Anyone else running a WiSP and using pfSense?

luke240778

Hey guys, i am hoping to get some info or just a chat with some other people in a similar situation to me.  I am from Australia, and i live in Brazil.  Myse lf and a partner have started a WiSP here, which we are hoping very shortly to have our whole city (smallish, around 5 square Kilometers).

We are using some fantastic Wireless equipment from Ruckus Wireless, and i am using pfSense 2.0-RELEASE as my gateway/firewall etc..

What i would like to know is what do you guys use as far as software to manage clients, payments and all that.  Also, Network administration.. I would love to know what tools or software i can use to troubleshoot any networking problems that my customers have.  I already have a few (all connected to us via 2.4ghz directional antennas) who are having slowness problems with general web browsing, and others are not. Traffic graph shows that i have plenty of available bandwidth at the times the people are complaining.. so could pfSense not be giving out all the available bandwidth? or is it an antenna problem?  They all have very good signal and connection to my towers.

SO basically i am after assistance is knowing how to properly troubleshot these types of issues, and hopefully find out what other WiSP's are using as far as client management software and go from there.

Thanks in advance.

ericab

how many users are connected at one time to the ap's that are giving poor performance ?

chpalmer

What is the transport method between your router and your tower radio's?

Keep in mind that 2.4gHz is a very busy band. Everything from Microwave ovens, some cordless phones, bluetooth, besides wireless networking reside in and around these frequencies.

luke240778

@ericab:

how many users are connected at one time to the ap's that are giving poor performance ?

Currently have 2 towers each with an AP and a PTP.  These AP's can handle 100 concurrent conections.  My first one i currently have 58 conected, the second i have 18 connected.  Bear in mind that of that 58 connected, i have around maybe 10 that are complaingin that the internet is bottlenecking, oscilating alot.. and then others that are connected are telling me hoe got is it.. We give our clients a 2mb down/1mb up connection.

luke240778

@chpalmer:

What is the transport method between your router and your tower radio's?

Keep in mind that 2.4gHz is a very busy band. Everything from Microwave ovens, some cordless phones, bluetooth, besides wireless networking reside in and around these frequencies.

Basically, the first tower is connected directly into my network via CAT5 cable (its on the roof of my office) and the second tower, which is around 1500meters away is conected via PTPs (the main one being conected to my network via CAT5, the other at the second tower)

As far as i can see from using inSSIDer, there are other networks around but our AP's auto select the best channel which from looking at seems to be uncongested.

Just for the record, our AP's are: Ruckus ZoneFlex 2741
And our PTP's are: Ruckus ZoneFlex 7731

dhatz

@luke240778:

Just for the record, our AP's are: Ruckus ZoneFlex 2741
And our PTP's are: Ruckus ZoneFlex 7731

Hi, did you have specific reasons for choosing Ruckus gear for your WISP "last-mile" setup? FWIW I think Ruckus products are great, however it seems that most small-/mid-sized WISPs around the world typically deploy Mikrotik and Ubiquity gear.

luke240778

@dhatz:

@luke240778:

Just for the record, our AP's are: Ruckus ZoneFlex 2741
And our PTP's are: Ruckus ZoneFlex 7731

Hi, did you have specific reasons for choosing Ruckus gear for your WISP "last-mile" setup? FWIW I think Ruckus products are great, however it seems that most small-/mid-sized WISPs around the world typically deploy Mikrotik and Ubiquity gear.

'
We did alot of research and testing of all these and none of the others perform, anywhere near as good as the Ruckus.  The main benefits being the larger Backhaul capabilites, More users per radio, simple to install and setup, Beamforming.. etc.  The Ruckus equipment just works fantastically and is very simple to setup.  From talking with someone at Ubiquity, i was told that we could only really get around 30 simultanious connections per radio.. and its 100 with Ruckus currently, and will be 250 with the next firmware upgrade in a couple more weeks.

dhatz

As I wrote in my previous post, I certainly agree that Ruckus performs great, but the other two seem to be primarily geared towards the small-/medium-size WISP niche, and a lot of the necessary functionality you asked for (e.g. managing clients, payments etc) is either built-in or readily available from 3rd party software.

