Unable to access Internet from WIFI AP
-
@NogBadTheBad I have tried connecting the cable directly to my laptop(Macbook Air). Still same issue ifconfig gives me
inet 192.168.3.7 netmask 0xffffff00 broadcast 192.168.3.255
nd6 options=201 <performnud,dad>media: autoselect (1000baseT <full-duplex,flow-control,energy-efficient-ethernet>)
status: activeFurthermore, in the interface assignment IP is selected as 192.168.2.3/24 So, the subnet mask is correct. Using the same gateway I am able to get to the internet in "LAN" interface. Just not in "WIFI"
@Jackish Ethernet should be connected to LAN port so I can use it as a wireless switch I believe. Since, above is failing I think the issue is with pfsense interface somewhere. Unable to find exactly where.</full-duplex,flow-control,energy-efficient-ethernet></performnud,dad>
-
Hello everyone,
I have been unable to get my wifi AP to get to the internet.
It is connected to the different interface. DHCP works and I am able to get DHCP on the subnet. However, I cannot connect to the internet. Cannot ping subnet IP.
So far, I have LAN as 192.168.2.1
WIFI as 192.168.3.1
IPMI which I am planning to use for all my server management interface set as 192.168.4.1I have set up rules for wifi to allow for any to any connection.
I have set up my outband NAT as automatic.
I cannot see anything getting blocked in firewall either.
My AP is the router provided by my ISP and DHCP has been turned off and Ethernet is connected to LAN.
Really appreciate if you could advise what to check for.
Cheers,
Ethernet should be connected to WAN on your AP, or do you mean that Ethernet is conencted from LAN on pfsense?
No it shouldn't you'll get a double NAT if you use the WAN port, use one of the LAN port.
-
@NogBadTheBad I have tried connecting the cable directly to my laptop(Macbook Air). Still same issue ifconfig gives me
So your laptop can't access the internet when connected to the port the ISP router connects to then ?
If this is the case it's an issue with your config on the pfsense router.
What's the output from netstat -rn when you connect the laptop to the wifi lan port ?
-
@NogBadTheBad I have tried connecting the cable directly to my laptop(Macbook Air). Still same issue ifconfig gives me
So your laptop can't access the internet when connected to the port the ISP router connects to then ?
If this is the case it's an issue with your config on the pfsense router.
What's the output from netstat -rn when you connect the laptop to the wifi lan port ?
Just so that we are on the same page want to clear something.
I have 4 interface in my pfsense.
WAN, LAN, WIFI, IPMI
LAN is connected to switch which has multiple computers connected which is connecting to internet fine. LAN interface has subnet 192.168.1.1/24
WIFI has ISP provided router connected as AP with DHCP disabled in LAN port with subnet 192.168.3.1/24. Wifi is on, I am able to connect devices to it get IP address assigned but unable to get internet access. Unable to ping 192.168.3.1 (WIFI interface IP). I have tried connecting my laptop instead of wifi AP and I wasn't able to get to the internet so same issue.
IPMI is not physically connected at the moment.
Furthermore, I also have two VPN client running which has selective routing enabled with two interface VPNIN and VPNUS, One VPN Server which is running perfectly fine.
The output of netstat is as follows:
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.3.1 UGSc 6 0 en0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 1 530 lo0
169.254 link#4 UCS 0 0 en0
192.168.3 link#4 UCS 0 0 en0
192.168.3.1/32 link#4 UCS 2 0 en0
192.168.3.1 ac:1f:6b:10:cf:e5 UHLWIir 29 71 en0 1191
192.168.3.3/32 link#4 UCS 1 0 en0
224.0.0/4 link#4 UmCS 2 0 en0
224.0.0.251 1:0:5e:0:0:fb UHmLWI 0 0 en0
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI 0 4 en0
255.255.255.255/32 link#4 UCS 0 0 en0This is with Wifi connected via AP.
Really appreciate your input so far.
-
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.3.1 UGSc 6 0 en0
127 127.0.0.1 UCS 0 0 lo0Default gateway is fine too.
