Help on starting atheros wifi

wallabybob

In Interfaces -> (assign) click the "+" button at the lower right of the page to add the interface to the pool of interfaces available to pfSense. You should then see it as an OPTx interface and be able to configure it from the appropriate Interfaces -> OPTx page (x in 1, 2, 3 …)

MrRocco

Thanks wallabybob!

I actually figured out what I was doing shortly after my post. I just expected the interface to show up and missed the painfully obvious step of adding it.

I have been testing various settings today and dialed back to a pretty basic 802.11g AP mode. (BTW, this is a test build not my primary router thankfully). The WLAN [ath0] is in bridged mode with em1 which is sitting on my LAN at a fixed IP. DHCP is off and everything else is stock.

I cannot keep a consistent connection to this AP. There might be more logging that I can capture. This is from the diag_logs_wireless page:

Jan 3 18:54:01	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 IEEE 802.11: associated
Jan 3 18:54:01	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: event 1 notification
Jan 3 18:54:01	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: event 4 notification
Jan 3 18:54:01	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: sending 1/4 msg of 4-Way Handshake
Jan 3 18:54:01	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: received EAPOL-Key frame (2/4 Pairwise)
Jan 3 18:54:01	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: sending 3/4 msg of 4-Way Handshake
Jan 3 18:54:01	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: received EAPOL-Key frame (4/4 Pairwise)
Jan 3 18:54:01	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 IEEE 802.1X: authorizing port
Jan 3 18:54:01	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 RADIUS: starting accounting session 50E5D0CC-00000002
Jan 3 18:54:01	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: pairwise key handshake completed (RSN)
Jan 3 18:54:16	hostapd: ath0_wlan0: WPA rekeying GTK
Jan 3 18:54:16	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: sending 1/2 msg of Group Key Handshake
Jan 3 18:54:16	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: EAPOL-Key timeout
Jan 3 18:54:16	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: sending 1/2 msg of Group Key Handshake
Jan 3 18:54:16	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: received EAPOL-Key frame (2/2 Group)
Jan 3 18:54:16	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: group key handshake completed (RSN)
Jan 3 18:54:16	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: received EAPOL-Key 2/2 Group with unexpected replay counter

That is a partial snip of the log.

Why is trying to authenticate RADIUS? (I don't have that configured)

I have the antennas explicitly assigned to snd #1/rcv #2 to avoid diversity issues, although the atheros 8290 supports it.

Other things I can try to bring stability?

Thanks!

MrRocco

Update:

Cleared the log completely.

Started up my iPhone as a client and it connect successfully. Within a few seconds the join got lost. I refreshed the log and saw the "rekeying GTK" message and the ones after it but the phone was disconnected.

hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 IEEE 802.11: associated
Jan 3 21:10:00	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: event 1 notification
Jan 3 21:10:00	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: start authentication
Jan 3 21:10:00	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 IEEE 802.1X: unauthorizing port
Jan 3 21:10:00	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: sending 1/4 msg of 4-Way Handshake
Jan 3 21:10:00	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: received EAPOL-Key frame (2/4 Pairwise)
Jan 3 21:10:00	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: sending 3/4 msg of 4-Way Handshake
Jan 3 21:10:00	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: received EAPOL-Key frame (4/4 Pairwise)
Jan 3 21:10:00	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 IEEE 802.1X: authorizing port
Jan 3 21:10:00	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 RADIUS: starting accounting session 50E5D0CC-00000006
Jan 3 21:10:00	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: pairwise key handshake completed (RSN)
Jan 3 21:10:16	hostapd: ath0_wlan0: WPA rekeying GTK
Jan 3 21:10:16	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: sending 1/2 msg of Group Key Handshake
Jan 3 21:10:16	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: received EAPOL-Key frame (2/2 Group)
Jan 3 21:10:16	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: group key handshake completed (RSN)

Is there something funky going on during the rekey?

Thanks!

wallabybob

Are your clients attempting to get an IP address by DHCP?

Have you had this working with encryption disabled?

MrRocco

Are your clients attempting to get an IP address by DHCP?

Yes, but not from this pfSense router. My primary router (running 2.0.1 on different HW with no WIFI) is also the DHCP server.

