Netgate Discussion Forum

    Can't get new AP working

    Problems Installing or Upgrading pfSense Software
    17 Posts 5 Posters 4.8k Views
    • Q Offline
      qwaven
      last edited by

      Hi all,

      I can't figure out what is going on here. I've been running the latest release of PFSense for a while now. Had an access point connected directly to one of my ports on my PFSense. This worked fine. Never had any issues except for the wifi range. (not PFSense's fault)

      So recently I purchased another access point (by access point I mean typical home/wifi router) to try and solve my range issue.

      I started having connectivity issues almost instantly. So started troubleshooting with the vendor but without any luck. As far as they could tell the router should act as an access point just fine in my setup. So without being able to solve my issue I have purchased yet another new home router. Still have the exact same issues…

      The below are common on both new devices:

      I've gone into the router and disabled DHCP and set a static IP.  Setup appropriate SSID...etc.

      When I first power on either of the new "access points" my wifi seems to work. After let's say 30 seconds or less it will stop. The wifi signal is there but it would appear (as best I can tell) that PFSense is now blocking traffic.

      If I log into PFSense (via LAN connection) I don't see anything that strikes me as being blocked or off.

      If I disabled the interface for my wifi and then enable it again 'sometimes' this allows wifi traffic briefly.

      If I plug my older access point back in (the one with the range issues) it will work flawlessly.

      Anyone have any ideas where things are going wrong?

      • GertjanG Offline
        Gertjan
        last edited by

        pfSense, home router, access point?
        What is lined up to what?

        Did you read https://forum.pfsense.org/index.php?topic=122969.0 ?

        When you buy an AP, it is in router mode. An AP behind pfSense should not be used in router mode. Just AP mode.
        Do not use the "WAN" plug if it has one (to be sure - just one of the LAN "ports" to cable it to pfSense.)
        If the IP of pfSense is 192.168.1.1, give your AP this static IP : 192.168.1.2 (and DNS = 192.168.1.1 - gateway 192.168.1.1).
        TURN OFF the AP DHCP server (you should understand why).
        Etc etc.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • johnpozJ Online
          johnpoz LAYER 8 Global Moderator
          last edited by

          "When you buy a AP, it is in router mode."

          I wouldn't word it like that..  Can tell you for FACT that if you buy an actual AP it sure and the hell is not in any "router" mode ;)

          Now if you buy a wifi router, and you want to use it as just an AP, then yes you need to do a few things.

          Knowing what the user is working with when he says AP is key, and how everything is connected for sure helps as well.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • Q Offline
            qwaven
            last edited by

            Hi all,

            Thanks a lot for your replies.

            I thought I had illustrated what I was running/doing but let me try again to confirm. :)

            I have a home router/wifi appliance. (tried two now)
            I am not using the WAN port, just the lan ports :)
            I have just 1 LAN port connected directly to my PFSense via CAT6
            The router and PFSense have an IP in the same subnet.

            10.10.250.1 /29 = PFSense
            10.10.250.4 /29 = Wifi Router

            DHCP is hosted on PFSense on 10.10.250.1 and this does appear to work in the short time the internet actually works.

            I've further confirmed DHCP by also plugging a laptop directly into the wifi router's LAN port (while the wifi router is still also connected to PFSense) and the laptop is able to get an IP from PFSense. The laptop also loses internet access not long after similar to what I see when using wireless.

            I've turned off DHCP on the wifi router.
            I've even tried turning off other features (that should really only apply to the WAN port) such as NAT and firewall like stuff on the wifi router.

            I should also mention that my interface on PFSense has very few PF firewall rules. There is a default ipv4 allow any any within this. With the other rules just denying access to other networks on PFSense.

            I have noticed that I do see various IPv6 notices in the logs and these are being blocked. I do still see messages like this with the working AP connected as well so not sure if this would still be related. None of my interfaces on PFSense are configured with any IPv6 settings. They are all marked with NONE.

            Anyway thanks again for your help. If you have any ideas on what I can do that would be great!

            Cheers!

            • johnpozJ Online
              johnpoz LAYER 8 Global Moderator
              last edited by

              "The laptop also loses internet access not long after similar to what I see when using wireless."

              Well that has ZERO to do with wireless.. You're just using your wifi router's (as AP) switch ports as a downstream switch when you connect a device to one of its other lan ports.

              So you're saying internet works, and then stops..  Well what actually stops, can you not ping pfsense IP?? 10.10.250.1

              So normally users use huge networks, ie /16 /8 – using a /29.. So you only have a couple of devices ;)  Great..

              But let's forget wifi completely here for a bit, since you're saying when you wire a device to the switch port of your wifi router, you get an IP from pfsense dhcp.  You can use internet - but then this internet stops working.

              So can you still ping pfsense IP, can you still resolve stuff?  I assume you're using pfsense as your dns?

              But all your other devices are working??  Post up your rules that your wifi router is connected to
              "There is a default ipv4 allow any any within this. With the other rules just denying access to other networks on PFSense. "

              It's quite possible your internet problems are related to ipv6, clients want to use IPv6 if they get an IPv6 address.  If your IPv6 is broken, or not set up but your client is getting IPv6 that it tries to use then sure it can look like internet is broken.

              From your client ping pfsense IPv4 address.. Does this work?  From cmd line on this client do a query or ping for some fqdn??  Does it resolve?  Can you ping some ipv4 address on the internet?  Ie your isp gateway, 8.8.8.8 ??

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • Q Offline
                qwaven
                last edited by

                Hi there,

                Thanks for your reply.

                So I'm still thinking there is confusion as to how things are connected. See attached. :)

                Basically I have done:

                1. Tried connectivity from a wifi connection - symptom I mentioned above was that everything appears to work fine for about 30 seconds. After that all network connectivity stops (except for the actual wifi pairing). I cannot ping PFSense, or Google (8.8.8.8) or do anything really.

                2. Tried connectivity from the same DHCP pool as the wifi clients use. I did this by connecting into the wifi router and using the switch ports. I saw the same situation happen. I could connect and got internet access fine. After about 30 seconds I lost all network connectivity except for the physical connection. No ping…etc same as wifi.

                Forgot to also mention that once internet stops, I have to then disable the interface on PFSense connected to the wireless router and then re-enable it. Even this does not always work.

                Is there a way I can confirm IPv6 more? I don't use this and if I can ensure the same is on PFSense this can be removed from the situation. I'm not sure where the IPv6 IP would come from as there is no DHCP server with this setup.

                I've also added the wireless rules (screen shot, not sure how else to share)

                Cheers!

                wirelessrules.PNG
                ![pfsense network setup.png](/public/imported_attachments/1/pfsense network setup.png)

                • johnpozJ Online
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  "So I'm still thinking there is confusion as to how things are connected. See attached."

                  No I understood what you said, you connected your laptop to a lan port on your wifi router you're using as AP, so those ports become a downstream switch is all.  If you're saying that is stopping from working, that has ZERO to do with the wifi portion of the router..

                  If you can not ping pfsense from your laptop connected to a switch that is connected to pfsense, which is what you have.. Then you have either something wrong with that port, or something wrong with the switch (of your wifi router) or something wrong with your laptop..

                  So looking at your rules.. They don't make a lot of sense.

                  You stated that this network is only a /29

                  10.10.250.1 /29 = PFSense
                  10.10.250.4 /29 = Wifi Router

                  But then you have a rule to 10.10.100.1 - what is that?  Is that another interface of pfsense, or a different device on a different segment?  Which ok.. That rule could work, but if it's to a specific interface of pfsense - what about its other interfaces like its wan IP or other segment(s).. That rule doesn't stop access to those IPs.  Says no ssh management.  But your any any rule at the bottom allows anything to go to say 10.10.250.1 for ssh on pfsense, etc.

                  But these rules that have source 10.10.250.11 and .12 ??  Huh?  You stated you're on a /29 so those devices are NOT on that network.. Do you have a downstream router somewhere??  10.10.250.0/29 gives you .1 through .6 as IPs, with .7 being broadcast.  .11 and .12 are not on that network.

                  If you can not ping the ipv4 address of pfsense it has ZERO to do with ipv6..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  • Q Offline
                    qwaven
                    last edited by

                    My apologies. I'm not sure why I was thinking /29 when I wrote this. :P Explains why you were saying a few hosts… :)

                    To correct myself:

                    Direct from my DHCP pool:

                    Subnet: 10.10.250.0
                    Subnet mask: 255.255.255.192 or /26
                    Available range: 10.10.250.1 - 10.10.250.62

                    The 10.10.100.1, yes it is a different network interface. Actually this looks like the firewall rule did get a little messed up. I had earlier on tried changing the network block/IPs to see if that would solve my issue (nope) and I guess this got somehow changed or happened when I restored my configuration (changed from 32bit to 64bit to try that) in any case I have changed it to reflect the correct interface (10.10.250.1)

                    My thought on ipv6 was that if ping is trying to use ping6 instead but that would really be silly if the wireless routers were forcing ipv6 while having an ipv4 ip.

                    Cheers!

                    1 Reply Last reply Reply Quote 0
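The subnet arithmetic and the rule-order point from the two posts above, as an added example that is not part of any poster's message: it computes the usable range for the /29 and the corrected /26, lists rule sources that fall outside each, and evaluates first-match rules to show which firewall addresses still accept SSH from the wifi segment. The rule table, the client address 10.10.250.5 and the WAN address 203.0.113.10 are constructed, and the rule actions are assumptions, since the thread only shows the rules as a screenshot.

```python
import ipaddress

# Constructed rule table modelled on the rules described in the thread
# (the real ones exist only as a screenshot). Order matters: pfSense
# evaluates interface rules top-down and the first match wins.
# Fields: action, source, destination, destination port (None = any).
RULES = [
    ("block", "any", "10.10.100.1", 22),      # the "no ssh management" rule
    ("pass", "10.10.250.11", "any", None),    # action assumed
    ("pass", "10.10.250.12", "any", None),    # action assumed
    ("pass", "any", "any", None),             # default IPv4 allow any any
]

# Addresses the firewall itself owns. 10.10.250.1 and 10.10.100.1 come from
# the thread; 203.0.113.10 is a placeholder standing in for the WAN address.
FIREWALL_ADDRS = ["10.10.250.1", "10.10.100.1", "203.0.113.10"]


def host_range(cidr):
    """Return (first usable host, last usable host, broadcast) for a subnet."""
    net = ipaddress.ip_network(cidr)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), str(net.broadcast_address)


def sources_outside(cidr, rules):
    """List rule source addresses that are not inside the interface subnet."""
    net = ipaddress.ip_network(cidr)
    return [src for _, src, _, _ in rules
            if src != "any" and ipaddress.ip_address(src) not in net]


def _matches(spec, addr):
    """True if addr is covered by a rule field ('any', a host or a CIDR)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def first_match(rules, src, dst, port):
    """Return the action of the first rule matching the packet."""
    for action, r_src, r_dst, r_port in rules:
        if _matches(r_src, src) and _matches(r_dst, dst) and r_port in (None, port):
            return action
    return "block"  # nothing matched: default deny


def ssh_exposure(rules, client, firewall_addrs):
    """Map each firewall-owned address to the verdict for SSH from client."""
    return {addr: first_match(rules, client, addr, 22) for addr in firewall_addrs}


if __name__ == "__main__":
    for cidr in ("10.10.250.0/29", "10.10.250.0/26"):
        print(cidr, host_range(cidr), "outside:", sources_outside(cidr, RULES))
    for addr, verdict in ssh_exposure(RULES, "10.10.250.5", FIREWALL_ADDRS).items():
        print("ssh to", addr, "->", verdict)
```

Blocking management access to one interface address leaves the firewall's other addresses reachable through the any-any rule; a rule whose destination covers every firewall-owned address closes that gap.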
                    • johnpozJ Online
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      There is no forcing of ipv6.. While yes many OS prefer ipv6 over ipv4 and will try that if they believe they have an address.  That can cause you issues for sure.

                      If you can not ping the ipv4 address of pfsense wired.. Then you need to fix that issue before you even look at what could be wrong with wifi.  My guess would be once you fix your issue with your wired then your wifi will work fine.

                      Can you ping other things.. So for example with your laptop can you ping the wifi router's IP?  When you can ping pfsense IP?

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      • Q Offline
                        qwaven
                        last edited by

                        Hi there,

                        So I did some more testing. I added various firewall rules with LOG on to allow things like DNS, DHCP, and ICMP explicitly from my wireless network to my wireless network. Still don't see anything abnormal. As soon as I switched from the working access point to the new one I could see DNS hitting my DNS rule. Ping from my laptop also worked although it did seem a bit iffy every few packets seemed to drop. This time it did seem to stay working for 15 minutes or so but wireless connectivity through my phone was really slow and eventually everything stopped working again.

                        I do also notice that this interface is listed as MASTER where none of my other interfaces are.

                        All my other interfaces are listed just as: 1000baseT <full-duplex>
                        Where the wireless one shows this: 1000baseT <full-duplex,master>
                        Not sure if this would have anything to do with it?

                        As for ping. If I set a static IP on my laptop I can ping the access point fine. No issues. But pinging 8.8.8.8 or 10.10.250.1 do not work after a bit. Even now after resetting the interface it still appears broken. Seems almost random if it will work or not.

                        Tried disabling PF (pfctl -d) and still nothing so I don't believe this is a firewall issue.

                        Thoughts?

                        • chpalmerC Offline
                          chpalmer
                          last edited by

                          I don't see any mention of make model of the AP router..

                          Reason I mention is that the last few Linksys routers I have purchased for AP's have a "Bridge" mode you can set on the WAN that effectively makes the unit an AP/switch only.  It's a one click fix.

                          Helps if the loose nut behind the wheel missed something.

                          Triggering snowflakes one by one..
                          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                          • johnpozJ Online
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            Master??  So you have a carp setup?  You said nothing of a carp setup..

                            You clearly F'd up something.. This is out of the box stuff.  Do you have some sort of switching loop? You say you're running other networks on your other interfaces..  Where do you plug those?  And what is your wan plugged into?

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            • Q Offline
                              qwaven
                              last edited by

                              Hi all sorry for the late reply. Bit busy with holidays…etc. :)

                              @chpalmer:

                              I don't see any mention of make model of the AP router..

                              Reason I mention is that the last few Linksys routers I have purchased for AP's have a "Bridge" mode you can set on the WAN that effectively makes the unit an AP/switch only.  It's a one click fix.

                              Helps if the loose nut behind the wheel missed something.

                              I left out the make and model as I've tried two completely different manufacturers with the exact same result.

                              Since you asked:

                              1. TP-Link Archer 2600
                              2. Amped Athena RTA2600

                              I can check for bridge mode and the likes once I have some time.

                              @johnpoz:

                              Master??  So you have a carp setup?  You said nothing of a carp setup..

                              You clearly F'd up something.. This is out of the box stuff.  Do you have some sort of switching loop? You say you're running other networks on your other interfaces..  Where do you plug those?  And what is your wan plugged into?

                              I have not setup any CARP features. As far as I know each interface is acting as a standalone interface.

                              Checking CARP status I see this:

                              
                              No CARP interfaces have been defined.
                              High availability sync settings can be configured here.
                              
                              and clicking the above nothing appears configured
                              
                              

                              All other networks are plugged directly into their own interface on PFSense. There are no VLAN's…etc configured either.

                              The WAN is plugged directly into my CPE/Modem. PFSense initiates and authenticates the connection. (that works fine, wired connections or older AP have no issues)

                              One thing I have noticed now is that the "working" AP (D-link DAP-1650) the interface configures itself as 100baseTX <full-duplex> instead of 1000base. The AP LAN ports are all gigabit rated. I'm wondering if this could be why the newer AP's are having issue? Could there be some hardware related issue with the NIC? Ex maybe some driver issue with using gigabit?

                              For reference the interfaces are listed as RE0/RE1/RE2...

                              Thoughts?

                              • johnpozJ Online
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                "I have not setup any CARP features. As far as I know each interface is acting as a standalone interface. "

                                Then why is your interface showing "master"?  I do not have a lot of experience with CARP.. But your interface should not list master if you do not have carp set up.. Did you try to set it up in the past and then remove it..

                                "All other networks are plugged directly into their own interface on PFSense"

                                And you don't have any loops in this sort of setup??  None of your interfaces plug into the same dumb switch, or wifi routers you're using as AP, none of their lan ports are connected to other lan ports on other AP?  Or connected to some common device that could be bridging?

                                You're not trying to link any of your wifi together, that could also cause a loop.

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                • w0wW Offline
                                  w0w
                                  last edited by

                                  Yes, your problem is related to the Realtek drivers included in FreeBSD. Use Google and you will find the answer.
                                  Solution is to change link speed to 100 or you must compile and add a new Realtek driver into pfSense.
                                  https://forums.freebsd.org/threads/55861/

                                  • Q Offline
                                    qwaven
                                    last edited by

                                    That's a shame. I'm thinking I will probably just try upgrading to a newer appliance in the near future anyway. Thanks for the info!

                                    Cheers!

                                    • Q Offline
                                      qwaven
                                      last edited by

                                      So just to update you all.

                                      I took apart my Atom box and found a PCI slot. Stuck an Intel based gig card in there and it worked perfectly with my wifi. So confirmed it was the Realtek NICs causing the issue.

                                      Thanks all for taking the time to try and help. Will likely upgrade to a faster box at some point in the future with intel nics but for now PCI card is doing fine. :)

                                      1 Reply Last reply Reply Quote 0
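A check for the condition the thread ends on (Realtek `re` ports linked at gigabit), as an added example rather than anything the posters ran: it parses FreeBSD `ifconfig` output and lists `re` interfaces negotiated at 1000baseT. The sample output, including its interface-to-address mapping, is constructed; real `ifconfig` output can be passed to the same functions.

```python
import re

# Constructed sample in FreeBSD ifconfig format. Which port carries which
# network is an assumption made for illustration.
SAMPLE_IFCONFIG = (
    "re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\tinet 10.10.100.1 netmask 0xffffff00 broadcast 10.10.100.255\n"
    "\tmedia: Ethernet autoselect (1000baseT <full-duplex>)\n"
    "\tstatus: active\n"
    "re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\tinet 10.10.250.1 netmask 0xffffffc0 broadcast 10.10.250.63\n"
    "\tmedia: Ethernet autoselect (1000baseT <full-duplex,master>)\n"
    "\tstatus: active\n"
    "re2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\tmedia: Ethernet autoselect (100baseTX <full-duplex>)\n"
    "\tstatus: active\n"
    "em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\tmedia: Ethernet autoselect (1000baseT <full-duplex>)\n"
    "\tstatus: active\n"
)

# Interface header, e.g. "re0: flags=..." -> driver "re", unit "0".
IFACE_RE = re.compile(r"^([a-z_]+)(\d+): flags=")
# Media line, with or without autoselect:
#   media: Ethernet autoselect (1000baseT <full-duplex,master>)
#   media: Ethernet 100baseTX <full-duplex>
# In this line "master" is a 1000baseT media option (the link's clock role);
# CARP state is reported on a separate "carp:" line.
MEDIA_RE = re.compile(
    r"media: Ethernet (?:autoselect \()?([0-9A-Za-z]+)(?: <([^>]*)>)?"
)


def parse_media(text):
    """Return one dict per interface: name, driver, speed, media options."""
    results, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # A new interface block starts; forget the previous one even if
            # this header is a name form we do not parse (e.g. "re1.10").
            head = IFACE_RE.match(line)
            current = None
            if head:
                current = {
                    "name": head.group(1) + head.group(2),
                    "driver": head.group(1),
                    "speed": None,
                    "options": [],
                }
                results.append(current)
            continue
        media = MEDIA_RE.search(line)
        if media and current is not None:
            speed = media.group(1)
            # "autoselect" or "none" here means no link was negotiated.
            current["speed"] = None if speed in ("autoselect", "none") else speed
            current["options"] = media.group(2).split(",") if media.group(2) else []
    return results


def gigabit_realtek(text):
    """Names of re(4) interfaces currently linked at 1000baseT."""
    return [i["name"] for i in parse_media(text)
            if i["driver"] == "re" and i["speed"] == "1000baseT"]


if __name__ == "__main__":
    for iface in parse_media(SAMPLE_IFCONFIG):
        print(iface["name"], iface["speed"], ",".join(iface["options"]))
    print("re ports at gigabit:", gigabit_realtek(SAMPLE_IFCONFIG))
```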