Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Can't access second AP from clients connected to my main AP

    Scheduled Pinned Locked Moved General pfSense Questions
    17 Posts 5 Posters 1.5k Views 5 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • bthovenB Offline
      bthoven @Gertjan
      last edited by bthoven

      @gertjan All the vlans defined on my dd-wrt have corresponding VLAN interfaces on my pfSense; thus having their own firewall rules and dhcp servers.

      ps: you can access my dd-wrt admin page?

      GertjanG 2 Replies Last reply Reply Quote 0
      • GertjanG Offline
        Gertjan @bthoven
        last edited by Gertjan

        @bthoven said in Can't access second AP from clients connected to my main AP:

        ps: you can access my dd-wrt admin page?

        Oops.
        Ok, this is normally ruled by a very strict "Need to know" basis but I can guess I can inform you that :

        I have 3 DD-WRT devices running on my own Wifi network.

        😊

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
        • GertjanG Offline
          Gertjan @bthoven
          last edited by

          @bthoven said in Can't access second AP from clients connected to my main AP:

          thus having their own firewall rules

          Well, inspect them all.
          Can you see traffic coming in ? check the counter, make the rules log - or even "sniff" (packet capture) if you have to.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          1 Reply Last reply Reply Quote 0
          • T Offline
            ThatGuy
            last edited by ThatGuy

            @Gertjan and @bthoven

            Just to clarify something, “AP isolation” in consumer grade routers doesn’t do everything you think it does. AP isolation only prevents wireless clients connected wirelessly to the same AP from talking to each other. It does not prevent Wireless Clients from talking to Wired Clients. Since @bthoven has two separate DD-WRT APs connected via hard wire, AP Isolation isn’t applicable when Client A is connected to AP1 and wants to communicate with Client B on AP2. DD-WRT doesn’t work like a true Mesh network, hence there is no “controller” that rules them all.

            It’s easy to test by connecting a Wireless Client with AP Isolation turned on in DD-WRT and connecting a wired client to the switch or a free AP port. (I’m betting @bthoven has got 3 open ports on the APs as they are probably routers that have been turned into APs.) Disable the software firewalls on both wireless and wired clients. Try to ping each other and watch the replies flow. Yes, they can talk to each other even with AP isolation on. Only wireless clients attached to the same AP could not talk to each other.

            Now products from Ubiquiti with “Controllers” have “Guest Policies” that can prevent wireless clients from talking to wireless and wired clients on the network. It’s probably because their APs have some managed switch/magic sauce in them.

            ThatGuy

            bthovenB 1 Reply Last reply Reply Quote 0
            • bthovenB Offline
              bthoven @ThatGuy
              last edited by

              @thatguy Thank you.

              Only my main AP (Archer C9 wifi router turned to DD-WRT AP) is running DD-WRT.
              My 2nd wifi AP is a one-ethernet-port AP (Tplink TL-WA801ND with its stock firmware) which supports 4 multi-ssids with associating VLAN ids.

              1 Reply Last reply Reply Quote 0
              • stephenw10S Offline
                stephenw10 Netgate Administrator
                last edited by

                What IPs are you actually trying to connect between?

                I assume you have those NICs bridged in pfSense? Or at least the VLANs bridged?

                You have something there that seems to be labelled 'VLAN1 tagged'.
                Is that actually a VLAN tagged 1? You should avoid using VLAN1 if at all possible.

                Steve

                bthovenB 1 Reply Last reply Reply Quote 0
                • bthovenB Offline
                  bthoven @stephenw10
                  last edited by bthoven

                  @stephenw10
                  What IPs are you actually trying to connect between?
                  e.g. 192.168.2.90 (main AP LAN)---> 192.168.8.254 (my 2nd AP network IP for admin)

                  I assume you have those NICs bridged in pfSense? Or at least the VLANs bridged?
                  no. Do I have to, why?

                  You have something there that seems to be labelled 'VLAN1 tagged'.
                  Is that actually a VLAN tagged 1?
                  I don't know because my 2nd AP VLAN ID settings do not have tagged option

                  You should avoid using VLAN1 if at all possible.
                  As mentioned in my previous reply, I did try replacing VLAN id 1 with other id number, I can no longer access internet from any clients connected to all ssids.

                  bthovenB 1 Reply Last reply Reply Quote 0
                  • bthovenB Offline
                    bthoven @bthoven
                    last edited by

                    Update: The only IP address on my 2nd AP that I can't access from hosts on my main IP is 192.168.8.254 which I assign as my 2nd AP network IP (to manage my 2nd AP via 192.168.8.254).
                    I can ping from hosts connected to my main AP to other hosts connected my 2nd AP.

                    GertjanG 1 Reply Last reply Reply Quote 0
                    • GertjanG Offline
                      Gertjan @bthoven
                      last edited by

                      @bthoven said in Can't access second AP from clients connected to my main AP:

                      Update: The only IP address on my 2nd AP that I can't access from hosts on my main IP is 192.168.8.254 which I assign as my 2nd AP network IP (to manage my 2nd AP via 192.168.8.254).

                      You set the gateway on this AP2 ?
                      It should be the IP of the pfsense LAN where it is connected to .

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S Offline
                        stephenw10 Netgate Administrator
                        last edited by

                        If you're just routing between subnets there is no need to bridge anything. That should work fine as long as there are rules to pass the traffic in pfSense.

                        The most likely cause here is that AP2 does not allow connections to it's management interface from outside it's own subnet. At least by default, you may be able to enable it.

                        You could work past that with an outbound NAT rule in pfSense if you have to.

                        Steve

                        bthovenB 1 Reply Last reply Reply Quote 0
                        • bthovenB Offline
                          bthoven @stephenw10
                          last edited by bthoven

                          @stephenw10 Thanks. I start to believe what you said that my AP2 does not alow connections to its management interface from outside its own subnet. My Aruba AP connection with similar manner doesn't have such problem.

                          I'm not sure how to set outbound NAT rule in pfSense. Could you elaborate more? I intend to allow my main AP LAN 192.168.2.0/24 to access 192.168.8.254 (my 2nd AP).

                          Update: I create this outbound NAT, and now I can access the 2nd AP admin page from my main LAN client...Do you think the setting needs to be tweak? Will it have any side effect to any other access?
                          pfsense_tlwa801nd_outbound_nat.jpeg

                          1 Reply Last reply Reply Quote 0
                          • stephenw10S Offline
                            stephenw10 Netgate Administrator
                            last edited by

                            That looks good if you need to be able to access it from any IP in the main LAN subnet.

                            You can set the address family to IPv4 only.

                            Of course it would still be better to just set that subnet as allowed in the AP if possible.

                            Steve

                            bthovenB 1 Reply Last reply Reply Quote 0
                            • bthovenB Offline
                              bthoven @stephenw10
                              last edited by

                              @stephenw10 Thanks. I changed it to ip4 only as you suggested. I may be limiting only one main LAN ip to access it.
                              I can't do anything else on my 2nd AP because it has limited setting options.
                              Thanks again.

                              1 Reply Last reply Reply Quote 1
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.