-
So far, I have LAN as 192.168.2.1
Because your WAN is 192.168.1.x ?
WIFI as 192.168.3.1
Why ???
Make it's LAN IP 192.168.2.2/24 and you'll be fineMy AP is the router provided by my ISP and DHCP has been turned off and Ethernet is connected to LAN.
You should be able to stop all "router" functions. Your AP should be a dumb "electrical wire signal" to "radio signal" converter.
DHCP off - DNS off - gateway to IP pfSense LAN = 192.168.2.1 - DNS server set to 192.168.2.1 - mask /24 -
No for WAN I get DHCP from my ISP. And I had all my machines setup for 192.168.2.1/24 from long time ago that is why I have it set up as 2.1 no real reason.
WIFI is 192.168.3.1 because it I want it to be in different subnet. Unable to set IP as 192.168.2.2/24 as that would overlap with "LAN" interface.
My AP is definately a dump AP with all function turned off. (Apologies on using the term "router")
Appreciate your help.
-
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.3.1 UGSc 6 0 en0
127 127.0.0.1 UCS 0 0 lo0Default gateway is fine too.
Yeah, really pulling my hair out here. I have been using pfsense for a while the only difference is I had these interface bridged before. I want to setup different subnet so my wifi connection cannot talk to my LAN and IPMI subnets.
-
that is the outbound of your laptiop netstat? Why do you have /32 bit mask set
"192.168.3.1/32"
And then this?
"192.168.3.3/32"
And you have that set on a wired interface en0
-
that is the outbound of your laptiop netstat? Why do you have /32 bit mask set
"192.168.3.1/32"
And then this?
"192.168.3.3/32"
And you have that set on a wired interface en0
The two /32's seem to be a MacOS thing, I see them on my Mac one is the default gateway the other the actual device.
mac-pro:~ andy$ netstat -rn
Routing tablesInternet:
Destination Gateway Flags Refs Use Netif Expire
default 172.16.2.1 UGSc 50 6 en0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 8 3282 lo0
169.254 link#6 UCS 0 0 en0
172.16.2/24 link#6 UCS 4 0 en0
172.16.2.1/32 link#6 UCS 1 0 en0
172.16.2.1 0:8:a2
9d:cb UHLWIir 7 1 en0 286
172.16.2.6 6c:70:9f:d8:3b:4e UHLWI 0 0 en0 1074
172.16.2.20/32 link#6 UCS 0 0 en0
172.16.2.23 a8:20:66:10:fc:b7 UHLWI 0 0 en0 1075
172.16.2.40 40:9c:28:a2:e0:7e UHLWI 0 6 en0 1060
172.16.2.41 d0:4f:7e:85:d9:be UHLWI 0 41 en0 449
192.168.12 link#19 UC 1 0 vmnet1
192.168.33 link#20 UC 1 0 vmnet8
224.0.0/4 link#6 UmCS 1 0 en0
224.0.0.251 1:0:5e:0:0:fb UHmLWI 0 0 en0
255.255.255.255/32 link#6 UCS 0 0 en0What I see but don't in the OPs netstat is a /24 like my entry in green.
-
…..
WIFI is 192.168.3.1 because it I want it to be in different subnet. Unable to set IP as 192.168.2.2/24 as that would overlap with "LAN" interface.All my AP's have IP's like 192.168.1.2 - 192.168.1.3 etc (LAN being 192.168.1.1/24) , because they are 'dumb' converters **.
On your Wifi network you mus have a DHCP server, is this pfSense ? So it hand out IPs from pool like 192.168.2.[x-y] == LAN ? Or is your AP handing out IPs from 192.168.3.[x-y] (and in that case your AP IS a router … not a dumb device anymore)** and I want my AP's using pfSense as a gateway for their internal domestic services like NTP, DNS etc. If the IP of a AP is not in the network where it is situated, your in trouble.
-
All my AP's have IP's like 192.168.1.2 - 192.168.1.3 etc (LAN being 192.168.1.1/24) , because they are 'dumb' converters **.