Have you had this working with encryption disabled?

I haven't tried it with no encryption. Since I don't have the traffic separated I didn't want an open AP on my LAN. I guess I could set up a rule on my primary to treat this as "guest" network and have WAN only access then turn of WPA2.

UPDATE

Since the previous posting, the rekeying has been working successfully. I will add a few more clients and keep testing with adding/deleting and see how stable it is.

I still remain curious about the RADIUS auth/deauth messages in the log. Can't figure out why that would be happening…

Thanks!

wallabybob

@MrRocco:

I still remain curious about the RADIUS auth/deauth messages in the log. Can't figure out why that would be happening…

I don't use radius accounting but my wireless log reports:

RADIUS: starting accounting session 50E3AB31-00000017

MrRocco

Unfortunately I still see the wifi connection drop, or the client fail to re-connect for periods of time. Somewhere in the 30s-90s range then the connection is re-established. Not as reliable as I had hoped it would be.

MrRocco

Unfortunately this is still a problem. I am surprised as to the unreliability of Wifi in pfSense at this point.

Here is a log dump after clearing and it started the rekeying event:

Jan 8 23:04:27	hostapd: ath0_wlan0: WPA rekeying GTK
Jan 8 23:04:27	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: sending 1/2 msg of Group Key Handshake
Jan 8 23:04:27	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: received EAPOL-Key frame (2/2 Group)
Jan 8 23:04:27	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: group key handshake completed (RSN)
Jan 8 23:05:06	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 IEEE 802.11: associated
Jan 8 23:05:06	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: event 1 notification
Jan 8 23:05:06	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: event 4 notification
Jan 8 23:05:06	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: sending 1/4 msg of 4-Way Handshake
Jan 8 23:05:06	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: received EAPOL-Key frame (2/4 Pairwise)
Jan 8 23:05:06	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: sending 3/4 msg of 4-Way Handshake
Jan 8 23:05:06	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: received EAPOL-Key frame (4/4 Pairwise)
Jan 8 23:05:06	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 IEEE 802.1X: authorizing port
Jan 8 23:05:06	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 RADIUS: starting accounting session 50EC8297-00000006
Jan 8 23:05:06	hostapd: ath0_wlan0: STA 5c:59:48:23:00:71 WPA: pairwise key handshake completed (RSN)

The iPhone client cannot pair with the pfSense node.

Is the Atheros support that bad? Is it my settings? I'm looking for any other helpful hints. Meanwhile I will try some other things. I will try an Internet access only "guest" network and turn off all of the security and see if pairing improves.

Any pointers are helpful as I would prefer to remove my other WAPs.

Thanks!

wallabybob

@MrRocco:

I am surprised as to the unreliability of Wifi in pfSense at this point.

Please take care not to come to a hasty conclusion based on insufficient data.

I have two pfsense WiFi APs at home, one based on a PCI card with Atheros chipset, one based on USB stick with Ralink chipset. My Android phone associates with both APs for hours at a time but won't associate for more than a few seconds with the free WiFi in the local commuter rail. A number of different Windows systems in the house have no trouble associating with either AP for extended periods.

Do you have other devices that associate with the pfSense AP for long periods?

MrRocco

Sorry, not trying to be hasty. I've been testing before I posted that but I am happy to continue testing all sorts of things to get to the bottom of it.

Most of my wireless clients are things like iOS devices or printers. Everything else is wired or a production system. I will dig up an older Intel based Macbook and try many cycles of sleeping and unsleeping it on the system.

For now I did as posted and created an open wifi guest subnet with no security at all. I want to see if I have any headaches with that for a few hours.

Thanks.

A Former User

also which version IOS you running on the iPhones?

seems 6.0 has issues with WiFi… 6.1 seemed to fix issues we see in house here
(in the Lab)

We dont allow personal phones to connect to the corp network but we tend to Test
lots of stuff in the Lab that never sees the light of day outside the lab.

MrRocco

also which version IOS you running on the iPhones?

I am still running 5.1.1 but will soon be upgrading to 6.0.1

UPDATE

I have had good success with the completely open wifi and multiple clients. Now I will layer in WPA in a measured approach and see how it goes.

Thanks