Cannot ping device in same network, but can ping it from different network

Network topology:

I can ping the wifi device from the server, but not from my desktop or laptop computer. I have no clue how this is possible; it has been messing with my brain for the last couple of weeks and I just can’t figure it out. Hopefully one of you has an idea.

Are you using DHCP to configure the desktop & laptop? If so, what gateway and subnet are you serving to clients?

Post your routing table for the desktop, laptop, and server. (netstat -rn on Windows and ip r on Linux).

Well, since it seems your Server is on a different network, you’ll need to allow ICMP in both directions (DMZ<->LAN) respectively. This needs to be done on your pfsense box.

Reread the post. Ping across subnets is working. Ping within 10.0.0.0/24 is not. Pfsense should not be in play at all.

@Derkades can laptop and desktop ping each other?

It still could if ICMP isn’t allowed from LAN <-> LAN.

If intra-subnet traffic is touching the router, something is wrong.

How “dumb” is that switch?

It’s a Netgear ProSafe GS108 (non plus) switch that has no IP address, layer 2 only.

Yes, that works.

I should add, it’s not just ICMP. The wifi device runs a webserver that I cannot access from the laptop or desktop, but when I use sshuttle to connect through the server it works fine.

Did you check the ARP table from all devices?

On the desktop

Address                  HWtype  HWaddress           Flags Mask            Iface
172.17.0.3               ether   02:42:ac:11:00:03   C                     docker0
172.17.0.2               ether   02:42:ac:11:00:02   C                     docker0
pfsense.slot             ether   d8:d3:85:f6:9a:2c   C                     enp34s0
10.0.0.146                       (incomplete)                              enp34s0
10.0.0.109                       (incomplete)                              enp34s0
10.0.0.116               ether   98:3b:8f:bf:62:ba   C                     enp34s0

pfsense.slot is the router (obviously) and 10.0.0.146 is the device I can’t connect to. I’m not sure what it means that the ARP table shows (incomplete). It does show a MAC address in the router for 10.0.0.146, 98:f4:ab:f2:8d:80.

Yes, subnet 10.0.0.0/24 default gateway 10.0.0.1. DHCP range 10.0.0.2-10.0.0.254

default via 10.0.0.1 dev enp34s0 proto dhcp metric 100 
10.0.0.0/24 dev enp34s0 proto kernel scope link src 10.0.0.141 metric 100 
169.254.0.0/16 dev virbr0 scope link metric 1000 linkdown 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
172.18.0.0/16 dev br-2513d450bcb9 proto kernel scope link src 172.18.0.1 linkdown 
172.19.0.0/16 dev br-8c27b5d04956 proto kernel scope link src 172.19.0.1 
172.20.0.0/16 dev br-9efa184c5987 proto kernel scope link src 172.20.0.1 linkdown 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown 

Not much out of the ordinary, I don’t think: one primary Intel NIC and a couple of interfaces for docker and qemu.

Well that makes sense why it can’t connect to it if it doesn’t understand the mac address. Not sure why that would happen though. Do you have another switch you can test?
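Added example, not posted by anyone in the thread: a short Python check that cross-references the desktop's routing table and ARP table (both trimmed from the output above) and lists neighbours that are on-link yet unresolved, which is the layer-2 symptom being discussed. The function names are this example's own.

```python
import ipaddress

# Trimmed from the desktop output in the thread.
ARP_TABLE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
172.17.0.3               ether   02:42:ac:11:00:03   C                     docker0
pfsense.slot             ether   d8:d3:85:f6:9a:2c   C                     enp34s0
10.0.0.146                       (incomplete)                              enp34s0
10.0.0.109                       (incomplete)                              enp34s0
10.0.0.116               ether   98:3b:8f:bf:62:ba   C                     enp34s0
"""
ROUTES = """\
default via 10.0.0.1 dev enp34s0 proto dhcp metric 100
10.0.0.0/24 dev enp34s0 proto kernel scope link src 10.0.0.141 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
"""

def on_link_networks(routes):
    """Map interface -> directly connected networks (routes with no 'via' hop)."""
    nets = {}
    for line in routes.splitlines():
        f = line.split()
        if not f or f[0] == "default" or "via" in f or "dev" not in f:
            continue
        dev = f[f.index("dev") + 1]
        nets.setdefault(dev, []).append(ipaddress.ip_network(f[0]))
    return nets

def unresolved_neighbours(arp, routes):
    """Return (ip, iface) for incomplete ARP entries inside the interface's own subnet."""
    nets = on_link_networks(routes)
    hits = []
    for line in arp.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 3 or "(incomplete)" not in f:
            continue
        try:
            ip = ipaddress.ip_address(f[0])
        except ValueError:                     # row shows a hostname, not an address
            continue
        iface = f[-1]
        if any(ip in n for n in nets.get(iface, [])):
            hits.append((str(ip), iface))
    return hits

if __name__ == "__main__":
    for ip, iface in unresolved_neighbours(ARP_TABLE, ROUTES):
        print(f"{ip} on {iface}: on-link, ARP request got no reply (router not involved)")
```
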

Since the server connects through the same switch, I’ll try swapping ports for the server and computer.

EDIT: Still same result. I’ll swap the switch with a (managed) switch I have lying around.

EDIT 2: No luck :(

How’s 10.0.0.146 configured? e.g. what kind of device is it, what’s it running?

Make sure that they ALL belong to the same subnet mask, ie /24.

Likely an IP subnet (typo?) issue on the WiFi device. Of course it could be a bug in the IP stack or some security setting.

It’s an ESP8266 microcontroller (inside a Shelly switch)

I think your default gateway should be the IP address of the router (aka pfsense virtual machine) and not the hypervisor host which it runs on (in your diagram the machine called “server”).

What’s the IP Address of the PFSense VM?

Side note - Are you running PFSense as a container?

The network stack inside esp8266 can be weird in my opinion.

You could perhaps ssh into the wifi router and run tcpdump -nv icmp and host 10.0.0.146.

And see if the reply is happening but is somehow wrong, or not happening at all.

It is this way.

  • Virtual network 10.0.1.0/24: VM host has IP address 10.0.1.1, pfSense has IP address 10.0.1.254
  • Network 10.0.0.0/24: pfSense has IP address 10.0.0.1, desktop, laptop and esp8266 are on this network.

LAN 10.0.0.1
Server network 10.0.1.254
Guest network 10.0.4.1
IOT network 10.0.5.1 (not in use currently)
Other network 10.0.6.1

Not sure that’s even possible? I use QEMU/KVM on Ubuntu