Wireless Support in pfSense 2.4 (Intel 8260)

BluBoy

Hi,

I'm setting up a gateway which will use an Intel 8260 wireless as the gateway.
(I'm running virtualised, but using PCI passthrough to give the pfSense VM the raw PCI device).

I read that the Intel 8260 was not supported in FreeBSD 10, so I installed the BETA hoping the FreeBSD-11-RELEASE would assist
https://lists.freebsd.org/pipermail/freebsd-wireless/2016-November/007283.html
https://www.freebsd.org/cgi/man.cgi?query=iwm&sektion=4

The device can be seen by pfSense

pciconf -vl | grep -b2 8260

2825-none1@pci0:0:8:0: class=0x028000 card=0x20208086 chip=0x24f38086 rev=0x3a hdr=0x00
2908- vendor = 'Intel Corportion'
2945: device = 'Wireless 8260'
2978- class = network

I have added the following rules to /boot/loader.conf
if_iwm_list="YES"
iwm8000Cfw_load="YES"

But the wireless card isn't appearing as an interface as the GUI, I can't add it as a wireless interface.
I can't see it in ifconfig either.

Do I need to do anything to use the wireless card?

cozkramer

I also have a 8260 minipcie card in my rig and bought it before thinking about it.

long story short, just because it's now supported in FreeBSD 11, it still isn't supported in pfSense.

hopefully one day it will be, but not holding my breath currently. buy a cheap wifi router and set it up in AP mode, or just buy an wifi ap and plug it in.

depending on what you read, people suggest doing that anyway. personally, i'd rather have the extra lan port but whatever…

BluBoy

Well, that was interesting… It's working (yay!), but I don't know if I did it the 'right' way, or how stable it'll be in future.

My solution, was to boot up a vanilla FREEBSD-11-RELEASE VM and take the two kernel modules from there (if_iwm.ko and iwm8000Cfw.ko).
Copied them to the modules folder in pfSense 2.4, rebooted and noticed that pciconf had a small change
iwm@pci0:0:8:0: class=0x028000 card=0x20208086 chip=0x24f38086 rev=0x3a hdr=0x00

So far so good… My goal is to have the WAN be a WiFi client (VM is running on a laptop, which connects to a home WAP).
I added the interface on the wireless page, and assigned it as the WAN interface.
I attempted to configure it as a client, but there was no clear way to do this. The configuration settings in the GUI appeared to be setting it up as a WAP (not a client).

I ended up creating a /etc/wpa_supplicant.conf file with the details of my WAP and enabling that in /boot/loader.conf.local as well.
Upon reboot, the Wireless WAN had connected to my WAP and all was working well.

Now, I have no idea if my command line messing around will interfere with the GUI settings, or be overridden on upgrade.
I also have no idea how to add future WAPs, as I move between home, office and coffee shops.

My suggestions (and please point me in the right direction to lodge them more formally if they are valid).

The iwm module should be included in pfSense 2.4. This is very stable and covers a very popular range of laptops (I'm sure everyone says that though).
Please make it easier to add a wireless client as a WAN interface through the GUI (which is looking fantastic btw).
During boot with a new NIC, the command line forces the configuration of a WAN port. This won't always be the case (LAN only environments), and caused the biggest headache for me, as I needed to configure the LAN, to use the web GUI to make changes to the wireless, before I could then configure the WAN port.

I hope this makes sense to you, and even give hope to others trying to configure pfSense with a Wireless client for the WAN.

james2432

Created a redmine ticket for it as I am also in the same boat as you for my 3160NGW
https://redmine.pfsense.org/issues/7725

james2432

I've uploaded the FreeBSD 11.0-RELEASE firmware(their vmware disk image) to my dropbox(https://www.dropbox.com/s/zldajs4yd8b9w2a/iwm_firmware.tar.xz?dl=0) it contains the firmware needed for iwm. Transferred via netcat, but shouldn't be any issues with it

BluBoy

Cheers! Hopefully they can look at including a few extra drivers in 2.4

Also, hoping that it gets a better WiFi WAN support too!
Looking to make it easier to set up, and it should also reconnect when it drops out.

dotdash

iwm and the other Intel cards I've played with do not support AP mode. The most common use of wireless on pfSense is to run in AP mode. I don't thing anyone is going to put in any effort for this. Wireless in general is discouraged, and station mode is a bit of an edge case. If you really need wireless, ebay a supported Atheros card and save yourself the grief. That being said, patches are accepted if you feel ambitious.

james2432

@dotdash:

iwm and the other Intel cards I've played with do not support AP mode. The most common use of wireless on pfSense is to run in AP mode. I don't thing anyone is going to put in any effort for this. Wireless in general is discouraged, and station mode is a bit of an edge case. If you really need wireless, ebay a supported Atheros card and save yourself the grief. That being said, patches are accepted if you feel ambitious.

