Wired APs drop internet access but not LAN, help
-
I have wired APs that provide wifi around the house. Every once in a while, maybe once a week on average, I will lose internet connection on the APs over wifi. Anything I have hardwired through the main switch works perfectly as it should. Even on wifi, I can still connect back to pfSense. It takes longer to initially get in to the admin/backend, but once it loads then it is snappy and quick as you would expect. I just don't have access outside of the LAN at this point when connected to wifi.
I'm not quite sure where to begin troubleshooting this issue. Any guidance or suggestions would be greatly appreciated. Thanks in advance for any assistance that points me in the right direction.
-
Do you have real access points? Or are you using routers, possibly connected via the WAN port?
-
I have 3 different APs and they will all go down, with respect to internet access, at the same time.
One is an airport express, apple base station router, and another is a netgear router. They are all setup in AP mode with static IPs. It doesn't matter if I have just one connected to the network or all of them.
Another thing to note is that I can power cycle one of them when they all go down and that still doesn't change the connectivity of that APs wifi ability in regard to internet access.
This leads me back to pfsense. The only package I have installed is iperf and it was doing this before iperf. This has been something it has been doing for years and it has done it before and after upgrades. It is just something I would like to get figured out. I CAN live with it, but it just annoys me more than anything.
-
That doesn't sound like something pfSense would cause. Do devices connected via WiFi only lose Internet access? Can they still reach other things on the network?
-
Yes, that is correct. They will only lose internet access. I can still connect to anything on the LAN. The thing I do notice is that it takes a while to connect back to the pfsense admin when trying to login over wifi. Once it logs in then it works quickly as it normally would.
Is there a log that may give me some clues on this? I've tried to do pings and traceroutes, but it didn't really provide much insight as to what was happening as they weren't specific enough to show each device hop.
The static IPs assigned are outside of the DHCP range, so there wouldn't be a conflict there causing something weird.
-
That one AP affects others makes me think there's an address conflict. Do all three have different IPs? I don't suppose you might have cloned their MAC addresses at some time. Do the devices connected via WiFi maintain the WiFi link? What happens if you ping pfSense from one of those devices? Also, pfSense has Packet Capture, which can be used to capture packets for examination.
-
It's not one ap that affects others. When they "go down" they all do at the same time.
They have different IPs and mac addresses. I just checked this again.
Yes, the devices maintain the wifi link with the AP, they just can't connect to outside the LAN.
I believe I can ping pfsense since I can log in to it over wifi through the APs. I can not actively check/troubleshoot because the system is up right now. I can look at settings and how to take a look at logs etc... for when it happens again.
I've never used packet capture. Is there a way I can more closely monitor a request to ping something outside of the network? That way I can see each device hop. I can take a look at the package capture as well to see if it hits pfsense and what it is trying to do.
Any troubleshooting tips, tools, logs to look at etc... as I'm quite familiar with most of the network related things, but don't know a whole lot about trouble shooting.
-
For problems like this, you have to take things one step at a time.
Check addresses, check connections.
If you can ping pfSense, can you ping 8.8.8.8? If so, can you ping www.yahoo.com?Like any other problem, it's a matter of breaking it down into smaller pieces.
I have been running pfSense for over 3 years and never had a problem with WiFi.
-
I agree, it is a strange issue indeed. I have been running pfsense for probably 7-8 yrs.
I can say without certainty that I can not ping 8.8.8.8. I have tried this when it has gone down.
-
Try running Packet Capture, it's located on the Diagnostics page. Filter on IPv4 and the IP address of some device connected via WiFi. Try pinging 8.8.8.8 again, and see what turns up in the capture.
Also, what response do you get when you ping 8.8.8.8 and it fails?
WiFi is effectively a bridge between the wireless device and the LAN. It should be transparent, as though the device was directly connected to the LAN.
-
Thanks for the troubleshooting step. I will have to wait for the APs to go down again before I can try that. I will post up as soon as they do. Sometimes it does it once a week and sometimes it does it a couple times a day. I would say on average it is once or twice a week.
-
It is something associated with openVPN. I was able to simply restart just this service after looking at some logs and deducing that perhaps that could be it.
