pfSense probably blocking traffic from TP-Link Deco M9+ to WAN
-
Hi,
I have been fighting and looking up some magic spell to end the isolation of my Deco M9+.
It used to work previously when my Internet connection was formed with a 4G modem/router. So basically the picture attached has only changed in that the 4G modem/router has been replaced with a fiber ONT/pfSense firewall PC.
All traffic from normal desktop machines works nice and well. The whole subnet is 192.168.8.0/24.
When I start that tedious process of configuring the Decos using the mobile app I can proceed until the Deco starts looking for the Internet. It fails.
I have a vanilla version of pfSense, nothing extra except pfBlockerNG installed. I am very much a newbie here in setting up the network. I have tried many configurations; it will probably work if I put the Deco M9 between the ONT and pfSense.
I could live without wireless but my IoT stuff with Home Assistant is built 99% using wireless connections.
Any clues? Where to look, what to check?
-
@matrikkel said in pfSense probably blocking traffic from TP-Link Deco M9+ to WAN:
nothing extra except pfBlockerNG installed
Out of the box pfSense blocks nothing outbound. If your devices can not talk to the internet, what are they trying to talk to? pfBlocker is quite possibly blocking via DNS, or even via a rule to the IP where they are trying to talk to.
Do your wireless devices get an IP from pfSense? If so then you're most likely blocking what they want to talk to with pfBlocker. How did you set it up, what lists did you use? etc.
What rules do you have on the lan1 interface of pfSense? The default, like the normal LAN any any rule, or did you set up your own specific sort of rules?
Connect a laptop or phone or tablet to your wifi; does the internet work? Again, what are your IoT devices trying to talk to?
All traffic from normal desktop machines works nice and well.
Are they using this wifi network?
-
@johnpoz said in pfSense probably blocking traffic from TP-Link Deco M9+ to WAN:
@matrikkel said in pfSense probably blocking traffic from TP-Link Deco M9+ to WAN:
nothing extra except pfBlockerNG installed
Out of the box pfSense blocks nothing outbound. If your devices can not talk to the internet, what are they trying to talk to? pfBlocker is quite possibly blocking via DNS, or even via a rule to the IP where they are trying to talk to.
Do your wireless devices get an IP from pfSense? If so then you're most likely blocking what they want to talk to with pfBlocker. How did you set it up, what lists did you use? etc.
No, they didn't get IPs.
After taking a healthy walk in the freezing woods I came to the conclusion that I must try to provide the main Deco M9 an alternate route via an old 4G router with a SIM card borrowed from another phone, and let the Deco call home so my mobile phone could talk to it. Scary.
I set up an old router which did the job. After I removed the temporary router/internet connection it looks like the connection stays alive through pfSense. All the Decos are in access point mode and the main Deco creates the wifi in 192.168.68.0. When I changed that wifi to the same subnet x.x.8.0/24 both my wired and wireless started chatting with each other.
Not very methodical, and I am a bit disappointed I didn't find out why the Deco M9 didn't find the Internet in the first place.
What rules do you have on the lan1 interface of pfSense? The default, like the normal LAN any any rule, or did you set up your own specific sort of rules?
No rules afaik.
Connect a laptop or phone or tablet to your wifi; does the internet work? Again, what are your IoT devices trying to talk to?
Nope, it didn't. This was a bit stupid. I am not sure whether it was the main Deco that didn't start working until it could call mama in China; after that the Deco created its own wireless subnet. Maybe it was there before, but as the subnets were different and I had no routing tables set, nothing worked.
Back then, before I went outside, I saw the main wireless device's MAC on the switch port, but no traffic. IoT is mainly wifi temperature metering and remote-controlled sockets, with Home Assistant taking note of the constantly changing hourly electricity price and turning electric heating off/on based on variables considering price/temperature/particular room. I use mostly Tuya-based stuff that does not call home thanks to the LocalTuya integration.
All traffic from normal desktop machines works nice and well.
Are they using this wifi network?
No, they used and still use ethernet.
Thanks for your answer, I think you asked the right questions in this mess of something.
I still wonder why exactly the M9 didn't get an internet connection from pfSense. Why it started working with the alternate internet connection and still works after the alternate connection was removed.
-
@matrikkel said in pfSense probably blocking traffic from TP-Link Deco M9+ to WAN:
No, they didn't get IPs.
Then how could it work??
@matrikkel said in pfSense probably blocking traffic from TP-Link Deco M9+ to WAN:
I still wonder why exactly the M9 didn't get an internet connection from pfSense.
Are you filtering with anything? You clearly stated you're running pfBlocker, which you probably have set up not to let it talk to where its mothership is.
-
@johnpoz said in pfSense probably blocking traffic from TP-Link Deco M9+ to WAN:
@matrikkel said in pfSense probably blocking traffic from TP-Link Deco M9+ to WAN:
No, they didn't get IPs.
Then how could it work??
It couldn't. I overlooked this as phones and laptops here just don't get connected to wifi and I never actually checked it out.
@matrikkel said in pfSense probably blocking traffic from TP-Link Deco M9+ to WAN:
I still wonder why exactly the M9 didn't get an internet connection from pfSense.
Are you filtering with anything? You clearly stated you're running pfBlocker, which you probably have set up not to let it talk to where its mothership is.
Yes, it seems so. I don't know why. These 192.168.68.xx IPs look awfully Deco M9'ish. These are from /systemlogs/firewall, but the pfBlockerNG logs are mostly clean of blocks with LAN-side source IPs.
I have DNSBL checked in Firewall; this also wants pfBlockerNG to be enabled. I have some lists active (why these are here: they are the result of me doing various attempts to block ads on web pages and streaming services).
Really I am a bit clueless. Maybe I will learn something while studying this. I have been using pfSense only for three weeks now and I am a little fascinated by it.
-
@matrikkel So you're blocking AWS. It's quite possible that where they are talking to is hosted there.
Why don't you turn off pfBlocker and make sure it all works. You know what their source IPs are; you could then look in the pfSense state table under Diagnostics to see who they are phoning home to.
And simple logging of their DNS queries will tell you what they are looking for, etc.
edit: not really sure why an AP would need to phone home to "work"; sure, to admin it or something. But it should still do its function of bridging wifi to wire without being able to phone home.
Is the only way to admin it from some website on the internet?
edit: I don't have any Deco to play with, but I do have a lot of IoT that phones home. So 192.168.4.55 is one of my smart light bulbs. You can see where it's talking to in the state table.
I can look up who owns those IPs. And if I do a PTR on that IP, it also shows it's an AWS IP. So for example if you were blocking access with pfBlocker to AWS IPs, then no, your device wouldn't be able to phone home.
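Added example (not code from the thread, from pfSense or from pfBlockerNG): a small Python script that does the two checks described above offline, filtering the state table for everything a given source subnet is talking to, and filtering the firewall log for blocks from that same subnet. The `pfctl -ss` and filterlog sample lines are constructed; the filterlog field order follows pfSense's documented CSV layout, and the tracker IDs, addresses and ports in the samples are illustrative only. On a real box you would pipe `pfctl -ss` or `clog /var/log/filter.log` into it instead.

```python
"""Where is a LAN host trying to go?  Summarise pfSense state-table
(`pfctl -ss`) and firewall-log (filterlog) text per source subnet.

Added example for this thread, not pfSense or pfBlockerNG code.  All sample
lines below are constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of `pfctl -ss` output.  An outbound-NAT'd connection
# appears twice: once on lan, once on wan with the original LAN socket in
# parentheses.
SAMPLE_STATES = """\
lan tcp 192.168.68.10:49152 -> 52.94.76.10:443       ESTABLISHED:ESTABLISHED
wan tcp 203.0.113.5:49152 (192.168.68.10:49152) -> 52.94.76.10:443       ESTABLISHED:ESTABLISHED
lan udp 192.168.68.10:50000 -> 192.168.8.1:53       MULTIPLE:SINGLE
lan tcp 192.168.68.11:49200 -> 52.94.76.10:8883       SYN_SENT:CLOSED
lan tcp 192.168.8.20:51000 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
"""

# Constructed sample of filterlog lines (raw view of Status > System Logs >
# Firewall).  Fields: rule,sub-rule,anchor,tracker,iface,reason,action,dir,
# ipver, then IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto,len,src,dst,
# then tcp/udp: sport,dport,...   Tracker values here are illustrative.
SAMPLE_FILTERLOG = """\
Feb 12 10:00:01 pfSense filterlog[11111]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,60,192.168.68.10,52.94.76.10,49152,443,0,S,123456789,,64240,,mss;sackOK;TS;nop;wscale
Feb 12 10:00:02 pfSense filterlog[11111]: 9,,,1770000501,igb1,match,block,in,4,0x0,,64,1235,0,DF,6,tcp,60,192.168.68.11,52.94.76.10,49200,8883,0,S,123456790,,64240,,mss;sackOK;TS;nop;wscale
Feb 12 10:00:03 pfSense filterlog[11111]: 9,,,1770000501,igb1,match,block,in,4,0x0,,64,1236,0,DF,6,tcp,60,192.168.68.11,52.94.76.10,49201,8883,0,S,123456791,,64240,,mss;sackOK;TS;nop;wscale
Feb 12 10:00:04 pfSense filterlog[11111]: 4,,,1000000103,igb0,match,block,in,4,0x0,,54,4321,0,none,17,udp,60,198.51.100.7,203.0.113.5,53,53,40
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+?)"
    r"(?:\s+\((?P<orig>\S+)\))?\s+->\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)
FILTERLOG_RE = re.compile(r"filterlog\[\d+\]:\s*(.*)$")


def split_sock(tok):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); pf prints IPv6 as '2001:db8::1[443]'."""
    if tok.endswith("]"):
        addr, _, port = tok[:-1].rpartition("[")
    else:
        addr, _, port = tok.rpartition(":")
    return addr, int(port)


def parse_states(text):
    """Yield one (src, sport, proto, dst, dport) per distinct state; the lan
    and wan copies of a NAT'd connection collapse into one entry."""
    seen = set()
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # inbound ('<-') states, headers, anything unexpected
        src, sport = split_sock(m.group("orig") or m.group("src"))
        dst, dport = split_sock(m.group("dst"))
        key = (src, sport, m.group("proto"), dst, dport)
        if key not in seen:
            seen.add(key)
            yield key


def destinations(text, net):
    """Count (dst, proto, dport) for every state whose source lies in `net`."""
    net = ip_network(net, strict=False)
    c = Counter()
    for src, _sport, proto, dst, dport in parse_states(text):
        if ip_address(src) in net:
            c[(dst, proto, dport)] += 1
    return c


def parse_filterlog(text):
    """Yield dicts for IPv4 TCP/UDP entries: tracker, iface, action, src, dst, dport."""
    for line in text.splitlines():
        m = FILTERLOG_RE.search(line)
        if not m:
            continue
        f = m.group(1).split(",")
        if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
            continue
        yield {"tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7],
               "proto": f[16], "src": f[18], "dst": f[19], "dport": int(f[21])}


def blocked_from(text, net):
    """Count blocked (dst, proto, dport, tracker) for sources inside `net`.
    The tracker identifies the rule that matched; clicking the entry in the
    GUI log shows its description, i.e. whether it was a pfBlockerNG rule
    or the default deny."""
    net = ip_network(net, strict=False)
    c = Counter()
    for e in parse_filterlog(text):
        if e["action"] == "block" and ip_address(e["src"]) in net:
            c[(e["dst"], e["proto"], e["dport"], e["tracker"])] += 1
    return c


if __name__ == "__main__":
    import sys
    net = sys.argv[1] if len(sys.argv) > 1 else "192.168.68.0/24"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATES + SAMPLE_FILTERLOG
    for k, n in destinations(text, net).most_common():
        print("state", n, *k)
    for k, n in blocked_from(text, net).most_common():
        print("block", n, *k)
```

Run without input and it summarises the constructed samples: the 192.168.68.x hosts talk to one AWS-looking address on 443 and 8883 and to the local resolver on 53, and the repeated blocks on 8883 all carry the same tracker, which is the rule to look up in the GUI. Feeding it a live `pfctl -ss` gives the destination list to `whois`/PTR-lookup, as described above.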
-
@johnpoz said in pfSense probably blocking traffic from TP-Link Deco M9+ to WAN:
@matrikkel So you're blocking AWS. It's quite possible that where they are talking to is hosted there.
Why don't you turn off pfBlocker and make sure it all works. You know what their source IPs are; you could then look in the pfSense state table under Diagnostics to see who they are phoning home to.
And simple logging of their DNS queries will tell you what they are looking for, etc.
I'll check this later.
edit: not really sure why an AP would need to phone home to "work"; sure, to admin it or something. But it should still do its function of bridging wifi to wire without being able to phone home.
When setting up it starts in router mode and wants to connect to the internet; for me I couldn't proceed until it had a working connection and I was able to change the status to AP.
Is the only way to admin it from some website on the internet?
Yep, you can admin it only via the mobile app. You can connect to the device on the local network but not actually do much; afaik you can update firmware in a local web browser, or check system logs and save them locally, but not much of anything else. I never actually bought these, I received them from the ISP.
Local network admin page, not much to do in here:
-
@johnpoz said in pfSense probably blocking traffic from TP-Link Deco M9+ to WAN:
edit: I don't have any Deco to play with, but I do have a lot of IoT that phones home. So 192.168.4.55 is one of my smart light bulbs. You can see where it's talking to in the state table.
I can look up who owns those IPs. And if I do a PTR on that IP, it also shows it's an AWS IP. So for example if you were blocking access with pfBlocker to AWS IPs, then no, your device wouldn't be able to phone home.
This was good info. I previously set my Decos into a static range of IPs assigned by their MACs, so it was easy to filter out their connections from the state table.
SSL connection to an Amazon site. I didn't know what AWS meant, I just included it in a previous crusade against ads. It is probably through this connection that the phone app talks with the Decos. I wonder if I close it, do the Decos shit out the local network? Maybe the phone app still talks with them through wifi, but time will tell.
-
@matrikkel said in pfSense probably blocking traffic from TP-Link Deco M9+ to WAN:
I didn't know what AWS meant
haha, don't take this the wrong way, but users often do this sort of thing. pfBlocker is very powerful, and its main purpose is to block, or limit the allow, etc. If you start randomly clicking shit in it, you're going to end up shooting yourself in the foot ;)
To be honest it's like giving a loaded gun to a toddler: here, play with this ;)
Did you add blocking AWS? At first glance it looked like you had selected that, but now looking a bit closer I don't see the check mark, so maybe you were not blocking that. Blocking that for sure could break a lot of stuff.
But the state table can be your friend when trying to figure out where things are going or trying to go to, etc.
While pfBlocker again is very powerful and sure it can block ads, etc., I just use pi-hole for that; it's not as powerful as pfBlocker but it's more geared towards just that. And the lists it comes with are pretty safe to only block ads, so it's harder to just click on something that could break your network.
And the query log and click-and-some of the other eye candy is a bit nicer. I use pfBlocker's great ability to create aliases, from GeoIP lists, etc., to use directly in my firewall rules, while I let pi-hole block ads.
So the client for DNS goes to pi-hole, pi-hole then asks unbound on pfSense (where I can do other DNS filtering if I want, either in pfBlocker or via just host overrides directly in unbound). Then unbound resolves.
BTW, channel 10 for your 2.4 GHz is a horrible choice. With 2.4 GHz you have 3 actually valid choices to use that do not overlap: 1, 6 and 11. Use of 10 is going to overlap with both 6 and 11.
-
@johnpoz said in pfSense probably blocking traffic from TP-Link Deco M9+ to WAN:
@matrikkel said in pfSense probably blocking traffic from TP-Link Deco M9+ to WAN:
I didn't know what AWS meant
haha, don't take this the wrong way, but users often do this sort of thing. pfBlocker is very powerful, and its main purpose is to block, or limit the allow, etc. If you start randomly clicking shit in it, you're going to end up shooting yourself in the foot ;)
To be honest it's like giving a loaded gun to a toddler: here, play with this ;)
No pun taken. I have seen many winters and every winter I learn that I know even less about everything.
Did you add blocking AWS? At first glance it looked like you had selected that, but now looking a bit closer I don't see the check mark, so maybe you were not blocking that. Blocking that for sure could break a lot of stuff.
But the state table can be your friend when trying to figure out where things are going or trying to go to, etc.
As you now say it, I started looking and yes, AWS is not active. I have only pfB_PRI1_v4 active but I have not checked what lists it has inside.
While pfBlocker again is very powerful and sure it can block ads, etc., I just use pi-hole for that; it's not as powerful as pfBlocker but it's more geared towards just that. And the lists it comes with are pretty safe to only block ads, so it's harder to just click on something that could break your network.
I had pi-hole running on a Pi Zero for a year or two w/ a USB HAT so it had a wired connection. The memory card failed so I discarded that and have not given any thought to recovery. I have one spare 3B but it's waiting for leisure time to be put into an Amiga 500 as an mc68k emulator (PiStorm).
BTW, channel 10 for your 2.4 GHz is a horrible choice. With 2.4 GHz you have 3 actually valid choices to use that do not overlap: 1, 6 and 11. Use of 10 is going to overlap with both 6 and 11.
Yes, I am familiar with frequency overlapping, but the Deco setup does not give an option to choose them. However there is a tool in the phone app to optimize the wifi. The phone app doesn't show channels. I optimized the wifi and went back into the browser and logged in to the main Deco to see if something had changed. Yes it did.
Wonderful configurability. Here can be seen the two ends of the rope. On one hand the Deco is targeted at common folk and does not give many knobs or levers for people to manage the network. As it should be. On the other hand pfSense with its modules is something like a Schrödinger's cat problem for me at the moment: I see the cat, but when I look at it there's no cat.
It works now; I'll leave it alone for a while and not touch anything, and I did back up all settings to the cloud. Thanks for your patience.
-
@matrikkel I just found like a 38 page thread on TP-Link asking about changing the channel. Reminds me of TP-Link and their switches where you couldn't remove VLAN 1 from ports that you wanted in a different VLAN. Took them a couple of years before they fixed that. And then they didn't port it back to older models.
If it were me, I would return them. If it's past time to return, sell them on eBay or something to some other sucker.
So you have a Cadillac for your router, but most of your network is running on what amounts to a Pinto with no options, the ones where if you bumped them from the back they exploded. What was that, early 70's?
If all your APs are wired, you don't need "mesh"; you'd prob be better off just getting some cheap wifi routers and using them as APs. At least then you could set the channels ;)
Doesn't even look like these Decos support WPA3.
Seems like you're pretty invested, but if you are wanting something more than plug it in and hope it works, you should change to something else.
-
@johnpoz said in pfSense probably blocking traffic from TP-Link Deco M9+ to WAN:
If all your APs are wired, you don't need "mesh"; you'd prob be better off just getting some cheap wifi routers and using them as APs. At least then you could set the channels ;)
Doesn't even look like these Decos support WPA3. Seems like you're pretty invested, but if you are wanting something more than plug it in and hope it works, you should change to something else.
Yes, every AP is wired. I got the Decos free from the ISP; I have not paid a single euro for them. I fell into the trap of people praising how easy they are to work with... My pfSense is built on an old industrial ITX motherboard running 3 GB and a dual-core T7200 CPU, which I dug out from old equipment destined for the rubbish bin, but it had 3 gigabit ethernet ports. It had a 1.5 GHz Celeron CPU but I managed to get a T7200 from China for 7€. It seems to be running at 10-13% CPU load even when there is pretty much traffic. Time will tell.
I have mostly invested time for learning and creating physical network.