Netgate Discussion Forum

    PfSense doesn't work with 2 wireless adapters on VMware

      hcigmx

      @wallabybob:

      pfSense default configuration sets firewall rules on LAN interface to allow traffic to anywhere and rules on other interfaces to block traffic.

      Is your pfSense wired interface called LAN? If so, then you will need firewall rules on the "LAN" WiFi interface to allow traffic to the Internet (anywhere?). After changing the rules you should reset firewall states, see Diagnostics -> States, click on Reset States tab, read explanation then click on Reset button.

      Within pfSense, there is only 1 LAN interface, which has all traffic allowed. Reset States didn't solve it. Switching of LAN adapters from wired to wifi was done in VM setting, so pfSense should not see anything different.

      Today, I tried to make the VM have 3 adapters, i.e. WAN, LAN-wired, LAN-wifi. Within pfSense, only 2 adapters were enabled. Switching of LAN adapters was done in Interface Assignment. Also tried clean install on 2.1Beta0. In those 3 different ways, they behaved the same, i.e. 2 wifi didn't work, 1 wired 1 wifi worked.

      Further tests were done, and it appears that whenever selected LAN-facing adapter is wifi, it won't work. Local PING on LAN-facing wifi worked, but just didn't want to route.

      So in summary:
      LAN-facing: Wifi didn't work
      LAN-facing: Wired worked
      WAN-facing: either wifi or wired, worked

      I begin to wonder whether LAN-facing wifi adapter connected to AP is unsupported by pfSense. Or, is it a problem with VMware? Or, Windows 7 Starter as host machine?

      Thanks.

        wallabybob

        @hcigmx:

        Within pfSense, there is only 1 LAN interface, which has all traffic allowed. Reset States didn't solve it. Switching of LAN adapters from wired to wifi was done in VM setting, so pfSense should not see anything different.

        Your diagram doesn't show the access the hypervisor has to the NICs. I presume the hypervisor has control at least of the "LAN facing" WiFi NIC.

        I suggest you ping an internet host over the WiFi link and run a packet capture on the pfSense "LAN facing" NIC. Do you see the traffic? If not, you will have to tweak the hypervisor to get the traffic to pfSense (probably need a default route).

          hcigmx

          @wallabybob:

          I suggest you ping an internet host over the WiFi link and run a packet capture on the pfSense "LAN facing" NIC. Do you see the traffic? If not, you will have to tweak the hypervisor to get the traffic to pfSense (probably need a default route).

          Packet capture on pfSense LAN-facing NIC showed the traffic when pinging from a computer over wifi link (192.168.8.8) to internet host: 192.168.8.1 < 192.168.8.8.

          pfSense LAN-facing NIC was also able to respond to ping from other computers, and vice versa. It was able to issue DHCP leases, as well.

            wallabybob

            @hcigmx:

            Packet capture on pfSense LAN-facing NIC showed the traffic when pinging from a computer over wifi link (192.168.8.8) to internet host: 192.168.8.1 < 192.168.8.8.

            Sorry, by "internet host" I meant a public IP address (e.g. 74.125.237.116, www.google.com).

            Unless I completely misunderstood your diagram, 192.168.8.1 is the (private) IP address of your pfSense LAN facing NIC. You have already reported you get responses to pings directed to that address. I'm much more interested in whether pfSense even sees packets directed to the public IP addresses for which you don't get a response!

            @wallabybob:

            I presume the hypervisor has control at least of the "LAN facing" WiFi NIC.

            Is this presumption correct?

              hcigmx

              @wallabybob:

              Sorry, by "internet host" I meant a public IP address (e.g. 74.125.237.116, www.google.com).

              That's the result from LAN-facing capture when I ping to public IP.

              @wallabybob:

              I presume the hypervisor has control at least of the "LAN facing" WiFi NIC.
              Is this presumption correct?

              No, LAN-facing is vNIC bridged from host's wifi adapter.

                wallabybob

                @hcigmx:

                @wallabybob:

                Sorry, by "internet host" I meant a public IP address (e.g. 74.125.237.116, www.google.com).

                That's the result from LAN-facing capture when I ping to public IP.

                If you ping 74.125.237.116 from a system on your WiFi and, by the time that gets into pfSense, the destination IP address of 74.125.237.116 becomes a 192.168.x.x address, that address transformation is the problem. It is not a pfSense problem.