Seems you're right: https://man.openbsd.org/iwm.4 and https://www.freebsd.org/cgi/man.cgi?query=iwm&sektion=4

iwm supports station mode operation. Only one virtual interface may be
configured at any time. For more information on configuring this device,
see ifconfig(8).

These are the modes the iwm driver can operate in:
BSS mode Also known as infrastructure mode, this is used when associating with an access point, through which all traffic passes.

It only operates in BSS mode. and is from intel, so doubt they'd add support for Access point mode.

BluBoy

@dotdash:

Wireless in general is discouraged, and station mode is a bit of an edge case.

While I agree that wired should be used over wireless where available, I think it would be silly to ignore wireless altogether.
A greater number of consumer devices are coming in a wireless only option, my use case is in a virtual environment on my laptop (which is also becoming more common).

Not supporting wireless in station mode because it is not the preferred method of connection seems pretty short sighted, especially when alternative gateways provide the option to configure it in the GUI.

chrcoluk

bluboy yeah the modules default shipped in pfsense is a very low amount, I expect its like that because they previously supported nano installs, now people are starting to use more beefy hardware and nano is EOL, hopefully they will include a much wider range of kernel modules to support more networking hardware.

dotdash

@BluBoy:

Not supporting wireless in station mode because it is not the preferred method of connection seems pretty short sighted, especially when alternative gateways provide the option to configure it in the GUI.

Station mode is supported, the issue is someone taking the time to add drivers for hardware with cumbersome licensing that doesn't support the mode 90% of users are going to need. You can get a secondhand Atheros card for around ten bucks, or you could raise a few hundred in bounty money and see if someone takes it.

BluBoy

@dotdash:

Station mode is supported, the issue is someone taking the time to add drivers for hardware with cumbersome licensing that doesn't support the mode 90% of users are going to need. You can get a secondhand Atheros card for around ten bucks, or you could raise a few hundred in bounty money and see if someone takes it.

Interesting. The drivers don't bother me so much as it is possible to just pull them from FreeBSD 11 vanilla.
(Of interest, would it be possible for pfSense to host these drivers seperately, and allow users to just download the ones they needed? Or even just link to the FreeBSD 11 drivers?)

Station mode doesn't seem to be supported? Can you point me to where this is?
When I configured just the GUI, it didn't work and appeared to only cater for WAP mode
(Interfaces -> Wireless and then Interfaces -> WAN)

Would it be possible to clear delimitate the fact that it is a wireless client and not a WAP? I'd gladly support the project by buying gold if this could receive some attention (I know, I'm sure there are more pressing things needing attention)

If this is the intended place to configure a wireless client WAN connection, should I be submitting a ticket because it doesn't work (I haven't as I'm not sure pulling in my own iwm modules will affect the otherwise vanilla pfSense).
After adding the module files and loading them at boot, I still needed to mess with wpa_supplicant to get it to work.

dotdash

When I referred to station mode, I meant operating as an Infrastructure client, connecting to an AP.
I haven't done this for a while, so I threw an old Atheros card in a 2440 I had on my desk. Here are some notes on the process-
Added the card (and wired up the antennas), booted the box. Logged in and went to assign interfaces, set WAN to ath0. (Yours would be iwm0). Interfaces, WAN: Left v4 on DHCP, set v6 to none. Left config at BSS, checked box to enable WPA. Entered the wireless key. Unchecked block private networks. Saved. Interface was showing down, went to status, interfaces, and renewed the DHCP. Interface now shows up and has an IP, can ping out to the Internet.
This was done on a previously vanilla config, card is marked AR5BXB63, YMMV, HTH.

BluBoy

@dotdash:

When I referred to station mode, I meant operating as an Infrastructure client, connecting to an AP.
I haven't done this for a while, so I threw an old Atheros card in a 2440 I had on my desk. Here are some notes on the process-
Added the card (and wired up the antennas), booted the box. Logged in and went to assign interfaces, set WAN to ath0. (Yours would be iwm0). Interfaces, WAN: Left v4 on DHCP, set v6 to none. Left config at BSS, checked box to enable WPA. Entered the wireless key. Unchecked block private networks. Saved. Interface was showing down, went to status, interfaces, and renewed the DHCP. Interface now shows up and has an IP, can ping out to the Internet.
This was done on a previously vanilla config, card is marked AR5BXB63, YMMV, HTH.