I was able to ping EVERYTHING on the network. Once I tried to ping anything outside the network then it failed with 100% packet loss.
Jul 9 00:15:02 openvpn NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 9 00:15:48 openvpn RESOLVE: Cannot resolve host address: nl.privateinternetaccess.com:1198 (hostname nor servname provided, or not known)
Jul 9 00:16:35 openvpn RESOLVE: Cannot resolve host address: nl.privateinternetaccess.com:1198 (hostname nor servname provided, or not known)
Jul 9 00:16:35 openvpn Could not determine IPv4/IPv6 protocol
Jul 9 00:16:35 openvpn SIGUSR1[soft,init_instance] received, process restartingOpenVPN was no longer connected to the VPN service at this point. the moment it restarted it regained connection and everything began working again.
-
That doesn't make sense. An OpenVPN problem should have affected everything, not just WiFi stuff.
-
Are the wifi access points connected to the same interface, same subnet, as wired devices that are not disconnected?
Steve
-
Yes, everything is connected to the same device and the same interface.
By default, everything goes through open vpn, however the firewall rules I have specific IPs that I can allow to pass by the VPN and be routed without VPN.
It does not matter if the wifi device has been granted the ability to not go through openVPN or not, it will not have internet access.
-
@Live4soccer7 said in Wired APs drop internet access but not LAN, help:
Yes, everything is connected to the same device and the same interface.
Please draw how you have this connected... And lets be 100% sure that these devices are actually AP.. Since what you say makes zero sense...
What are the IPs in play here? Pfsense doesn't know if a client is wired or wireless... So if your policy routing device with IP 1.2.3.4 out your vpn, and your vpn goes down then sure that makes sense. So all of your wireless devices get IP in range that you policy route out? Lets see your actual rules..
And if I change rule for IP 1.2.3.4 to not policy route, then it would not policy route it.. You will want to make sure you kill any old states for that IP.
-
I've been baffled myself as it has never made much sense to me either in the way that it happens.
I have changed some openVPN settings/configurations. I am not seeing any errors or weird things in the logs, so I think I'll be watching to see if it goes down again.
It is possible that it was only traffic going through the VPN that was effected. I swore I checked a device that wasn't routed through the VPN and it didn't work, but I'm starting to think I must be wrong on that.
-
Reading this guide on PIA and OpenVPN: https://www.ovpn.com/en/guides/pfsense
I'm not quite sure what these are or if they are necessary to change as suggested. I have not seen them mentioned in any other guide.
Deselect, so that Allow DNS server list to be overridden by DHCP/PPP on WAN is not checked
Select, so that Do not use the DNS Forwarder or Resolver as a DNS server for the firewall is checked
-
You would not ant dns from your isp - this is a given, and really should always be checked.. Since its pointless when you resolve which is pfsense default.
If you uncheck to let pfsense to use itself for dns - then it would have to be able to use something else for dns.. And it wouldn't be able to resolve any of your local stuff if not asking itself for dns. ie resolver or forwarder - 127.0.0.1
Neither of those two optioins have anything to do with your issue!!
-
@Live4soccer7 said in Wired APs drop internet access but not LAN, help:
Deselect, so that Allow DNS server list to be overridden by DHCP/PPP on WAN is not checked
Select, so that Do not use the DNS Forwarder or Resolver as a DNS server for the firewall is checkedThanks!
If I'm reading your statement correct, then the following would be the correct selection for those two options:
Check This Box: Allow DNS server list to be overridden by DHCP/PPP on WAN
Do NOT Check this Box: Do not use the DNS Forwarder or Resolver as a DNS server for the firewall
Edit, I believe the issue was a cert/security algorithm issue with PIA. For whatever reason it wasn't negotiating the correct algorithm, but was still compensating for it on the PIA side. I was seeing an error associated with this. I had to change the cert, port, algo etc... Since doing that, I haven't seen any errors.
Jul 9 00:50:56 openvpn WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
I currently have a ticket open with them to hopefully get the correct algos working properly. As of now, I have not seen near as much in the logs.