I'm a bit surprised that Ubiquity told you that their gear can only get 30 users per AP, because they're marketing their proprietary "AirMax" technology which reportedly supports ~100 clients per AP, as long as both AP and all clients support it.

luke240778

@dhatz:

As I wrote in my previous post, I certainly agree that Ruckus performs great, but the other two seem to be primarily geared towards the small-/medium-size WISP niche, and a lot of the necessary functionality you asked for (e.g. managing clients, payments etc) is either built-in or readily available from 3rd party software.

Do you know of any of these 3rd party softwares that are good?  I am currenly using a FreeRADIUS server for authentication, with daloRADIUS for webgui, but it doesnt seem to be that good.. Freeside is another i have heard of but i can't even get it installed and working after about a month of trying..

@dhatz:

I'm a bit surprised that Ubiquity told you that their gear can only get 30 users per AP, because they're marketing their proprietary "AirMax" technology which reportedly supports ~100 clients per AP, as long as both AP and all clients support it.

The main issue with Ubiquity was on the backhaul, it just couldnt support where we are needing to go. we  needed to go with carrier class gear to support the amount of clients and bandwidth we are aiming at.. Going with Ubiquity gear for us just meant we would need to swap it out for Ruckus later on anyways, so we went with Ruckus from the get go.

Are you also a WiSP dhatz?  If so what kind of setup are you using?

dhatz

No, I don't run a WISP, but I was involved in related work a few years ago.

luke240778

Ok great, would love to hear and ideas for software for user management that you might know that works well.

dhatz

You could check Radius Manager (http://www.dmasoftlab.com/) but keep in mind that certain key features are NAS-specific. E.g. Radius Manager has a feature called "instant access service" that allows a user to create a Hotspot-account on the fly, after paying first. But for this feature to work, one would obviously need to add certain sites to captive portal's walled-garden, incl. wildcard domain matches for *.akamaiedge.net servers.

Check the filter by hostnam/fqdn threads to understand the issues involved. Latest pfsense2 has a daemon that resolves hostnames into IPs periodically, but I'd have to check to see if CP can be configured to allow traffic to the entire akamai's IP range (if you plan to use a payment gateway that uses it).

bonnecomm

I run a WISP and we're about to try pfSense 2.0-Release. There was a bug in pfSense 1.2.3 where it didn't like our MikroTik Quad-NICs, but 2.0 doesn't appear to have that problem.

luke240778

@dhatz:

You could check Radius Manager (http://www.dmasoftlab.com/) but keep in mind that certain key features are NAS-specific. E.g. Radius Manager has a feature called "instant access service" that allows a user to create a Hotspot-account on the fly, after paying first. But for this feature to work, one would obviously need to add certain sites to captive portal's walled-garden, incl. wildcard domain matches for *.akamaiedge.net servers.

Check the filter by hostnam/fqdn threads to understand the issues involved. Latest pfsense2 has a daemon that resolves hostnames into IPs periodically, but I'd have to check to see if CP can be configured to allow traffic to the entire akamai's IP range (if you plan to use a payment gateway that uses it).

Thanks for this.  I have actually contacted them to do a demo.  They are telling me that their software works best with Mikrotik, and not so great with pfsense… not sure what to do now..  Can i somehow use both Mikrotik and pfSense?

dhatz

@luke240778:

Dont be too quick to try pfSense 2.0-RELEASE.. my captive portal worked perfectly before the upgrade to 2.0-RELEASE.. now i am having people bypass the CP and straight onto the net.. big bug in my opinion.

I've noticed you posting about having problems, but IIRC you were just using the MAC-passthrough feature and manually adding/removing MACs.