On your Wifi network you mus have a DHCP server, is this pfSense ? So it hand out IPs from pool like 192.168.2.[x-y] == LAN ? Or is your AP handing out IPs from 192.168.3.[x-y] (and in that case your AP IS a router … not a dumb device anymore)** and I want my AP's using pfSense as a gateway for their internal domestic services like NTP, DNS etc. If the IP of a AP is not in the network where it is situated, your in trouble.
This is exactly the case. NTP and DNS is definitely handled by pfsense. My AP is wireless switch in different subnet. If you have a look at my OP you can see the pfsense getting DNS request. As discussed before even without the converted AP laptop getting connected to the pfsense port/interface directly I am having same issue. That rules out this as an issue with AP I believe.
-
All my AP's have IP's like 192.168.1.2 - 192.168.1.3 etc (LAN being 192.168.1.1/24) , because they are 'dumb' converters **.
On your Wifi network you mus have a DHCP server, is this pfSense ? So it hand out IPs from pool like 192.168.2.[x-y] == LAN ? Or is your AP handing out IPs from 192.168.3.[x-y] (and in that case your AP IS a router … not a dumb device anymore)** and I want my AP's using pfSense as a gateway for their internal domestic services like NTP, DNS etc. If the IP of a AP is not in the network where it is situated, your in trouble.
This is exactly the case. NTP and DNS is definitely handled by pfsense. My AP is wireless switch in different subnet. If you have a look at my OP you can see the pfsense getting DNS request. As discussed before even without the converted AP laptop getting connected to the pfsense port/interface directly I am having same issue. That rules out this as an issue with AP I believe.
All the AP is doing is bridging the LAN to Wi-Fi.
If it doesn't work when connecting directly to the ethernet port it's not an issue with the AP.
Run the command in red to verify what is providing DHCP.
Last login: Thu Feb 1 20:22:19 on console
mac-pro:~ andy$ ipconfig getoption en0 server_identifier
172.16.2.1
mac-pro:~ andy$I think you might need to start doing packet captures on the pfSense interfaces.
-
Just a thought, you mentioned you'd once had the interfaces bridged.
You have changed back the following :-
net.link.bridge.pfil_member
net.link.bridge.pfil_bridgeAs these would cause filtering on the bridge only.
https://doc.pfsense.org/index.php/Interface_Bridges
-
@NogBadTheBad At work so just vpnd home and checked
net.link.bridge.pfil_member
net.link.bridge.pfil_bridge as suggested and it appears to be off.Please see attached screenshot.
Looks like I will have to run packet capture tonight.
-
Hello everyone,
I have been unable to get my wifi AP to get to the internet.
It is connected to the different interface. DHCP works and I am able to get DHCP on the subnet. However, I cannot connect to the internet. Cannot ping subnet IP.
So far, I have LAN as 192.168.2.1
WIFI as 192.168.3.1
IPMI which I am planning to use for all my server management interface set as 192.168.4.1I have set up rules for wifi to allow for any to any connection.
I have set up my outband NAT as automatic.
I cannot see anything getting blocked in firewall either.
My AP is the router provided by my ISP and DHCP has been turned off and Ethernet is connected to LAN.
Really appreciate if you could advise what to check for.
Cheers,
Ethernet should be connected to WAN on your AP, or do you mean that Ethernet is conencted from LAN on pfsense?
No it shouldn't you'll get a double NAT if you use the WAN port, use one of the LAN port.
That is not necessarily true. If you set the router to AP mode, DHCP will not be enabled and there will not be double NAT. Hell, I use the very same setup myself, i.e Pfsense (LAN) -> switch -> (WAN) Asus router -> Wifi clients.
If I switch the cable from WAN to LAN on the Asus router (when in AP mode), it doesn't work. And why would it, any simple consumer router expects upstream connection on the WAN port, not the LAN port.
-
If you use the wan interface on a ADSL or cable Wi-Fi router you'll be routing between its wan interface and the lan & Wi-Fi interface.