Thanks dotdash, I really do appreciate your efforts here.

I undid most of the changes I made, so now I only have the if_iwm.ko and iwm8000Cfw.ko from FreeBSD 11.0 vanilla copied to /boot/modules (and corresponding entries in /boot/loader.conf)
(So basically, no more manual wpa_supplicant happening)

I am still connected to home_WAP.
I followed your guide, went into the WAN INTERFACE, left v4 on DHCP, v6 NONE, Using Infrastrucutre (BSS), WPA enabled.
This time I tried home_WAP-5G, ensured the rest was configured correctly, applied those changes. Then went into STATUS, INTERFACES and attempted to renew the DHCP lease.
For a brief moment, I saw that it connected… Then on the pfSense console window I had opened, I now see "iwm0: iwm_update_edca: called" scrolling by every few seconds.
... I'm guessing there is an issue with the driver, and this is perhaps why it isn't included in pfSense???

BUT! Is it an issue with 5Ghz radios? I decide to reboot and connect to a different 802.11G WAP. I reboot to start again. When pfSense reboots, it is happily connected to the home_WAP-5G access point.

So yes. I can now see you can change WAN WAPs through the GUI, although, I still think it isn't the best user experience (as it appears to be the configuration settings for setting up a pfSense WAP).
Is it possible to present different configuration options to the user depending on if they want to be a client or a AP? Maybe have the scan wireless option on the page as well (it is available under status though)

Finally, I would love to hear if any 'normal' iwm users have this issue when changing settings. I'm not sure if it is my setup (Using QEMU/KVM with PCI passthrough to pfSense with .ko files stolen from vanilla FreeBSD), or just the drivers at fault here. I have seen similar iwm errors when the laptop loses connection for a bit...

BearTM

@BluBoy:

Finally, I would love to hear if any 'normal' iwm users have this issue when changing settings.

Just adding my $0.02 to the iwm support in pfSense …

Thank you for detailing your experience

I started with a 2.3.x install, performed the 2.4.1 upgrade, and following these instructions was 100% successful!

Grabbed copy of FreeBSD Release ISO
ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-bootonly.iso

mount ISO image

copy from ISO
/boot/kernel/if_iwm.ko
/boot/kernel/iwm8000Cfw.ko
[or other iwmXXXXfw.ko firmwares as needed]

SFTP [as root] the files to pfSense (assume copied to /root directory)

SSH: [as root]
chmod 555 if_iwm.ko
chmod 555 iwm8000Cfw.ko
cp if_iwm.ko /boot/kernel
cp iwm8000Cfw.ko /boot/kernel

Either:
vi /boot/loader.conf
[add lines]
if_iwm_load="YES"
iwm8000Cfw_load="YES"
[save file]

Or through GUI:
Diagnostics / Edit File
/boot/loader.conf [Load]
[add lines]
if_iwm_load="YES"
iwm8000Cfw_load="YES"
[Save]

Interfaces / Wireless / Add
Wireless Interface Configuration
Parent Interface: iwm0
Mode: Infrastructure (BSS)
Description: Intel WiFi

Interfaces / Interface Assignments / Add
Enable Interface: [checked]
Description: WIFI
IPv4: DHCP
Persist Common Settings: [checked]
Mode: Infrastructure (BSS)
SSID: [your SSID to connect to]
WPA Enable: [checked]
WPA Pre-Shared Key: [your PSK passphrase]

Status / Interfaces
[check that everything is working]

–-

I have no issues connecting/disconnecting/reconnecting to the hotspot (or android phone) at 5GHz.
The "iwm0: iwm_update_edca: called" message only appeared once on connection

The continual update messages you experienced must have been due to a connection failure/reset/mismatch with the particular 5G access point you were using. All connections I attempt to various access points work perfectly.

NOTE: I am also using QEMU/KVM PCI passthrough running on a Ubuntu host, dedicated server - Gigabyte GA-H170N-WIFI motherboard
[P.S> I'm using the Intel 8260 as a backup WAN to a mobile hotspot, useful as emergency connection for when the (home) WAN gateway connection goes down]

gaijinboy

@BearTM:

@BluBoy:

Finally, I would love to hear if any 'normal' iwm users have this issue when changing settings.

