Wireshark running at that point, as you may not be seeing the full picture unless it is running on 24:fd:52:f3:80:c0, or you are monitoring its port, which as I said yesterday, requires specialist hardware.
EDIT: By the way, I can't get any confirmation what this firewall log's direction actually means, no one seems to know.
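The check described in the post above, as an added example that is not part of the original thread: it classifies ARP frames as broadcast request, unicast request, gratuitous or reply. The sample frames are constructed, and their MAC/IP pairings are assumed from the `arp /a` output posted elsewhere in the thread.

```python
import struct

BROADCAST = b"\xff" * 6

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(p) for p in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(eth_src, eth_dst, op, spa, tpa, tha="00:00:00:00:00:00"):
    """Build a constructed Ethernet II + ARP frame (sample input only)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac_bytes(eth_src) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)

def classify_arp(frame):
    """Return (kind, text) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    dst, src = frame[0:6], frame[6:12]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    spa, tpa = frame[28:32], frame[38:42]
    if spa == tpa:
        kind = "gratuitous"          # sender announces its own IP
    elif op == 2:
        kind = "reply"
    elif op == 1 and dst == BROADCAST:
        kind = "broadcast-request"   # normal first lookup
    elif op == 1:
        # Unicast request: unexpected for a first lookup; some stacks send
        # these to re-validate an entry already in their cache (RFC 1122).
        kind = "unicast-request"
    else:
        kind = "other"
    text = f"{mac_str(src)} -> {mac_str(dst)} sender={ip_str(spa)} target={ip_str(tpa)}"
    return kind, text

# Constructed frames mirroring the sequence described in the post.
SAMPLE = [
    build_arp("24:fd:52:f3:80:c0", "7c:9e:bd:3a:04:7c", 1, "192.168.1.26", "192.168.1.34"),
    build_arp("24:0a:c4:60:05:78", "ff:ff:ff:ff:ff:ff", 1, "192.168.1.42", "192.168.1.42"),
    build_arp("24:fd:52:f3:80:c0", "ff:ff:ff:ff:ff:ff", 1, "192.168.1.26", "192.168.1.34"),
]

def summarize(frames):
    return [r[0] for r in map(classify_arp, frames) if r]

if __name__ == "__main__":
    for f in SAMPLE:
        print(*classify_arp(f))
```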
on 14-09-2021 06:51 AM
"Well, all of those pings were successful"
in the ethernet case, yes.
I've been comparing the two sets of results and I see (I think) the ARP request should be followed by an ARP reply, then an ICMP
In pinga34b42 at frame 39 a ping to ..1.34 starts - but there is no response to the ARP request.
I've set the firewall rule as you recommended. As yet nothing relating to those addresses.
Now a LITTLE more experienced with Wireshark I've tried another capture.
At frame 8 there is an ARP request to 1.34
and at frame 9 the ping request
and more a little later. But no immediate response.
But at #28 there is an ARP broadcast FROM .1.34
Sorry, there is a lot of background in there; I haven't discovered yet how to delete lines from the record.
on 13-09-2021 09:50 AM
Well, all of those pings were successful, so that does not tell me much other than the payload is correct. Without seeing failed pings I cannot tell much other than you saying they fail with host unreachable, that will normally mean that for some reason .34 is unable to be reached. This could be that the pings are not reaching the device, or they are & the response is not received back. For that I would need to see a Wireshark trace from this device on .34. Unless that supports pcap capture, the only way you can capture it is with the laptop with some specialist hardware.
You can try enabling a firewall log, to do this in the router go to:-
Dashboard > See Internet Settings > Manage advanced settings > Advanced Configuration > Security Configuration > Firewall Log Configuration
Enable a new rule & set the direction of "LAN to Local" & the action as "Reject" & send me a copy of that once a failure occurs. I am not hopeful that this will show anything as I do not think this is a Firewall issue.
To find the log go to:-
Dashboard > See Internet Settings > Manage advanced settings > Advanced Configuration > Maintenance Diagnostics > Firewall Log
Unless this shows anything, I think you need to speak to the support people for this solar heating system. One device is very unlikely to be a problem with the router, which basically forwards everything from the WiFi or LAN ports to whichever other local port is required.
on 13-09-2021 07:39 AM
Hi Keith thanks for your help on this.
I've installed Wireshark on my laptop, hope this file contains the info you need.
I've done an arp /a from my work PC as below:
192.168.1.26 is the laptop (HPPavG6) on wifi
192.168.1.34 is the installed solar monitor
192.168.1.42 is a duplicate solar monitor
The network monitor is not presently connected
192.168.1.68 is the laptop on ethernet
Interface: 192.168.1.11 --- 0x9
  Internet Address      Physical Address      Type
  192.168.1.1           d0-c6-5b-cc-34-c4     dynamic
  192.168.1.26          24-fd-52-f3-80-c0     dynamic
  192.168.1.31          a4-cf-12-ef-61-62     dynamic
  192.168.1.34          7c-9e-bd-3a-04-7c     dynamic
  192.168.1.36          78-32-1b-c6-dd-a9     dynamic
  192.168.1.42          24-0a-c4-60-05-78     dynamic
  192.168.1.68          a4-5d-36-68-cc-eb     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  184.108.40.206        01-00-5e-00-00-16     static
  220.127.116.11        01-00-5e-00-00-fb     static
  18.104.22.168         01-00-5e-00-00-fc     static
  22.214.171.124        01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
Sorry, I'm new to Wireshark, but after a few goes I've saved this file, while doing a ping to 192.168.1.34 and then to 192.168.1.42 from the laptop on wifi.
I've then saved another ethping.. for the same pings with laptop on ethernet.
12-09-2021 10:21 PM - edited 12-09-2021 10:24 PM
What happens if you ping this device from the network monitor machine itself, but direct from its OS, rather than using the network monitor application to do this?
What is the data payload of the ping when generated by the network monitor application? A lot of malware changes the payload & maybe the router's firewall is seeing this as a security threat. Does the network monitor OS support any pcap capture program? That way I would have a much better idea of the actual problem.
12-09-2021 05:58 PM - edited 12-09-2021 06:04 PM
No Keith, the gadget being pinged is an ESP32 microcontroller running as a monitor and logger for my solar panel installation - detecting and counting flashes from the "electricity meter", connects to the network via wifi. No firewall and I can ping it from my PC (connected via ethernet) but pings from the network monitor fail - except temporarily as described above when I change router settings.
If I ping 192.168.1.34 from my laptop via ethernet it's fine - between 12-120ms.
Unplug ethernet, change to wifi connection - Destination host unreachable
however I see
pinging 192.168.1.34 with 32 bytes of data
Reply from 192.168.1.26 Destination host unreachable
on 12-09-2021 09:06 AM
Sorry, when I asked about the firewall, I was referring to the device being pinged, not the device sending the ping request.
11-09-2021 06:12 PM - edited 11-09-2021 06:15 PM
Hi Keith: the network monitor is a NodeMCU programmed to ping different targets around my LAN. No firewall etc.
It connects to the router via wifi.
Pings to Ethernet devices on the LAN are fine; and the ethernet devices can all ping all the devices on the network.
Most of my "fixed" devices - Windows & Linux PCs, various ESP8266 & ESP32 microcontrollers - are assigned fixed IPs in the router.
Pings from the network monitor to WiFi connected devices (e.g. 192.168.1.34) fail.
However - when I tried CHANGING the IP address for that device to 192.168.1.28 it BRIEFLY responded to pings; until the change propagated when it once again will not respond.
Strangely the router thinks it's a wired device!
on 11-09-2021 11:49 AM
What sort of device is this, does it have its own firewall? The router's firewall is obviously not blocking pings from this network monitor to this device, as it allows others through, unless of course, it sees the pings as part of a network scanning attack.