There will be a NAT of your public IP address on the pfSense router then another on your ADSL or cable Wi-Fi router.
Many here will agree.
-
@NogBadTheBad At work so just vpnd home and checked
net.link.bridge.pfil_member
net.link.bridge.pfil_bridge as suggested and it appears to be off.Please see attached screenshot.
Looks like I will have to run packet capture tonight.
Hmm i'm stumped then.
-
If you use the wan interface on a ADSL or cable Wi-Fi router you'll be routing between its wan interface and the lan & Wi-Fi interface.
There will be a NAT of your public IP address on the pfSense router then another on your ADSL or cable Wi-Fi router.
Many here will agree.
Probably missed the distinction between cable/adsl router and "normal" counsumer router (without modem). I would assume that they would work in a similar fashion. Please disregard my comments if they dont!
-
Ok, the DHCP server is definately pfSense we can put that issue to bed. It is not an issue with DHCP.
$ ipconfig getoption en0 server_identifier
192.168.3.1The packet capture is as below:
23:37:23.564678 IP 192.168.3.3.5353 > 224.0.0.251.5353: UDP, length 504
23:37:23.564893 IP 192.168.3.3.55736 > 192.168.3.1.53: UDP, length 57
23:37:23.564968 IP 192.168.3.3.56214 > 192.168.3.1.53: UDP, length 58
23:37:23.565379 IP 192.168.3.3.56221 > 192.168.3.1.53: UDP, length 40
23:37:23.565381 IP 192.168.3.3.53338 > 192.168.3.1.53: UDP, length 58
23:37:23.566058 IP 192.168.3.3.61273 > 192.168.3.1.53: UDP, length 41
23:37:23.566376 IP 192.168.3.3.52096 > 192.168.3.1.53: UDP, length 41
23:37:23.567298 IP 192.168.3.3.50299 > 192.168.3.1.53: UDP, length 42
23:37:23.619931 IP 192.168.3.3 > 224.0.0.2: igmp
23:37:23.621867 IP 192.168.3.3 > 224.0.0.2: igmp
23:37:23.678451 IP 192.168.3.1.5353 > 224.0.0.251.5353: UDP, length 381
23:37:23.691769 IP 192.168.3.1.5353 > 224.0.0.251.5353: UDP, length 291
23:37:23.717323 IP 192.168.3.3.5353 > 224.0.0.251.5353: UDP, length 252
23:37:23.718800 IP 192.168.3.1.5353 > 224.0.0.251.5353: UDP, length 1096
23:37:23.765310 IP 192.168.3.3.40827 > 192.168.3.1.53: UDP, length 46
23:37:23.828317 IP 192.168.3.3.16403 > 17.173.254.222.16384: UDP, length 16
23:37:23.828546 IP 192.168.3.3.16403 > 17.173.254.222.16385: UDP, length 16
23:37:23.829258 IP 192.168.3.3.16403 > 17.173.254.223.16386: UDP, length 16
23:37:23.912807 IP 192.168.3.3.53145 > 192.168.3.1.53: UDP, length 27
23:37:23.912928 IP 192.168.3.3.54839 > 192.168.3.1.53: UDP, length 31
23:37:23.912988 IP 192.168.3.3.54295 > 192.168.3.1.53: UDP, length 50
23:37:23.913119 IP 192.168.3.3.61340 > 192.168.3.1.53: UDP, length 42
23:37:23.913244 IP 192.168.3.3.55505 > 192.168.3.1.53: UDP, length 30
23:37:23.913475 IP 192.168.3.3.49284 > 192.168.3.1.53: UDP, length 50
23:37:23.914281 IP 192.168.3.3.63063 > 192.168.3.1.53: UDP, length 43
