Channels beyond 11 not visible
-
If you expect to see channels above 11, make sure you set the appropriate regulatory domain, country, etc. Not all channels are available in all regions, so the driver limits what it shows based on where those channels are allowed.
-
Ok, guys.. this is really strange behavior and I am feeling quite depressed about it all. I have tried all the things you wrote, I set the security to only AES, I specified the regulatory domain and all the options in that area, I even tried to invert the password case (ie. uppercase -> lowercase, lowercase->uppercase). I just wont budge. In the logs I can still read that the "[WLAN access rejected: incorrect security] from MAC address 00:22:b0:6d:6a:df, Wednesday, December 19,2012 01:44:13"
I tried setting a reserved IP for the card and mac address in the Netgear router. When I did that, pfSense reported that the interface was associated and that the "Media" is OFDM/36mbps mode 11g (what is that?). I tried to ping, nothing happens.
I even changed the SSID, hoping for soemthing.
So, then I removed the RT2870 card from the pfSense box, attach it to my linux laptop, try to connect to the AP with same settings as in pfSense. Lo and behold, I have internet. What the hell? In fact, I am posting this very message from my linux laptop now.
EDIT:
Some screens of the interfaces page showing the NIC is associated, but not getting an IP.
I have also tried doing this with the RT3070 (Alfa AWUS036NH) card I have, but that had even worse results than RT2870 if you can believe it.. and I did a reboot before I tried setting it up.I am now considering acquiring an Atheros NIC, namely the TL-WN722N which has the AR9002U chipset. Could this solve the problem?
-
As a test you should try with no encryption. It may be some underlying cause that isn't obvious.
You could try a WPA pass phrase that is all numbers, that way it's not possible to get a case error. It's also usually possible to enter the key in hex directly. I have had equipment that required that, though not for a number of years now.That log entry does seem to imply they just aren't using the same encryption type. Any logs from pfSense?
Steve
-
Based on a fairly limited experience I have formed the suspicion that WiFi interfaces in Infrastructure mode re rather less well tested than the devices in AP mode.
Can you switch the pfSense to AP mode and the Netgear to Infrastructure mode, even for a short period to see what happens?
-
Well, I am not sure the NETGEAR is able to go into BSS mode, the device is from the ISP, so I don't want to mess with that too much, to be honest.
Setting the RT2870 in AP mode appears to be working just fine. It is broadcasting and all; I tried having it with and without encryption and was able to connect in both situations. I did not manage to access the webconfiguration page from the wireless connection, however. Maybe I forgot to do some settings…
Then I finally tried to have NETGEAR unencrypted, and to my big surprise I was able to connect to it and have an IP address assignet to RT2870! However, I was not able to go on the internet, save for pinging google and pfsense.org and some other choice websites, I was not able to do anything. Not even traceroute. Something was curious, though. In the list of DNS servers 127.0.0.1 was present. I knew I had not put it there, so this must have been pfSense's doing. This lead me to notice that the DNS Forwarding service was enabled and was preventing communication to the internet. I disabled that, and was able to browse the internet! Amazing! I managed to download the latest BETA1 snapshot through the auto-update utility and update pfSense to have the current snapshot.
This is all great, but it does not really help me as I cannot have NETGEAR unsecured. That would be a trade-off I am not willing to do. :( And now that I have enabled security on NETGEAR, it is same old again. Why?
-
I am now considering acquiring an Atheros NIC, namely the TL-WN722N which has the AR9002U chipset. Could this solve the problem?
A quick search hasn't provided any evidence that device is supported.
I suspect the chipsets you have tried are the only "newish" USB chipsets supported.
The only other likely expansion slot on a laptop of that vintage is PCMCIA/Cardbus, but, in my limited experience, Cardbus support in FreeBSD is highly dependent on the BIOS corrctly initialising the Cardbus bridge and Windows doesn't seem to require that.
Fruitful field for you for research!
If you don't run want to run the risk of spending lots of hours and still not getting that configuration working I suggest you try to pick up a cheap second hand desktop or small server PC where your connectivity options will be considerably greater: an ability to add extra NICs to support a external wireless router/bridge and a greater range of supported PCI/PCI-e devices if you prefer to have the wireless NIC in pfSense.
It is experiences such as you have recounted that form the basis of my suspicion that WiFi interfaces in Infrastructure mode are rather less well tested on FreeBSD than the devices in AP mode.
If you want to persevere with the laptop AND it has PCMCIA slots you could go looking on eBay for Cardbus/PCMCIA wireless NICs with Atheros chipset or Ralink RT2560 or RT2561 but … If you want to explore that option further I'll make some further suggestions.
I
-
Well, I wouldn't call the RT2870 new. I bought it 3 or 4 years ago, iirc.
