Netgate Discussion Forum

    Unable to access internet from AP

    • renatohtpc

      I have set up PS 2.2 with 4 Ethernet cards/interfaces:

      1. WAN - DHCP from ISP
      2. LAN - 192.168.1.X with DHCP from 192.168.1.200 -> 192.168.1.254
      3. Blue - 192.168.2.X with DHCP from 192.168.2.100 -> 192.168.2.130
      4. Orange - DMZ 192.168.3.X

      I have connected the blue interface to a Netgear 3400 (192.168.2.2) set up as an AP through its LAN port. The idea is to have an AP which is isolated from the other interfaces and only has internet access.

      I am able to connect my devices to the AP, but I cannot access the internet.

      I have also created the following firewall rule.

      What am I missing?

      Thanks
      Renato

      Snap8.png

      • Derelict LAYER 8 Netgate

        Your firewall rules should first block things you don't want your wi-fi clients to be able to access then pass from source BLUE net to dest any, not WAN net.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • renatohtpc

          Thanks for the quick reply.

          Do I still need to block traffic for the blue network given that it is on its own subnet?

          Sorry for the trivial questions but I am very new to this.

          Renato

          • Derelict LAYER 8 Netgate

            You need to block the traffic you want to block or it will be allowed by the pass destination any.

            Maybe it would help if you describe what you're doing and what you want wi-fi users to NOT be able to access.

            Never mind.  I see.

            Yeah.  Below the DNS rule you want something like:

            reject IPv4 any source BLUE net dest ORANGE net
            reject IPv4 any source BLUE net dest LAN net
            reject IPv4 any source BLUE net dest This Firewall (self)

            then your pass IPv4 source BLUE net dest any

            And you probably want to make your DNS rule TCP/UDP.

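Added example, not part of the original posts: a simplified first-match model of the BLUE interface rules in Python, showing why a pass to `WAN net` gives no internet access and why the rejects have to sit above the pass to any. The firewall's own addresses, the WAN subnet (a documentation range) and the DNS rule's destination are assumptions, and the original rule is inferred from the reply because the screenshot is not on the page.

```python
import ipaddress as ip

# Subnets are from the thread. The firewall's own addresses (.1 per segment),
# the WAN subnet and the DNS rule's destination are assumptions.
ALIASES = {
    "BLUE net": ["192.168.2.0/24"],
    "LAN net": ["192.168.1.0/24"],
    "ORANGE net": ["192.168.3.0/24"],
    "WAN net": ["203.0.113.0/24"],
    "This Firewall": ["192.168.1.1/32", "192.168.2.1/32",
                      "192.168.3.1/32", "203.0.113.10/32"],
    "any": ["0.0.0.0/0"],
}

def in_alias(addr, alias):
    return any(ip.ip_address(addr) in ip.ip_network(n) for n in ALIASES[alias])

def evaluate(rules, src, dst, proto, dport=None):
    """First matching rule wins; traffic matching no rule is blocked."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto != "any" and proto not in r_proto.split("/"):
            continue
        if r_port is not None and r_port != dport:
            continue
        if in_alias(src, r_src) and in_alias(dst, r_dst):
            return action
    return "block"

# Rule inferred from the reply ("not WAN net"): reaches only the WAN subnet.
WAN_NET_ONLY = [("pass", "any", "BLUE net", "WAN net", None)]
# Pass-any alone: internet works, but so does every internal segment.
PASS_ANY_ONLY = [("pass", "any", "BLUE net", "any", None)]
# Order suggested in the thread: DNS, rejects, then the pass to any.
SUGGESTED = [
    ("pass", "tcp/udp", "BLUE net", "This Firewall", 53),
    ("reject", "any", "BLUE net", "ORANGE net", None),
    ("reject", "any", "BLUE net", "LAN net", None),
    ("reject", "any", "BLUE net", "This Firewall", None),
    ("pass", "any", "BLUE net", "any", None),
]

if __name__ == "__main__":
    client = "192.168.2.101"  # a wireless client inside the BLUE DHCP pool
    probes = [("198.51.100.7", "tcp", 443), ("192.168.1.50", "tcp", 80),
              ("192.168.3.10", "tcp", 80), ("192.168.2.1", "udp", 53),
              ("192.168.2.1", "tcp", 443)]
    for name, rules in [("WAN net only", WAN_NET_ONLY),
                        ("pass any only", PASS_ANY_ONLY), ("suggested", SUGGESTED)]:
        for dst, proto, port in probes:
            print(name, dst, proto, port, "->", evaluate(rules, client, dst, proto, port))
```
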
            • renatohtpc

              Like this?

              Thanks again for your help.

              Renato

              Snap10.png

              • Derelict LAYER 8 Netgate

                Looks good.  It really doesn't matter, but you might want to be consistent for consistency's sake on the source addresses.  Either from BLUE net or from any.  For me, I like rules that do the same thing to look the same.

                That should be working pretty well for you.

                • renatohtpc

                  Derelict

                  Thanks for your help. Now I have the AP working.

                  Here is another question. I clearly must not understand firewall rules!

                  I am trying to access the AP from the LAN network. I have the following rule on the LAN.  I would have thought that these rules could allow any device on the LAN to connect to any of the other interfaces, including the BLUE interface.

                  If I try and go to http://192.168.2.2 I should be able to see the Netgear page. I get nothing, "The connection was reset".

                  What am I missing?

                  Thanks
                  Renato

                  Snap17.png

                  • Derelict LAYER 8 Netgate

                    Is the AP set on 192.168.2.2?  Does the AP have the proper netmask?  Can you set a default gateway on the LAN interface (that can be trouble)? If not, can you set static routes in the AP?  It needs to know to send traffic for anything but its own subnet (192.168.2.0/24) to pfSense for routing.  Maybe set a static route for 192.168.0.0 255.255.0.0 with a gateway of pfSense's address on that segment.

                    • renatohtpc

                      Derelict

                      Here is a screenshot from the AP.

                      Thanks
                      Renato

                      Snap18.png

                      • Derelict LAYER 8 Netgate

                        Hmm.  What happens with https?

                        • hda

                          Does it matter/help if you give the AP a Static, outside the pool, i.s.o. a Dynamic?
                          I use a Zyxel 3205v2 wired to pfSense. Clients of this AP get the dynamic IP from the pfSense DHCP-server.

                          • Derelict LAYER 8 Netgate

                            There should be no DHCP server on the AP.

                            • renatohtpc

                              Trying to access the AP through the https, it fails as well.

                              I have set up DHCP (192.168.2.100 -> 192.168.2.130) and a list of allowed MAC addresses on the Blue interface.  Both the AP and my wireless devices are listed as allowed MAC addresses.

                              Right now I am only enforcing MAC addresses to control who connects to the Blue interface.

                              The AP gets a fixed IP address 192.168.2.2 and my iPad gets an address from the DHCP. The AP has the DHCP disabled as it is being handled by the Blue interface.

                              The iPad connects to the AP and is able to access the internet in addition to the Netgear web page.

                              My laptop connected to the LAN still cannot.

                              I am at a loss!

                              Renato

                              Snap20.png
                              Snap19.png

                              • Derelict LAYER 8 Netgate

                                Why are get address/dns dynamically both checked?

                                • renatohtpc

                                  That's how I had it set up with IPCop, so that the AP would get the information from the IPCop DHCP.

                                  Renato

                                  • Derelict LAYER 8 Netgate

                                    Then look in your DHCP leases for the AP's MAC address and see what address your AP got and try to connect to that.

                                    I have no idea what sort of cockamamie schemes your AP manufacturer concocted.  I would give it a static.

                                    • hda

                                      @renatohtpc:

                                      …
                                      The AP gets a fixed IP address 192.168.2.2
                                      ...

                                      W.r.t. screenshot of your post #8. First within the AP-box you should set the Static addressing and DNS to pfSense-server. So not a double entry in pfSense DHCP-leases due to dynamic & static. Do not allow the AP address as a dynamic. Secondly set the AP static in pfSense DHCP-server, of course with the correct MAC.