23:37:23.949944 IP 192.168.3.3.65212 > 192.168.3.1.53: UDP, length 48
23:37:23.950247 IP 192.168.3.3.56222 > 192.168.3.1.53: UDP, length 48
23:37:23.952349 IP 192.168.3.3.50907 > 192.168.3.1.53: UDP, length 35
23:37:24.050275 IP 192.168.3.3.21751 > 192.168.3.1.53: UDP, length 34
23:37:24.050803 IP 192.168.3.3.25910 > 192.168.3.1.53: UDP, length 32
23:37:24.499358 IP 192.168.3.3.59259 > 192.168.3.1.53: UDP, length 42
23:37:24.522294 IP 192.168.3.3.27118 > 192.168.3.1.53: UDP, length 37
23:37:24.555107 IP 192.168.3.3.56400 > 192.168.3.1.192: UDP, length 4
23:37:24.559538 IP 192.168.3.3.55736 > 192.168.3.1.53: UDP, length 57
23:37:24.559573 IP 192.168.3.3.56214 > 192.168.3.1.53: UDP, length 58
23:37:24.559616 IP 192.168.3.3.53338 > 192.168.3.1.53: UDP, length 58
23:37:24.559729 IP 192.168.3.3.56221 > 192.168.3.1.53: UDP, length 40
23:37:24.559840 IP 192.168.3.3.61273 > 192.168.3.1.53: UDP, length 41
23:37:24.559960 IP 192.168.3.3.52096 > 192.168.3.1.53: UDP, length 41
23:37:24.566590 IP 192.168.3.3.5353 > 224.0.0.251.5353: UDP, length 676
23:37:24.777339 IP 192.168.3.3.61863 > 192.168.3.1.53: UDP, length 46
23:37:24.894125 IP 192.168.3.3.53145 > 192.168.3.1.53: UDP, length 27
23:37:24.894372 IP 192.168.3.3.54839 > 192.168.3.1.53: UDP, length 31
23:37:24.894379 IP 192.168.3.3.54295 > 192.168.3.1.53: UDP, length 50
23:37:24.895705 IP 192.168.3.3.61340 > 192.168.3.1.53: UDP, length 42
23:37:24.896116 IP 192.168.3.3.55505 > 192.168.3.1.53: UDP, length 30
23:37:24.898720 IP 192.168.3.3.49284 > 192.168.3.1.53: UDP, length 50
23:37:24.908239 IP 192.168.3.3.63063 > 192.168.3.1.53: UDP, length 43
23:37:24.944160 IP 192.168.3.3.65212 > 192.168.3.1.53: UDP, length 48
23:37:24.946450 IP 192.168.3.3.56222 > 192.168.3.1.53: UDP, length 48
23:37:24.955006 IP 192.168.3.3.50907 > 192.168.3.1.53: UDP, length 35
23:37:25.050644 IP 192.168.3.3.64095 > 192.168.3.1.53: UDP, length 39
23:37:25.051365 IP 192.168.3.3.26479 > 192.168.3.1.53: UDP, length 35
23:37:25.057382 IP 192.168.3.3.56400 > 192.168.3.1.192: UDP, length 4
23:37:25.062321 IP 192.168.3.3.65264 > 192.168.3.1.53: UDP, length 34
23:37:25.063264 IP 192.168.3.3.30159 > 192.168.3.1.53: UDP, length 32
23:37:25.457114 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 300
23:37:25.457435 IP 192.168.3.1.67 > 192.168.3.3.68: UDP, length 300
23:37:25.502920 IP 192.168.3.3.59259 > 192.168.3.1.53: UDP, length 42
23:37:25.533404 IP 192.168.3.3.47607 > 192.168.3.1.53: UDP, length 37
23:37:25.918699 IP 192.168.3.3.16403 > 17.173.254.222.16384: UDP, length 16
23:37:25.919224 IP 192.168.3.3.16403 > 17.173.254.222.16385: UDP, length 16
23:37:25.919245 IP 192.168.3.3.16403 > 17.173.254.223.16386: UDP, length 16
23:37:26.061372 IP 192.168.3.3.44341 > 192.168.3.1.53: UDP, length 39