                It is a pity you didn't post more of the packet capture output, especially the decode of the packets. That would at least give confirmation the snippet you posted is a PING and not some other traffic between WiFi client and pfSense.

                @hcigmx:

                @wallabybob:

                I presume the hypervisor has control at least of the "LAN facing" WiFi NIC.
                Is this presumption correct?

                No, LAN-facing is vNIC bridged from host's wifi adapter.

                This answer is inconsistent - by hypervisor I meant the OS hosting the pfSense virtual machine. In that case the correct answer would be one of:
                1. Yes, the LAN-facing is vNIC bridged from host's wifi adapter; OR
                2. No, the LAN facing WiFi NIC is "passed through" from host OS to pfSense VM.

                  hcigmx

                  @wallabybob:

                  If you ping 74.125.237.116 from a system on your WiFi and, by the time that gets into pfSense, the destination IP address of 74.125.237.116 becomes a 192.168.x.x address, that address transformation is the problem. It is not a pfSense problem.

                  It is a pity you didn't post more of the packet capture output, especially the decode of the packets. That would at least give confirmation the snippet you posted is a PING and not some other traffic between WiFi client and pfSense.

                  When PING from 192.168.8.8 to 74.125.237.24 (www.google.co.nz IP), packet capture showed:
                  with filter set to 192.168.8.8: showed blank
                  with filter set to 74.125.237.24: showed blank
                  with no filter: showed nothing on PING traffic, but some ARP packets requesting LAN broadcast traffic to be directed to 192.168.8.3 (LAN Access Point).

                  When PING from 192.168.8.8 to 192.168.8.1, packet capture showed:
                  with filter set to 192.168.8.8: showed PING traffic
                  with filter set to 192.168.8.1: showed PING traffic
                  with no filter: showed PING traffic

                  @wallabybob:

                  This answer is inconsistent - by hypervisor I meant the OS hosting the pfSense virtual machine. In that case the correct answer would be one of:
                  1. Yes, the LAN-facing is vNIC bridged from host's wifi adapter; OR
                  2. No, the LAN facing WiFi NIC is "passed through" from host OS to pfSense VM.

                  Sorry, didn't understand hypervisor. The answer is 1: vNIC bridged from host's wifi adapter. I did try to pass through to VM, but wifi adapter not supported (Ralink RT5370).

                    wallabybob

                    @hcigmx:

                    When PING from 192.168.8.8 to 74.125.237.24 (www.google.co.nz IP), packet capture showed:
                    with filter set to 192.168.8.8: showed blank
                    with filter set to 74.125.237.24: showed blank
                    with no filter: showed nothing on PING traffic, but some ARP packets requesting LAN broadcast traffic to be directed to 192.168.8.3 (LAN Access Point).

                    Then you will have to look outside pfSense - for some reason pfSense is not seeing your pings.

                    @hcigmx:

                    I did try to pass through to VM, but wifi adapter not supported (Ralink RT5370).

                    The TP-Link WN321G is available retail near me for under AUS$10. I have used them with pfSense where it is supported by the run driver. It might be a more effective use of your time to get such a device and give pfSense exclusive use of it than to continue messing around trying to figure out what Windows is doing to your traffic.

                      hcigmx

                      @wallabybob:

                      Then you will have to look outside pfSense - for some reason pfSense is not seeing your pings.

                      I will. It's down to only host, VMware and AP.

                      @wallabybob:

                      It might be a more effective use of your time to get such a device and give pfSense exclusive use of it than to continue messing around trying to figure out what Windows is doing to your traffic.

                      Learning is a lifelong journey, and this problem gives an opportunity to learn more. Should the solution be found, it can contribute to knowledge growth of self and others.

                      Thanks so much for the time and efforts you have spared for me. I appreciate the troubleshooting process that we had gone through together. Your approach has been great and I commend you on this.

                        wallabybob

                        @hcigmx:

                        Switching of LAN adapters from wired to wifi was done in VM setting, so pfSense should not see anything different.

                        I have no experience with VMware but I suspect that in the VMware environment you have somehow failed to adjust something crucial when making that change.

                        Can you do a packet capture in VMware to verify VMware is seeing the ping traffic over WiFi? Can you trace where it goes then?