I haven't looked, but I think the laptop has a pcmcia slot. Though, like you said, it is most likely a hassle to deal with. A fruitful field I rather leave unexplored.
I just cant get my head around why it would not connect because the network is encrypted. That's really.. strange. Well, my other choice would be to use an old PC I have standing around, but I want to avoid that as I am trying to keep unnecessary power-consumption at a minimum.
Currently, I am looking at trying DD-WRT or OpenWRT or some other Linux-based solution because it looks like Linux has better driver support. This is sad, because I think pfSense has a great list of features and capabilities. What are the chances this will be fixed in an upcoming release? From what I gather, there's still the issue of 802.11n support in FreeBSD… :(
-
I just cant get my head around why it would not connect because the network is encrypted. That's really.. strange. Well, my other choice would be to use an old PC I have standing around, but I want to avoid that as I am trying to keep unnecessary power-consumption at a minimum.
My Linux netbook came with a VIA mini-PCI-E (USB) WiFi adapter. It worked fine with my then pfSense. After a Linux upgrade the WiFi stopped working and wouldn't work again until I changed the WPA Pairwise setting on my pfSense from Both to AES. (TKIP wouldn't work.) On upgrade to Ubuntu 12.04 the WiFi adapter was "unsupported" and was unrecognised. I bought an Intel mini-PCI-E WiFi adapter on eBay for a few dollars and it has worked fine for about the last 6 months.
I am recounting this to show that bizarre WiFi encryption behaviour is not exclusive to FreeBSD.
Currently, I am looking at trying DD-WRT or OpenWRT or some other Linux-based solution because it looks like Linux has better driver support.
One of the reasons I ditched Smoothwall for pfSense some years ago was that I would have had to build WiFi drivers for it myself. I don't know about xxWRT.
This is sad, because I think pfSense has a great list of features and capabilities. What are the chances this will be fixed in an upcoming release?
My guess is "zip if no-one files a FreeBSD Problem Report". You can file a FreeBSD Problem Report at http://www.freebsd.org/send-pr.html
From what I gather, there's still the issue of 802.11n support in FreeBSD… :(
Coming, but Christmas will be here sooner!
-
Well this is a big step forward. :)
You have shown that the connection can work if both sides are talking the same encryption type.
Can you try WEP instead? Clearly it's not secure any more but since it's much older it's far more tested and likely to work.
If you deliberately put in a completely incorrect pass phrase does the Netgear log still show the same thing? I suspect that it never gets as far as actually checking the key if the encryption type doesn't match.
Maybe try configuring your laptop 'wrong' in various ways to see what errors are produced in the log. When you see the same error that pfSense is generating you will know what you have configured wrong that is producing it.
I would expect some errors in the pfSense logs that may give a clue. :-\Reading back through the thread it seems to me one of three things could be happening here:
1: The run(4) driver is fundamentally broken in some way that prevents it doing the correct encryption.
This seems unlikely since, even by FreeBSD standards, 3-4 years is quite old and I would expect to see many threads in the FreeBSD forums if it were the case.2: The pfSense webGUI is not correctly setting up the driver. This is more likely since, as Wallabybob said, almost everyone who uses wifi in pfSense uses hostap mode. It could be a new bug. This is relatively easy to test however by simply setting up the NIC from the CLI.
3: The encryption types are simply setup mismatched and it's not obvious from the two web interfaces that this is happening. This still seems the most likely to me. ;)
I notice fro your screenshot of the Netgear that it cannot do WPA-AES or WPA2-TKIP. It's possible pfSense is defaulting to one of those unless you have specifically told it not to.Steve
-
In your previous ifconfig I see no mention of AES or any other encryption type. Where as my home box with it's ath0 card set as hostap:
ath0_wlan0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 ether 00:11:f5:ee:41:8b inet6 fe80::211:f5ff:feee:418b%ath0_wlan0 prefixlen 64 scopeid 0x11 inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255 nd6 options=3 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>status: running ssid ******** channel 8 (2447 MHz 11g) bssid 00:11:f5:******** regdomain ETSI country GB indoor ecm authmode WPA1+WPA2/802.11i privacy MIXED deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 30 scanvalid 60 protmode OFF burst dtimperiod 1 -dfs</hostap></performnud,accept_rtadv></up,broadcast,running,simplex,multicast>Also what does your card show for it's capabilities:
[2.0.1-RELEASE][root@pfsense.fire.box]/root(13): ifconfig ath0_wlan0 list caps drivercaps=6f85ed01 <sta,ibss,hostap,ahdemo,txpmgt,shslot,shpreamble,monitor,mbss,wpa1,wpa2,burst,wme,wds,bgscan,txfrag>cryptocaps=1f <wep,tkip,aes,aes_ccm,tkipmic></wep,tkip,aes,aes_ccm,tkipmic></sta,ibss,hostap,ahdemo,txpmgt,shslot,shpreamble,monitor,mbss,wpa1,wpa2,burst,wme,wds,bgscan,txfrag>Steve
-
In your previous ifconfig I see no mention of AES or any other encryption type. Where as my home box with it's ath0 card set as hostap:
ath0_wlan0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 ether 00:11:f5:ee:41:8b inet6 fe80::211:f5ff:feee:418b%ath0_wlan0 prefixlen 64 scopeid 0x11 inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255 nd6 options=3 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>status: running ssid ******** channel 8 (2447 MHz 11g) bssid 00:11:f5:******** regdomain ETSI country GB indoor ecm authmode WPA1+WPA2/802.11i privacy MIXED deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 30 scanvalid 60 protmode OFF burst dtimperiod 1 -dfs</hostap></performnud,accept_rtadv></up,broadcast,running,simplex,multicast>Also what does your card show for it's capabilities:
[2.0.1-RELEASE][root@pfsense.fire.box]/root(13): ifconfig ath0_wlan0 list caps drivercaps=6f85ed01 <sta,ibss,hostap,ahdemo,txpmgt,shslot,shpreamble,monitor,mbss,wpa1,wpa2,burst,wme,wds,bgscan,txfrag>cryptocaps=1f <wep,tkip,aes,aes_ccm,tkipmic></wep,tkip,aes,aes_ccm,tkipmic></sta,ibss,hostap,ahdemo,txpmgt,shslot,shpreamble,monitor,mbss,wpa1,wpa2,burst,wme,wds,bgscan,txfrag>Steve
Here's cap list:
ifconfig run0_wlan0 list caps drivercaps=d85c501 <sta,ibss,hostap,shslot,shpreamble,monitor,mbss,wpa1,wpa2,wme,wds>cryptocaps=1b<wep,tkip,aes_ccm,tkipmic></wep,tkip,aes_ccm,tkipmic></sta,ibss,hostap,shslot,shpreamble,monitor,mbss,wpa1,wpa2,wme,wds>And here are the logs: http://speedy.sh/7ugBP/logs.zip
Not sure which ones are relevant, system.log and dhcpd.log, I guess… anyway, I cp'd the whole /var/logs/ :/
EDIT:
Oh, here's the ifconfig output:
run0_wlan0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 ether 00:22:b0:6d:6a:df inet6 fe80::222:b0ff:fe6d:6adf%run0_wlan0 prefixlen 64 scopeid 0x9 inet 192.168.1.9 netmask 0xffffff00 broadcast 192.168.1.255 nd6 options=3 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet DS/5.5Mbps mode 11g status: associated ssid LGM2 channel 2 (2417 MHz 11g) bssid 30:46:9a:1b:42:14 regdomain ETSI country SE outdoor authmode WPA2/802.11i privacy ON deftxkey UNDEF AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 30 bmiss 7 scanvalid 60 protmode OFF roaming MANUAL</performnud,accept_rtadv></up,broadcast,running,simplex,multicast>It's kind of interesting, in fact. Now that I powered pfSense off, and turned it on a bit later, the NIC seems to be associated and authenticated with the AP. It has it's own IP, but I cannot access the internet; ping and traceroute do not work.
-
Well I immediately see that your device is not capable of AES only AES_CCM. If the Netgear router is expecting AES it won't work. Try setting both ends to TKIP.
Looking at the logs now…Steve
Edit: You edited while I typed! Can you not even ping the router when it has acquired an IP?
-
FYI- When updating the wireless chapter of the book over the last few weeks I did configure and test acting as a wireless client, and it worked fine. (My only issue was a signal/antenna issue, namely that my test box didn't have one. Once I plugged one in, it worked ;-)
Some cards/drivers can be picky about AES vs TKIP and also Open System vs Shared Key, and also PSK vs EAP.
-
Was that with the run(4) driver Jim?
@B-vigilanT: Hmm, the zip file with the logs in it won't open on my Linux laptop.
-
No, all I have are ath(4) cards on hand at the moment, various 52xx and 59xx models. (And mwl(4) but I didn't test those recently)
-
Was that with the run(4) driver Jim?
@B-vigilanT: Hmm, the zip file with the logs in it won't open on my Linux laptop.
Try this, I packed it in .rar for you: http://speedy.sh/7ujcP/logs.rar
I have not tested pinging the router. The battery in my laptop is dead. I have to wait for charge. I will try asap.
-
I have a device that uses the run(4) driver here so plugged it in to see what was what. I'm seeing pretty much exactly the same as you.