You'll need to provide more info about your config and ipfw settings (/tmp/ipfw.cp.rules, ipfw show, ipfw table all list), for anyone to attempt a diagnosis.

luke240778

dhatz i am not sure what you are saying.. dont know what those ipfw commands you mention are.  I have posted about this in another thread i mentioned.. but no one assisted, just someone else saying they have also got the same problem.

if i run: /tmp/ipfw.cp.rules it tells me i dont have permission (logged in as root)

ipfw table all lsit i get nothing.. it just goes to a new prompt..

ipfw show and i get:

00002  4332989  5006773709 pipe 20003 ip from any to any MAC 00:05:9e:84:e6:20 any
00003  3075455  310604103 pipe 20002 ip from any to any MAC any 00:05:9e:84:e6:20
00004  9842576  7583812500 allow ip from any to any MAC 00:0c:29:13:78:e0 any
00005  9631009  1639719585 allow ip from any to any MAC any 00:0c:29:13:78:e0
00006        0          0 allow ip from any to any MAC 00:0c:29:41:51:16 any
00007        0          0 allow ip from any to any MAC any 00:0c:29:41:51:16
00008    2667      210140 allow ip from any to any MAC 00:0c:29:a3:32:e0 any
00009  222347    10321860 allow ip from any to any MAC any 00:0c:29:a3:32:e0
00010        0          0 pipe 20011 ip from any to any MAC 00:0c:29:a4:2c:51 any
00011        0          0 pipe 20010 ip from any to any MAC any 00:0c:29:a4:2c:51
00012    16154    1302958 pipe 20013 ip from any to any MAC 00:15:6d:4e:4e:1a any
00013    25416    2561760 pipe 20012 ip from any to any MAC any 00:15:6d:4e:4e:1a
00014        0          0 allow ip from any to any MAC 00:18:8b:4b:ed:f8 any
00015        0          0 allow ip from any to any MAC any 00:18:8b:4b:ed:f8
00016    5937      820358 allow ip from any to any MAC 00:18:8b:4b:ed:fa any
00017    21567    5593215 allow ip from any to any MAC any 00:18:8b:4b:ed:fa
00018        0          0 allow ip from any to any MAC 00:1b:b9:6f:25:06 any
00019        0          0 allow ip from any to any MAC any 00:1b:b9:6f:25:06
00020  2271099  2114454968 pipe 20021 ip from any to any MAC 00:1c:26:a9:fc:f4 any
00021  1975314  471339914 pipe 20020 ip from any to any MAC any 00:1c:26:a9:fc:f4
00022      126      12583 pipe 20023 ip from any to any MAC 00:26:66:03:23:af any
00023      206      14510 pipe 20022 ip from any to any MAC any 00:26:66:03:23:af
00024  622301  524288168 pipe 20025 ip from any to any MAC 00:26:ce:0f:57:35 any
00025  459052    66340065 pipe 20024 ip from any to any MAC any 00:26:ce:0f:57:35
00026  330032    26467120 allow ip from any to any MAC 04:4f:aa:33:53:f0 any
00027  469297  274555701 allow ip from any to any MAC any 04:4f:aa:33:53:f0
00028  325160    26040717 allow ip from any to any MAC 04:4f:aa:33:5c:b0 any
00029  457004  267463375 allow ip from any to any MAC any 04:4f:aa:33:5c:b0
00030  7568554  5860475360 pipe 20031 ip from any to any MAC 08:10:74:75:7d:44 any
00031  7516046  4757064328 pipe 20030 ip from any to any MAC any 08:10:74:75:7d:44
00032  3518218  3854560400 pipe 20033 ip from any to any MAC 08:10:74:75:7f:06 any
00033  2568860  365464108 pipe 20032 ip from any to any MAC any 08:10:74:75:7f:06
00034  115475  131312084 pipe 20035 ip from any to any MAC 08:10:74:75:84:be any
00035    72804    7707477 pipe 20034 ip from any to any MAC any 08:10:74:75:84:be
00036        0          0 pipe 20037 ip from any to any MAC 08:10:74:c8:46:86 any
00037        0          0 pipe 20036 ip from any to any MAC any 08:10:74:c8:46:86
00038  1474309  1939345218 pipe 20039 ip from any to any MAC 08:10:74:75:8b:e6 any
00039  894634    72499724 pipe 20038 ip from any to any MAC any 08:10:74:75:8b:e6
00040  565946  417136068 pipe 20041 ip from any to any MAC 08:10:74:75:8f:3c any
00041  429217    75869270 pipe 20040 ip from any to any MAC any 08:10:74:75:8f:3c
