Pfsense blocking connections through Office Extend AP. Need help finding block and creating an allow rule.

rienge01

Hi! I just switched to Pfsense running on a new Protectli so I’m new to this. Previous setup was ddwrt.
PF is somehow blocking associations to my Cisco office extend AP. I’ve tried finding a block in the logs with no luck. Tried searching Google for people with similar, no luck. Went back to ddwrt, it worked again. So brand new Pf setup, it’s denying Client connection attempts, even though the ap successfully joins the corporate controller and broadcasts the SSIDs.

Thanks in advance!

Gertjan

@rienge01

Hi,

When installed, pfSense blocks nothing on it's LAN interface. All traffic is allowed.
When a client connects to your LAN network - it works, right ?

When the client connects to your "the ap successfully joins the corporate controller", what was the IP it got ? Network ? The gateway ? DNS ?

If your ddwrt was using a LAN like 192.168.1.1/24, with the DHCP server activated on LAN, you could swap the ddwrt with pfSense and it would work out of the box.

rienge01

@gertjan Thanks for your response. You bring up some good questions.

Yes, all of my normal clients are working great! Internal and internet access as well as software VPN to work, all works perfect.

I'm using the same private network internally as I was with my previous router 10.7.7.0/24 which is served by a pihole running both DHCP and DNS and unchanged from the ddwrt setup. I have DHCP v4 and v6 shut off for the LAN int in the PF, and I have the pihole address configured as the DNS server in the PF general settings.

So the OEAP gets 10.7.7.209, which is correct, and gets the pF as its gateway from DHCP just as all other clients. Layer 3 seems to be working fine because it gets out to the controller on the public internet and successfully joins.

Maybe I'm missing a NAT or VPN passthrough that is automatically done with ddwrt and other consumer-grade routers?

Thanks for the help !

Gertjan

@rienge01 said in Pfsense blocking connections through Office Extend AP. Need help finding block and creating an allow rule.:

Maybe I'm missing a NAT or VPN passthrough that is automatically done with ddwrt and other consumer-grade router

NAT is an incoming traffic thing. Not related to outgoing traffic.
VPN = all VPN outgoing traffic is passed by default.

stephenw10

So is all traffic from clients on the OEAP supposed to go over a VPN to a remote office?

And that VPN is not working?

The biggest difference between pfSense and SOHO routers in a default install is that pfSense randomises the source port for all outgoing connections through it for security. However some older protocols or devices assume a fixed port and fail. That includes some IPSec connections.

So you may need to add an outbound NAT rule with a static port set for traffic from the OEAP to the remote side.

Steve

rienge01

@stephenw10

Yes! Any client that joins the OEAP SSID will go through a tunnel to the corporate office. We deploy these as an easy way to have an always-on VPN to main campus for people working from home. So, I'm trying to do a VPN through, or "behind" the pfsense.

Cisco officeextend overview:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_Cisco_Aironet_1815_Teleworker_Access_Point/b_Cisco_Aironet_1815_Teleworker_Access_Point_chapter_01.pdf

I think you're on the right path. I made a static outbound NAT based on your suggestion. (I don't know a good way to write it, so I'll just try this)

int=WAN source=10.7.7.209/32 srcPort=5246:5247 dest=* destPort=* NATaddr=WAN address NATport=* Static port=yes

Didn't fix it.

So I added a port forward as well, so the controller would always get back to the AP:

int=WAN. Protocol=UDP. SrcAddr=[public addr of controller] SrcPorts=* DestAddr=WANaddr DestPorts=5246-5247 NAT_IP=10.7.7.209 NATports=5246-5247

still not working.

stephenw10

Try removing the source port from that outbound NAT rule. You would not normally ever set that. You might set the destination port if you know it but as a test just static NAT all the traffic from the OEAP. You might have to clear any open states from it to allow it create new states using the new rule.

Are you able to see if the OEAP is failing to bring up it's tunnel?

Steve

rienge01

@stephenw10

Yes, yessss... YEEESSSS!!!!

You're the best, Steve! That did it. Fantastic.

T h a n k Y o u !!

stephenw10

No worries!

You can make that rule more specific to the VPN if you need to but your probably don't.

Steve

rienge01

@gertjan said in Pfsense blocking connections through Office Extend AP. Need help finding block and creating an allow rule.:

NAT is an incoming traffic thing. Not related to outgoing traffic.
VPN = all VPN outgoing traffic is passed by default.

This post it is incorrect and misleading for any readers in the future. NAT is applied outbound to your traffic to translate private addresses into your public WAN address. Port Forwarding is used inbound to map a specific tcp port to a specific internal private address.

stephenw10

Both are forms of NAT, translating IP addresses/ports. pfSense just uses the term port forwarding for inbound.

Steve