[solved] Simple wireless bridge doesn't allow traffic
-
I'm attempting what I think is a fairly unsurprising setup:
ISP router/modem with NAT 192.168.0.1/24
        |
WAN: DHCP in 192.168.0.0/24
pfSense
LAN: 192.168.1.1/24 -- bridge -- WLAN: no IP
        |                           |
wired DHCP clients          wireless clients
The wired DHCP clients work fine, but the wireless ones do not. They connect successfully through WPA PSK but then cannot connect to any hosts.
First I'll show some config details if it helps:
Interfaces
LAN - re1 - Static IPv4 192.168.1.1/24
WAN - re0 - DHCP
WLAN - ral0 - None; auto 802.11b/g; access point; WPA2 PSK AES
WLANBR - BRIDGE0 - None
The bridge BRIDGE0 has members LAN, WLAN.
Firewall / Rules / WLAN
Protocol IPv4+6, source *, port *, dest *, port *, gw *, queue none
As for logs: either I'm reading them incorrectly, or they seem to indicate that everything is working.
Jun 21 20:19:44 pfSense hostapd: ral0_wlan0: WPA GMK rekeyd
Jun 21 20:19:46 pfSense hostapd: ral0_wlan0: WPA rekeying GTK
Jun 21 20:19:52 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b IEEE 802.11: associated
Jun 21 20:19:52 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: event 1 notification
Jun 21 20:19:52 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: start authentication
Jun 21 20:19:52 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b IEEE 802.1X: unauthorizing port
Jun 21 20:19:52 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: sending 1/4 msg of 4-Way Handshake
Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: EAPOL-Key timeout
Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: sending 1/4 msg of 4-Way Handshake
Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: received EAPOL-Key frame (2/4 Pairwise)
Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: sending 3/4 msg of 4-Way Handshake
Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: received EAPOL-Key frame (4/4 Pairwise)
Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b IEEE 802.1X: authorizing port
Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b RADIUS: starting accounting session 594A807F-0000000C
Jun 21 20:19:53 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: pairwise key handshake completed (RSN)
Jun 21 20:20:46 pfSense hostapd: ral0_wlan0: WPA rekeying GTK
Jun 21 20:20:46 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: sending 1/2 msg of Group Key Handshake
Jun 21 20:20:47 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: EAPOL-Key timeout
Jun 21 20:20:47 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: sending 1/2 msg of Group Key Handshake
Jun 21 20:20:48 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: received EAPOL-Key frame (2/2 Group)
Jun 21 20:20:48 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: group key handshake completed (RSN)
Jun 21 20:20:48 pfSense hostapd: ral0_wlan0: STA 8c:3a:e3:4a:31:6b WPA: received EAPOL-Key 2/2 Group with unexpected replay counter
Jun 21 20:19:54 pfSense dhcpd: DHCPDISCOVER from 8c:3a:e3:4a:31:6b (android-fdd5c8e7e1391c12) via re1
Jun 21 20:19:55 pfSense dhcpd: DHCPOFFER on 192.168.1.101 to 8c:3a:e3:4a:31:6b (android-fdd5c8e7e1391c12) via re1
Jun 21 20:19:55 pfSense dhcpd: DHCPREQUEST for 192.168.1.101 (192.168.1.1) from 8c:3a:e3:4a:31:6b (android-fdd5c8e7e1391c12) via re1
Jun 21 20:19:55 pfSense dhcpd: DHCPACK on 192.168.1.101 to 8c:3a:e3:4a:31:6b (android-fdd5c8e7e1391c12) via re1
When I attempt connections from the client, I do not see any new entries in filter.log. The client is getting both IPv4 and IPv6 addresses but cannot make connections, including to the web config interface of pfSense.
Any ideas? Thank you in advance.
-
https://doc.pfsense.org/index.php/Interface_Bridges
Think you might need to tweak the following settings under System -> Advanced -> System Tunables:
net.link.bridge.pfil_member
net.link.bridge.pfil_bridge
-
Do you need to complicate the situation by bridging? Wireless on a separate subnet would be simpler to achieve.
-
Do you need to complicate the situation by bridging? Wireless on a separate subnet would be simpler to achieve.
That's a very good idea. I suppose since I don't have any network printers or NAS, and don't have a burning need for filesharing between clients, this will be a good fallback if those other tunables don't work.
-
I solved the issue. My main problem is that, apparently, in the firewall rules, IPv4+IPv6 does NOT mean "both IPv4 and IPv6". Maybe it means "IPv4 over IPv6" or something, but anyway, when separating out rules into individual IPv4 and IPv6, everything started working.
-
"IPv4+IPv6 does NOT mean "both IPv4 and IPv6". Maybe it means "IPv4 over IPv6" or something, but anyway,"
No it doesn't; it means what it says, either IPv4 or IPv6.
-
No it doesn't; it means what it says, either IPv4 or IPv6.
That's quite curious, because so far as I can tell, that's the deciding factor in whether all of my traffic is blocked or not. I noticed that the "default allow all LAN" rules issued with pfSense were similarly split; why wouldn't they use the combined address family if it does what it looks like it should?
-
You have to read it as the exclusive-or operator XOR: either IPv4 or IPv6, but not both at the same time. A single IP packet is always one or the other, never both.
The rules are fine either split by address family or combined; the end effect is exactly the same, because the combined rule still creates the same states, which differ by address family depending on whether the first packet of the connection was IPv4 or IPv6.
-
Long story short, my setup is working now. I think a bridge is the best way to go, and I'm impressed at the way pfSense handles it. I was wrong about the IPv4/IPv6 split; having them combined is fine.
Now:
- Neither LAN nor WLAN has an IP address
- The bridge interface LANBR has static IP addresses for IPv4 and IPv6
- No firewall rules for LAN or WLAN
- Firewall rules on LANBR only
- Tunable net.link.bridge.pfil_member=0, net.link.bridge.pfil_bridge=1
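An added example, not from the thread: a small POSIX sh checker modelling where pf evaluates rules for bridged traffic under the two tunables named above, and flagging rule placement that does not match them (rules on an interface pf never filters, or a filtering point with no rules, which pfSense's default deny blocks). The sysctl output is constructed; the interface names LAN, WLAN and BRIDGE0 are the thread's.

```shell
#!/bin/sh
# Semantics from FreeBSD if_bridge(4), as used by pfSense:
#   net.link.bridge.pfil_member=1 -> bridged packets are filtered on member interfaces
#   net.link.bridge.pfil_bridge=1 -> bridged packets are filtered on the bridge interface
# pf applies default deny on each interface where it filters, so every filtering
# point needs rules, and rules elsewhere are never evaluated for bridged traffic.

# Constructed sample of `sysctl net.link.bridge` output (the real check runs on the firewall).
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw: 0'

# tunable <name> <sysctl-output>: print the value of one tunable
tunable() {
    printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { print $2; exit }'
}

# filter_points <pfil_member> <pfil_bridge>: member | bridge | both | none
filter_points() {
    case "$1$2" in
        10) echo member ;;
        01) echo bridge ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# audit <pfil_member> <pfil_bridge> <interfaces that carry rules...>
# Prints one finding per line; returns 0 when placement matches the tunables.
audit() {
    pm=$1; pb=$2; shift 2
    rules=" $* "; rc=0
    for ifc in LAN WLAN; do
        case "$rules" in *" $ifc "*) has=1 ;; *) has=0 ;; esac
        [ "$pm" = 1 ] && [ "$has" = 0 ] && { echo "BLOCK: $ifc is a filtering point with no rules"; rc=1; }
        [ "$pm" = 0 ] && [ "$has" = 1 ] && { echo "DEAD: rules on $ifc are never evaluated (pfil_member=0)"; rc=1; }
    done
    case "$rules" in *" BRIDGE0 "*) has=1 ;; *) has=0 ;; esac
    [ "$pb" = 1 ] && [ "$has" = 0 ] && { echo "BLOCK: BRIDGE0 is a filtering point with no rules"; rc=1; }
    [ "$pb" = 0 ] && [ "$has" = 1 ] && { echo "DEAD: rules on BRIDGE0 are never evaluated (pfil_bridge=0)"; rc=1; }
    [ "$pm$pb" = 00 ] && { echo "OPEN: bridged traffic is not filtered anywhere"; rc=1; }
    return $rc
}

PM=$(tunable net.link.bridge.pfil_member "$SAMPLE_SYSCTL")
PB=$(tunable net.link.bridge.pfil_bridge "$SAMPLE_SYSCTL")
echo "filtering point(s): $(filter_points "$PM" "$PB")"
audit "$PM" "$PB" BRIDGE0 && echo "rule placement matches the tunables"
```

The final setup in the post above (member=0, bridge=1, rules on the bridge only) audits clean; the thread's starting point (pfSense's member=1, bridge=0 default with rules only on WLAN) reports LAN as an unfiltered, and therefore blocked, member.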