00042  2985854  3239996369 pipe 20043 ip from any to any MAC 08:10:74:75:90:32 any
00043  1921277  217632925 pipe 20042 ip from any to any MAC any 08:10:74:75:90:32
00044  1288158  1706708950 pipe 20045 ip from any to any MAC 08:10:74:75:9a:9c any
00045  723971    74211447 pipe 20044 ip from any to any MAC any 08:10:74:75:9a:9c
00046  2002579  1943272834 pipe 20047 ip from any to any MAC 08:10:74:75:a5:06 any
00047  1013172    98836047 pipe 20046 ip from any to any MAC any 08:10:74:75:a5:06
00048 28290720 39669941815 pipe 20049 ip from any to any MAC 08:10:74:75:a8:80 any
00049 16095239  2111785148 pipe 20048 ip from any to any MAC any 08:10:74:75:a8:80
00050  166331  188546282 pipe 20051 ip from any to any MAC 08:10:74:75:ab:68 any
00051  103300    12669065 pipe 20050 ip from any to any MAC any 08:10:74:75:ab:68
00052  2300984  3172667786 pipe 20053 ip from any to any MAC 08:10:74:75:b1:4e any
00053  1418983  109118422 pipe 20052 ip from any to any MAC any 08:10:74:75:b1:4e
00054  5163631  6991035861 pipe 20055 ip from any to any MAC 08:10:74:75:b9:88 any
00055  3273357  266203334 pipe 20054 ip from any to any MAC any 08:10:74:75:b9:88
00056  3025463  1976128448 pipe 20057 ip from any to any MAC 08:10:74:75:bb:52 any
00057  2171779  280907648 pipe 20056 ip from any to any MAC any 08:10:74:75:bb:52
00058  459865  537204506 pipe 20059 ip from any to any MAC 08:10:74:75:a6:8c any
00059  277890    40061967 pipe 20058 ip from any to any MAC any 08:10:74:75:a6:8c
00060        0          0 pipe 20061 ip from any to any MAC 08:10:74:75:c5:d8 any
00061        0          0 pipe 20060 ip from any to any MAC any 08:10:74:75:c5:d8
00062  1873946  1953949464 pipe 20063 ip from any to any MAC 08:10:74:77:fe:7e any
00063  1636396  347991776 pipe 20062 ip from any to any MAC any 08:10:74:77:fe:7e
00064  2759491  3410703235 pipe 20065 ip from any to any MAC 08:10:74:78:08:8e any
00065  1595431  156613288 pipe 20064 ip from any to any MAC any 08:10:74:78:08:8e
00066  764212  807967272 pipe 20067 ip from any to any MAC 08:10:74:85:fd:48 any
00067  474708    64712594 pipe 20066 ip from any to any MAC any 08:10:74:85:fd:48
00068  4833764  6321102547 pipe 20069 ip from any to any MAC 08:10:74:86:02:6a any
00069  2655256  171925890 pipe 20068 ip from any to any MAC any 08:10:74:86:02:6a
00070  184133  178950476 pipe 20071 ip from any to any MAC 08:10:74:86:03:70 any
00071  128563    18067939 pipe 20070 ip from any to any MAC any 08:10:74:86:03:70
00072  2174920  348846173 pipe 20073 ip from any to any MAC 08:10:74:86:07:0e any
00073  3356930  3814734310 pipe 20072 ip from any to any MAC any 08:10:74:86:07:0e
00074  3578092  4460492829 pipe 20075 ip from any to any MAC 08:10:74:86:14:a6 any
00075  2585431  274397409 pipe 20074 ip from any to any MAC any 08:10:74:86:14:a6
00076  7462527 10502227054 pipe 20077 ip from any to any MAC 08:10:74:86:1a:22 any
00077  3952707  255584104 pipe 20076 ip from any to any MAC any 08:10:74:86:1a:22
00078  4286126  4185272568 pipe 20079 ip from any to any MAC 08:10:74:86:25:b6 any
00079  3421293  490149811 pipe 20078 ip from any to any MAC any 08:10:74:86:25:b6
00080  955203  732193600 pipe 20081 ip from any to any MAC 08:10:74:86:26:d6 any
00081  688034  139381334 pipe 20080 ip from any to any MAC any 08:10:74:86:26:d6
00082  1041003  1269900124 pipe 20083 ip from any to any MAC 08:10:74:86:29:82 any
00083  719576    70296111 pipe 20082 ip from any to any MAC any 08:10:74:86:29:82
00084  2241588  2871263310 pipe 20085 ip from any to any MAC 08:10:74:c8:c5:42 any
00085  1354726  214935886 pipe 20084 ip from any to any MAC any 08:10:74:c8:c5:42
00086  4736888  6161902089 pipe 20087 ip from any to any MAC 08:10:74:86:2e:36 any
00087  2664496  235005501 pipe 20086 ip from any to any MAC any 08:10:74:86:2e:36
00088  131322  115975933 pipe 20089 ip from any to any MAC 08:10:74:86:2f:42 any