[2.0.1-RELEASE][root@pfSense.localdomain]/root(1): ifconfig run0_wlan0 run0_wlan0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 ether f8:d1:11:******** inet6 fe80::fad1:11ff:fec1:5b57%run0_wlan0 prefixlen 64 scopeid 0xe nd6 options=3 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11g status: associated ssid Area58net channel 2 (2417 MHz 11g) bssid 00:90:7f:******** regdomain ETSI country GB authmode WPA2/802.11i privacy ON deftxkey UNDEF TKIP 2:128-bit TKIP 3:128-bit txpower 30 bmiss 7 scanvalid 60 protmode OFF roaming MANUAL [2.0.1-RELEASE][root@pfSense.localdomain]/root(2): ifconfig run0_wlan0 list caps drivercaps=d85c501 <sta,ibss,hostap,shslot,shpreamble,monitor,mbss,wpa1,wpa2,wme,wds>cryptocaps=1b <wep,tkip,aes_ccm,tkipmic></wep,tkip,aes_ccm,tkipmic></sta,ibss,hostap,shslot,shpreamble,monitor,mbss,wpa1,wpa2,wme,wds></performnud,accept_rtadv></up,broadcast,running,simplex,multicast>You can see it's trying to use TKIP although it's set to 'both' in the config. In the router I'm trying to connect to, which is also set to both encrytion types and wpa/wpa2, I am seeing:
Process=hostapd msg=ath1: STA f8:d1:11:******* WPA: EAPOL-Key timeoutHmm, I'll try some more combinations. If it does work I'll probablyget some hideous network loop! ::)
Steve
-
Hmm well that was interesting.
So I have it working by simply using a static IP instead of relying on DHCP. No idea why that worked, presumably DHCP is being blocked somewhere.
The run driver seems to ignore the WPA/WPA2 selection in the GUI or at least it can choose to use something else. ::)Steve
-
Ok there's some bug here. With the wifi interface set to dhcp in the web gui I don't get an address. Yet:
[2.0.1-RELEASE][root@pfSense.localdomain]/root(8): ifconfig run0_wlan0 run0_wlan0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 ether f8:d1:11:******** inet6 fe80::fad1:11ff:fec1:5b57%run0_wlan0 prefixlen 64 scopeid 0xe nd6 options=3 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11g status: associated ssid Area58net channel 2 (2417 MHz 11g) bssid 00:90:7f:******** regdomain ETSI country GB authmode WPA privacy ON deftxkey UNDEF TKIP 2:128-bit TKIP 3:128-bit txpower 30 bmiss 7 scanvalid 60 protmode OFF roaming MANUAL [2.0.1-RELEASE][root@pfSense.localdomain]/root(9): dhclient run0_wlan0 dhclient: PREINIT DHCPDISCOVER on run0_wlan0 to 255.255.255.255 port 67 interval 5 DHCPOFFER from 192.168.111.1 DHCPREQUEST on run0_wlan0 to 255.255.255.255 port 67 DHCPACK from 192.168.111.1 bound to 192.168.111.11 -- renewal in 14400 seconds. [2.0.1-RELEASE][root@pfSense.localdomain]/root(10): ifconfig run0_wlan0 run0_wlan0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 ether f8:d1:11:******** inet6 fe80::fad1:11ff:fec1:5b57%run0_wlan0 prefixlen 64 scopeid 0xe inet 192.168.111.11 netmask 0xffffff00 broadcast 192.168.111.255 nd6 options=3 <performnud,accept_rtadv>media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11g status: associated ssid Area58net channel 2 (2417 MHz 11g) bssid 00:90:7f:******** regdomain ETSI country GB authmode WPA privacy ON deftxkey UNDEF TKIP 2:128-bit TKIP 3:128-bit txpower 30 bmiss 7 scanvalid 60 protmode OFF roaming MANUAL</performnud,accept_rtadv></up,broadcast,running,simplex,multicast></performnud,accept_rtadv></up,broadcast,running,simplex,multicast>Steve
-
Hmm well that was interesting.
So I have it working by simply using a static IP instead of relying on DHCP. No idea why that worked, presumably DHCP is being blocked somewhere.
The run driver seems to ignore the WPA/WPA2 selection in the GUI or at least it can choose to use something else. ::)Steve
Yeah, I was thinking that too previously. However, I am unsure if I am setting the subnet correctly.. /24 should be 255.255.255.0, I think.. but im unsure if that is what it should be even. Also, in the Static IPv4 Configuration should I set the NETGEAR gateway address(192.168.1.1) in the Gateway drop-down menu or the gateway for the pfSense (10.10.1.1) box?
Now, I tried switching to static IP and it dropped connection and is not regaining it. BTW, which are the proper Authentication and Key Management mode in my case? I noticed, by running ifconfig over and over again, that having them in Both the interface is switching mode all the time.
