Guest Wi-Fi using on-board adapter
-
I looked around on the forum, but couldn't find a previous post in the last year that answers this question.
I have a mini-pc from Protectli (https://amzn.com/B0742P83HY) running pfSense 2.4.1-RELEASE (amd64). I added a mini PCIe wireless card (https://amzn.com/B01N9YVN6T) to the machine.
The box boots fine, recognized the hardware, and I was able to add the wireless interface/network port (run0_wlan0) from the Interfaces > Wireless page.
I then assigned run0_wlan0 to an interface named "WLAN", gave it a static IP and set up a DHCP server. I can connect to the SSID broadcast by this interface and I am assigned an IP in the range configured by the DHCP server for that interface.
I also created a firewall rule in Firewall > Rules > WLAN that allows 'any' source to 'WLAN address' and 'WLAN address' to 'any' destination.
The problem I am facing is even though I can connect to the wireless network and am assigned an IP, I can't seem to reach the internet. I do seem to be able to access servers on my LAN interface though.
What I would like to do is:
1. Allow traffic on the "WLAN" interface to get to the internet
2. Block all other traffic on the "WLAN" interface
-
Does Protectli have a support number?
-
I don't know. Are you sure this is a hardware issue? I think this is a firewall/rule issue because I can reach network resources.
Also, I had originally configured this with my LAN & WLAN bridged, and set the 'bridge' port to the 'interface' that had a static IP and DHCP server associated to it. When I did this, I could connect to the wireless and reach the internet as well as the local lan.
-
I'm just wondering why you give them money then post here looking for free support.
You will find that I am fairly opposed to trying to use the wifi stack in FreeBSD/pfSense and that you should just use an external access point like everyone else.
If you want to use an internal wifi adapter, ask Protectli for assistance.
-
Derelict, you could say the same thing in a much nicer (less rude) way. pfSense is open source software, and it is very common for open source software to have a community where users can post questions and get them answered, often by other users.
I do not believe the problem is with the hardware, but rather a configuration issue in pfSense itself. Which is why I came to this community for assistance rather than contacting the vendor.
I would rather not mess with an external access point & a managed switch with a VLAN. At the time it felt like a simpler and more cost effective solution to just use an on-board wireless adapter.
-
You got the best answer available.
Stop trying to use an in-built wireless card and put a real access point out there.
-
Have you tried replacing WLAN address with WLAN net for your firewall rules?
-
Beat me to it :)
-
@biggsy
haha Sorry. Did not mean to steal your thunder.
-
For anyone that runs into this problem in the future, I found the issue. I needed to set up my Outbound NAT. Once I did that and added a firewall rule to block traffic to "LAN net" I had what I wanted. Connections to the WLAN can access the internet (the Outbound NAT fixed this) and could not access my local network (firewall rule to block "LAN net" fixed this).
This was not a hardware problem, and really wasn't a Wireless issue. I was able to find the troubleshooting guide below once I viewed my WLAN as LAN since it is just another interface/NIC on my pfSense device.
This guide was extremely helpful: https://doc.pfsense.org/index.php/Connectivity_Troubleshooting
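
An added example (not from the thread or from pfSense itself): a small Python model of the two pieces of the fix described above, first-match rule order on the WLAN tab and an outbound NAT entry covering the WLAN subnet. The subnets, host addresses, the manual NAT list and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing; the thread does not state the real subnets.
ALIASES = {
    "WLAN net": ipaddress.ip_network("192.168.20.0/24"),
    "LAN net": ipaddress.ip_network("192.168.1.0/24"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}
INTERNAL = ("WLAN net", "LAN net")  # destinations routed without NAT

def in_alias(addr, name):
    return ipaddress.ip_address(addr) in ALIASES[name]

def evaluate(rules, src, dst):
    """Rules on an interface tab: top-down, first match wins, else default deny."""
    for action, rule_src, rule_dst in rules:
        if in_alias(src, rule_src) and in_alias(dst, rule_dst):
            return action
    return "block"

def reachable(rules, nat_sources, src, dst):
    """A flow works if a rule passes it and, for external
    destinations, an outbound NAT entry covers the source."""
    if evaluate(rules, src, dst) != "pass":
        return False
    if any(in_alias(dst, name) for name in INTERNAL):
        return True
    return any(in_alias(src, name) for name in nat_sources)

# Pass rule alone: guests can also reach LAN hosts.
PASS_ANY_ONLY = [("pass", "WLAN net", "any")]
# The thread's end state: block "LAN net" above the pass rule.
GUEST_RULES = [("block", "WLAN net", "LAN net"), ("pass", "WLAN net", "any")]

# Assumed manual outbound NAT list before and after adding the WLAN subnet.
NAT_WITHOUT_WLAN = ["LAN net"]
NAT_WITH_WLAN = ["LAN net", "WLAN net"]

GUEST, LAN_HOST, INTERNET = "192.168.20.50", "192.168.1.10", "203.0.113.10"

if __name__ == "__main__":
    for rules, nat in [(PASS_ANY_ONLY, NAT_WITHOUT_WLAN), (GUEST_RULES, NAT_WITH_WLAN)]:
        print("internet:", reachable(rules, nat, GUEST, INTERNET),
              "| LAN:", reachable(rules, nat, GUEST, LAN_HOST))
```

Reversing the two entries in GUEST_RULES makes the LAN check pass again, which is why the block rule has to sit above the pass rule.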
-
"I needed to set up my Outbound NAT."
You would only have to do that if you had changed the outbound NAT from automatic. Any time you give pfSense an address on an interface, be it a physical interface (wired or wireless) or a VLAN, it would auto-create the outbound NAT rule for you.
-
> "I needed to set up my Outbound NAT."
> You would only have to do that if you had changed the outbound NAT from automatic. Any time you give pfSense an address on an interface, be it a physical interface (wired or wireless) or a VLAN, it would auto-create the outbound NAT rule for you.
I think I had done that as part of setting up OpenVPN. I don't recall if it was for configuring my client or server instance of OpenVPN. I don't know if this is/was required, but it was in the guide I found and followed.
-
> I'm just wondering why you give them money then post here looking for free support.
> You will find that I am fairly opposed to trying to use the wifi stack in FreeBSD/pfSense and that you should just use an external access point like everyone else.
> If you want to use an internal wifi adapter, ask Protectli for assistance.
With all due respect, I think that reply is beneath you.
You could have not replied, or stuck with the fact that an external AP is best practice. If someone has an APU, do they need to contact PC Engines? Are they also not welcome to get support from fellow users on a public forum? This is an open forum and users should be allowed to ask questions of the community whether they loaded pfSense on an ADI, an APU, an old Dell server, an HP thin client, or a Chinese mini pc.
You are a mod and one of the most respected and helpful members of this forum. Maybe I'm reading it wrong, but you sounded like you didn't want to help the user just because you disapproved of his hardware choice.
-
Yeah. You're probably right.
-
No he is not right..
Derelict you are the most honest and upfront mod here…
If anything you were more than extra polite... Yes community support is free, which means you might not always be doing flips over what you get ;)
dotdash seems to be confusing that Derelict gets some bucks from pfSense/Netgate for being here, and that he is also part of this community. So has as much right to his opinion as anyone else.. If he doesn't suggest/support wifi on pfSense, that is his opinion - if he suggests you call the company you bought your hardware from for support vs ask on a public forum, that is his right as a human being..
Be it by the community or the staff... It's been a known fact since pfSense came out - been here since the start myself - that wifi on it sucked... It's not pfSense's fault.. FreeBSD wifi support has always been crap... pfSense did the best they could to support it in their product..
You can tell from the store where you can buy pfSense/Netgate hardware that they recommend you handle your wifi outside of pfSense.. I personally think ever even suggesting to even attempt to run wifi out of the pfSense box as AP was a mistake.. And ever even offering the option to buy wifi cards to put in the box was just promoting the mistake.. They should have discouraged use of wifi cards in pfSense as AP from day 1.. With bold blinking RED/Gold letters ;) It as a WAN connection would be different - but that is a whole different ball game and use case.
Sorry dotdash.. But to be honest you just suggested the OP contact the maker here
https://forum.pfsense.org/index.php?topic=140147.0
With what the OP posted you have ZERO info to go off of.. Doesn't point to hardware, doesn't point to software.. Your guess to what the problem is "brick" - But you call out a guess and tell him to call the hardware maker.. Why should Derelict not get same freedom?
I think your other post was pretty rude to be honest and very offended that you suggest the poster on a free community forum should have to call the maker of said hardware for help vs dropping to a knee to help him.. I mean really...
How is that any different than what Derelict did??
-
This is getting a bit overblown. Especially as, while we don't always agree 100%, I think you (johnpoz), and Derelict are two of the most helpful people on the board. Yes, I suggested a user contact the reseller, for a hardware issue.
The point I was trying to make, is that a wireless board exists, where people can presumably ask questions about using wireless cards in the actual firewall. Telling them it is not best practice is fine. What I thought was out of line was (and perhaps I was reading too much into it) that a new user was being told that he was not deserving of help because he bought some hardware that a mod did not approve of. I have lots of 'official' hardware, and have in the past told people that they should get some decent hardware (like an ADI) when they were running on flaky garbage. The OP had a configuration question. I don't like the implication that if you don't have approved hardware, you are not welcome to ask questions. I don't think Derelict meant that, but his response was not in his usual character. How about I buy the first round of Old Man Grumpy Ale http://www.gooseisland.com/our-beers/old-man-grumpy and we can all get back to normally scheduled programming?