00089    88701    16339203 pipe 20088 ip from any to any MAC any 08:10:74:86:2f:42
00090  1002356  987145289 pipe 20091 ip from any to any MAC 08:10:74:86:2f:d6 any
00091  727255    97393671 pipe 20090 ip from any to any MAC any 08:10:74:86:2f:d6
00092  1533181  1934887741 pipe 20093 ip from any to any MAC 08:10:74:86:30:5c any
00093  864980    82982534 pipe 20092 ip from any to any MAC any 08:10:74:86:30:5c
00094        0          0 pipe 20095 ip from any to any MAC 08:10:74:c8:00:00 any
00095        0          0 pipe 20094 ip from any to any MAC any 08:10:74:c8:00:00
00096  130061  168854494 pipe 20097 ip from any to any MAC 08:10:74:c8:bc:6c any
00097    73496    6046004 pipe 20096 ip from any to any MAC any 08:10:74:c8:bc:6c
00098  5137037  6155347004 pipe 20099 ip from any to any MAC 08:10:74:c8:c0:70 any
00099  2885155  558971080 pipe 20098 ip from any to any MAC any 08:10:74:c8:c0:70
00100  195441  185029323 pipe 20101 ip from any to any MAC 08:10:74:c8:c5:42 any
00101  155105    24313030 pipe 20100 ip from any to any MAC any 08:10:74:c8:c5:42
00102    13138      830143 pipe 20103 ip from any to any MAC 08:10:74:c8:c5:f4 any
00103    10808    1148591 pipe 20102 ip from any to any MAC any 08:10:74:c8:c5:f4
00104    15813    2527914 pipe 20105 ip from any to any MAC 08:10:74:c8:c9:fa any
00105    14031    1566746 pipe 20104 ip from any to any MAC any 08:10:74:c8:c9:fa
00106  1453843  1680267944 pipe 20107 ip from any to any MAC 08:10:74:c8:ce:58 any
00107  1039868  124427774 pipe 20106 ip from any to any MAC any 08:10:74:c8:ce:58
00108  478918  689777112 pipe 20109 ip from any to any MAC 08:10:74:c8:ce:68 any
00109  247947    12775142 pipe 20108 ip from any to any MAC any 08:10:74:c8:ce:68
00110  657883  555438755 pipe 20111 ip from any to any MAC 08:10:74:c8:da:b2 any
00111  452525    99963657 pipe 20110 ip from any to any MAC any 08:10:74:c8:da:b2
00112  722741  553149713 pipe 20113 ip from any to any MAC 08:10:74:c8:dc:74 any
00113  785433  203374557 pipe 20112 ip from any to any MAC any 08:10:74:c8:dc:74
00114 14722725 11822029016 pipe 20115 ip from any to any MAC 08:10:74:c8:de:94 any
00115 14176511  9000714251 pipe 20114 ip from any to any MAC any 08:10:74:c8:de:94
00116  458948  420041242 pipe 20117 ip from any to any MAC 08:10:74:c8:e0:b0 any
00117  343544    77904548 pipe 20116 ip from any to any MAC any 08:10:74:c8:e0:b0
00118    1311      411509 pipe 20119 ip from any to any MAC 08:10:74:c8:e0:e6 any
00119      886      70264 pipe 20118 ip from any to any MAC any 08:10:74:c8:e0:e6
00120  1010311  1218800362 pipe 20121 ip from any to any MAC 08:10:74:c8:e5:d0 any
00121  624559    76458597 pipe 20120 ip from any to any MAC any 08:10:74:c8:e5:d0
00122  1988198  2351126255 pipe 20123 ip from any to any MAC 08:10:74:c8:ed:f4 any
00123  1187285  118790792 pipe 20122 ip from any to any MAC any 08:10:74:c8:ed:f4
00124 14350111 20900275604 pipe 20125 ip from any to any MAC 08:10:74:c8:f0:6a any
00125  7247990  347228464 pipe 20124 ip from any to any MAC any 08:10:74:c8:f0:6a
00126  103746  109188989 pipe 20127 ip from any to any MAC 08:10:74:c8:f0:a6 any
00127    64535    6460202 pipe 20126 ip from any to any MAC any 08:10:74:c8:f0:a6
00128  1103923  1198607577 pipe 20129 ip from any to any MAC 08:10:74:c8:f3:aa any
00129  786784  106228806 pipe 20128 ip from any to any MAC any 08:10:74:c8:f3:aa
00130  910998  1175609674 pipe 20131 ip from any to any MAC 08:10:74:c8:f6:8e any
00131  520111    79062272 pipe 20130 ip from any to any MAC any 08:10:74:c8:f6:8e
00132  1026676  1001090013 pipe 20133 ip from any to any MAC 08:10:74:c8:f7:e2 any
00133  809725  176497032 pipe 20132 ip from any to any MAC any 08:10:74:c8:f7:e2
00134  4602213  5479895709 pipe 20135 ip from any to any MAC 08:10:74:c8:f8:9c any
