Netgate Discussion Forum

    Wireless interface & Bridge weirdness

    • D
      deajan

      Hello,

      I'm changing my old VIA C7 pfSense box to a newer (and cheap) all integrated model (see http://www.pondesk.com/product/Intel-J1900-4-LAN-NIC-Firewall-Router-WiFi-Fanless-Mini-PC_MNHO-022 ).

      I've set up my system the same way I usually do:
      bridge WLAN + LAN ports together, disable bridged member filtering and enable bridge filtering

      And here I am with a strange issue.

      My computer gets disconnected from the WLAN network every single minute.
      I found out this had to do with WPA rekeying, here's a sample output from my wireless log:

      
      Time	Process	PID	Message
      Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf IEEE 802.1X: unauthorizing port
      Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: event 2 notification
      Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf IEEE 802.11: disassociated
      Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf MLME: MLME-DELETEKEYS.request(30:75:12:xx:xx:xx)
      Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf MLME: MLME-DEAUTHENTICATE.indication(30:75:12:xx:xx:xx, 2)
      Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf IEEE 802.1X: unauthorizing port
      Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: event 3 notification
      Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: PTKSTART: Retry limit 4 reached
      Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: EAPOL-Key timeout
      Jun 17 17:16:03	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: invalid MIC in msg 2/4 of 4-Way Handshake
      Jun 17 17:16:03	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: received EAPOL-Key frame (2/4 Pairwise)
      Jun 17 17:16:03	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: sending 1/4 msg of 4-Way Handshake
      Jun 17 17:16:03	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: EAPOL-Key timeout
      Jun 17 17:16:02	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: invalid MIC in msg 2/4 of 4-Way Handshake
      Jun 17 17:16:02	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: received EAPOL-Key frame (2/4 Pairwise)
      Jun 17 17:16:02	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: sending 1/4 msg of 4-Way Handshake
      Jun 17 17:16:02	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: EAPOL-Key timeout
      Jun 17 17:16:01	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: invalid MIC in msg 2/4 of 4-Way Handshake
      Jun 17 17:16:01	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: received EAPOL-Key frame (2/4 Pairwise)
      Jun 17 17:16:01	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: sending 1/4 msg of 4-Way Handshake
      Jun 17 17:16:01	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: EAPOL-Key timeout
      Jun 17 17:16:00	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: invalid MIC in msg 2/4 of 4-Way Handshake
      Jun 17 17:16:00	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: received EAPOL-Key frame (2/4 Pairwise)
      Jun 17 17:16:00	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: sending 1/4 msg of 4-Way Handshake
      Jun 17 17:16:00	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf IEEE 802.1X: unauthorizing port
      Jun 17 17:16:00	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: start authentication
      Jun 17 17:16:00	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: event 1 notification
      Jun 17 17:16:00	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf IEEE 802.11: associated
      Jun 17 17:15:57	hostapd		run0_wlan0: STA e0:94:67:56:fb:44 WPA: group key handshake completed (RSN)
      Jun 17 17:15:57	hostapd		run0_wlan0: STA e0:94:67:56:fb:44 WPA: received EAPOL-Key frame (2/2 Group)
      Jun 17 17:15:57	hostapd		run0_wlan0: STA e0:94:67:56:fb:44 WPA: sending 1/2 msg of Group Key Handshake
      Jun 17 17:15:57	hostapd		run0_wlan0: WPA rekeying GTK
      
      

      If I happen to remove the WLAN interface from the bridge and add a static IP, I can use it without problems.
      If I happen to leave it in the bridge but disable WPA encryption, I can use it without problems too.

      I thought this might come from the run wlan driver, so I tried to change the mini PCIE card without luck. No other cards (tried two known working Atheros cards) are recognized. It seems that only the PCIE/USB integrated card works (which is this one: https://wikidevi.com/wiki/AzureWave_AW-NU706H ).

      Any clues of what I can do to get my setup with a nice WLAN bridge ?

      Regards,
      Ozy.

      PS: I usually go for SG 2440 or SG 4860 units, but this is for my home and should be as small as possible.

      NetPOWER.fr - some opensource stuff for IT people
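
A per-station tally of the hostapd events in the excerpt above, as an added example that is not part of the original post: it parses lines in the tab-separated, newest-first format shown, replays them oldest-first, and reports which stations never completed the pairwise 4-way handshake. The names `summarize`, `verdict` and `EVENTS` are hypothetical; the sample is abridged from the excerpt.

```python
import re
from collections import defaultdict

# Constructed sample: lines abridged from the excerpt in the post, newest first
# and tab-separated, as the log view prints them.
A, B = "30:75:12:82:1f:cf", "e0:94:67:56:fb:44"
ROWS = [
    ("17:16:04", A, "IEEE 802.11: disassociated"),
    ("17:16:04", A, "WPA: PTKSTART: Retry limit 4 reached"),
    ("17:16:04", A, "WPA: EAPOL-Key timeout"),
    ("17:16:03", A, "WPA: invalid MIC in msg 2/4 of 4-Way Handshake"),
    ("17:16:03", A, "WPA: sending 1/4 msg of 4-Way Handshake"),
    ("17:16:02", A, "WPA: invalid MIC in msg 2/4 of 4-Way Handshake"),
    ("17:16:02", A, "WPA: sending 1/4 msg of 4-Way Handshake"),
    ("17:16:00", A, "IEEE 802.11: associated"),
    ("17:15:57", B, "WPA: group key handshake completed (RSN)"),
]
SAMPLE = "\n".join(f"Jun 17 {t}\thostapd\t\trun0_wlan0: STA {s} {m}" for t, s, m in ROWS)
SAMPLE += "\nJun 17 17:15:57\thostapd\t\trun0_wlan0: WPA rekeying GTK"

LINE = re.compile(r"hostapd\s+\S+: STA ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$")
# Message substring -> counter. Texts are those visible in the excerpt, plus
# hostapd's "pairwise key handshake completed" success line.
EVENTS = {
    "sending 1/4 msg of 4-Way Handshake": "msg1_sent",
    "invalid MIC in msg 2/4": "invalid_mic",
    "EAPOL-Key timeout": "timeouts",
    "Retry limit": "retry_limit",
    "pairwise key handshake completed": "pairwise_ok",
    "group key handshake completed": "group_ok",
    "disassociated": "disassoc",
}

def summarize(log_text):
    """Return {sta: counters}; 'last' is the newest recognised event per station."""
    stats = defaultdict(lambda: {**dict.fromkeys(EVENTS.values(), 0), "last": None})
    for line in reversed(log_text.splitlines()):   # log view is newest first
        m = LINE.search(line)
        if not m:
            continue                               # e.g. "WPA rekeying GTK" names no STA
        for needle, key in EVENTS.items():
            if needle in m[2]:
                stats[m[1]][key] += 1
                stats[m[1]]["last"] = key
    return dict(stats)

def verdict(s):
    """Flag a station that started 4-way handshakes but never completed one."""
    if s["msg1_sent"] and not s["pairwise_ok"]:
        return "FAIL: {msg1_sent} attempts, {invalid_mic} invalid MIC, last={last}".format(**s)
    return "no pairwise handshake failure in window"
```

hostapd also logs an invalid MIC on msg 2/4 when a client's passphrase does not match, so the same counters are useful for spotting stations that repeatedly fail authentication.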

      • johnpozJ
        johnpoz LAYER 8 Global Moderator

        I just do not get the fascination of bridging your wifi to lan..  If what you want is your wifi on the same network as your lan why do you not just get an AP and plug it into your lan network.

        But why do you think you need your wifi on the same network as your lan?  Why can it not be its own network segment?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • D
          deajan

          Well, convenience, not having to set up routes between networks, no double config.
          I could get an AP, sure, but my setup is like 10x10x4cm and would double / triple its size.

          Anyway, I understand why you are saying this, but the BRIDGE / WPA bug remains the same.

          Anyone please ?

          • johnpozJ
            johnpoz LAYER 8 Global Moderator

            "would double / triple its size."

            Huh??  If you got a real AP I would suggest you mount it for proper wifi coverage.  So it would have nothing to do with the size of the box you're running pfsense on.

            Why do you think you need to set up routes?  Pfsense knows how to route between networks it's directly attached to.. So no extra setup there.  Yes you would have to create a firewall rule.  But since you don't seem to care that your devices are on the same network anyway.  Just make your rule any any, and there you go - one time 2 seconds of setup.

            Your issues are self-inflicted if you ask me.. Not going to go through all the hassle of trying to duplicate your issue, which is going to be very common around here because anyone that has a clue to what they're doing doesn't set up bridge between their wifi and their lan ;)

            • D
              deajan

              @johnpoz:

              anyone that has a clue to what they're doing doesn't set up bridge between their wifi and their lan ;)

              Well then, ALL home routers are doomed it seems as they generally bridge LAN/WLAN :)
              I use pfSense a lot in business where I do have specific WLAN rules, external APs and captive portals, but this is my home setup.
              My earlier machine bridged LAN/WLAN perfectly since pfSense 2.0-beta release.

              I am not the only one who encountered this problem it seems on this forum, so investigating would probably not be so bad.
              I do understand that you don't want to bridge, but IMHO it's a neat feature to have at home.

              • D
                deajan

                Reply to myself:

                The run(4) driver isn't particularly stable with my RT3070 mini pci-e usb wlan interface.
                I get some "device timeout" messages, then I have to disable / enable the interface for the wlan to work again.
                Might be the reason the bridge doesn't work as expected.

                Problem: the mini computer I bought has a mini PCI-E port that only supports USB devices (!?!), I've tried with some other mini PCI-E wlan cards that weren't detected at all by the system.

                So for whoever plans to buy a J1900 pfsense box from pondesk, please bear in mind that the WLAN is crap and you cannot change it.

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator

                  "ALL home routers are doomed"

                  Who said that, you will always have the clueless masses buy the next shiny box the makers put out that has a higher number on it for "wifi" speed..  More antennas – damn straight users will buy this..

                  This doesn't even have support for vlans..  But does it look cool ;)  And hey it says on the box "Wi-Fi speeds up to 5.3 Gbps*" do you think the user reads the little *..  Retails for $400 - love the specs on its range.. "Large Home" ;)

                  "I do understand that you don't want to bridge, but IMHO it's a neat feature to have at home"

                  Neat feature for what reason?  What does it get you??  What exactly is the advantage of having your wifi devices on the same layer 2 as all your other devices? The pfsense store has pulled the ability to order wifi cards for their appliances.. Long time coming if you ask me.  They suggest you buy an actual AP for your wifi.. If you want that on same layer 2 there you go plug it into that network and away you go..

                  The one thing I would hope to see in future home routers is ability to better isolate different devices.. You really want that china iot toaster you got on the same network as everything else in your home?

                  • D
                    deajan

                    I'm talking about the basic wifi router "box" your ISP gives you for the home.
                    I use to put them in modem-bridge mode with a pfSense behind if they support bridge, but a lot of people won't do that.

                    In my case I do need routing between the different networks (LAN & WLAN) as a couple of my boxes on the LAN use OpenVPN and need a "route add" directive to be able to talk with my laptop that administrates them.

                    Anyway, this isn't a discussion of why I want to bridge LAN-WLAN, but I think that the pfSense team maybe could mention that this setup isn't stable depending on the wlan driver used.

                    Regards,
                    Ozy.

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator

                      why do you need routing?  Like I said pfsense will already know how to route between your different segments that are attached to pfsense.

                      If you're going to run a vpn client on the box in the lan with some sort of default route to the vpn, then sure you would need a route statement on that box telling it to use pfsense IP in its segment to get to other segments in pfsense.

                      You would only need a route on pfsense if you needed to get to some downstream network.