23:37:26.062385 IP 192.168.3.3.27684 > 192.168.3.1.53: UDP, length 35
23:37:26.563862 IP 192.168.3.3.55736 > 192.168.3.1.53: UDP, length 57
23:37:26.563955 IP 192.168.3.3.56214 > 192.168.3.1.53: UDP, length 58
23:37:26.564059 IP 192.168.3.3.53338 > 192.168.3.1.53: UDP, length 58
23:37:26.564180 IP 192.168.3.3.56221 > 192.168.3.1.53: UDP, length 40
23:37:26.564286 IP 192.168.3.3.61273 > 192.168.3.1.53: UDP, length 41
23:37:26.564403 IP 192.168.3.3.52096 > 192.168.3.1.53: UDP, length 41
23:37:26.564678 IP 192.168.3.3.56400 > 192.168.3.1.192: UDP, length 4
23:37:26.796549 IP 192.168.3.3.50352 > 192.168.3.1.53: UDP, length 46
23:37:26.895081 IP 192.168.3.3.53145 > 192.168.3.1.53: UDP, length 27
23:37:26.895316 IP 192.168.3.3.54839 > 192.168.3.1.53: UDP, length 31
23:37:26.895988 IP 192.168.3.3.54295 > 192.168.3.1.53: UDP, length 50
23:37:26.896813 IP 192.168.3.3.61340 > 192.168.3.1.53: UDP, length 42
23:37:26.896988 IP 192.168.3.3.55505 > 192.168.3.1.53: UDP, length 30
23:37:26.899847 IP 192.168.3.3.49284 > 192.168.3.1.53: UDP, length 50
23:37:26.909471 IP 192.168.3.3.63063 > 192.168.3.1.53: UDP, length 43
23:37:26.945472 IP 192.168.3.3.65212 > 192.168.3.1.53: UDP, length 48
23:37:26.948210 IP 192.168.3.3.56222 > 192.168.3.1.53: UDP, length 48
23:37:26.953529 IP 192.168.3.3.50907 > 192.168.3.1.53: UDP, length 35
23:37:27.064980 IP 192.168.3.3.56400 > 192.168.3.1.192: UDP, length 4
23:37:27.083498 IP 192.168.3.3.63089 > 192.168.3.1.53: UDP, length 34
23:37:27.084380 IP 192.168.3.3.49699 > 192.168.3.1.53: UDP, length 32
23:37:27.129341 IP 192.168.3.3.52371 > 192.168.3.1.53: UDP, length 42
23:37:27.555757 IP 192.168.3.3.53540 > 192.168.3.1.53: UDP, length 37
23:37:27.573832 IP 192.168.3.3.5353 > 224.0.0.251.5353: UDP, length 676
23:37:27.775351 IP 192.168.3.3.55105 > 192.168.3.1.53: UDP, length 39
23:37:27.799915 IP 192.168.3.3.50352 > 192.168.3.1.53: UDP, length 46
23:37:28.084606 IP 192.168.3.3.63089 > 192.168.3.1.53: UDP, length 34
23:37:28.084660 IP 192.168.3.3.49699 > 192.168.3.1.53: UDP, length 32
23:37:28.084937 IP 192.168.3.3.57463 > 192.168.3.1.53: UDP, length 39
23:37:28.085387 IP 192.168.3.3.62478 > 192.168.3.1.53: UDP, length 35
23:37:28.133873 IP 192.168.3.3.52371 > 192.168.3.1.53: UDP, length 42
23:37:28.559770 IP 192.168.3.3.53540 > 192.168.3.1.53: UDP, length 37
23:37:28.779774 IP 192.168.3.3.55105 > 192.168.3.1.53: UDP, length 39
23:37:29.088963 IP 192.168.3.3.57463 > 192.168.3.1.53: UDP, length 39
23:37:29.089067 IP 192.168.3.3.62478 > 192.168.3.1.53: UDP, length 35In this I have tried to go to a website and tried pinging the server. Somehow the DNS request is getting to the server but not the ICMP. And there is no TCP traffic just DNS.
I am perplexed why pfsense is not answering. Please note the packet capture file is in cap format.
