Can not connect external ap
-
I am having a problem setting up my external ap. its a linksys wr54g (something like that) it used to be a router i when in and turned off dhcp all port fowarding changed the interface ip to 172.30.1.125 set it to dhcp (not sure if it should be static) pluged it into my opt1 interface now called wireless. some information is shown below if im missing anything please let me know also i have the book if there is something i should look at in it.
under Status: interface it shows
interface opt1:
wireless firewall rule
-
I got the impression that you wanted the pfSense box to act as the DHCP server for the wireless network. If so, you have at least a couple of problems.
-
The pfSense wireless interface needs to have its type (under General Configuration) changed from DHCP to Static. (This interface should not be getting its address by DHCP. It will share an IP address with the pfSense LAN interface because its bridged with the LAN interface.)
-
The DHCP firewall rule is too restrictive. It won't allow a DHCP client to talk directly to the server to acknowledge its address assignment or renew an existing DHCP lease. The two following rules work for me:
UDP * bootpc 255.255.255.255 bootps *
UDP * bootpc LAN address bootps *
where bootpc and bootps are aliases for 68 and 67 respectively.You haven't mentioned what sort of access restrictions (if any) you want to apply to the wireless clients. Depending on this policy matter, the configuration under discussion here may not be the best. (For example, this is probably not the way to go if you want to block wireless clients from accessing your LAN systems.)
-
-
yes i do want my fpSense box to act as the DHCP server.
if i change the configuration to Static will i just use the ip address i gave to the wireless router to connect to it (for management)
not really sure that i understand the firewall rules. (nevermind i understand thanks) What type does the 255.255.255.255 need to be?
For wireless i want them to be able to access my lan since not really worried about someone breaking into my network.im new to this i have only had this box up for one day.
so i changed it to static and then changed the firewall settings and i got "limited or no connection activity" unlike the "connected" i got before. maybe im not doing something right with the firewall.
-
if i change the configuration to Static will i just use the ip address i gave to the wireless router to connect to it (for management)
Provided the wireless router IP address is on your LAN subnet, it will respond to an ARP (Address Resolution Protocol) request asking Who has address <ip address="" you="" assigned="">? and the ARP requestor will then know the MAC address of the router.
If your LAN IP is 172.30.1.7/24 and the wireless router IP address is 172.30.1.125/24 then they are both on the same subnet (first 24 bits of the IP address is the same for both).What type does the 255.255.255.255 need to be?
I don't understand the question. The 255.255.255.255 in the firewall rule is the IP broadcast address. On startup, a DHCP client will send its DHCP request to the IP broadcast address (auto configuration, it doesn't know the IP address of its DHCP server) in the hope that someone will respond. Once someone responds it knows the IP address of its DHCP server and thereafter can use its IP address.</ip>
-
the type for the 255.255.255.255 but i got it figured out.
so my issue is not getting internet.
-
so my issue is not getting internet.
I'm not telepathic. I'll need a bit more to work with than that.
Not getting the internet from where? Can you access the internet from the pfSense console (e.g. # ping www.google.com)? Can you access the internet from a system connected to your LAN interface? (Do you have something connected to the LAN interface? Is the LAN interface up? (It needs to be for the bridging to work.)
It might help to have a diagram of your network configuration. It doesn't need to be fancy.
-
sorry it was late and very out of it last night.
i have internet though everything but wireless.
I am able to connect to AP and get a ip from the pfSense box DHCP server. My gateway it turned to my pfsense box ip i just think its the allow traffic rule im not doing right. -
It wasn't sure from what you said, but where on the wireless router did you plugin the cable to the pfSense box? (it should be the switch side)
See here: http://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense
-
yeah its plugged in on the switch side. :o
-
I am able to connect to AP and get a ip from the pfSense box DHCP server. My gateway it turned to my pfsense box ip i just think its the allow traffic rule im not doing right.
That's good progress.
Have you checked the pfSense firewall log? (Web GUI: Status -> System logs, click on the firewall tab)
From the wireless side, can you ping the pfSense LAN IP address? the pfSense WAN IP address?
