[SOLVED] CP not working (1.2.3) - passes ALL traffic without auth

luken

Thanks for the reply.

APs do NAT.

192.168.1.0/24 <-> AP1 (10.22.21.3) <-> Gateway (10.22.21.1)

..but 10.22.21.3 is NOT on allowed list, so users should be redirected to CP.

Please correct me, if I'm wrong..

Gertjan

Hummm.

My C.P. IP (on Opt1) is 192.168.2.1
I have 5 Ap's : 192.168.2.2 - 3 -4 - 5 - 6
The DHCP server running on the C.P. is throwing out IP's on requests from 192.168.2.10 up untill 192.168.2.200
My AP do not NAT neither.
It works a published.

YOU :
@luken:

192.168.1.0/24 <-> AP1 (10.22.21.3) <-> Gateway (10.22.21.1)

192.168.1.0/24 is the IP set given to your clients ??
Your clienst should have an IP that runs from 10.22.21.10 (or more) up untill 10.22.21.254 - the 192.168.1.0 seems wrong to me here.
Who converts from 192.168.1.0/24 to 10.22.21.1 (btw : this is called NATting  :D)

luken

@Gertjan:

192.168.1.0/24 is the IP set given to your clients ??
Your clienst should have an IP that runs from 10.22.21.10 (or more) up untill 10.22.21.254 - the 192.168.1.0 seems wrong to me here.
Who converts from 192.168.1.0/24 to 10.22.21.1 (btw : this is called NATting  :D)

Yes. Once again:

wifi-client1 (192.168.1.53 via DHCP )---<>
                                                           (192.168.1.1) AP1 (NAT) (10.22.21.3 static)  <> (10.22.21.1) Gateway
wifi-client2 (192.168.1.78 via DHCP )---<>

Wi-fi clients network shouldn't be a problem when they are translating on AP.. (Am I wrong?)

Today I checked again. Strange, but sometimes wifi client is redirected to login page, sometimes - not.  ???
Please, help me diagnose this.

GruensFroeschli

The CP will show up for the first client to authenticate.
After that the MAC/IP of the AP is authenticated and all further clients can just go online.

Wi-fi clients network shouldn't be a problem when they are translating on AP.. (Am I wrong?)

Yes you are wrong.
NAT breaks the CP functionality.
(This is not a pfSense limitation. This is just how CPs work)

luken

Many thanks GruensFroeschli! :) I undarstand now.

What should I do to auth client connecting from APs (WRT320N) on pfSense?

Thanks again.

EDIT:
PS: Since this is not CP-related problem I'm not sure is this a right place for my topic. Anyway modarators decide :)

0tt0

@luken:

Many thanks GruensFroeschli! :) I undarstand now.

What should I do to auth client connecting from APs (WRT320N) on pfSense?

Thanks again.

EDIT:
PS: Since this is not CP-related problem I'm not sure is this a right place for my topic. Anyway modarators decide :)

You should use an access point and not a NAT-router which you are using now, yours just happen to have an built-in access point. If your router can be set to AP mode (some can) use that (will bridge clients onto local net) otherwise buy a real access point and add that to your network. Now your built-in access point in the router is bridging clients onto the local net behind the router itself.

Apart from this issue with router/ap, you may also have the same problem that I have with CP, providing that you're not mistaken in your info regarding allowed list. Indeed you should see logon page at least once.

Some of my posts regarding my problems with CP: http://forum.pfsense.org/index.php/topic,20206.0.html

Cheers,

capnsteve

You can do this just fine with a WRT320N, I'm using one on my home pfSense server.  Just disable the DHCP server on the Router and set it up with a static IP outside pfSense's DHCP range.  Works without issue for me.

GruensFroeschli

@capnsteve:

You can do this just fine with a WRT320N, I'm using one on my home pfSense server.  Just disable the DHCP server on the Router and set it up with a static IP outside pfSense's DHCP range.  Works without issue for me.

In your case you must be routing and not NATing.
If you NAT it wouldn't work.

capnsteve

@GruensFroeschli:

@capnsteve:

You can do this just fine with a WRT320N, I'm using one on my home pfSense server.  Just disable the DHCP server on the Router and set it up with a static IP outside pfSense's DHCP range.  Works without issue for me.

In your case you must be routing and not NATing.
If you NAT it wouldn't work.

I was providing specific-case instructions from my own experience.  In the standard issue Linksys firmware you just disable the DHCP server and set it to do DHCP forwarding pointed at the pfSense box.  That will also disable the NAT leaving the routing functions.

0tt0

@capnsteve:

@GruensFroeschli:

@capnsteve:

You can do this just fine with a WRT320N, I'm using one on my home pfSense server.  Just disable the DHCP server on the Router and set it up with a static IP outside pfSense's DHCP range.  Works without issue for me.

In your case you must be routing and not NATing.
If you NAT it wouldn't work.

I was providing specific-case instructions from my own experience.  In the standard issue Linksys firmware you just disable the DHCP server and set it to do DHCP forwarding pointed at the pfSense box.  That will also disable the NAT leaving the routing functions.

In your specific case that may be correct but generally no. Many SOHO routers have the ability to shut down DHCP service but that don't have to imply that NAT is also turned off, it's a separate setting, if available.

Neither is the same workings as a standard bridging AP though. Bridging is not the same as routing and in general terms they are very different, the former is data link and the latter is network.

Cheers,

luken

Thanks.

I've just disabled DHCP server on wrt320n (and also wrt610n) and changed plug with inet source from WAN to LAN.
IP list based pass through -> mac list (for wired network)

CP works like a charm. :)

SOLVED.