00135  3085460  525300497 pipe 20134 ip from any to any MAC any 08:10:74:c8:f8:9c
00136  923329  1144883035 pipe 20137 ip from any to any MAC 08:10:74:c8:f8:aa any
00137  615328    46524778 pipe 20136 ip from any to any MAC any 08:10:74:c8:f8:aa
00138  568334  296974594 pipe 20139 ip from any to any MAC 08:10:74:c8:fa:14 any
00139  490189    91737144 pipe 20138 ip from any to any MAC any 08:10:74:c8:fa:14
00140  8981296  9393993251 pipe 20141 ip from any to any MAC 08:10:74:c8:fa:40 any
00141  6054045  590900973 pipe 20140 ip from any to any MAC any 08:10:74:c8:fa:40
00142  1644037  1904953778 pipe 20143 ip from any to any MAC 08:10:74:c8:fa:4c any
00143  1032831  145128109 pipe 20142 ip from any to any MAC any 08:10:74:c8:fa:4c
00144  853769  868850701 pipe 20145 ip from any to any MAC 08:10:74:c8:fa:5c any
00145  645901    93591692 pipe 20144 ip from any to any MAC any 08:10:74:c8:fa:5c
00146  4320838  4499445123 pipe 20147 ip from any to any MAC 08:10:74:c8:fd:b2 any
00147  2905435  749661585 pipe 20146 ip from any to any MAC any 08:10:74:c8:fd:b2
00148  474845  516573968 pipe 20149 ip from any to any MAC 08:10:74:c8:dd:b8 any
00149  296075    36403578 pipe 20148 ip from any to any MAC any 08:10:74:c8:dd:b8
00150    1439      393932 pipe 20151 ip from any to any MAC 08:10:74:c8:f6:ac any
00151      748      74389 pipe 20150 ip from any to any MAC any 08:10:74:c8:f6:ac
00152  7476571  6214598572 pipe 20153 ip from any to any MAC 08:10:74:c9:00:cc any
00153  5954648  2546952560 pipe 20152 ip from any to any MAC any 08:10:74:c9:00:cc
00154  3181630  4062422740 pipe 20155 ip from any to any MAC 08:10:74:c9:01:f0 any
00155  1883407  165582295 pipe 20154 ip from any to any MAC any 08:10:74:c9:01:f0
00156    49210    32270556 pipe 20157 ip from any to any MAC 08:10:74:c9:02:6c any
00157    34342    6889467 pipe 20156 ip from any to any MAC any 08:10:74:c9:02:6c
00158 13877616 17589938436 pipe 20159 ip from any to any MAC 08:10:74:c9:02:9e any
00159  8831606  1230984896 pipe 20158 ip from any to any MAC any 08:10:74:c9:02:9e
00160  4065141  5326504356 pipe 20161 ip from any to any MAC 08:10:74:c9:04:72 any
00161  2352751  225342377 pipe 20160 ip from any to any MAC any 08:10:74:c9:04:72
00162        0          0 pipe 20163 ip from any to any MAC 08:10:74:c8:59:16 any
00163        0          0 pipe 20162 ip from any to any MAC any 08:10:74:c8:59:16
00164  276006  216198548 pipe 20165 ip from any to any MAC 08:10:74:c8:e0:92 any
00165  222463    35028691 pipe 20164 ip from any to any MAC any 08:10:74:c8:e0:92
00166  877308  540245232 pipe 20167 ip from any to any MAC 90:00:4e:5a:5a:7f any
00167  692340    86802756 pipe 20166 ip from any to any MAC any 90:00:4e:5a:5a:7f
00168        0          0 allow ip from any to any MAC a4:ba:db:3d:24:5a any
00169        0          0 allow ip from any to any MAC any a4:ba:db:3d:24:5a
00170    48128    4248350 allow ip from any to any MAC ac:67:06:37:90:60 any
00171    48765    5809853 allow ip from any to any MAC any ac:67:06:37:90:60
00172    48273    4255706 allow ip from any to any MAC ac:67:06:37:91:90 any
00173    48831    5775983 allow ip from any to any MAC any ac:67:06:37:91:90
00174      207      45439 pipe 20175 ip from any to any MAC b8:70:f4:92:0f:2e any
00175      437      44620 pipe 20174 ip from any to any MAC any b8:70:f4:92:0f:2e
00176      199      55265 pipe 20177 ip from any to any MAC f8:7b:7a:3a:ce:7f any
00177      218      50668 pipe 20176 ip from any to any MAC any f8:7b:7a:3a:ce:7f
00178  9250394  1277797068 pipe 20179 ip from any to any MAC c8:3a:35:d2:53:cf any
00179 14148558 14986388983 pipe 20178 ip from any to any MAC any c8:3a:35:d2:53:cf
00180        0          0 pipe 20181 ip from any to any MAC 08:10:74:86:26:fe any
00181      246      14496 pipe 20180 ip from any to any MAC any 08:10:74:86:26:fe
