Infrastructure BSS works with no encryption and WEP, not WPA…

fthomasr

I'm having the same issue. I'm on 2.0.2 with an Atheros card in BSS mode. WPA or WPA2 I get associated but it will not grab the DHCP address which is offered to it. Conversely if I set it static and and configure a static gateway it will not pass traffic either (ping 8.8.8.8 to wireless interface inside pfsense GUI.) It shows the gateway 'offline'

Help.

@wm408:

(pfSense driven Atheros WLAN client using BSS mode) –---> "WiFi_Net" wireless network AP, wired to  -----> Local Area Network (LAN)
                                                                                                                                                             
On the LAN also exists another pfSense box that is the Internet router, serving DHCP to LAN clients.

I've been testing with BSS mode to have the Atheros card ( I renamed the interface "WLAN") act as a client to a wireless network called "WiFi_Net")

With no encryption, and WEP, the pfsense box with the Atheros card (WLAN), the interface picks up an IP address from the DHCP server (another pfsense box, which does not manage the wireless network "WiFi_Net", it just exists on the LAN... wired network).

When I enable WPA on the wirelss network "WiFi_Net", (particularly WPA2 TKIP and WPA2 AES, I tried both), I see the dhcp request from the Atheros WLAN client hit the DHCP server pfsense box on the LAN / wired network.  Then the pfsense box on the LAN / wired network replies and tries to hand off an IP address to the Atheros (WLAN client).  I don't think that the Atheros WLAN client ever receives the DHCP reply from the server and it looks like it drops it's wireless association as this point.  I also tried a static IP on the atheros interface "WLAN", no luck, (while testing with WPA2 TKIP / AES).

Does anyone have any thoughts or experience here?  Thank you.

wallabybob

Have you tried a pfSense 2.1 snapshot build?

fthomasr

No I haven't because:

A. This is in a production environment so I'm concerned about running a beta version.
B. I thought that wm408 tried that and it didn't resolve it. However I reread his post and see that once he set it to static the issue was resolved.

I might build a test box and try it. I have several in stock so it shouldn't take long. What has changed in the beta that resolves the issue?

wm408

fthomasr: So you're pinging from the pfSense gui, 8.8.8.8?

Oh… Make sure your system's default gateway is the gateway you use for the BSS (Infrastructure) adapter.

If you have WAN also... (the default),.. your searches for 8.8.8.8 will go through the WAN.

Go to: System > Routing > Gateways and make sure the gateway that you added when you configured the WLAN adapter is set as the system's "default gateway".

I suggest in production environment to have two separate storage media, if you use Compact Flash, get another one to test with so that you can jump back to your production with little work,
I jumped between some of the nightly's and there was some errors during boot up that were not so good.

I am running:

2.1-BETA1 (i386)
built on Wed Feb 13 16:46:23 EST 2013

And it has been stable, I think there's a newer version but I will wait a while before I upgrade.  :)

With these beta builds, I've found a bad problem where if I try to do BSS (infrastructure) to link to a remote wireless network, and then also run a second interface on the same physical wireless adapter (atheros) as an Access Point (AP), during boot up, the process gets stuck trying to load the second, virtual interface adapter, and essentially bricks the install.  So keep an eye out for that if you had any plans to do that, as I am NOT doing that right now.

@fthomasr:

No I haven't because:

A. This is in a production environment so I'm concerned about running a beta version.
B. I thought that wm408 tried that and it didn't resolve it. However I reread his post and see that once he set it to static the issue was resolved.

I might build a test box and try it. I have several in stock so it shouldn't take long. What has changed in the beta that resolves the issue?

fthomasr

Yes ping from pfSense GUI.

I don't want the default gateway to be the WWAN. The WWAN is to be used for failover only.

The pings to 8.8.8.8 should not go through the WAN as I am choosing interface WWAN and it has it's own defined Gateway.

wm408

@fthomasr:

Yes ping from pfSense GUI.

I don't want the default gateway to be the WWAN. The WWAN is to be used for failover only.

The pings to 8.8.8.8 should not go through the WAN as I am choosing interface WWAN and it has it's own defined Gateway.

Yes but, pfSense GUI (or BSD for that matter) doesn't know to choose that.  It assumes the system gateway to be the default if you have not changed it.

I suggest looking at the output of just typing "ping" or "traceroute", (or google), there are options to define: Through what INTERFACE should my ping/traceroute travel through.

Or, if you want to test your failover, and it is configured properly… try physically disconnecting the WAN and see if the traffic properly goes down the WWAN.

wallabybob

@fthomasr:

What has changed in the beta that resolves the issue?

The more up to date device drivers MIGHT resolve the issue.

fthomasr

There's a twist. Because the router is in a production evironment I decided to backup its configuration and restore it to an exact same model unit that I have in stock with the same firmware 2.0.1. I restored the config and it connected with DHCP with no issues to an access point I have at my office. Same Atheros wifi card, same Alix board, etc.

Differences between them since it doesn't seem to be pfSense:

At the customer site the access point is a Linksys WRT54GL with Tomato firmware with DHCP server on the access point.
At my office (where it works) is an old Buffalo WLAG54 also with Tomato firmware but DHCP is provided by my Windows server.

Same WiFi security on both, Personal WPA2 with AES, with different shared keys of course.

So it's either the difference in access point radio's, version of Tomato, or DHCP(which is the least plausible since it wouldn't work with a static IP either.)

My next step is to take my test build to the site just to make sure it behave the same and fails to connect to the Linksys… Also wm408 what access point model are you connecting to?

wm408

Hey fthomasr:

Two cases:  One of the access points was a Linksys E3000, the other was a Ruckus Wireless, (I don't know the model).

Both cases dumped me upon DHCP renewal between client (the pfsense box) and server (the remote AP(s)).

Only Static worked for me.

@fthomasr:

Also wm408 what access point model are you connecting to?

fthomasr

Ok so I took my lab router over to the site and it also could not connect to the WRT54GL no matter what WiFi security settings I tried(also DHCP or Static), despite being associated each time. I upgraded to 2.1 beta and tried DHCP. Just as wm408 no connection either. Also just as wm408 found the connection worked only with a static. This was fine for me as that's what I wanted in the end.

Thanks wm408 for starting this thread and posting your findings. It was helpful for me.

wm408

fthomasr:

Cool!  Yeah I have one set up at my office now this way.  Works good for me, I just wire to the router/nearby switch, (no wifi from my laptop).

Watch out for virtual interfaces on the same WiFi adapter.  When I tried to make an AP it (with the BSS bridge),  The Atheros I am using gets stuck on loading the interface during the boot sequence, bricking the router essentially.  Heads up anyways.

Hopefully that gets worked on someday too.

@fthomasr:

Ok so I took my lab router over to the site and it also could not connect to the WRT54GL no matter what WiFi security settings I tried(also DHCP or Static), despite being associated each time. I upgraded to 2.1 beta and tried DHCP. Just as wm408 no connection either. Also just as wm408 found the connection worked only with a static. This was fine for me as that's what I wanted in the end.

Thanks wm408 for starting this thread and posting your findings. It was helpful for me.