Netgate Discussion Forum

*AIO* All-in-one box
McCount:

> How would your pfSense box authenticate itself to the upstream captive portal? If you logged it in with your credentials would not the rest of your office be sharing your authenticated session?

Yes, the authenticated session would be shared, but that is no problem.

> Which CP can you access by IP, the local one or the upstream one?

The local one.

> Can you get anything from LAN?

No, I have no access to the internet on LAN.

Firewall rules:
WAN has actually no rules
LAN has 3 (anti-lockout, 2x default LAN to any)
OPT1 has no rules configured
jonesr:

Sorry MrCount, I think I started off by looking at this in terms of your pfSense box for you to configure rather than seeing it as a link in the chain. You may have covered all this, but rather than me making assumptions, let's start from scratch.

> How would your pfSense box authenticate itself to the upstream captive portal? If you logged it in with your credentials would not the rest of your office be sharing your authenticated session?
>
> Yes, the authenticated session would be shared, but that is no problem.

Perhaps not for you, but have you spoken to those responsible for the upstream network? I would strongly recommend you do so if you haven't. If they are aware of your project they may be able to help you (for example letting you bypass their CP), but if they are not and discover what you are doing the hard way they may get quite upset. Think of it this way: from their perspective you can either work with them or around them, and if your position were reversed which would you prefer?

As I say, if you already have some agreement for this, great, carry on, but if not it should be the very next thing you do.

> Which CP can you access by IP, the local one or the upstream one?
>
> The local one.

> Can you get anything from LAN?
>
> No, I have no access to the internet on LAN.
>
> Firewall rules:
> WAN has actually no rules
> LAN has 3 (anti-lockout, 2x default LAN to any)
> OPT1 has no rules configured

You will need to configure the rules for OPT1, but ignore those until you have internet working from LAN.

pfSense AMD64 VGA - Assume latest version.
Suricata, pfBlockerNG, SquidGuard, squid3.
McCount:

> Have you spoken to those responsible for the upstream network? I would strongly recommend you do so if you haven't.

There is an agreement.

> You will need to configure the rules for OPT1, but ignore those until you have internet working from LAN.

LAN now connects to the internet.
But how can I get the AP on OPT1 to let clients through to the internet?
jonesr:

@MrCount:

> Have you spoken to those responsible for the upstream network? I would strongly recommend you do so if you haven't.
>
> There is an agreement.

> You will need to configure the rules for OPT1, but ignore those until you have internet working from LAN.
>
> LAN now connects to the internet.

Glad to hear it, and good to know LAN can now reach the internet.

> But how can I get the AP on OPT1 to let clients through to the internet?

Only LAN is automatically set to allow traffic out. The default rule is to block all traffic unless there is a rule to allow it, so you must create rules for OPTx interfaces to allow the traffic you need. The minimum is often HTTP, HTTPS and DNS; the rest depends on what you need, so consider ICMP for ping, FTP, etc. If you find anything specific not working you will need to check the firewall logs to see what got blocked, and add a rule to allow it.

For example, webmail may work fine but an email client may not be able to send email. This will be because webmail is passing the rule for HTTPS, but the mail client is using SMTP. You would see in the logs that traffic on port 25 (SMTP) was blocked, so allow this and repeat for whatever other services you need.
McCount:

Okay, so for testing would it be okay if I set the following?

proto: IPv4
Source: OPT1 address
port: *
destination: *
port: *
gateway: *

and

proto: IPv4
Source: *
port: *
destination: OPT1 address
port: *
gateway: *
jonesr:

pfSense rules only apply to traffic arriving on the interface. Your traffic from OPT1 clients would arrive on OPT1 when leaving that network, so you should only need to use the first rule, but you have "OPT1 Address" there (a single IP on the OPT1 range I think; I don't have a pfSense in front of me right now), which should be "OPT1 Network". Look at the default rules for LAN and use those as a guide.

Your second rule means "traffic (arriving on the OPT1 interface) with destination OPT1 network will pass" (I'm correcting address to network again there). Traffic destined for the OPT1 network would arrive on another interface, not OPT1; for example it arrives on WAN and is routed to and leaves OPT1. Any traffic from the OPT1 network to the OPT1 network would go directly from client to client; it would never arrive on the pfSense OPT1 interface. Your second rule shouldn't cause any problems, but it won't achieve anything either.
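To make the two points above concrete (rules match only on the interface a packet arrives on, and "OPT1 address" selects a single IP while "OPT1 network" selects the whole subnet), here is a small first-match model of pf rule evaluation. It is an added example written for this thread, not pfSense code or anything from the posters. It assumes a constructed addressing plan (OPT1 is 192.168.2.0/24 with the firewall at 192.168.2.1, WAN is 203.0.113.10), that rules are first-match as pfSense adds `quick` to GUI rules, and that anything no rule passes is blocked; state tracking for reply traffic is deliberately left out. It also shows the earlier point about SMTP: with only DNS, HTTP and HTTPS allowed on OPT1, the mail client's port 25 traffic is blocked while webmail over HTTPS passes.

```python
"""Toy first-match model of how pfSense (pf) evaluates interface rules.

Added example for this thread, not pfSense code. Assumed addressing is
constructed and not taken from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed interface addressing (assumption, not from the thread).
IFACES = {
    "OPT1": {"address": "192.168.2.1", "network": "192.168.2.0/24"},
    "WAN": {"address": "203.0.113.10", "network": "203.0.113.0/24"},
}


@dataclass(frozen=True)
class Packet:
    iface_in: str  # the interface the packet ARRIVES on; rules only see this
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str  # a rule is bound to the arriving interface
    src: str = "any"  # "any", "<IF> address" or "<IF> network"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None  # None means any destination port
    action: str = "pass"


def addr_matches(spec: str, addr: str) -> bool:
    """Resolve a GUI-style selector ("OPT1 address", "OPT1 network", "any")."""
    if spec == "any":
        return True
    name, kind = spec.split()
    entry = IFACES[name]
    if kind == "address":  # only the firewall's own IP on that interface
        return ip_address(addr) == ip_address(entry["address"])
    if kind == "network":  # every host on that interface's subnet
        return ip_address(addr) in ip_network(entry["network"])
    raise ValueError(f"unknown selector {spec!r}")


def evaluate(rules: list, pkt: Packet) -> str:
    """Return 'pass' or 'block': first matching rule wins, otherwise block."""
    for rule in rules:
        if rule.iface != pkt.iface_in:
            continue
        if rule.proto not in ("any", pkt.proto):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
            continue
        return rule.action
    return "block"  # default deny: no rule matched on this interface


# Constructed sample traffic: a wireless client on OPT1, plus a packet for that
# client arriving from the internet (which enters on WAN, not on OPT1).
CLIENT_HTTPS = Packet("OPT1", "192.168.2.50", "198.51.100.7", "tcp", 443)
CLIENT_DNS = Packet("OPT1", "192.168.2.50", "198.51.100.53", "udp", 53)
CLIENT_SMTP = Packet("OPT1", "192.168.2.50", "198.51.100.8", "tcp", 25)
INBOUND_ON_WAN = Packet("WAN", "198.51.100.7", "192.168.2.50", "tcp", 443)

SAMPLES = {
    "client https": CLIENT_HTTPS,
    "client dns": CLIENT_DNS,
    "client smtp": CLIENT_SMTP,
    "inbound on wan": INBOUND_ON_WAN,
}

# The two rules proposed in the thread, with "OPT1 address" exactly as written.
PROPOSED = [
    Rule("OPT1", src="OPT1 address"),
    Rule("OPT1", dst="OPT1 address"),
]

# Corrected: "OPT1 network" as the source, limited to the ports the clients need.
CORRECTED = [
    Rule("OPT1", src="OPT1 network", proto="udp", dport=53),
    Rule("OPT1", src="OPT1 network", proto="tcp", dport=80),
    Rule("OPT1", src="OPT1 network", proto="tcp", dport=443),
]

# The second proposed rule with the selector corrected to "network": it never
# matches client traffic leaving OPT1, nor traffic for OPT1 arriving on WAN.
DST_OPT1_ONLY = [Rule("OPT1", dst="OPT1 network")]


def outcomes(rules: list) -> dict:
    """Map each sample packet name to the verdict the given ruleset produces."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("proposed", PROPOSED), ("corrected", CORRECTED),
                         ("dst OPT1 network only", DST_OPT1_ONLY)):
        print(label, outcomes(rules))
```

Running it shows the proposed pair blocking every client packet (the source selector names the firewall's IP, not the clients), the corrected set passing DNS and HTTPS while blocking SMTP on port 25, and the "destination OPT1 network" rule matching nothing at all.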
McCount:

Okay, OPT1 is up and running.
I can now access the internet with new clients over the AP…

;D
jonesr:

Excellent, glad it is working. The other participants in this thread sound like they would appreciate feedback on performance and reliability, so do let us know how you get on.
McCount:

I will do some performance testing at the weekend and then report back.

Thank you for your help!!!
Guest:

Seeing how they probably draw near the max of the USB spec, I would separate the two USB connectors, like one on the front and one on the back, just to make sure you are drawing from two different circuits. Maybe consider a powered hub if you have problems when the radio is loaded. I always worry about killing my USB ports…
Glad to hear you got it going.
McCount:

Hey guys, sorry for the delay…

There were some problems with the stability of the wireless connections on pfSense.
I switched to OPNsense to see if this problem persists.

On OPNsense (http://opnsense.org/) the stability of the wireless devices is much better (my experience by now).
I will keep on testing and maybe switch back to a newer version of pfSense later.
jonesr:

You may have better luck with pfSense 2.2.1 - https://forum.pfsense.org/index.php?topic=89542.msg495521#msg495521
McCount:

> You may have better luck with pfSense 2.2.1 - https://forum.pfsense.org/index.php?topic=89542.msg495521#msg495521

Thanks!!
I will test that asap.
McCount:

Just tested it with 2.2.1, but the system always reboots after filling the screen…

:'( :(

[Attachment: 20150318_112701.jpg]
jonesr:

Just to check: when I suggested 2.2.1 it hadn't been released yet and was available as a preview build. It was released for production in the last 24 hours, so are you using the actual release 2.2.1?

I updated to 2.2.1 this morning, no boot issues for me, but I use an Atheros Mini PCIe card. Have you tried booting without the USB wireless devices plugged in to confirm that is what stops it booting?
McCount:

I installed the actual 2.2.1 release.

Booting without the USB wifi devices is no problem.
Started the web configuration and then plugged in the devices (run0 & run1).
After assigning them to OPT1 and WAN the system reboots.
jonesr:

Even if this makes a difference I am not sure how it helps you, but could you try plugging in and assigning just the WAN USB stick? I have seen systems (not pfSense, just computers in general) struggle with two or more identical USB devices; it may not be either one but the combination of both causing the fault.

Sorry I can't help with your actual problem, but if just one stick works but not both it may help someone else assist you.
McCount:

Okay, I tested it this way and plugged in only 1 USB adapter, but without luck.
The system still reboots. :(
kejianshi:

So, now that you have all this USB NIC experience, what will you be recommending for people considering USB NICs in the future?
McCount:

I think that this is a problem with the internal handling (drivers?) in pfSense, because the scenario (2x USB wireless NIC for WAN and OPT1) is working on OPNsense (v15.1.7.2) without errors… 8)

If I had the option to use external APs via cable, then I would perhaps prefer that way.
But I have only 1 internal NIC (for LAN) and there is no way to install an additional card.

So, my recommendation is:
If it is possible to use external APs --> use them
If it is NOT possible --> wait for a working update/release (or use OPNsense instead)

For now I use OPNsense, but I will switch if there is a working version of pfSense.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.