00182        0          0 pipe 20183 ip from any to any MAC 08:10:74:c8:06:ac any
00183        0          0 pipe 20182 ip from any to any MAC any 08:10:74:c8:06:ac
00184  954445  682284918 allow ip from any to any MAC 00:1e:64:52:a0:16 any
00185  1186802  1104938693 allow ip from any to any MAC any 00:1e:64:52:a0:16
00186        0          0 pipe 20187 ip from any to any MAC 08:10:74:75:98:9e any
00187      458      24248 pipe 20186 ip from any to any MAC any 08:10:74:75:98:9e
00188        0          0 pipe 20189 ip from any to any MAC 08:10:74:c8:e9:6c any
00189      62      15572 pipe 20188 ip from any to any MAC any 08:10:74:c8:e9:6c
00190    15236    17844494 pipe 20191 ip from any to any MAC 1c:65:9d:b3:75:42 any
00191    11055    1464218 pipe 20190 ip from any to any MAC any 1c:65:9d:b3:75:42
00192        0          0 pipe 20193 ip from any to any MAC 00:27:22:2e:11:65 any
00193    2051      160090 pipe 20192 ip from any to any MAC any 00:27:22:2e:11:65
00194    87117  128987267 allow ip from any to any MAC 00:0c:29:44:04:2d any
00195    51242    2831873 allow ip from any to any MAC any 00:0c:29:44:04:2d
00196        0          0 pipe 20197 ip from any to any MAC 08:10:74:c8:bd:14 any
00197      10        2580 pipe 20196 ip from any to any MAC any 08:10:74:c8:bd:14
00198        0          0 pipe 20199 ip from any to any MAC 08:10:74:75:98:9e any
00199        0          0 pipe 20198 ip from any to any MAC any 08:10:74:75:98:9e
00200        0          0 pipe 20201 ip from any to any MAC 08:10:74:86:2f:42 any
00201        0          0 pipe 20200 ip from any to any MAC any 08:10:74:86:2f:42
00202        0          0 pipe 20203 ip from any to any MAC 08:10:74:c8:1d:b8 any
00203        0          0 pipe 20202 ip from any to any MAC any 08:10:74:c8:1d:b8
65291        0          0 allow pfsync from any to any
65292        0          0 allow carp from any to any
65301    20191      738580 allow ip from any to any layer2 mac-type 0x0806
65302        0          0 allow ip from any to any layer2 mac-type 0x888e
65303        0          0 allow ip from any to any layer2 mac-type 0x88c7
65304        0          0 allow ip from any to any layer2 mac-type 0x8863
65305        0          0 allow ip from any to any layer2 mac-type 0x8864
65306        0          0 allow ip from any to any layer2 mac-type 0x888e
65307    18936    1012360 deny ip from any to any layer2 not mac-type 0x0800
65310    49077    9426797 allow ip from any to { 255.255.255.255 or 192.168.10.1 or 192.168.5.1 } in
65311      927      569345 allow ip from { 255.255.255.255 or 192.168.10.1 or 192.168.5.1 } to any out
65312        0          0 allow icmp from { 255.255.255.255 or 192.168.10.1 or 192.168.5.1 } to any out icmptypes 0
65313        0          0 allow icmp from any to { 255.255.255.255 or 192.168.10.1 or 192.168.5.1 } in icmptypes 8
65314        0          0 allow ip from table(3) to any in
65315        0          0 allow ip from any to table(4) out
65316        0          0 pipe tablearg ip from table(5) to any in
65317        0          0 pipe tablearg ip from any to table(6) out
65318        0          0 allow ip from any to table(7) in
65319        0          0 allow ip from table(8) to any out
65320        0          0 pipe tablearg ip from any to table(9) in
65321        0          0 pipe tablearg ip from table(10) to any out
65322        0          0 pipe tablearg ip from table(1) to any in
65323        0          0 pipe tablearg ip from any to table(2) out
65531      746      71739 fwd 127.0.0.1,8000 tcp from any to any in
65532      643      154006 allow tcp from any to any out
65533    92768    19184302 deny ip from any to any
65534        0          0 allow ip from any to any layer2
65535      86      79613 allow ip from any to any

