Wireless interface & Bridge weirdness



  • Hello,

    I'm changing my old VIA C7 pfSense box to a newer (and cheap) all integrated model (see http://www.pondesk.com/product/Intel-J1900-4-LAN-NIC-Firewall-Router-WiFi-Fanless-Mini-PC_MNHO-022 ).

    I've set up my system the same way I usually do:
    bridge WLAN + LAN ports together, disable bridged member filtering and enable bridge filtering

    And here I am with a strange issue.

    My computer gets disconnected from the WLAN network every single minute.
    I found out this had to do with WPA rekeying, here's a sample output from my wireless log:

    
    Time	Process	PID	Message
    Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf IEEE 802.1X: unauthorizing port
    Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: event 2 notification
    Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf IEEE 802.11: disassociated
    Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf MLME: MLME-DELETEKEYS.request(30:75:12:xx:xx:xx)
    Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf MLME: MLME-DEAUTHENTICATE.indication(30:75:12:xx:xx:xx, 2)
    Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf IEEE 802.1X: unauthorizing port
    Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: event 3 notification
    Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: PTKSTART: Retry limit 4 reached
    Jun 17 17:16:04	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: EAPOL-Key timeout
    Jun 17 17:16:03	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: invalid MIC in msg 2/4 of 4-Way Handshake
    Jun 17 17:16:03	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: received EAPOL-Key frame (2/4 Pairwise)
    Jun 17 17:16:03	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: sending 1/4 msg of 4-Way Handshake
    Jun 17 17:16:03	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: EAPOL-Key timeout
    Jun 17 17:16:02	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: invalid MIC in msg 2/4 of 4-Way Handshake
    Jun 17 17:16:02	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: received EAPOL-Key frame (2/4 Pairwise)
    Jun 17 17:16:02	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: sending 1/4 msg of 4-Way Handshake
    Jun 17 17:16:02	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: EAPOL-Key timeout
    Jun 17 17:16:01	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: invalid MIC in msg 2/4 of 4-Way Handshake
    Jun 17 17:16:01	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: received EAPOL-Key frame (2/4 Pairwise)
    Jun 17 17:16:01	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: sending 1/4 msg of 4-Way Handshake
    Jun 17 17:16:01	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: EAPOL-Key timeout
    Jun 17 17:16:00	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: invalid MIC in msg 2/4 of 4-Way Handshake
    Jun 17 17:16:00	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: received EAPOL-Key frame (2/4 Pairwise)
    Jun 17 17:16:00	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: sending 1/4 msg of 4-Way Handshake
    Jun 17 17:16:00	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf IEEE 802.1X: unauthorizing port
    Jun 17 17:16:00	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: start authentication
    Jun 17 17:16:00	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf WPA: event 1 notification
    Jun 17 17:16:00	hostapd		run0_wlan0: STA 30:75:12:82:1f:cf IEEE 802.11: associated
    Jun 17 17:15:57	hostapd		run0_wlan0: STA e0:94:67:56:fb:44 WPA: group key handshake completed (RSN)
    Jun 17 17:15:57	hostapd		run0_wlan0: STA e0:94:67:56:fb:44 WPA: received EAPOL-Key frame (2/2 Group)
    Jun 17 17:15:57	hostapd		run0_wlan0: STA e0:94:67:56:fb:44 WPA: sending 1/2 msg of Group Key Handshake
    Jun 17 17:15:57	hostapd		run0_wlan0: WPA rekeying GTK
    
    

    If I happen to remove the WLAN interface from the bridge and add a static IP, I can use it without problems.
    If I happen to leave it in the bridge but disable WPA encryption, I can use it without problems too.

    I thought this might come from the run wlan driver, so I tried to change the mini PCIE card without luck. No other card (tried two known working Atheros cards) is recognized. It seems that only the PCIE/USB integrated card works (which is this one: https://wikidevi.com/wiki/AzureWave_AW-NU706H ).

    Any clues of what I can do to get my setup with a nice WLAN bridge ?

    Regards,
    Ozy.

    PS: I usually go for SG 2440 or SG 4860 units, but this is for my home and should be as small as possible.
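
An added example, not part of the original post: a small Python parser for hostapd output in the layout of the log above, which groups events per station and reports the ones whose 4-way handshake never gets past message 2/4. The sample lines and MAC addresses are constructed, the function names are illustrative, and "pairwise key handshake completed" is the hostapd message assumed here to mark success (it does not appear in the log above).

```python
import re

# Constructed sample (made-up MACs), newest-first and tab-separated like the log above.
SAMPLE = """\
Jun 17 17:16:04\thostapd\t\trun0_wlan0: STA 02:00:00:00:00:01 IEEE 802.11: disassociated
Jun 17 17:16:04\thostapd\t\trun0_wlan0: STA 02:00:00:00:00:01 WPA: PTKSTART: Retry limit 4 reached
Jun 17 17:16:01\thostapd\t\trun0_wlan0: STA 02:00:00:00:00:01 WPA: invalid MIC in msg 2/4 of 4-Way Handshake
Jun 17 17:16:01\thostapd\t\trun0_wlan0: STA 02:00:00:00:00:01 WPA: sending 1/4 msg of 4-Way Handshake
Jun 17 17:16:00\thostapd\t\trun0_wlan0: STA 02:00:00:00:00:01 WPA: invalid MIC in msg 2/4 of 4-Way Handshake
Jun 17 17:16:00\thostapd\t\trun0_wlan0: STA 02:00:00:00:00:01 WPA: sending 1/4 msg of 4-Way Handshake
Jun 17 17:16:00\thostapd\t\trun0_wlan0: STA 02:00:00:00:00:01 IEEE 802.11: associated
Jun 17 17:15:58\thostapd\t\trun0_wlan0: STA 02:00:00:00:00:02 WPA: pairwise key handshake completed (RSN)
Jun 17 17:15:58\thostapd\t\trun0_wlan0: STA 02:00:00:00:00:02 WPA: sending 1/4 msg of 4-Way Handshake
Jun 17 17:15:58\thostapd\t\trun0_wlan0: STA 02:00:00:00:00:02 IEEE 802.11: associated
Jun 17 17:15:57\thostapd\t\trun0_wlan0: WPA rekeying GTK
"""

LINE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+hostapd\s+\S+: STA (?P<sta>[0-9a-f:]{17}) (?P<msg>.+)$",
    re.I,
)

def handshake_attempts(log_text):
    """Map each station MAC to its association attempts, in chronological order."""
    attempts = {}
    for raw in reversed(log_text.strip().splitlines()):  # log is newest-first
        m = LINE.match(raw.strip())
        if not m:
            continue  # interface-level lines such as "WPA rekeying GTK"
        sta, msg = m["sta"].lower(), m["msg"]
        if msg.endswith("IEEE 802.11: associated"):
            attempts.setdefault(sta, []).append({"msg1": 0, "bad_mic": 0, "result": "incomplete"})
        if sta not in attempts:
            continue  # station associated before the log window started
        cur = attempts[sta][-1]
        if "sending 1/4 msg of 4-Way Handshake" in msg:
            cur["msg1"] += 1
        elif "invalid MIC in msg 2/4" in msg:
            cur["bad_mic"] += 1
        elif "PTKSTART: Retry limit" in msg:
            cur["result"] = "retry_limit"
        elif "pairwise key handshake completed" in msg:
            cur["result"] = "completed"
    return attempts

def failing_stations(log_text):
    """Stations whose latest attempt ended at the retry limit after failed MIC checks."""
    return sorted(sta for sta, a in handshake_attempts(log_text).items()
                  if a[-1]["result"] == "retry_limit" and a[-1]["bad_mic"] > 0)
```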


  • Rebel Alliance Global Moderator

    I just do not get the fascination of bridging your wifi to lan..  If what you want is your wifi on the same network as your lan why do you not just get an AP and plug it into your lan network.

    But why do you think you need your wifi on the same network as your lan?  Why can it not be its own network segment?



  • Well, convenience, not having to set up routes between networks, no double config.
    I could get an AP, sure, but my setup is like 10x10x4cm and would double / triple its size.

    Anyway, I understand why you are saying this, but the BRIDGE / WPA bug remains the same.

    Anyone please ?


  • Rebel Alliance Global Moderator

    "would double / triple its size."

    Huh??  If you got a real AP I would suggest you mount it for proper wifi coverage.  So it would have nothing to do with the size of the box you're running pfsense on.

    Why do you think you need to setup routes?  Pfsense knows how to route between networks it's directly attached to.. So no extra setup there.  Yes you would have to create a firewall rule.  But since you don't seem to care that your devices are on the same network anyway.  Just make your rule any any, and there you go - one time 2 seconds of setup.

    Your issues are self-inflicted if you ask me.. Not going to go through all the hassle of trying to duplicate your issue, which is going to be very common around here because anyone that has a clue to what they're doing doesn't set up a bridge between their wifi and their lan ;)



  • @johnpoz:

    anyone that has a clue to what they're doing doesn't set up a bridge between their wifi and their lan ;)

    Well then, ALL home routers are doomed it seems as they generally bridge LAN/WLAN :)
    I use pfSense a lot in business where I do have specific WLAN rules, external APs and captive portals, but this is my home setup.
    My earlier machine bridged LAN/WLAN perfectly since pfSense 2.0-beta release.

    I am not the only one who encountered this problem it seems on this forum, so investigating would probably not be so bad.
    I do understand that you don't want to bridge, but IMHO it's a neat feature to have at home.



  • Reply to myself:

    The run(4) driver isn't particularly stable with my RT3070 mini pci-e usb wlan interface.
    I get some "device timeout" messages, then I have to disable / enable the interface for the wlan to work again.
    Might be the reason the bridge doesn't work as expected.

    Problem: the mini computer I bought has a mini PCI-E port that only supports USB devices (!?!), I've tried with some other mini PCI-E wlan cards that weren't detected at all by the system.

    So for whoever plans to buy a J1900 pfsense box from pondesk, please bear in mind that the WLAN is crap and you cannot change it.


  • Rebel Alliance Global Moderator

    "ALL home routers are doomed"

    Who said that, you will always have the clueless masses buy the next shiny box the makers put out that has a higher number on it for "wifi" speed..  More antennas – damn straight users will buy this..

    This doesn't even have support for vlans..  But does it look cool ;)  And hey it says on the box "Wi-Fi speeds up to 5.3 Gbps*" do you think the user reads the little *..  Retails for $400 - love the specs on its range.. "Large Home" ;)

    "I do understand that you don't want to bridge, but IMHO it's a neat feature to have at home"

    Neat feature for what reason?  What does it get you??  What exactly is the advantage of having your wifi devices on the same layer 2 as all your other devices? The pfsense store has pulled the ability to order wifi cards for their appliances.. Long time coming if you ask me.  They suggest you buy an actual AP for your wifi.. If you want that on same layer 2 there you go plug it into that network and away you go..

    The one thing I would hope to see in future home routers is ability to better isolate different devices.. You really want that china iot toaster you got on the same network as everything else in your home?



  • I'm talking about the basic wifi router "box" your ISP gives you for the home.
    I use to put them in modem-bridge mode with a pfSense behind if they support bridge, but a lot of people won't do that.

    In my case I do need routing between the different networks (LAN & WLAN) as a couple of my boxes on the LAN use OpenVPN and need a "route add" directive to be able to talk with my laptop that administrates them.

    Anyway, this isn't a discussion of why I want to bridge LAN-WLAN, but I think that the pfSense team maybe could mention that this setup isn't stable depending on the wlan driver used.

    Regards,
    Ozy.


  • Rebel Alliance Global Moderator

    Why do you need routing?  Like I said pfsense will already know how to route between your different segments that are attached to pfsense.

    If you're going to run a vpn client on the box in the lan with some sort of default route to the vpn, then sure you would need a route statement on that box telling it to use pfsense IP in its segment to get to other segments in pfsense.

    You would only need a route on pfsense if you needed to get to some downstream network.