Just adding my $0.02 to the iwm support in pfSense …

Thank you for detailing your experience

I started with a 2.3.x install, performed the 2.4.1 upgrade, and following these instructions was 100% successful!

Grabbed copy of FreeBSD Release ISO
ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-bootonly.iso

mount ISO image

copy from ISO
/boot/kernel/if_iwm.ko
/boot/kernel/iwm8000Cfw.ko
[or other iwmXXXXfw.ko firmwares as needed]

SFTP [as root] the files to pfSense (assume copied to /root directory)

SSH: [as root]
chmod 555 if_iwm.ko
chmod 555 iwm8000Cfw.ko
cp if_iwm.ko /boot/kernel
cp iwm8000Cfw.ko /boot/kernel

Either:
vi /boot/loader.conf
[add lines]
if_iwm_load="YES"
iwm8000Cfw_load="YES"
[save file]

Or through GUI:
Diagnostics / Edit File
/boot/loader.conf [Load]
[add lines]
if_iwm_load="YES"
iwm8000Cfw_load="YES"
[Save]

Interfaces / Wireless / Add
Wireless Interface Configuration
Parent Interface: iwm0
Mode: Infrastructure (BSS)
Description: Intel WiFi

Interfaces / Interface Assignments / Add
Enable Interface: [checked]
Description: WIFI
IPv4: DHCP
Persist Common Settings: [checked]
Mode: Infrastructure (BSS)
SSID: [your SSID to connect to]
WPA Enable: [checked]
WPA Pre-Shared Key: [your PSK passphrase]

Status / Interfaces
[check that everything is working]

–-

I have no issues connecting/disconnecting/reconnecting to the hotspot (or android phone) at 5GHz.
The "iwm0: iwm_update_edca: called" message only appeared once on connection

The continual update messages you experienced must have been due to a connection failure/reset/mismatch with the particular 5G access point you were using. All connections I attempt to various access points work perfectly.

NOTE: I am also using QEMU/KVM PCI passthrough running on a Ubuntu host, dedicated server - Gigabyte GA-H170N-WIFI motherboard
[P.S> I'm using the Intel 8260 as a backup WAN to a mobile hotspot, useful as emergency connection for when the (home) WAN gateway connection goes down]

Hi,

I have a Gigabyte GA-Z270N-WIFI motherboard running ubuntu 16.04 and I use Pfsense as router in the virtualbox.
I have set the wireless adapter (wlp9s0) in the virtualbox as bridged and I followed your tutorial.
But unfortunately for me it didn't work.
On Pfsense it sees the adapter as em2 but in the "Wireless Interface Configuration" it shows "None available" in parent interface.

I have tried to reboot Pfsense but no luck and I also tried your tutorial from zero 3 times.
I'm using the version 2.4.3-RELEASE.

Do you know any idea that could be my problem?

Thanks in advance.

BearTM

The important detail for you is exactly what I added in the NOTE at the end:

"NOTE: I am also using QEMU/KVM PCI passthrough running on a Ubuntu host, dedicated server - Gigabyte GA-H170N-WIFI motherboard."

Since pfSense needs to directly control the hardware, this method will only work as a bare-metal or PCI Passthrough to the VM.

Because you bridged your adapter to the host, there is no WiFi card for pfSense to access in hardware.

Remove the WiFi card from your host (blacklist), add it as a PCI Passthrough to the VM in QEMU, and then it will work.

gaijinboy

Thanks for the explanation!

I'll try to do on this weekend and let you know.

gaijinboy

@BearTM:

The important detail for you is exactly what I added in the NOTE at the end:

"NOTE: I am also using QEMU/KVM PCI passthrough running on a Ubuntu host, dedicated server - Gigabyte GA-H170N-WIFI motherboard."

Since pfSense needs to directly control the hardware, this method will only work as a bare-metal or PCI Passthrough to the VM.

Because you bridged your adapter to the host, there is no WiFi card for pfSense to access in hardware.

Remove the WiFi card from your host (blacklist), add it as a PCI Passthrough to the VM in QEMU, and then it will work.

I tried once again to add it as a PCI Passthrough and I found out that my adapter is not 8260, it is 8265 :(
They already merged the kernel module into the version 12 of freebsd, but not for version 11.
So I guess I will have to wait until I can make this work