dhatz

Well, the idea was to check whether the MAC-addresses you wanted blocked are actually still in the 'ipfw show' list you just posted, even though you've removed them from the MAC-pass-through page of pfsense's webGUI.

ptt

@luke240778:

Thanks for this.  I have actually contacted them to do a demo.  They are telling me that their software works best with Mikrotik, and not so great with pfsense… not sure what to do now..  Can i somehow use both Mikrotik and pfSense?

Im using pfSense ( failover & Sip Proxy ) + MikroTik ( PPPoE ) and  Ubiquiti Rocket M5 as AP, for CPE: NanoStation, NanoStation Loco & NanoBridge ( all 5M series ), and Linksys SPA2102 for clients with VoIP service . I do the PPPoE & traffic shapping at CPE.

luke240778

@dhatz:

Well, the idea was to check whether the MAC-addresses you wanted blocked are actually still in the 'ipfw show' list you just posted, even though you've removed them from the MAC-pass-through page of pfsense's webGUI.

Ah ok, i see..  i will check that.  Thankyou.

Is it strange that the other ipfw commands that you mentioned before didn't do anything when i ran them?

dhatz

@luke240778:

Is it strange that the other ipfw commands that you mentioned before didn't do anything when i ran them?

Well, perhaps I wasn't clear enough

/tmp/ipfw.cp.rules is a text-file that contains the ipfw configuration, so you just check its contents (using vi, more etc)
ipfw table all list was to check if you had any entries in ipfw tables. Since it came empty, it means you don't (which is to be expected, since you only use MAC passthrough).

So, as I wrote above, you need to check whether any MAC-addresses you want blocked are still in the 'ipfw show' list. And you need to check that you haven't disabled MAC filtering.