Cannot access AP web ui

the other

@nopfsense
Hey there,
Just a shot in the dark...
You said you changed the fixed IP on your AP.
Have you tried doing that on pfsense (interface, dhcp, host override bottom of page, there enter ap's Mac and wanted ip...

What exactly do you mean by "now interface is not responding " any more??

Gertjan

@nopfsense said in Cannot access AP web ui:

and AP on opt3 ip 192.168.22.3-254

What do you mean with 168.22.3-254 ?

The pfSense interface OPT3 : ste it to 192.168.22.1 netmask /24
No gateway.
Like this :

Set the DHCP server setting, the pool, to for example :

On the AP, attached to network OPT3 set the static IP of the IP like this :

Take note :
If there is a WAN interface on the AP, don't use it / disable it. Use one of the LAN switched ports to connect to pfSense.
DNS == Gateway == interface IP OPT3 of pfSense.
Give the first AP the IP 192.168.22.2 - the next IP .3 etc.

In short : set up static IP (IP, mask, gateway and DNS) and you'll be fine.

rcoleman-netgate

@nopfsense said in Cannot access AP web ui:

To recap;
I setup the pfsense box with wan on interface opt0, lan on opt1 192.168.11.1 and AP on opt3 ip 192.168.22.3-254 (have also tried out of despiration 192.168.22.2-254, it made no difference)

Did you open the rules up on those interfaces to allow 443 (or whatever TCP port you moved the GUI to)? Often this is a missed step.

Additionally unless you have a very specific use-case for it you probably want to keep your DHCP on the firewall.

nopfsense

@gertjan ok thanks went back and checked all that, i think everything matches

WAN not configured

IP address reserved under DHCP server for AP_01 interface as 192.168.22.2

So this part works fine. Thanks for helping me get this part straight.

I still can't access the AP on the 22.2 network from the 11.1 network.

I am assuming that traceroute is telling me that there is no problem with making a connection because it ignores all rules?

However i believe I've made the rules for interfaces LAN and AP_01 AS wide open as possible?

lan rules 2.JPG

Ipv6

rules lan ipv6.JPG

Ipv4
LAN ipv4.JPG

I can't get to 192.168.22.1 pfsense webgui on the AP_01 interface. Whilst connected to 192.168.22.53

Or 192.168.11.1

Do you have any further ideas?

nopfsense

@the-other hi, I have tried adding the AP under DHCP static mapping for this interface under The DHCP server for the AP interface, his that what you mean?

nopfsense

@the-other also by interface i mean, before if connected to the AP on the 192.168.22,x net i could get to the pfsense web gui interface... but no longer

rcoleman-netgate

@nopfsense what interface is the 11.0/24 network on?

and 22.0/24?

what are the Firewall rules for each network?

Gertjan

@nopfsense said in Cannot access AP web ui:

I can't get to 192.168.22.1 pfsense webgui on the AP_01 interface. Whilst connected to 192.168.22.53

What are the 192.168.22.1 ( AP_01 ?) firewall rules ?

Gertjan

@nopfsense said in Cannot access AP web ui:

I have tried adding the AP under DHCP static mapping for this interface under The DHCP server for the AP interface, his that what you mean?

Not need as the AP will never initiate a DHCP request : it has a static IP set up.
But the DHCP static mapping on pfSense is still useful, as you now have a host name for your AP, and you can use this name instead the IPv4.

Btw : your LAN firewall rules are fine, it's not the LAN firewall that blocks you from accessing the AP on 192.168.22.2 from LAN.
IPv6 (rule) is not needed if you do not use IPv6.

nopfsense

@gertjan Ok, good to know, thanks, so it's the AP_01 rules that block access to the AP? But the rules look ok? So why can't i access the AP from the LAN?

nopfsense

@rcoleman-netgate hi. LAN on opt1 and AP_O1 on opt3.

Opt1

LAN opt1JPG.JPG

Opt3

AP_01 opt3.JPG

Gertjan

@nopfsense said in Cannot access AP web ui:

so it's the AP_01 rules that block access to the AP?

No. Never.

Read Docs » pfSense software » Firewall

this is the important word :

"enters" means : traffic going into the pfSense device.

So, all traffic coming into (like entering) is filtered by the firewall.

When you initiate a connection from a device on your LAN interface, and you want to connect to a device on some other local (or remote !) , like AP_01 interface, the traggic enters the LAN interface, and is filtered by the firewall.

Then, the traffic is 'in' pfSense, and pfSense is a router and knows that the traffic destinated for 192.168.22.x/24 has to be placed on the AP_01 interface to reach a device on the 192.168.22.x network.
When doing so, your traffic is only filtered by one interface, the LAN interface, using the LAN firewall rule set.
And not the AP_01 firewall rule set, because, again, only incoming traffic is filtered, not outgoing traffic.

Of course, the AP will send info back. You could say : that's incoming traffic for the interface AP_01 !?
Noop.
You are now very close to discover what a state-full firewall actually is, as explained on the page mentioned above.

There is an exception : read ```
https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html but don't worry : write it on the wall : "Whatever happens, never ever use floating rules set" and you will be fine ;)

nopfsense

@gertjan Ok, thanks i had a read and I'm not sure if I'm any closer to finding the answer, on other forums they suggest that local firewalls should be disabled, which they are, windows Defender is off for domain and local.

I've factory defaulted the pfsense box, now LAN is on 192 168.10.1

Wide open rule on interface AP_001

Can ping 192.168.10.1

But something in my view strange is happening when i ping 192.168.22.1

wtf ping.JPG

I get a reply from 192.168.1.24 that it's unreachable. That's odd? There is no interface with with that address range. On the pc or the pfsense box.

ARP table pc LAN.JPG

Is this a clue?

johnpoz

@nopfsense unreachable normally means there was no answer to the arp.

example if I ping some IP that doesn't exisit.

You can see that my machine was arping for that - but got no response

You can not arp for stuff that is not on your same local network.. You pinging a IP outside your network would be sent to your router (default gateway, pfsense)..

Gertjan

@nopfsense said in Cannot access AP web ui:

I've factory defaulted the pfsense box, now LAN is on 192 168.10.1

Not a real issue, but after a reset LAN would be 192.168.1.1/24.

Screenshot the settings of your LAN and AP_01 interface settings please.
Both have a /24, right ?

Both have an empty = "None" here:

Right ?

Who is 192.168.1.24 ?

johnpoz

@gertjan yeah who is 192.168.1.24? And why is he answering at all, if on the 192.168.10 network??

I would think maybe you have multiple networks on the same actual L2?

nopfsense

@gertjan yes, both have none in upstream

johnpoz

@nopfsense and what exactly are those interfaces plugged into?

What is this 192.168.1.24 device?

nopfsense

@johnpoz hi, there is nothing connected to WAN a win10 pc laptop is connected to the LAN 10.10 and the AP to AP01 22.2 that's all. laptop wifi is turned off. So i do not know what this 192.168.1.24 is. The laptop is receiving the 10.10 ip from pfsense. 1.24 doesnt show in the ARP Table settings on the laptop or the pfsense.

nopfsense

@johnpoz ok, so a ping to 192,168.22.1 or 22 from 192.168.10.10 would go to 192.168.10.1, and then should be forwarded to 192.168.22.2 as both networks/interfaces have allow all protocols rules?

Or am i incorrect?