Is the allow traffic rule the one you originally posted in this thread? I have a similar rule in my pfSense box EXCEPT the source is WLAN Subnet. (In my configuration, WLAN is bridged to LAN so I guess WLAN Subnet would be the same as LAN subnet but maybe not. Perhaps this rule is a harmless relic of WLAN's previous life as an independent subnet.)
-
i can not ping the pfSense Lan IP .
for the log not really sure what im looking for i see a lot of things blocked from the wan and it looks like everything from the Wireless was allowed. although the only thing comming from the wireless is the actual AP it's self.
could it be something in the AP.
i just noticed that i still had the internet setup in the AP as Automatic Configuration - DHCP. does it need to be static? if so what do i chose for the IP address. just anything on the Lan Subnet?
What it is now.
What i think it might need to be.
-
If you are just using the wireless router as an AP, you want to totally disable the WAN interface if possible. I know some firmwares do not let you do that. If you are in that boat, give the WAN interface a bogus IP you will never use, like 192.168.222.222 or somesuch. However, if the clients are getting IPs from the pfsense, their packets should be going to it, so the WAN configuration on the AP is not likely to matter much.
-
okay good to know i just cant figure out why i can connect to it and the DHCP server but i cant access the web. though wireless.
i can ping my computer on the wireless though a computer on the LAN though. but i cant ping my computer on lan from my computer on wireless.
i can also connect to the computer remotely over the LAN. -
I reread the first post or so. Do you really still have the AP plugged into a separate OPT1? If so, why? You are bridging the wireless segment to the LAN with no restrictions, so why not just plug the AP into the LAN and be done with it?
-
18.4.3. Bridging wireless to an OPT interface
If you want more control over your wireless clients, adding an OPT interface to pfSense for your access point is the preferred solution. If you wish to keep your wireless and wired networks on the same IP subnet and broadcast domain, you can bridge the OPT interface to your LAN interface. This scenario is functionally equivalent to plugging the access point directly into your LAN switch, except since pfSense is in the middle, it can filter traffic from your wireless network to provide protection to your LAN hosts.
You can also put your wireless network on a dedicated IP subnet if desired, by not bridging the OPT interface on pfSense and assigning it with an IP subnet outside of your LAN subnet. This enables routing between your internal and wireless networks, as permitted by your firewall ruleset. This is commonly done on larger networks, where multiple access points are plugged into a switch that is then plugged into the OPT interface on pfSense. It is also preferable when you will force your wireless clients to connect to a VPN before allowing connections to internal network resources.From the book it's really just a control thing. from what i read.
-
you're missing the key point though: if you have a default "allow any" rule, there IS no extra control, so you are complicating your setup for no real gain.
-
Maybe the "allow any" rule is there for the present to try to get the configuration working.@pman860507:
i can ping my computer on the wireless though a computer on the LAN though. but i cant ping my computer on lan from my computer on wireless.
What report do you get when you ping the computer on lan from computer on wireless?
-
Maybe the "allow any" rule is there for the present to try to get the configuration working.@pman860507:
i can ping my computer on the wireless though a computer on the LAN though. but i cant ping my computer on lan from my computer on wireless.
What report do you get when you ping the computer on lan from computer on wireless?
I get a 100% reply.
-
OK, so your earlier report that you can't ping a computer on the LAN from a computer on the wireless is no longer current?
-
OK, so your earlier report that you can't ping a computer on the LAN from a computer on the wireless is no longer current?
sorry i miss read that from the wireless to lan computer i get no reply. from lan computer to wireless computer i get 100% reply.
you're missing the key point though: if you have a default "allow any" rule, there IS no extra control, so you are complicating your setup for no real gain.
i understand what you are saying and it does make since. if i put the wireless on the lan do i need to bridge it with anything or just plug it in and good to go?
nvm thats a dumb question once i think about it im going to hook the wireless into the Lan. if i ever need to add some restrictions to it i might move it back.and amazing enough it worked perfectly thanks a lot for all your help many next time i have to do this kind of stuff i will be more familiar with the firewall rules.
